​Unable to launch through .desktop - SUID Sandbox Error: Affine 0.17.0 Fails to Launch on Ubuntu 22.04 LTS

[elindiotaino]

What happened?

I am encountering issues launching the Affine 0.17.0-stable-linux-x64 version on my Ubuntu 22.04 LTS system. While I can run the application directly from the executable in the extracted .zip folder, launching Affine from the .desktop file (or from the taskbar) fails. The logs show a SUID sandbox error that seems related to the chrome-sandbox binary.

This issue appears similar to what was reported in Issue #6722, which was marked as fixed. However, the problem persists for me in version 0.17.0.

System Information: OS: Ubuntu 22.04 LTS (GNOME) Affine Version: 0.17.0-stable-linux-x64 AppImage/.zip: Both tested libfuse2 Installed: Yes SUID sandbox permissions fixed: Yes, tried chmod 4755 on the chrome-sandbox binary.

Steps to Reproduce:

1. Download Affine 0.17.0-stable-linux-x64.
2. Extract the .zip or run the AppImage version.
3. Set up a .desktop file to launch the extracted AFFiNE executable.
4. Attempt to launch Affine via the .desktop file.

Expected Behavior: Affine should launch correctly (when launching from .desktop) without the SUID sandbox issue.

Actual Behavior: The .desktop file fails to launch the application. Running the executable directly works but doesn't provide the expected system integration.

Desktop File Contents:

[Desktop Entry]
Version=0.17.0
Name=Affine
Exec=/home/joche/Desktop/affine-0.17.0-stable-linux-x64/AFFiNE-linux-x64/AFFiNE
Path=/home/joche/Desktop/affine-0.17.0-stable-linux-x64/AFFiNE-linux-x64
Icon=/home/joche/Desktop/Icons/affine-icon.png
Type=Application
Categories=Office;Productivity;Graphics;
X-GNOME-Autostart-enabled=true
Terminal=false

Troubleshooting Steps Taken:

1. Installed libfuse2 and verified it is correctly installed.

2. Changed ownership and permissions of the chrome-sandbox binary:

   • sudo chown root:root /path/to/chrome-sandbox
   • sudo chmod 4755 /path/to/chrome-sandbox

3. Tried launching with --no-sandbox flag:

   • Exec=/path/to/AFFiNE --no-sandbox
   • This worked when manually running the binary but not when using the .desktop file.

4. Set AppArmor to "complain" mode using:

   • sudo aa-complain /path/to/AFFiNE
   • Issue persists even with AppArmor complain mode enabled.

5. Attempted to manually set the .desktop file as trusted using:

   • gio set /home/joche/Desktop/affine.desktop metadata::trusted true

6. Rebuilt the desktop icon cache:

   • gtk-update-icon-cache ~/.local/share/icons

Distribution version

Linux

What browsers are you seeing the problem on if you're using web version?

No response

Are you self-hosting?

• [ ] Yes

Relevant log output

[16705:0924/104439.968663:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

Anything else?

Additional Notes:

• The app runs fine when launched directly from the folder using the terminal (./AFFiNE), but it doesn't integrate correctly with the system via the .desktop file.
• I saw a mention in Issue #6722 that a Snap package may be in the works. Is that available yet? Would using Snap or Flatpak potentially avoid these issues?

Suggestions:

• Is there any further workaround to address the sandbox configuration issue when launching via .desktop?
• Are there plans to release a Snap or Flatpak version for easier installation and management on Ubuntu?

[affine-issue-bot[bot]]

Issue Status: 🆕 *Untriaged

*🆕 Untriaged**

The team has not yet reviewed the issue. We usually do it within one business day. Docs: https://github.com/toeverything/AFFiNE/blob/canary/docs/issue-triaging.md

^{_{This is an automatic reply by the bot.}}

[pengx17]

Sorry, we have limited resource on linux right now. Will take a look in the following week, but no promise on how long will it take. Also, marked this issue as help wanted an see if there are any solutions from the community

[pengx17]

@elindiotaino I reviewed the desktop file you provided and it looks like the exec entry is incorrect. If you integrate the appimage with AppImageLauncher, it will produce something like this:

[Desktop Entry]
Name=AFFiNE
Exec=AFFiNE --no-sandbox --disable-setuid-sandbox %u
Terminal=false
Type=Application
Icon=AFFiNE
StartupWMClass=AFFiNE
X-AppImage-Version=0.17.2
Comment=AFFiNE Desktop App
Categories=Utility
MimeType=x-scheme-handler/affine

The part --no-sandbox --disable-setuid-sandbox in EXEC is to make the electron app run without sandbox & %u is to pass deeplink urls to the app for sign-in workflow.