Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot start IPFS desktop: The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. #1044

Closed
Tanja-4732 opened this issue Aug 20, 2019 · 12 comments
Labels
area/linux Linux kind/bug A bug in existing code (including security flaws)

Comments

@Tanja-4732
Copy link

I'm running Manjaro Linux (based on Arch) and tried to install IPFS Desktop from source after the official (.AppImage) version didn't work.

But to my surprise, I got the same error.

I ran

  • Git clone
  • npm install
  • npm start
    • The output of which is displayed below
[bernd@bernd-pc ipfs-desktop]$ npm start

> ipfs-desktop@0.9.0-beta.2 start /home/bernd/Build/ipfs-desktop
> cross-env NODE_ENV=development electron -r @babel/register src/index.js

[18816:0820/141831.072284:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/bernd/Build/ipfs-desktop/node_modules/electron/dist/chrome-sandbox is owned by root and has mode 4755.

Please note that I am also using nvm:

[bernd@bernd-pc ~]$ nvm ls
->     v11.15.0
        v12.8.0
         system
default -> 11.15.0 (-> v11.15.0)
node -> stable (-> v12.8.0) (default)
stable -> 12.8 (-> v12.8.0) (default)
iojs -> N/A (default)
unstable -> N/A (default)
lts/* -> lts/dubnium (-> N/A)
lts/argon -> v4.9.1 (-> N/A)
lts/boron -> v6.17.1 (-> N/A)
lts/carbon -> v8.16.0 (-> N/A)
lts/dubnium -> v10.16.2 (-> N/A)

Why won't IPFS Desktop start?
And what does the error mean anyways?

@hacdias
Copy link
Member

hacdias commented Aug 20, 2019

I see you're using Manjaro, which is based on Arch, and that might be the issue. Please take a look at electron/electron#17972. I will see what I can do

@hacdias
Copy link
Member

hacdias commented Aug 20, 2019

Just out of curiosity: are you using any other Electron apps?

@Tanja-4732
Copy link
Author

Just out of curiosity: are you using any other Electron apps?

I am using VS Code (from the Manjaro repos) and Discord (from the AUR), which both work fine for me.

@hacdias hacdias added kind/bug A bug in existing code (including security flaws) area/linux Linux labels Aug 29, 2019
@hacdias
Copy link
Member

hacdias commented Sep 6, 2019

People have reported me that the .AppImage from 0.9.0-beta.3 is working. I'll close this now. Please feel free to re-open if the issue persists.

@hacdias hacdias closed this as completed Sep 6, 2019
@jacklund
Copy link

I'm running into this issue as well. I'm running Debian stretch.

% ./ipfs-desktop-0.9.2-linux-x86_64.AppImage
[4360:0912/221735.691205:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_ipfs-d4zHw66/chrome-sandbox is owned by root and has mode 4755.                                                                          
zsh: trace trap  ./ipfs-desktop-0.9.2-linux-x86_64.AppImage
% /opt/IPFS\ Desktop/ipfs-desktop
[5343:0912/221852.646119:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/IPFS Desktop/chrome-sandbox is owned by root and has mode 4755.                                                                                 
zsh: trace trap  /opt/IPFS\ Desktop/ipfs-desktop

^ From the .deb image

I also get the same thing when running from source

% npm start

> ipfs-desktop@0.9.2 start /home/jack/git/ipfs-desktop
> cross-env NODE_ENV=development run-s build:babel start:electron


> ipfs-desktop@0.9.2 build:babel /home/jack/git/ipfs-desktop
> babel src --out-dir out --copy-files --source-maps

Successfully compiled 41 files with Babel.

> ipfs-desktop@0.9.2 start:electron /home/jack/git/ipfs-desktop
> electron out/index.js

[6193:0912/221953.894155:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/jack/git/ipfs-desktop/node_modules/electron/dist/chrome-sandbox is owned by root and has mode 4755.

@hacdias
Copy link
Member

hacdias commented Sep 13, 2019

Ugh, oh... Using Arch or some Arch-based distro, right?

@hacdias hacdias reopened this Sep 13, 2019
@jacklund
Copy link

Nope, Debian buster, actually (I misspoke before when I said it was stretch).

@jacklund
Copy link

As another data point, when I sudo chmod 4755 /opt/IPFS\ Desktop/chrome-sandbox and then run it, I get:

% /opt/IPFS\ Desktop/ipfs-desktop  
zsh: trace trap  /opt/IPFS\ Desktop/ipfs-desktop

@ZeroAurora
Copy link

I'm running into this as well in Debian testing

@cchris-org
Copy link

ipfs-desktop-0.10.2-linux-x86_64.AppImage
Linux Mint LMDE (debian stretch)
Same here ..

@Mikaela
Copy link

Mikaela commented Feb 12, 2020

Workaround seems to be enabling usernamespaces and receiving the security issues from it brave/brave-browser#3420. If I understand the Arch Wiki security page correctly, the same should work on Arch (and likely deriatives).

Adjusting that a bit:

echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/00-local-userns.conf
sudo sysctl -p --system

I ran into this on my laptop while not on family PC, both running Debian 10 and the difference is that on the family PC I have ran Brave and thus done that and after copying the config on the laptop that wasn't working, IPFS Desktop started working, but I don't think this is a real solution as you can see from the Brave issue.

@lidel
Copy link
Member

lidel commented Mar 12, 2020

FYI v0.10.4 shipped with updated ipfs-desktop.desktop manifest which starts the electron app with --no-sandbox by default, which fixes startup via GUI shortcut on Debian 10 without lowering security system-wide (unprivileged_userns_clone).

Running ipfs-desktop --no-sandbox is so far the most robust way of making it work on all distros without the need for root access. In case someone is interested in technical details, or other ways of fixing "Electron/Chromium sandboxing issue", I wrote some details in #1362 (comment).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/linux Linux kind/bug A bug in existing code (including security flaws)
Projects
None yet
Development

No branches or pull requests

7 participants