setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found #1426
Comments
It also works with teams-for-linux --no-sandbox |
Same issue after update to 1.11.0 |
Thank you, @fredlubrano , I modified my launcher script by appending the
|
Got the same issue after update to 1.11.0 |
This seems to be an electron issue: electron/electron#42510. There are a few workarounds in electron-userland/electron-builder#5371 (comment) and other pages, but I will see if I can understand the issue better rather than just apply the "no-sandbox" for all. |
Seems to be a pure Ubuntu 24.04 issue where apparmor is rejecting the use of unprivileged user namespaces without a corresponding application configuration in /etc/apparmor.d/ which are used by the sandboxing. Details described here: https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
This comment describes how to (temporarily) disable the restriction: electron/electron#42510 (comment). But the correct solution probably is to deploy such an apparmor file for Ubuntu 24.04 and up which explicitly allows for unrestricted user NS for the teams-for-linux binary. |
I have attached a working AppArmor profile file, to be copied to /etc/apparmor.d/teams-for-linux (I don't have my dev system with me ATM). Seems to be better than running without sandbox. |
Reading further, this seems to be an issue with electron-builder, and maybe also electron: electron-userland/electron-builder#5721. I will keep an eye on it and see when the fix becomes available, but the workaround might be needed for a while. It does affect pretty much all electron apps, so I do hope a fix appears soon(ish). |
Works like a charm. The profile allows user name spaces for the executable
|
@KPS-MWT, @moether and @IsmaelMartinez thank you for the quick resolution of this issue. |
It would be nice to integrate one of the workarounds in the package, to make the program usable "out of the box" and even after package upgrades. Thanks! |
As far as I can understand, most of the current workarounds are to disable sandbox, while the "best" option is to create an AppArmor profile to only disable it for the app. I think electron-userland/electron-builder#8635 should fix this for everything but AppImage, which is a bit funny. This seems to be an Ubuntu decision to tie security permissions, and is affecting all electron apps that I know, so should in theory get fixed soon (I hope) by them. In the meantime create an AppArmor profile as mentioned in #1426 (comment) and that should solve your problem. In the meantime it should be possible to create an AppArmor profile like in https://github.com/gravitational/teleport/pull/43595/files#diff-9fa1aae9168524bdd0a97987f55e4a7ca8b77cd8c8cb47b5cfc33eb4e2a75230 and apply it after install, but I can't unfortunately test this. |
I ran into the same issue trying to move from the snap package to the deb one. |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
The issue is still not fixed. |
See #1426 (comment) @FabioPedretti. This is a bit more complicated as it only affects the distros that have changed their default implementation to force apps to create an AppArmor profile. In my opinion this should be fixed upstream (in the bundling app), as otherwise it is more difficult for us to just target the distros/versions that might be affected, as we can't really know easily if the distro can be affected. Applying the AppArmor profile solves the problem for everyone for any installs. Unfortunately the change by Ubuntu didn't account for how this would affect all electron apps, of which there are a few. That is the reason I thought they would fix it in electron-builder, but it is taking longer than I expected. |
Yes, I added my previous comment to avoid automatic closure by @github-actions bot. Hope it is OK to let this open until there is a proper fix. |
Describe the bug
After the update to version 1.11.0, there are permission issues with chrome-sandbox
To Reproduce
Steps to reproduce the behavior:
sudo apt install ./Downloads/teams-for-linux_1.11.0_amd64.deb
Expected behavior
~ teams-for-linux
[83647:0929/152327.695500:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755.
[1] 83647 trace trap (core dumped) teams-for-linux
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Debug
teams-for-linux --webDebug --logConfig='{}'
[84087:0929/153335.703258:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755.
[1] 84087 trace trap (core dumped) teams-for-linux --webDebug --logConfig='{}'
IMPORTANT: Ensure that you mask any sensitive information before posting the output.
Additional context
Resolv
sudo chown root:root /opt/teams-for-linux/chrome-sandbox
sudo chmod 4755 /opt/teams-for-linux/chrome-sandbox
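
An added diagnostic sketch (not part of the original issue, teams-for-linux or Electron) that ties together the two conditions discussed in this thread: the ownership and mode of the SUID helper, and Ubuntu's AppArmor restriction on unprivileged user namespaces. It assumes Chromium tries the user-namespace sandbox first and only falls back to the SUID helper when namespaces are unavailable; the profile path is the one proposed in the comments, and the sysctl is Ubuntu's `kernel.apparmor_restrict_unprivileged_userns`.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of teams-for-linux or Electron.
HELPER=/opt/teams-for-linux/chrome-sandbox      # path from the FATAL message
PROFILE=/etc/apparmor.d/teams-for-linux         # location proposed in the thread
SYSCTL=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# helper_state "<uid> <octal mode>" -> ok | missing | bad-owner | bad-mode
helper_state() {
  set -- $1
  if [ "$1" = none ]; then echo missing
  elif [ "$1" != 0 ]; then echo bad-owner
  elif [ "$2" != 4755 ]; then echo bad-mode
  else echo ok
  fi
}

# verdict <helper_state> <userns_restricted 0|1> <profile_present 0|1>
# Assumption: user namespaces are tried first, the SUID helper is the fallback.
verdict() {
  if [ "$2" = 0 ] || [ "$3" = 1 ]; then
    echo userns-sandbox
  elif [ "$1" = ok ]; then
    echo suid-sandbox
  else
    echo "abort-expected: helper is $1 and no AppArmor userns profile"
  fi
}

diagnose() {
  restricted=0; present=0
  meta=$(stat -c '%u %a' "$HELPER" 2>/dev/null || echo 'none none')
  if [ -r "$SYSCTL" ] && [ "$(cat "$SYSCTL")" = 1 ]; then restricted=1; fi
  # File presence only; aa-status shows whether the profile is actually loaded.
  if [ -f "$PROFILE" ]; then present=1; fi
  verdict "$(helper_state "$meta")" "$restricted" "$present"
}

diagnose
```

A result of `suid-sandbox` means the app starts only because of the setuid-root helper, which a package upgrade can reset; `userns-sandbox` is the state the AppArmor profile is meant to restore.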