mpfau
commented
4 years ago Happens on Debian buster.
Add the following to /etc/sysctl.conf as workaround:
kernel.unprivileged_userns_clone=1
Open charlag opened 4 years ago
mpfau
commented
4 years ago Happens on Debian buster.
Add the following to /etc/sysctl.conf as workaround:
kernel.unprivileged_userns_clone=1
CrossBound
commented
4 years ago I am experiencing this problem on Debian 10 (Buster). I initially downloaded the file, granted execute permissions, and it did nothing... no warning or error. After running on the command line I realized an error was being thrown.
[4438:1122/230838.647104:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_tutano0dGmEB/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trapusing the --no-sandbox option is not a good option in my opinion as it eliminates the ability to easily run without having to drop to the command line just to open the tutanota app.
vladimiry
commented
4 years ago For the AppImage package the --no-sandbox needs to be hardcoded into the inner AppRun script so you don't have to explicitly pass it as CLI arg (same as for the Snap package). Here is an example of the script that does needed preprocessing during the app bundling stage.
charlag
commented
4 years ago Sorry, closed it by accident.
We don't want to disable sandbox for everyone.
vladimiry
commented
4 years ago Containerized package types (like Snap or AppImage) come with isolation capabilities which as far as I know makes it difficult to work well with built-in electron/chromium sandboxing. Advanced users could try firejail sandboxing utility that is supposed to work well with AppImage.
charlag
commented
4 years ago @vladimiry I believe there's misunderstanding of sandboxing options. The sandbox which Electron uses is for sandboxing the renderer process from the main process. see https://electronjs.org/docs/api/sandbox-option The sandboxing which Snap/Flatpak uses is another thing (it can limit which folders the app can access e.g.) and I don't know about AppImage sandboxing anything.
vladimiry
commented
4 years ago I don't know about AppImage sandboxing anything.
I didn't use sandboxing term but isolation capabilities. Regarding sandboxing, firejail is mentioned there.
maulinglawns
commented
4 years ago Just also want to confirm this bug on Debian 10 (Buster):
[2111:1223/094824.159565:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_tutanoHpzPs6/chrome-sandbox is owned by root and has mode 4755.
The workaround:
kernel.unprivileged_userns_clone=1Mentioned by @mpfau gets you up and running again. Would prefer another way if possible, but thanks for this!
lagerimsi-ds
commented
4 years ago Does it really solve the problem or make them more: Enable these privileges for the whole system. I mean: it's not just one app I decide to enable but anything that comes along like this.
abrahamparayil
commented
4 years ago I can confirm this issue on my Debian Buster setup too.
Also enabling those privileges for the whole system is a very bad idea. It is configured so in Debian so as prevent the vulnerabilities that arise by enabling it. There is however a way to edit the tutanota-desktop.desktop file in ~/.local/share/applications folder and hardcode the --no-sandbox option there.
Hopefully, when the team makes the source code of the desktop available we can package it for various distributions.
mucahitkurtlar
commented
3 years ago I have this problem on my Debian GNU/Lİnux with KDE Plasma machine. The solution is for KDE Plasma users: Right click "Tutanota Desktop" app > "Edit Application" > "Application" tab > Add ' --no-sandbox' to Command area > "OK"
puzzledbycode
commented
3 years ago using the --no-sandbox option is not a good option in my opinion as it eliminates the ability to easily run without having to drop to the command line just to open the tutanota app.
A way to avoid using the command line is to create a desktop launcher. This depends a bit on the desktop environmend you are using, but on most that support it, it should work somewhat like this:
Normally you can assign an Icon for the launcher also, not sure if there is a way to use the original Tutanota Icon, but that seems of little importance to me. At least this is a very simple way to not have to use the command line.
vladimiry
commented
3 years ago By the way, electron-builder has recently merged the https://github.com/electron-userland/electron-builder/pull/4496 PR so it will produce the appimage files with --no-sandbox embedded into the AppRun script.
zarathustra-f90
commented
3 years ago Thanks for the helpful info you all provided. I run all my appimages now with --no-sandbox option, however, does this enable a "security hole"? Sorry about the nomenclature but i'm not too savvy about the electron stuff, i was wondering because root privileges were mentioned in other comments.
danmanrana
commented
3 years ago @avronr I thought basically all Tutanota's code was open-source. Anyways, I still need that --no-sandbox argument for it to open, so I guess the merge that @vladimiry mentioned doesn't apply to Debian.
antonlydell
commented
3 weeks ago I have the same issue aswell on Ubuntu 24.04. It seems similar to this issue in Bitwarden :
Please stop packaging the Desktop client with a setuid root chrome-sandbox
Is it a secure workaround?
charlag
commented
2 weeks ago installing fuse is the right solution
Electron requires sandboxing now. Non-paranoid distributions enable non-privileged containers but Debian does not. App tries to fall back to fall back to the included helper binary but this binary must have setuid root.
It's not clear if we can fix that, at least with AppImage. Maybe we should at least document that and
--no-sandboxoption.see https://github.com/electron/electron/issues/17972 see https://github.com/electron/electron/issues/17972#issuecomment-516957971