reticulum-meshchat

FATAL:setuid_sandbox_host.cc(158)

Open ronnietucker opened this issue 1 year ago • 10 comments

Running the AppImage on TuxedoOS (aka: Ubuntu with KDE) and I get:

[31262:1229/191655.761245:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_ReticuJQ7lJt/chrome-sandbox is owned by root and has mode 4755.

ronnietucker avatar Dec 29 '24 19:12 ronnietucker

Howdy! There's some previous discussion around this in the Matrix chat. https://matrix.to/#/!TRaVWNnQhAbvuiSnEK:matrix.org/$JwLq3WF5jGgzEF9Du6e85jrnEtnCFiq3hBECzP9CrN8?via=matrix.org&via=tchncs.de&via=envs.net

I also saw this issue when trying to run the AppImage from CLI, but double clicking it from GUI seemed to launch fine.

If you find a way to resolve this, it would be great to get it fixed properly :)

liamcottle avatar Dec 30 '24 04:12 liamcottle

https://github.com/user-attachments/assets/22170512-8855-4799-9581-7d03f73cb3c4

liamcottle avatar Dec 30 '24 04:12 liamcottle

Thanks for the info. Here's what I've got so far:

If I double click the AppImage (in KDE) it won't run at all. Looks like it's doing nothing.

If I try and run it from the terminal I get the error message in my original post.

If I use AppImageLauncher and double click it, it'll ask if I want to run it once, or integrate it. If I run it once, it does nothing again. If I click to integrate, then choose it from my KDE menu, it will run, but then I get: [screenshot: Screenshot_20241230_111755]

ronnietucker avatar Dec 30 '24 11:12 ronnietucker

Thanks for the info, could you have a read through this one, and check the kernel settings?

https://docs.appimage.org/user-guide/troubleshooting/electron-sandboxing.html

If this doesn't help, I guess the only option is to add that flag to disable the sandboxing... In your screenshot it looks like it gets passed to my python script instead of the electron process.

Let me know if the kernel settings make a difference, if not, I'll look at adding the flag internally.

liamcottle avatar Dec 30 '24 11:12 liamcottle

Yep, my kernel replies with a 1 (as I think it's meant to?)

If I use the terminal to run Reticulum (the gibberish before AppImage is just part of AppImageLauncher) with the -no-sandbox it does run, but like last time it crashes out and I see:

$ ./ReticulumMeshChat-v1.17.0-linux_e1784ecf710d3e9b81182c4c46e6a50b.AppImage -no-sandbox
usage: ReticulumMeshChat [-h] [--host [HOST]] [--port [PORT]] [--headless] [--identity-file IDENTITY_FILE] [--identity-base64 IDENTITY_BASE64] [--generate-identity-file GENERATE_IDENTITY_FILE] [--generate-identity-base64] [--reticulum-config-dir RETICULUM_CONFIG_DIR] [--storage-dir STORAGE_DIR] [--test-exception-message TEST_EXCEPTION_MESSAGE] ...
ReticulumMeshChat: error: unrecognized arguments: -no-sandbox

[13017:1230/114730.271686:ERROR:browser_main_loop.cc(280)] GLib-GObject: ../../../gobject/gsignal.c:2685: instance '0x345000ef6110' has no handler with id '5168'

ronnietucker avatar Dec 30 '24 11:12 ronnietucker

Cool, thanks for checking that. I will need to spin up a VM to investigate this further. This will likely take me a couple of days. I'll update you once I have a fix :)

liamcottle avatar Dec 30 '24 11:12 liamcottle

Just to add that while the error says: You need to make sure that /tmp/.mount_ReticuAWHeOM/chrome-sandbox is owned by root and has mode 4755.

I don't see any .mount_Reticu... folder in /tmp/

ronnietucker avatar Dec 30 '24 17:12 ronnietucker

I see this issue on Kubuntu 24.04.1 too.

sindelar-fr avatar Jan 07 '25 10:01 sindelar-fr

@liamcottle I was looking at other projects that have the same issue, and according to another dev, this issue was fixed in electron-builder v26, so it seems like simply bumping that version might be all that's needed.

Edit: After further reading it seems like the update to electron-builder v26 only fixes the issue for .deb and other packages but not AppImage. This is supported by comments on electron-builder and comments on launchpad.

stephen304 avatar Apr 18 '25 16:04 stephen304

Running the AppImage on TuxedoOS (aka: Ubuntu with KDE) and I get:

[31262:1229/191655.761245:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_ReticuJQ7lJt/chrome-sandbox is owned by root and has mode 4755.

Ubuntu 23.XX and higher versions implemented a stricter security model through AppArmor that specifically targets unprivileged user namespaces [2].

You can review the full article.

For a complete understanding of this issue, including technical details and implementation specifics, you can take a look at: Technical Deep Dive

For more direct practical solutions, you can take a look at: Practical Workarounds

Nao-30 avatar May 09 '25 01:05 Nao-30
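
The two conditions discussed in this thread (the helper's owner and mode from the error message, and the kernel's unprivileged user namespace settings) can be checked together. The script below is an added example, not code from the thread or from the project; the function names are hypothetical, and the sysctl names are the standard Debian/Ubuntu knobs, which the thread itself does not spell out.

```shell
#!/bin/sh
# Added example: explain which Chromium sandbox layer is usable on a host.
# Decision logic is kept separate from host probing so it can be tested offline.

# classify_sandbox OWNER_UID MODE USERNS_CLONE APPARMOR_RESTRICT
#   OWNER_UID, MODE   : owner uid and octal mode of chrome-sandbox (want 0 and 4755)
#   USERNS_CLONE      : kernel.unprivileged_userns_clone ("" if the knob is absent)
#   APPARMOR_RESTRICT : kernel.apparmor_restrict_unprivileged_userns (1 = restricted;
#                       applies to binaries without an AppArmor profile allowing userns)
classify_sandbox() {
    owner=$1 mode=$2 clone=$3 restrict=$4
    userns=ok
    if [ "$clone" = "0" ]; then userns=blocked-by-sysctl; fi
    if [ "$restrict" = "1" ]; then userns=blocked-by-apparmor; fi
    suid=bad
    if [ "$owner" = "0" ] && [ "$mode" = "4755" ]; then suid=ok; fi

    if [ "$userns" = "ok" ]; then
        echo "namespace-sandbox-usable"
    elif [ "$suid" = "ok" ]; then
        echo "suid-helper-usable ($userns)"
    else
        # This is the state that produces the FATAL setuid_sandbox_host.cc abort.
        echo "no-sandbox-available ($userns, helper uid=$owner mode=$mode)"
    fi
}

# Print the value of /proc/sys/<path>, or nothing if the kernel lacks the knob.
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then cat "/proc/sys/$1"; fi
}

# diagnose_host PATH_TO_CHROME_SANDBOX  (uses GNU stat, as shipped on Ubuntu)
diagnose_host() {
    classify_sandbox \
        "$(stat -c %u "$1")" "$(stat -c %a "$1")" \
        "$(read_sysctl kernel/unprivileged_userns_clone)" \
        "$(read_sysctl kernel/apparmor_restrict_unprivileged_userns)"
}

# Run against a real helper only when a path is given on the command line.
if [ -n "${1:-}" ]; then diagnose_host "$1"; fi
```

The first result to look for is the combination reported here: `unprivileged_userns_clone` answering 1 while the AppArmor restriction is also 1, with a helper that is user-owned and not setuid.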