Obsidian .AppImage not work in Kubuntu 24.04

What I’m trying to do

Execute .AppImage

Things I have tried

Give permissions to the file

It seems like an electron and sandbox problem. The message that the terminal gives is:

[9483:0427/092723.959907:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I’m aborting now. You need to make sure that /tmp/.mount_Obsidi8XJZAB/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

And with sudo:

[0427/092559.731276:FATAL:electron_main_delegate.cc(294)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
Trace/breakpoint trap

I decided to install the .deb package. It runs smoothly.

You need to install the fuse2 package to run appimages. Fuse3 is already installed but its ok to install the older one along side it.

Unfortunately, on Kubuntu 24.04 you cannot install libfuse2 as libfuse2t64 is installed in its place. If you try to install libfuse2, even using ‘force’ the apt program will tell you that it is selecting libfuse2t64 and that it is already installed and up to date. So this solution doesn’t work - unless you know of some other way to install fuse2…

sudo apt -f install libfuse2
[sudo] password for redacteduser: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'libfuse2t64' instead of 'libfuse2'
libfuse2t64 is already the newest version (2.9.9-8.1build1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

I did find another workaround - but I cannot find any concrete information discussing the possible security concerns of using this workaround - so use at your own risk.

For me, running obsidian with the --no-sandbox command line argument resolved the issue. (I had problems with the Flatpak version of Obsidian in the past, and I’m not a big fan of Snap, so for now, I’m using this solution)

./Obsidan-1.5.12.appimage --no-sandbox

It also fixed 8 of the other 11 appImage programs I have installed, several of which, have no Snap or Flatpak version.

The --no-sandbox solution IMHO is a dirty way, but it does work. The libfuse2t64 is installed, but it did not job. The fix might be in the properly configuring the sandbox. I did not find any solution that worked. Defining mounting options for tmpfs did not resolve the problem. I am looking for solution. I would try no to use --no-sandbox in the Exec field of .desktop file.

Could you try moving the file to /opt/Obsidian/obsidian ?

I tested following steps on AppImage package in version 1.6.3 from GitHub and after doing following steps I was able to run it (on Kubuntu 24.04 LTS).

Added nosuid to mount options for tmpfs in /etc/fstab:

❯ mount | grep tmpfs | grep '/tmp'
tmpfs on /tmp type tmpfs (rw,nosuid,noatime,nodiratime,inode64)

Make sure you have enabled kernel.unprivileged_userns_clone.

sudo sysctl kernel.unprivileged_userns_clone=1
chmod u+x Obsidian-1.6.3.AppImage
sudo mkdir  /opt/Obsidian
sudo mv Obsidian-1.6.3.AppImage /opt/Obsidian/obsidian

Run the app:

/opt/Obsidian/obsidian

The reason why it works is the default AppArmor profile /etc/apparmor.d/obsidian, that enables userns for obsidian (new security confinement restrictions in Ubuntu), but it works only if the application is installed under specific path.

Works for me!

My Obsidian couldn’t either start after upgrade to Ubuntu 24.04 with the same error as OP.

The SUID sandbox helper binary was found, but is not configured correctly.

I do not have a mount to /tmp, but moving the appimage to /tmp worked:

$ sudo mkdir /opt/Obsidian
$ sudo chown $USER:$USER /opt/Obsidian
$ mv ~/.local/bin/obsidian /opt/Obsidian/obsidian

I have Obsidian placed under the path /opt/Obsidian/obsidian but it doesn’t work.

The AppImage and Chromium Sandbox Compatibility Problem

AppImage is a popular format for distributing Linux applications in a portable, self-contained way. It allows users to run applications without installing them system-wide, simply by downloading and executing a single .AppImage file. While this simplicity is a major strength, it also presents challenges — particularly when it comes to applications built on the Electron framework, which relies on Chromium under the hood.

One significant issue arises from Chromium’s use of a security sandbox, designed to isolate the application’s processes and reduce the impact of potential security vulnerabilities. To function securely, Chromium depends on a helper binary called chrome-sandbox, which needs to be owned by the root user and have the setuid permission (mode 4755). This permission allows the binary to run with elevated privileges temporarily, enabling it to set up the secure environment.

However, AppImages are not installed in the traditional sense. When run, they mount themselves as read-only file systems under a temporary path (e.g., /tmp/.mount_*). Because of this, the chrome-sandbox binary inside the AppImage cannot be modified — it cannot be owned by root or assigned the required permissions. As a result, the sandbox cannot initialize, and Chromium (and by extension, Electron apps like Obsidian, Zettlr, or VSCodium) will abort execution by default, refusing to run without sandboxing unless explicitly told to do so using a flag like --no-sandbox.

Origins and Security Rationale

This behavior is not a bug, but a deliberate design choice in Chromium. Running without a sandbox introduces significant security risks, particularly for applications that load remote content or execute complex JavaScript code. Chromium developers intentionally cause the application to crash if sandboxing is misconfigured, unless the user disables it explicitly. From their perspective, it’s safer to fail than to run insecurely without warning.

AppImage, by its very nature, lacks the privileges and installation pathways to set file ownership or permissions as needed. This limitation creates a tension between the portability of AppImage and the security expectations of Chromium.

Potential Solutions and Future Perspectives

There are a few possible solutions to this problem, though none are universally implemented yet. One approach is to extract the AppImage manually, fix the permissions of chrome-sandbox using root access, and then run the application from the extracted directory. While effective, this workaround is inconvenient and defeats some of AppImage’s core goals — portability and simplicity.

Another long-term solution involves modernizing how Electron and Chromium handle sandboxing. There are efforts underway to allow secure sandboxes without relying on setuid binaries, by using technologies like user namespaces or seccomp filters. These mechanisms would make sandboxing work in environments without elevated privileges — such as inside AppImages.

Alternatively, the AppImage format itself could evolve to integrate more advanced sandboxing support, similar to what Flatpak or Snap already offer. These formats provide robust sandboxing without relying on setuid, using system-level services like Bubblewrap or AppArmor. However, doing so would increase the complexity and overhead of AppImage, which currently prides itself on minimalism.

Recommended Installation Methods to Avoid This Issue

For users who want a hassle-free experience with Electron apps like Obsidian, Zettlr, or Visual Studio Code, it is often better to install these applications through system package managers or sandboxed formats rather than using AppImages. Common alternatives include:

• .deb or .rpm packages: Official packages provided by the application developers or distributions, which install the software with the correct permissions and sandboxing configurations.
• Flatpak: A sandboxed app format that isolates applications securely and supports Chromium sandboxing without requiring setuid binaries.
• Snap: Another sandboxed packaging system providing confinement and security features.
• Personal Package Archives (PPAs) on Ubuntu-based systems: Trusted third-party repositories that package and maintain apps properly.

These installation methods handle the sandbox requirements correctly and generally provide automatic updates, integration with your system, and fewer manual fixes.

Conclusion

The incompatibility between AppImage and the Chromium sandbox stems from a fundamental mismatch between security expectations and packaging constraints. Until Electron and Chromium evolve away from their reliance on root-owned binaries, or AppImage adopts new sandboxing models, this issue is likely to persist. For now, users must choose between convenience (--no-sandbox) and security (manual setup), with the hope that future developments in both ecosystems will bring a more seamless solution. For the best experience and security, installing Electron apps through .deb, Flatpak, Snap, or official PPAs is generally recommended over using AppImages.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.