search

jeffvli / feishin

A modern self-hosted music player.
https://feishin.vercel.app
GNU General Public License v3.0
2k stars 79 forks source link

Electron sandbox error #579

Closed Hyask closed 2 months ago

Hyask commented 2 months ago

Expected Behavior

Be able to run Feishin without changing the rights of chrome-sandbox.

Current Behavior

Executing Feishin with the AppImage or from the tar.xz archive on Ubuntu Noble (24.04) leads to the following error:

❯ ./feishin
[765764:0410/105945.462269:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/Feishin-0.6.1-linux-x64/chrome-sandbox is owned by root and has mode 4755.
zsh: trace trap (core dumped)  ./feishin

Possible Solution (Not obligatory)

Executing the following in the extracted Feishin archive works around the issue:

chmod 4755 chrome-sandbox
sudo chown root:root chrome-sandbox

There are some ideas on this issue. Perhaps running the chown/chmod combo could be done in the CI?

Context

Trying to run Feishin on Linux x86_64

Your Environment

kgarner7 commented 2 months ago

I'm not particularly fond of making the binary setuid by default. If your system has unprivileged namespaces this change is unnecessary. Furthermore, even if this was in the pipeline, the ownership still wouldn't be root requiring manual intervention (this is the case with all Electron applications, if it's installed in your distro that normally handles it by default).

At most, I'll update the README to note this.

Hyask commented 2 months ago

Yes, I do agree that setuid was not the first solution I tried, since the risk here is quite huge. I forgot to mention in the original report that I've also played with the sysctl kernel.unprivileged_userns_clone option, without success, although I admit I haven't tried a full reboot after activating this option.
I don't know anything in the Electron world, so haven't dug that issue very much, but there might be other more appropriate solution :thinking:

kgarner7 commented 2 months ago

That's a bit weird. I set that to 1 on a clean Debian install, and I can definitely see that it makes a difference immediately

/sbin/sysctl kernel.unprivileged_userns_clone=1

and when I start Feishin, it no longer complains. Setting values via sysctl should take effect immediately, although they are not persistent

Hyask commented 2 months ago

Trying Feishin on a Monday after the week-end reboot. I still correctly have sysctl kernel.unprivileged_userns_clone=1, and now it's working correctly without me having to make chrome-sandbox suid root.
I guess the topic is definitely closed, thanks :-)

kgarner7 commented 2 months ago

Great! Weird that it required a reboot, but glad it's fully working