Bug: chrome-sandbox owner and mode #231

Open
truemoroz opened this issue May 29, 2024 · 6 comments
Labels
bug Something isn't working

Comments

truemoroz commented May 29, 2024

Describe the bug
Cannot run Heynote on Kubuntu 24.04

To Reproduce
Steps to reproduce the behavior:

~/dist/Heynote_1.7.0_x86_64.appimage
[19821:0529/124154.856511:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_HeynotNXMb1x/chrome-sandbox is owned by root and has mode 4755.

Expected behavior
To be able to start the app

  • OS: Kubuntu
  • Version 24.04

Additional context
Here's how you can run the AppImage with the --no-sandbox option:
Heynote_1.6.0_x86_64.appimage --no-sandbox

Please note that this is a temporary workaround and not a permanent solution. The best course of action would be to contact the maintainers of the AppImage and ask them to fix the issue.

Owner

heyman commented May 29, 2024

I don't run desktop Linux myself, but some quick googling suggests two workarounds (electron/electron#17972):

  1. Starting the AppImage with --no-sandbox
  2. sysctl kernel.unprivileged_userns_clone=1 (I don't know the impact of this, but it sounds like it might make the system less secure)

If anyone knows how this can be fixed in Heynote, I'd be happy to merge such a fix.

@heyman heyman added the bug Something isn't working label May 29, 2024
Owner

heyman commented May 29, 2024

Could you try the following build and see if it fixed the problem?

https://github.com/heyman/heynote/actions/runs/9282799617/artifacts/1547452521

Owner

heyman commented Jun 3, 2024

Would you mind testing the build I made for you @truemoroz and see if it fixes it (it's this branch: https://github.com/heyman/heynote/tree/suid-sandbox-fix)?

@truemoroz
Author

./Heynote_1.7.0_x86_64.AppImage        
[217518:0605/114039.689536:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_Heynot1MCJ1Q/chrome-sandbox is owned by root and has mode 4755.
[1]    217518 trace trap (core dumped)  ./Heynote_1.7.0_x86_64.AppImage

I have the same error

Owner

heyman commented Jun 5, 2024

Okay 🙁, then I would probably need a Linux desktop machine where I could reproduce it in order to debug it.

Thanks for checking!


rambit commented Jul 5, 2024

It is a generic issue and not only Heynote. I get the same error with the theia-ide.org AppImage. My kernel.unprivileged_userns_clone was already 1, as can be checked with sysctl kernel.unprivileged_userns_clone, as mentioned on https://docs.appimage.org/user-guide/troubleshooting/electron-sandboxing.html

The error says: "You need to make sure that /tmp/.mount_HeynotNXMb1x/chrome-sandbox is owned by root and has mode 4755." But that mount folder is created when you run the app, so I guess it means that /tmp needs those permissions.

https://askubuntu.com/a/1512419 mentions a solution where you set nosuid on /tmp in fstab. As I was upgrading to Ubuntu 24.04 from 23.10 it makes me wonder if the update forgets to update permissions for /tmp which a fresh install might do when creating it?
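
A diagnostic for the three conditions raised in this thread (the helper's owner and mode, nosuid on the mount that holds it, and the kernel.unprivileged_userns_clone sysctl). It is an added example, not posted by any participant and not part of Heynote; the function names are hypothetical and it assumes GNU stat and a Linux /proc/mounts.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report why Chromium's SUID sandbox
# helper is rejected. Function names are hypothetical; assumes GNU stat.

# helper_attrs_ok UID MODE -> 0 only for root-owned, mode 4755 (what the error demands)
helper_attrs_ok() {
    [ "$1" = "0" ] && [ "$2" = "4755" ]
}

# mount_opts_for PATH [MOUNTS_FILE] -> prints the options of the longest mount
# point that is a prefix of PATH (/proc/mounts format: dev mountpoint fstype opts ...)
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2
          if (p == mp || mp == "/" || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# has_nosuid OPTS -> 0 if the comma-separated option list contains nosuid
has_nosuid() {
    case ",$1," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# diagnose HELPER_PATH -> prints findings; returns 0 only if the SUID helper can work
diagnose() {
    helper=$1; rc=0
    attrs=$(stat -c '%u %a' "$helper") || return 2
    set -- $attrs
    helper_attrs_ok "$1" "$2" || { echo "owner uid=$1 mode=$2 (need uid 0, mode 4755)"; rc=1; }
    opts=$(mount_opts_for "$helper")
    if has_nosuid "$opts"; then
        echo "mount options '$opts' include nosuid: the setuid bit is ignored"; rc=1
    fi
    userns=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo unset)
    echo "kernel.unprivileged_userns_clone=$userns"
    return $rc
}

# Usage, while the AppImage is still mounted (path taken from the error message):
#   diagnose /tmp/.mount_XXXX/chrome-sandbox
```
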
