pkg2appimage icon indicating copy to clipboard operation
pkg2appimage copied to clipboard

Published 20 hours ago verified publisher icon AppImageCommunity

Chromium no usable sandbox

Open chrisnharvey opened this issue 9 years ago • 9 comments
trafficstars

I'm getting a "no usable sandbox" issue when running the Chromium AppImage on Arch Linux. It runs fine when passing --no-sandbox to it. But, by default, the AppImage doesn't run.

chrisnharvey avatar Aug 30 '16 08:08 chrisnharvey

Which version of Chromium?

Related to https://github.com/probonopd/AppImages/pull/54 https://github.com/probonopd/AppImages/issues/53

probonopd avatar Aug 30 '16 08:08 probonopd

It was Chromium 55. The latest on your Bintray page.

chrisnharvey avatar Aug 30 '16 09:08 chrisnharvey

The reason for this is due to the fact that user namespace features are not compiled into Arch's default kernel. Without this the Chromium sandbox needs to be SUID to root in order to setup a suitable secure environment. However, this cannot be done within Appimage. Thus the Appimage format is not really suitable for Chromium based browsers, at least if you are expecting truly distro independent, "universal" packages.

I have written a bit more about this issue on my work blog. I am speaking about Vivaldi browser, but it is Chromium based and the same applies for pure Chromium.

P.S. @chrisnharvey You can confirm that your kernel lacks this feature via the following command:

zgrep CONFIG_USER_NS /proc/config.gz

(Note: This command will not work on all distros since "/proc/config.gz" is not consistently available but it should work on Arch)

If you want the long Arch discussion about why they do not enable user namespaces, read this bug.

ruario avatar Sep 22 '16 09:09 ruario

Arch and derivatives are not the only distros that have user namespaces off and hence do not have a working sandbox, if the binary is not SUID to root. Any older distro with a kernel below 3.17 will also generally not work, unless the distro vendor has backported this feature (older Ubuntu releases do have this backported, thankfully).

Sadly however I do not have a comprehensive list of distros where this is a problem.

ruario avatar Sep 22 '16 10:09 ruario

@chrisnharvey I would also strongly advise against using the --no-sandbox switch as you are disabling important security features of the browser and hence leaving yourself open to attack. This switch is really only present for development and debugging purposes, not for regular usage.

I suggest you use a native Arch package of Chromium instead, so that yo can browse securely.

ruario avatar Sep 22 '16 10:09 ruario

Having a suid binary to make something "secure" is, well,... strange.

probonopd avatar Sep 27 '16 21:09 probonopd

Sure but traditional chroots work essentially the same way. You need root to start them. In any case the engineers who wrote this sandbox would entirely agree with you, which is why they have moved onto using other techniques and only have this as a fallback now. But with some distros (e.g. Arch) not having support for user sandboxes, this fallback is all that is available.

In the long term I am sure that Arch will add support for user namespaces and this issue will largely go away. Until then, an AppImage of a chromium based browser cannot run properly on such distros because we cannot have a SUID root owned binary and the host kernel does not support these features.

ruario avatar Sep 28 '16 08:09 ruario

In that case, it should imho be run without the sandbox on those systems.

probonopd avatar Sep 28 '16 18:09 probonopd

I read here that e.g., on Arch one needs to run sudo sysctl kernel.unprivileged_userns_clone=1 to make it work without the need for --no-sandbox.

probonopd avatar Sep 04 '19 18:09 probonopd