nativefier / nativefier

Make any web page a desktop application
MIT License

Debian sandbox ownership error #860

Open SiqingYu opened 4 years ago

SiqingYu commented 4 years ago

Description

Steps to reproduce issue

Nativefying a public website ticktick.com:

user@xps:~/Downloads$ nativefier --icon ~/Downloads/ticktick.png --single-instance --tray start-in-tray "http://ticktick.com"
  packaging [==============================                    ] 60%Packaging app for platform linux x64 using electron v5.0.10
user@xps:~/Downloads$ ls
ticktick.png  tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web-linux-x64
user@xps:~/Downloads$ cd tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web-linux-x64/
user@xps:~/Downloads/tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web-linux-x64$ ls
chrome_100_percent.pak  locales
chrome_200_percent.pak  natives_blob.bin
chrome-sandbox          resources
icudtl.dat              resources.pak
libEGL.so               snapshot_blob.bin
libffmpeg.so            swiftshader
libGLESv2.so            tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web
LICENSE                 v8_context_snapshot.bin
LICENSES.chromium.html  version

Executing the generated binary throws out an error:

user@xps:~/Downloads/tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web-linux-x64$ ./tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web 
[18943:1007/015706.048292:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/user/Downloads/tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web-linux-x64/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

I tried chmod and chown on chrome-sandbox according to the error messages, but it didn't work either.

-rwxr-xr-x 1 root root 5.0M Oct  6 15:14 chrome-sandbox

Running with root throws out another error:

user@xps:~/Downloads/tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web-linux-x64$ sudo ./tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web 
[32224:1007/022741.471444:FATAL:atom_main_delegate.cc(194)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
Trace/breakpoint trap

With --no-sandbox:

user@xps:~/Downloads/tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web-linux-x64$ sudo ./tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web --no-sandbox

(tick-tick-todo-list-checklist-and-task-manager-app-for-android-i-phone-and-web:32227): libappindicator-WARNING **: 02:27:58.094: Unable to get the session bus: Unknown or unsupported transport “disabled” for address “disabled:”

Details

soifou commented 4 years ago

Same problem here on Debian testing (same Nativefier version), but as stated by the error message, the following commands fixed it for me:

$ sudo chown root chrome-sandbox
$ sudo chmod 4755 chrome-sandbox

Are you sure you have chmod'ed the file correctly?

amaramrahul commented 3 years ago

Rather than setting the setuid bit on chrome-sandbox (which would give the binary root privileges), it is probably safer to enable the option of running unprivileged namespaces:

sysctl -w kernel.unprivileged_userns_clone=1

or, to set it permanently:

echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/userns.conf

References:
https://www.reddit.com/r/linux/comments/dvb43s/til_electron_requires_setuid_root_to_operate/
https://unix.stackexchange.com/questions/303213/how-to-enable-user-namespaces-in-the-kernel-for-unprivileged-unshare
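
A diagnostic for the two options discussed in this thread, added here as an example (not code from Nativefier or Electron): it checks whether chrome-sandbox is root-owned with mode 4755 and whether kernel.unprivileged_userns_clone is enabled. The function names are hypothetical and GNU stat is assumed; the listing in the first post, -rwxr-xr-x, corresponds to mode 755, which this script reports as no-setuid-bit.

```shell
#!/bin/sh
# Added example (not Nativefier/Electron code); function names are hypothetical.
# Requires GNU stat (coreutils), as on Debian.

# classify_helper UID MODE -> ok | not-root-owned | no-setuid-bit | wrong-mode
classify_helper() {
    uid=$1; mode=$2
    if [ "$uid" != "0" ]; then echo not-root-owned; return; fi
    case $mode in
        4755)     echo ok ;;
        [4-7]???) echo wrong-mode ;;     # setuid set, but not exactly 4755
        *)        echo no-setuid-bit ;;  # e.g. 755, which ls shows as -rwxr-xr-x
    esac
}

# userns_state [FILE] -> enabled | disabled | unknown
# FILE defaults to the Debian sysctl named in the thread.
userns_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || { echo unknown; return; }   # sysctl not readable on this kernel
    case $(cat "$f") in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# diagnose HELPER_PATH: print both findings; exit status 0 if either
# sandbox mechanism looks usable, 1 if neither does, 2 if stat fails.
diagnose() {
    owner_mode=$(stat -c '%u %a' "$1") || return 2
    helper=$(classify_helper "${owner_mode% *}" "${owner_mode#* }")
    userns=$(userns_state)
    echo "chrome-sandbox helper: $helper (uid/mode: $owner_mode)"
    echo "unprivileged user namespaces: $userns"
    [ "$helper" = ok ] || [ "$userns" = enabled ]
}

# Run only when a path is given, e.g.: sh check.sh ./chrome-sandbox
if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```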