setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found #1426

fredlubrano opened this issue Sep 29, 2024 · 19 comments
Labels
known issue/workaround Workaround available in the know_issues.md file

Comments

@fredlubrano

Describe the bug
After the update to version 1.11.0, there are permission issues with chrome-sandbox

To Reproduce
Steps to reproduce the behavior:

sudo apt install ./Downloads/teams-for-linux_1.11.0_amd64.deb

Expected behavior
~ teams-for-linux
[83647:0929/152327.695500:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755.
[1] 83647 trace trap (core dumped) teams-for-linux

Desktop (please complete the following information):

  • OS: Ubuntu 24.04.1
  • Installation package deb
  • Version 1.11.0

Debug
teams-for-linux --webDebug --logConfig='{}'
[84087:0929/153335.703258:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/teams-for-linux/chrome-sandbox is owned by root and has mode 4755.
[1] 84087 trace trap (core dumped) teams-for-linux --webDebug --logConfig='{}'

Additional context
Resolved:
sudo chown root:root /opt/teams-for-linux/chrome-sandbox
sudo chmod 4755 /opt/teams-for-linux/chrome-sandbox
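The two commands above put the helper into the state Chromium's setuid_sandbox_host check demands (owned by root, mode 4755); a helper that is present but in any other state makes the app abort with exactly the FATAL line quoted in the report. Below is a small check-and-fix script for that state, added here as an example. It is not part of the issue report or the teams-for-linux project; the path is the one from the log, and GNU coreutils stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the issue thread): verify that Chromium's setuid
# sandbox helper is owned by root (uid 0) and has mode 4755 (setuid + rwxr-xr-x),
# which is what setuid_sandbox_host.cc requires before it will use the helper.
# Assumes GNU stat (coreutils), as found on Ubuntu.

# check_suid_helper PATH
#   Returns 0 if PATH exists, is owned by uid 0 and has mode 4755.
#   Otherwise reports what is wrong on stderr and returns 1.
check_suid_helper() {
    helper="$1"
    if [ ! -f "$helper" ]; then
        echo "missing: $helper" >&2
        return 1
    fi
    # %u = owner uid, %a = permission bits in octal, including the setuid bit
    # (so a correctly configured helper reports "4755", a plain one "755").
    uid=$(stat -c '%u' "$helper")
    mode=$(stat -c '%a' "$helper")
    status=0
    if [ "$uid" != "0" ]; then
        echo "wrong owner: uid $uid (expected 0/root)" >&2
        status=1
    fi
    if [ "$mode" != "4755" ]; then
        echo "wrong mode: $mode (expected 4755)" >&2
        status=1
    fi
    return "$status"
}

# fix_suid_helper PATH
#   Applies the fix from the issue: root ownership and mode 4755. Needs root.
fix_suid_helper() {
    helper="$1"
    chown root:root "$helper" && chmod 4755 "$helper"
}

# Usage, as root, e.g. after a package upgrade; only changes anything when the
# check fails:
#   check_suid_helper /opt/teams-for-linux/chrome-sandbox \
#       || fix_suid_helper /opt/teams-for-linux/chrome-sandbox
```

Running the check as an unprivileged user is enough to diagnose the problem; only the fix needs root. Note that the setuid helper is Chromium's fallback for systems where it cannot create unprivileged user namespaces, which is why the abort appears at all on Ubuntu 24.04 (see the AppArmor discussion further down).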

@fredlubrano
Author

It also works with teams-for-linux --no-sandbox

@damien-louis

Same issue after update to 1.11.0

@ondrej-simon

Thank you, @fredlubrano , I modified my launcher script by appending the --no-sandbox option, so that I can still launch the application from Desktop icon:

cat /usr/share/applications/teams-for-linux.desktop

[Desktop Entry]
Name=Teams for Linux
Exec=/opt/teams-for-linux/teams-for-linux --no-sandbox %U
Terminal=false
Type=Application
Icon=teams-for-linux
StartupWMClass=teams-for-linux
Comment=Unofficial Microsoft Teams client for Linux using Electron. It uses the Web App and wraps it as a standalone application using Electron.
MimeType=x-scheme-handler/msteams;
Categories=Chat;Network;Office;

@huxxer

huxxer commented Sep 30, 2024

Got the same issue after update to 1.11.0

@SergeyKhrystenko

Got the same issue after update to 1.11.0

@IsmaelMartinez IsmaelMartinez added the known issue/workaround Workaround available in the know_issues.md file label Sep 30, 2024
@IsmaelMartinez
Owner

This seems to be an Electron issue electron/electron#42510

There are a few workarounds in electron-userland/electron-builder#5371 (comment) and other pages, but I will see if I can understand the issue better rather than just apply the "no-sandbox" for all.

@moether

moether commented Sep 30, 2024

Seems to be a pure Ubuntu 24.04 issue where AppArmor is rejecting the use of unprivileged user namespaces (which are used by the sandboxing) without a corresponding application configuration in /etc/apparmor.d/. Details described here: https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts

Sep 30 09:55:49 kernel: audit: type=1400 audit(1727682949.856:664): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=13074 comm="teams-for-linux" requested="userns_create" target="unprivileged_userns"

Sep 30 09:55:49 kernel: audit: type=1400 audit(1727682949.857:665): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=13079 comm="teams-for-linux" capability=21 capname="sys_admin"

This comment describes how to (temporarily) disable the restriction electron/electron#42510 (comment)

But the correct solution probably is to deploy such an apparmor file for Ubuntu 24.04 and up which explicitly allows for unrestricted user NS for the teams-for-linux binary.

@KPS-MWT

KPS-MWT commented Sep 30, 2024

I have attached a working AppArmor profile file, to be copied to /etc/apparmor.d/teams-for-linux (I don't have my dev system with me ATM). Seems to be better than running without sandbox.

teams-for-linux.txt

@IsmaelMartinez
Owner

IsmaelMartinez commented Sep 30, 2024

Reading further, this seems to be an issue with electron-builder, and maybe also electron.

electron-userland/electron-builder#5721
electron-userland/electron-builder#8440
electron/electron#42510

I will keep an eye and see when the fix comes available, but the workaround might be needed for a while.

It does affect pretty much all Electron apps, so I do hope a fix appears soon(ish).

@moether

moether commented Oct 1, 2024

> I have attached a working AppArmor profile file, to be copied to /etc/apparmor.d/teams-for-linux (I don't have my dev system with me ATM). Seems to be better than running without sandbox.
>
> teams-for-linux.txt

Works like a charm. The profile allows user namespaces for the executable /opt/teams-for-linux/teams-for-linux. teams-for-linux starts with sandboxing enabled.

  1. copy content of teams-for-linux.txt to /etc/apparmor.d/teams-for-linux
  2. reload AppArmor: sudo systemctl reload apparmor.service
  3. Enjoy
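The attached teams-for-linux.txt is not reproduced on this page. As an added example, not the attachment and not code from the teams-for-linux project, the script below writes a profile in the form Ubuntu 24.04 ships for its own browser packages: the binary stays unconfined except for a userns rule that permits user namespace creation for that one executable. It also performs the reload step from the list above and reads the kernel.apparmor_restrict_unprivileged_userns sysctl, which is the setting that makes the profile necessary on Ubuntu 24.04 and is worth checking before deploying the profile on another distribution. Unlike --no-sandbox, this keeps Chromium's renderer sandbox in place. The binary path is the one from the .deb; the profile name teams-for-linux and the use of apparmor_parser -r instead of a full service reload are assumptions.

```shell
#!/bin/sh
# Added example (not the profile attached to the thread): generate and install an
# AppArmor profile that lets /opt/teams-for-linux/teams-for-linux create
# unprivileged user namespaces, following the pattern Ubuntu 24.04 uses for its
# own browser profiles (unconfined plus a 'userns,' rule). Needs AppArmor 4.0+.

TEAMS_BIN=/opt/teams-for-linux/teams-for-linux   # path from the .deb (from the issue)
PROFILE_NAME=teams-for-linux                      # assumed profile/file name

# userns_restricted
#   Prints 1 if the kernel only lets AppArmor-permitted programs create
#   unprivileged user namespaces (Ubuntu 24.04 default), 0 if unrestricted,
#   and "unknown" where the sysctl does not exist (non-Ubuntu kernels).
userns_restricted() {
    f=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# render_profile
#   Prints the profile. flags=(unconfined) means nothing else about the app is
#   restricted; the profile's only effect is the 'userns,' permission, scoped to
#   this binary rather than granted system-wide via the sysctl.
render_profile() {
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

# Allow ${TEAMS_BIN} to use unprivileged user namespaces for the Chromium
# sandbox while leaving it otherwise unconfined.
profile ${PROFILE_NAME} ${TEAMS_BIN} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/${PROFILE_NAME}>
}
EOF
}

# install_profile [DIR]
#   Writes the profile to DIR/teams-for-linux (default /etc/apparmor.d) and,
#   when writing to the real directory, loads it with apparmor_parser so no
#   reboot is needed. Needs root for the default directory.
install_profile() {
    dir="${1:-/etc/apparmor.d}"
    target="$dir/$PROFILE_NAME"
    render_profile > "$target"
    chmod 0644 "$target"
    if [ "$dir" = /etc/apparmor.d ] && command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$target"   # equivalent: systemctl reload apparmor.service
    fi
}

# Usage (as root); only needed where the restriction is active:
#   [ "$(userns_restricted)" = 1 ] && install_profile
```

After loading, `sudo aa-status` lists teams-for-linux among the loaded profiles, and the `apparmor="DENIED" operation="capable" ... capname="sys_admin"` audit line quoted earlier should no longer appear when the app starts. The profile only needs to exist on systems where userns_restricted prints 1; elsewhere Chromium's namespace sandbox already works without it.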

@NaimadTheOne

@KPS-MWT, @moether and @IsmaelMartinez thank you for the quick resolution of this issue.
I am proud of this community.

@burneystarke

I ran chmod 4755 /opt/teams-for-linux/chrome-sandbox and I am all set.
Before: (screenshot)
After: (screenshot)

@FabioPedretti

It would be nice to integrate one of the workarounds in the package, to make the program usable "out of the box" and even after package upgrades. Thanks!

@IsmaelMartinez
Owner

IsmaelMartinez commented Nov 3, 2024

As far as I can understand, most of the current workarounds are to disable the sandbox, while the "best" option is to create an AppArmor profile to only disable it for the app.

I think electron-userland/electron-builder#8635 should fix this for everything but AppImage, which is a bit funny.

This seems to be an Ubuntu decision to tie security permissions, and it is affecting all Electron apps that I know of, so it should in theory get fixed soon (I hope) by them.

In the meantime create an AppArmor profile as mentioned in #1426 (comment) and that should solve your problem.

In the meantime it should be possible to create an AppArmor profile like in https://github.com/gravitational/teleport/pull/43595/files#diff-9fa1aae9168524bdd0a97987f55e4a7ca8b77cd8c8cb47b5cfc33eb4e2a75230 and apply it after install, but I can't unfortunately test this.

@atommaki

I ran into the same issue trying to move from the snap package to the deb one.


This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Dec 12, 2024
@FabioPedretti

The issue is still not fixed.

@IsmaelMartinez
Owner

See #1426 (comment) @FabioPedretti . This is a bit more complicated, as it only affects the distros that have changed their default implementation to force apps to create an AppArmor profile. In my opinion this should be fixed upstream (in the bundling app), as otherwise it is more difficult for us to just target the distros/versions that might be affected, as we can't really know easily if the distro can be affected.

Applying the AppArmor profile solves the problem for everyone for any install. Unfortunately the change by Ubuntu didn't take into account how this would affect all Electron apps, of which there are a few. That is the reason I thought they would fix it in electron-builder, but it is taking longer than I expected.

@FabioPedretti

Yes, I added my previous comment to avoid automatic closure by @github-actions bot. Hope it is OK to let this open until there is a proper fix.
Thanks for the time devoted to this project!
