
Re: Electron apps in Debian with --no-sandbox



buckwheatpancake <buckwheatpancake@protonmail.com> wrote:

> So, Electron stuff in Debian comes with this annoying thing where it tells you chrome-sandbox (in various applications) needs to be owned by root and have mode 4755. If you set that, it just tells you the same, with another file. I've taken to running these things with the --no-sandbox option, because I don't know what the solution is... is this safe or recommended?

You are hitting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446
and the fact that the Debian kernel is patched to disable creation of
user namespaces from non-privileged processes.

The canonically correct solution here is to do the following, as root:


echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf
service procps restart

That should resolve this problem for now, until Debian concludes their
discussion in the linked bug and enables this feature by default, as
most other distributions already do.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
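
Added example, not part of the original message: a small check that reports which sandbox mechanism an Electron application can use on a given machine, based on the two conditions discussed in this thread (the kernel.unprivileged_userns_clone knob, and a chrome-sandbox helper owned by root with mode 4755). The function name sandbox_mode, its output labels and the helper path argument are assumptions made for this illustration; stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# sandbox_mode SYSCTL_FILE HELPER   (hypothetical helper, not a Debian tool)
#   SYSCTL_FILE: normally /proc/sys/kernel/unprivileged_userns_clone
#   HELPER:      path to one application's chrome-sandbox binary
# Prints exactly one of:
#   userns       unprivileged user namespaces are enabled
#   setuid       the helper is root-owned with mode 4755
#   knob-absent  the kernel has no such knob, so this check cannot decide
#   none         neither mechanism is available
sandbox_mode() {
    sysctl_file=$1
    helper=$2

    # The knob discussed in the thread: 1 allows non-privileged
    # processes to create user namespaces.
    if [ -r "$sysctl_file" ]; then
        if [ "$(cat "$sysctl_file")" = "1" ]; then
            echo userns
            return 0
        fi
    fi

    # Fallback named in the error message: root ownership and mode 4755.
    if [ -f "$helper" ]; then
        owner=$(stat -c %u "$helper")
        mode=$(stat -c %a "$helper")
        if [ "$owner" = "0" ] && [ "$mode" = "4755" ]; then
            echo setuid
            return 0
        fi
    fi

    if [ ! -e "$sysctl_file" ]; then
        echo knob-absent
        return 0
    fi

    echo none
    return 0
}

# Stand-alone use: pass the path of the application's chrome-sandbox file.
if [ "$#" -ge 1 ]; then
    sandbox_mode /proc/sys/kernel/unprivileged_userns_clone "$1"
fi
```

A result of "none" is the state in which the application refuses to start without --no-sandbox; after the sysctl change above the same call should print "userns".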

