Sandbox error on Linux app launch

[michaeldina357]

I am running a Debian 9 based system (MX Linux) Kernel version 4.19.0-6-amd64. I installed the .deb without any errors but when I tried to run the program it would not work. I ran it on command line so I could share the error message. I also tried to run the Appimage version and got a similar error.

Attempted to run .deb installation and got the following error: [21299:0319/210345.004538:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Simplenote/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

Attempted to run the Appimage version (64 bit) and got the following error: [21403:0319/210533.227036:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_SimpleGuztU5/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

[belcherj]

Interesting, this might be an electron issue. Please continue to use the previous version until we can get this resolved.

[michaeldina357]

Cool, thank you for such a useful FOSS project I will use a previous version. Please message me if there is any way I can help. I don't know any programming but I can bumble around in the command line.

[ralf-meyer]

I am experiencing the same problem on Debian 10. Simple workaround for now (without downgrading) is to use the --no-sandbox flag:

./Simplenote-linux-1.15.1-x86_64.AppImage --no-sandbox

[michaeldina357]

Thanks ralf-meyer I will try this on the App image when I get home tonight. I will report back if it works or not.

[michaeldina357]

Simple note 1.15.1 is working in my Linux machine using the --no-sandbox flag. Thank you!

[julienbenjamin]

Seems like the latest version (1.15.1) needs some tweaking. After installing the package on Debian 10:

$ simplenote 
[10014:0411/124608.457450:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Simplenote/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

[apjyotirmay]

This one's because of a Chromium bug and something to do with Linux's permission.

[clebermacieski]

Successful workaround with:

sudo chown root:root /opt/Simplenote/chrome-sandbox

sudo chmod 755 -R /opt/Simplenote/chrome-sandbox

sudo chmod 4755 /opt/Simplenote/chrome-sandbox

Source:
https://www.vivaolinux.com.br/topico/Suporte/Simplenote-Nao-abre/

[belcherj]

Should be fixed by #2102, which will be in version 1.19

[codebykat]

Closing, please let us know if there are still any issues with the latest version!

[spanderman]

The issue is still there, for Debian 10, as of today:

:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_Simple***/chrome-sandbox is owned by root and has mode 4755.

Just downloaded release 2.0.0 AppImage.

[sandymcfadden]

I've just tested this with the latest version 2.4.0 on Debian 10 and everything installed and ran as expected.
Closing for now but please reopen again if you do notice the same again.

[spanderman]

I've just tested this with the latest version 2.4.0 on Debian 10 and everything installed and ran as expected.
Closing for now but please reopen again if you do notice the same again.

Hi @sandymcfadden

I am trying to run this file:

https://github.com/Automattic/simplenote-electron/releases/download/v2.4.0/Simplenote-linux-2.4.0-x86_64.AppImage

and the error is still the same:

./Simplenote-linux-2.4.0-x86_64.AppImage
[5631:0116/143550.453734:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_SimpleG33BaW/chrome-sandbox is owned by root and has mode 4755.

As a comparison, version 1.14.0 still runs without issues, I removed and reinstalled it again, to be sure.

My version of Debian (no particular tweak as far as I know):

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

cat /etc/debian_version
10.7

[apjyotirmay]

Okay, I have an idea about what's going wrong.

Installing simpleapp (or any electron package) under "root" using "sudo" sets appropriate permissions. But if one tries to run the appimage version, they'll face the error. This can be resolved by passing the flag --no-sandbox to the AppImage.

I'm using AppImage for version 2.4.0, and I can confirm that I'm able to run the app without passing the --no-sandbox flag. Prior to this, I needed to set the flag.

[spanderman]

Okay, I have an idea about what's going wrong.

Installing simpleapp (or any electron package) under "root" using "sudo" sets appropriate permissions. But if one tries to run the appimage version, they'll face the error. This can be resolved by passing the flag --no-sandbox to the AppImage.

I'm using AppImage for version 2.4.0, and I can confirm that I'm able to run the app without passing the --no-sandbox flag. Prior to this, I needed to set the flag.

Hi @ajyotirmay

I am not sure I understood, I am/was trying to run the 2.4.0 as well. Using the --no-sandbox flag or install the AppImage as root doesn't look ideal to me.

[apjyotirmay]

@spanderman, no no, don't install AppImage as root. I was talking about installing a distro specific package (like .deb or .rpm) from official repos.

Yeah, I know running it by passing the flag isn't ideal, but looks like electron's changes weren't kept in line with the usage patterns of AppImages, since sandboxing requires root access on Linux.

However, I'm no expert, but so far looks like it's an issue with Electron.js

[codebykat]

Yeah, you're right. Some discussion in Electron here: electron/electron#17972 . --no-sandbox seems to be the officially recommended workaround.

It's possible we can remediate that with another Electron upgrade on our end, but that thread seemed to imply it might require the --no-sandbox argument regardless, depending on your system.

[apjyotirmay]

Yeah, if we're talking about doing it for Appimages. But wherever the installation happens with the help of a root account, e.g. using "sudo apt install..." it's totally possible to setup up right permissions for the electron runtime, but otherwise it's a huge challenge that isn't fixable by even a simple script (as an update to the app might break it)

[codebykat]

@ajyotirmay If this is possible for us to fix by adjusting the options in the Electron builder script, I'm happy to make any changes you suggest. I obviously don't want to be encouraging folks to install apps with sudo by default.

A bit more spelunking suggests there might be a fix in electron-builder (we're overdue for a dependencies update unfortunately). Does this read to you like it would fix the problem? electron-userland/electron-builder#4496

It seems like all that does is allow us to pass --no-sandbox by default for AppImages; is that a safe default?

[apjyotirmay]

@codebykat I'm looking for a possible solution. I'll be back with whatever I'm able to find

[spanderman]

@codebykat @apjyotirmay I am happy to report that the latest build:

https://github.com/Automattic/simplenote-electron/releases/tag/v2.19.1

works fine on Debian 11. No issues so far.

[kirillt]

What about RPMs? Are they going to be fixed as well?

[kirill@lenovo tmp]$ sudo rpm -i Simplenote-linux-2.21.0-x86_64.rpm
[sudo] password for kirill: 
chmod: cannot access '/opt/simplenote/chrome-sandbox': No such file or directory

Folder /opt/simplenote/ is not created neither.
OS: Fedora 32

[apjyotirmay]

As of now, I'm using the flatpak version of latest release, and I no longer encounter this issue. I'm assuming it's safe to close this now. Maintainers should look into this, cheers!

[raumalainen]

I found a bug
Linux Mint 21.1 Vera
dpkg -i Simplenote-linux-2.21.0-amd64.deb
->
chmod: cannot access '/opt/simplenote/chrome-sandbox': No such file or directory

Of course can not access, because the name of the folder is:
/opt/simplenote/

NOTE THE UPPERCASE 'S'

Just change the name of the folder and it gets installed
Now I have there /opt/Simplenote and /opt/simplenote. dhcp generated this 'S'-version.
The folders are copies of each other.
If I try to run simplenote in terminal, I get:
[8891:0410/142612.198838:FATAL:gpu_data_manager_impl_private.cc(415)] GPU process isn't usable. Goodbye.

This does not help me in any way. Why is it talking aput GPU ?

Sad. Simplenote worked fine until I made the upgrade to Linux Mint 21.1 Vera.
It is one of the most valuable programs, if you got to use Android phones and tablets.
And I REALLY do not want any snaps to my device !

[agung-m]

@raumalainen I found the same issue, and a workaround is to use the --no-sandbox flag.

[codebykat]

The latest version (2.22.1) upgraded a ton of dependencies and should have fixed issues such as this one. Please let us know if this is still a problem after updating!