
setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found

Open fredlubrano opened this issue 1 year ago • 11 comments

Describe the bug: After the update to version 1.11.0, there are permission issues with chrome-sandbox.

To Reproduce: Steps to reproduce the behavior:

sudo apt install ./Downloads/teams-for-linux_1.11.0_amd64.deb

Expected behavior:

~ teams-for-linux
[83647:0929/152327.695500:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755.
[1] 83647 trace trap (core dumped) teams-for-linux

Desktop (please complete the following information):

  • OS: Ubuntu 24.04.1
  • Installation package deb
  • Version 1.11.0

Debug:

teams-for-linux --webDebug --logConfig='{}'
[84087:0929/153335.703258:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755.
[1] 84087 trace trap (core dumped) teams-for-linux --webDebug --logConfig='{}'

Additional context: Resolved with

sudo chown root:root /opt/teams-for-linux/chrome-sandbox
sudo chmod 4755 /opt/teams-for-linux/chrome-sandbox

fredlubrano avatar Sep 29 '24 13:09 fredlubrano

It also works with teams-for-linux --no-sandbox

fredlubrano avatar Sep 29 '24 13:09 fredlubrano

Same issue after update to 1.11.0

damien-louis avatar Sep 30 '24 05:09 damien-louis

Thank you, @fredlubrano, I modified my launcher script by appending the --no-sandbox option, so that I can still launch the application from the Desktop icon:

cat /usr/share/applications/teams-for-linux.desktop

[Desktop Entry]
Name=Teams for Linux
Exec=/opt/teams-for-linux/teams-for-linux --no-sandbox %U
Terminal=false
Type=Application
Icon=teams-for-linux
StartupWMClass=teams-for-linux
Comment=Unofficial Microsoft Teams client for Linux using Electron. It uses the Web App and wraps it as a standalone application using Electron.
MimeType=x-scheme-handler/msteams;
Categories=Chat;Network;Office;

ondrej-simon avatar Sep 30 '24 05:09 ondrej-simon

Got the same issue after update to 1.11.0

huxxer avatar Sep 30 '24 06:09 huxxer

Got the same issue after update to 1.11.0

SergeyKhrystenko avatar Sep 30 '24 07:09 SergeyKhrystenko

This seems to be an Electron issue: https://github.com/electron/electron/issues/42510

There are a few workarounds in https://github.com/electron-userland/electron-builder/issues/5371#issuecomment-791771150 and other pages, but I will see if I can understand the issue better rather than just apply the "no-sandbox" for all.

IsmaelMartinez avatar Sep 30 '24 11:09 IsmaelMartinez

Seems to be a pure Ubuntu 24.04 issue where AppArmor is rejecting the use of unprivileged user namespaces (which are used by the sandboxing) without a corresponding application configuration in /etc/apparmor.d/. Details described here: https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts

Sep 30 09:55:49 kernel: audit: type=1400 audit(1727682949.856:664): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=13074 comm="teams-for-linux" requested="userns_create" target="unprivileged_userns"

Sep 30 09:55:49 kernel: audit: type=1400 audit(1727682949.857:665): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=13079 comm="teams-for-linux" capability=21 capname="sys_admin"

This comment describes how to (temporarily) disable the restriction https://github.com/electron/electron/issues/42510#issuecomment-2171583086

But the correct solution probably is to deploy such an apparmor file for Ubuntu 24.04 and up which explicitly allows for unrestricted user NS for the teams-for-linux binary.

moether avatar Sep 30 '24 12:09 moether

I have attached a working AppArmor profile file, to be copied to /etc/apparmor.d/teams-for-linux (I don't have my dev system with me ATM). Seems to be better than running without sandbox.

teams-for-linux.txt

KPS-MWT avatar Sep 30 '24 16:09 KPS-MWT

Reading further, this seems to be an issue with electron-builder, and maybe also electron.

https://github.com/electron-userland/electron-builder/issues/5721 https://github.com/electron-userland/electron-builder/issues/8440 https://github.com/electron/electron/issues/42510

I will keep an eye and see when the fix comes available, but the workaround might be needed for a while.

It does affect pretty much all Electron apps, so I do hope a fix appears soon(ish).

IsmaelMartinez avatar Sep 30 '24 19:09 IsmaelMartinez

I have attached a working AppArmor profile file, to be copied to /etc/apparmor.d/teams-for-linux (I don't have my dev system with me ATM). Seems to be better than running without sandbox.

teams-for-linux.txt

Works like a charm. The profile allows user name spaces for the executable /opt/teams-for-linux/teams-for-linux. teams-for-linux starts with sandboxing enabled.

  1. copy content of teams-for-linux.txt to /etc/apparmor.d/teams-for-linux
  2. reload AppArmor: sudo systemctl reload apparmor.service
  3. Enjoy

moether avatar Oct 01 '24 06:10 moether

@KPS-MWT, @moether and @IsmaelMartinez thank you for the quick resolution of this issue. I am proud of this community.

NaimadTheOne avatar Oct 01 '24 12:10 NaimadTheOne

I ran chmod 4755 /opt/teams-for-linux/chrome-sandbox and I am all set. (Before/after screenshots not reproduced here.)

burneystarke avatar Oct 23 '24 12:10 burneystarke
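The thread shows two distinct failure modes: the SUID helper's ownership/mode (the first post's chown/chmod fix) and Ubuntu 24.04's AppArmor restriction on unprivileged user namespaces (moether's three-step profile install). This added script, not part of the teams-for-linux project, checks for both and emits a minimal profile; the attached teams-for-linux.txt is not visible here, so the profile body is an assumption that follows the Ubuntu 24.04 `userns` pattern, and the profile path and the `diagnose`/`install` subcommands are my own choices.

```shell
#!/usr/bin/env bash
# Added example: diagnose the two causes seen in this thread and install an
# AppArmor profile that grants only userns creation to the app binary.

APP_BIN=/opt/teams-for-linux/teams-for-linux
SANDBOX_BIN=/opt/teams-for-linux/chrome-sandbox
PROFILE_PATH=/etc/apparmor.d/teams-for-linux   # assumed location

# Profile granting only user-namespace creation, otherwise unconfined
# (reconstruction of the Ubuntu 24.04 pattern, not the thread's attachment).
teams_apparmor_profile() {
  cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile teams-for-linux ${APP_BIN} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides.
  include if exists <local/teams-for-linux>
}
EOF
}

# 0 when owner/mode match what Chromium's setuid_sandbox_host demands
# (root-owned, mode 4755); takes them as arguments so it can be tested.
sandbox_helper_ok() {
  [ "$1" = root ] && [ "$2" = 4755 ]
}

# 0 when Ubuntu's userns restriction sysctl is on (source of the
# apparmor="DENIED" ... capname="sys_admin" audit lines above).
userns_restricted() {
  [ "${1:-$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo 0)}" = 1 ]
}

install_profile() {   # requires root
  teams_apparmor_profile > "$PROFILE_PATH" && apparmor_parser -r "$PROFILE_PATH"
}

case "${1:-}" in
  diagnose)
    owner=$(stat -c %U "$SANDBOX_BIN") && mode=$(stat -c %a "$SANDBOX_BIN")
    sandbox_helper_ok "$owner" "$mode" || echo "helper is $owner/$mode: chown root:root and chmod 4755 $SANDBOX_BIN"
    userns_restricted && echo "userns restricted: run '$0 install' to add the AppArmor profile"
    ;;
  install) install_profile ;;
esac
```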

It would be nice to integrate one of the workarounds in the package, to make the program usable "out of the box" and even after package upgrades. Thanks!

FabioPedretti avatar Oct 28 '24 14:10 FabioPedretti

As far as I can understand, most of the current workarounds are to disable the sandbox, while the "best" option is to create an AppArmor profile to only disable it for the app.

I think https://github.com/electron-userland/electron-builder/issues/8635 should fix this for everything but AppImage that is a bit funny.

This seems to be an Ubuntu decision to tie security permissions, and it is affecting all Electron apps that I know of, so it should in theory get fixed soon (I hope) by them.

In the meantime, create an AppArmor profile as mentioned in https://github.com/IsmaelMartinez/teams-for-linux/issues/1426#issuecomment-2384889316 and that should solve your problem.

In the meantime it should be possible to create an AppArmor profile like in https://github.com/gravitational/teleport/pull/43595/files#diff-9fa1aae9168524bdd0a97987f55e4a7ca8b77cd8c8cb47b5cfc33eb4e2a75230 and apply it after install, but unfortunately I can't test this.

IsmaelMartinez avatar Nov 03 '24 09:11 IsmaelMartinez

I ran into the same issue trying to move from the snap package to the deb one.

atommaki avatar Nov 11 '24 16:11 atommaki

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Dec 12 '24 09:12 github-actions[bot]

The issue is still not fixed.

FabioPedretti avatar Dec 16 '24 09:12 FabioPedretti

See https://github.com/IsmaelMartinez/teams-for-linux/issues/1426#issuecomment-2453340003 @FabioPedretti. This is a bit more complicated as it only affects the distros that have changed their default implementation to force apps to create an AppArmor profile. In my opinion this should be fixed upstream (in the bundling app), as otherwise it is more difficult for us to target just the distros/versions that might be affected, since we can't easily know if a distro is affected.

Applying the AppArmor profile solves the problem for everyone, for any install. Unfortunately the change by Ubuntu didn't take into account how this would affect all Electron apps, of which there are a few. That is the reason I thought they would fix it in electron-builder, but it is taking longer than I expected.

IsmaelMartinez avatar Dec 17 '24 05:12 IsmaelMartinez

Yes, I added my previous comment to avoid automatic closure by @github-actions bot. Hope it is OK to let this open until there is a proper fix. Thanks for the time devoted to this project!

FabioPedretti avatar Dec 17 '24 18:12 FabioPedretti

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jan 17 '25 09:01 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Jan 22 '25 09:01 github-actions[bot]

Some additional information. I installed the recommended apparmor file. When I tried to restart the teams-for-linux app, I was still seeing the error page. It wasn't until I clicked the Restart button that the issue resolved and I was able to get to the Teams home page after signing in.

EFEaglehouse avatar Feb 13 '25 15:02 EFEaglehouse

Ok, I just released version 1.14.0 (pre-release) that moves us to Electron 35 and electron-builder 26, which includes an AppArmor fix: https://github.com/electron-userland/electron-builder/pull/8636

Hopefully this problem goes away forever!!

IsmaelMartinez avatar Mar 28 '25 14:03 IsmaelMartinez