mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0
5.09k stars 338 forks source link

Impossible to launch Mullvad GUI | The SUID sandbox helper binary was found, but is not configured correctly. #6128

Closed lureedo closed 6 months ago

lureedo commented 6 months ago

It works using --no-sandbox.

lureedo commented 6 months ago

After a talk with mullvad support, they suggested using --no-sandbox option as a temporarily bypass to this issue.

Either /opt/Mullvad\ VPN/mullvad-gui --no-sandbox or /opt/Mullvad\ VPN/mullvad-vpn --no-sandbox work.

raksooo commented 6 months ago

@lureedo I found this thread on the Electron GitHub: https://github.com/electron/electron/issues/30758

Have you set user.max_user_namespaces kernel parameter to 0? The author of that issue seems to have found that this kernel parameter causes the same/similar issues with Electron/chromium applications using the sandbox.

bungabunga commented 6 months ago

The same problem here, after upgrade to Ubuntu 24.04, Mullvad version 2024.1. stable. Haven't changed any kernel stuff.

lureedo commented 6 months ago

@lureedo I found this thread on the Electron GitHub: electron/electron#30758

Have you set user.max_user_namespaces kernel parameter to 0? The author of that issue seems to have found that this kernel parameter causes the same/similar issues with Electron/chromium applications using the sandbox.

@raksooo After your message, I tested a bit this parameter and this is what i found out:

The culprit is Ubuntu stock kernel but not user.max_user_namespaces ?

timsdeepsky commented 6 months ago

Greetings, Same type of issue for me also.... Mullvad GUI impossible to launch under Ubuntu 24.04 LTS (April 25 2024 release-fresh install).... Appears to be similar to this bug #6128.... Installed the app without the Mullvad repository from the page below.... https://mullvad.net/en/help/install-mullvad-app-linux.... (using this code below)

wget --trust-server-names https://mullvad.net/download/app/deb/latest
sudo apt install ./MullvadVPN-2024.1_amd64.deb

(terminal output) **

t@t-HP-ENVY-17-Notebook-PC:~$ wget --trust-server-names https://mullvad.net/download/app/deb/latest sudo apt install ./MullvadVPN-2024.1_amd64.deb --2024-04-25 18:25:47-- https://mullvad.net/download/app/deb/latest Resolving mullvad.net (mullvad.net)... 45.83.223.209 Connecting to mullvad.net (mullvad.net)|45.83.223.209|:443... connected. HTTP request sent, awaiting response... 302 Found Location: /en/download/app/deb/latest [following] --2024-04-25 18:25:48-- https://mullvad.net/en/download/app/deb/latest Reusing existing connection to mullvad.net:443. HTTP request sent, awaiting response... 302 Found Location: https://cdn.mullvad.net/app/desktop/releases/2024.1/MullvadVPN-2024.1_amd64.deb [following] --2024-04-25 18:25:48-- https://cdn.mullvad.net/app/desktop/releases/2024.1/MullvadVPN-2024.1_amd64.deb Resolving cdn.mullvad.net (cdn.mullvad.net)... 45.149.104.1 Connecting to cdn.mullvad.net (cdn.mullvad.net)|45.149.104.1|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 88931748 (85M) [application/octet-stream] Saving to: ‘MullvadVPN-2024.1_amd64.deb’

MullvadVPN-2024.1_a 100%[===================>] 84.81M 707KB/s in 89s

2024-04-25 18:27:18 (971 KB/s) - ‘MullvadVPN-2024.1_amd64.deb’ saved [88931748/88931748]

[sudo] password for t: Reading package lists... Done Building dependency tree... Done Reading state information... Done Note, selecting 'mullvad-vpn' instead of './MullvadVPN-2024.1_amd64.deb' The following NEW packages will be installed: mullvad-vpn 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/88.9 MB of archives. After this operation, 351 MB of additional disk space will be used. Get:1 /home/t/MullvadVPN-2024.1_amd64.deb mullvad-vpn amd64 2024.1 [88.9 MB] Selecting previously unselected package mullvad-vpn. (Reading database ... 169343 files and directories currently installed.) Preparing to unpack .../t/MullvadVPN-2024.1amd64.deb ... Unpacking mullvad-vpn (2024.1) ... Setting up mullvad-vpn (2024.1) ... Created symlink /etc/systemd/system/multi-user.target.wants/mullvad-daemon.servi ce → /usr/lib/systemd/system/mullvad-daemon.service. Created symlink /etc/systemd/system/mullvad-daemon.service.wants/mullvad-early-b oot-blocking.service → /usr/lib/systemd/system/mullvad-early-boot-blocking.servi ce. Processing triggers for hicolor-icon-theme (0.17-2) ... Processing triggers for gnome-menus (3.36.0-1.1ubuntu3) ... Processing triggers for desktop-file-utils (0.27-2build1) ... **> N: Download is performed unsandboxed as root as file '/home/t/MullvadVPN-2024.1_amd64.deb' couldn't be accessed by user 'apt'. - pkgAcquire::Run (13: Permission denied)** t@t-HP-ENVY-17-Notebook-PC:~$

(noticed this from the terminal text) N: Download is performed unsandboxed as root as file '/home/t/MullvadVPN-2024.1_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)**

(the temp fix shown up the page does work for me and launches the gui and lets me login for the session....) (but this shows me leaking dns servers on the Mullvad page....) Either /opt/Mullvad\ VPN/mullvad-gui --no-sandbox or /opt/Mullvad\ VPN/mullvad-vpn --no-sandbox work

Report details

Date generated:2024-04-25 18:15:36

Hardware Information:

Hardware Model:Hewlett-Packard HP ENVY 17 Notebook PC Memory:12.0 GiB Processor:Intel® Core™ i7-4720HQ × 8 Graphics:Intel® HD Graphics 4600 (HSW GT2) Disk Capacity:1.0 TB

Software Information:

Firmware Version:F.57 OS Name:Ubuntu 24.04 LTS OS Build:(null) OS Type:64-bit GNOME Version:46 Windowing System:Wayland Kernel Version:Linux 6.8.0-31-generic

Thank you....

brian-bourdon commented 6 months ago

I have the same problem after upgrading to ubuntu 24.04 LTS (mullvad version: 2024.2)

LinuxEnthusiast99 commented 6 months ago

Temporary workaround:

Add --no-sandbox flag in /usr/share/applications/mullvad-vpn.desktop from

Exec="/opt/Mullvad VPN/mullvad-vpn" %U

to

Exec="/opt/Mullvad VPN/mullvad-vpn" --no-sandbox %U

or there is the error

FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Mullvad VPN/chrome-sandbox is owned by root and has mode 4755. Trace/breakpoint trap (core dumped)

The same flag must be added in the Startup Application entry.

raksooo commented 5 months ago

We've now released 2024.3 which contains a fix for this issue. --no-sandbox is no longer needed for the app to run under these circumstances.

LinuxEnthusiast99 commented 5 months ago

@raksooo thanks, fix confirmed

tinglycraniumplacidly commented 5 months ago

I'm running 2024.3 and I still have to use --no-sandbox to run mullvad-gui. This is also after upgrading Ubuntu to 24.04

bungabunga commented 5 months ago

I am on Ubuntu 24.04 and Mullvad 2024.03 and everything is working fine now.

Flimm commented 5 months ago

This bug report is mentioned by this official web page: https://mullvad.net/en/help/install-mullvad-app-linux

> We have not tested the Mullvad VPN app on Ubuntu 24.04 and it may not start.

That web page may need to be modified now that a fix has been released.

This has been fixed now.

gamer191 commented 4 months ago

For end-users: if you encounter this issue, run sudo dpkg-reconfigure mullvad-vpn

For developers: This issue is not properly fixed, because the patch is only applied if Mullvad VPN is configured after upgrading to 24.04. The following common usecase will likely trigger this issue:

  1. install Mullvad-VPN on a previous version of Ubuntu
  2. upgrade to 24.04

EDIT: If, after upgrading to 24.04, the user were to upgrade the mullvad-vpn package, I believe that would fix this issue. This is likely the reason why the patch appeared to be effective (users who were waiting for the patch had already upgraded to 24.04, and the patch forced them to upgrade the mullvad-vpn package). However, 90% of the time there won't be an upgrade available (I haven't tested this, so it's possible there's some mechanism that means an upgrade will always be available)

tinglycraniumplacidly commented 4 months ago

For end-users: if you encounter this issue, run sudo dpkg-reconfigure mullvad-vpn

For developers: This issue is not properly fixed, because the patch is only applied if Mullvad VPN is configured after upgrading to 24.04. The following common usecase will likely trigger this issue:

1. install Mullvad-VPN on a previous version of Ubuntu

2. upgrade to 24.04

thank you, this worked for my case!

mrp52 commented 3 weeks ago

Sigh this issue has popped up again for me on KDE Neon User. Works with --no-sandbox fine but sadly sudo dpkg-reconfigure mullvad-vpn doesn't fix it.

I know KDE Neon is a "moving target" but figured I would add to this for anyone else that hits this problem. Using Mullvad 2024.5 installed via the standard ubuntu repo method.

Also fails with 2024.6-beta manually installed via the MullvadVPN-2024.6-beta2_amd64.deb package.

Full output from the error with the stable 2024.5 install

[11702:1020/120617.802188:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Mullvad VPN/chrome-sandbox is owned by root and has mode 4755.
zsh: trace trap (core dumped)  /opt/Mullvad\ VPN/mullvad-vpn

And the permissions for chrome-sandbox (that appear to be correct?)

.rwxr-xr-x   54k root  3 Sep 14:54  chrome-sandbox
mrp52 commented 3 weeks ago

After a little research today I found a simple solution. It appears that on Ubuntu the package correctly installs the apparmor profile but it doesn't on some Ubuntu-based distros such as KDE Neon

This was simply fixed by manually installing the profile with the following after installing Mullvad VPN

sudo cp /opt/Mullvad\ VPN/resources/apparmor_mullvad /etc/apparmor.d/mullvad
sudo apparmor_parser -r /etc/apparmor.d/mullvad
magnum61 commented 2 weeks ago

After a little research today I found a simple solution. It appears that on Ubuntu the package correctly installs the apparmor profile but it doesn't on some Ubuntu-based distros such as KDE Neon

This was simply fixed by manually installing the profile with the following after installing Mullvad VPN

sudo cp /opt/Mullvad\ VPN/resources/apparmor_mullvad /etc/apparmor.d/mullvad
sudo apparmor_parser -r /etc/apparmor.d/mullvad

I have a new install with KDE neon (latest release from yesterday) and trapped into the error. The two commands you provided worked for me as well.

mrp52 commented 2 weeks ago

I have a new install with KDE neon (latest release from yesterday) and trapped into the error. The two commands you provided worked for me as well.

Glad my comment helped. Hopefully the Mullvad team can have a look at the package install script and figure out why it isn't installing the AppArmor profiles on Ubuntu-based distros like it does on Ubuntu itself.

magnum61 commented 2 weeks ago

Yeah, would be great, especially because it's only two lines of code in the post-install scripts after the used linux version is determined during setup.