Appimage: chrome-sandbox issue

Steps to reproduce

download Obsidian-0.12.3.AppImage
make executable and run

Expected result

It works

Actual result

error message is shown:
[4956:0530/120836.350061:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I’m aborting now. You need to make sure that /tmp/.mount_obsidiuH0vSK/chrome-sandbox is owned by root and has mode 4755.

Environment

  • Operating system: Debian 10
  • Obsidian version: 0.12.3

Additional information

UPD:
may be related(?) to: The SUID sandbox helper binary was found, but is not configured correctly · Issue #17972 · electron/electron · GitHub

Feedback: I run the 0.12.3 AppImage on Linux Mint 20.1 and don’t get this error. My installer is also 0.12.3.

You aren’t—by chance—trying to run Obsidian as root (a bad idea)?

My /tmp of course is owned by root, but my .org.chromium.Chromium.xxxx folder(s) and the files by my user.

I am running the appimage by usual user.
The file is: /tmp/.mount_obsidi4TpuMh/
-rwxr-xr-x 1 root root 4708288 May 10 22:58 chrome-sandbox

I’m not into the AppImage intrinsics so much, but it looks like happening during startup (so AppImage doing its thing before Obsidian is even started).

Guesswork: Is your /tmp folder available to everyone (i.e. at least 755)?

My /tmp has 1777 even (sticky bit set):

Auswahl_078

Good find about the namespace sandbox above!

My kernel.unprivileged_userns_clone is actually 1 which would explain it.

Auswahl_079

Let us know if it works to switch kernel.unprivileged_userns_clone on on a “naked” Debian, might be helpful for others!

Hello.
I just tried to switch the sysctl setting which we were talking about. It worked.
But the first link from google tells that this might be a bad idea which might lower the security of the system:

Until the appimage is fixed, I prefer to use .deb installation. It was installed and worked just fine.

1 Like