-
Notifications
You must be signed in to change notification settings - Fork 548
Appimage needs --no-sandbox
set during build in order to start (Solved)
#1524
Comments
On elementary OS 5.1.2 hera (x86_64 Linux 5.3.0-42-generic), I can run 0.8.10 just fine. Could this be distro-specific, or perhaps something unique to your PC's installation?
|
Are you able to launch from the terminal and check for error output? |
$ ./Beaker.Browser-0.8.10.AppImage |
$ ./Beaker.Browser.0.8.9.AppImage |
Oof, this is a bummer. Related issues:
Looks like neither snap or appimage can run with process sandboxing enabled. Based on https://github.com/electron-userland/electron-builder/blame/fc311995c196f1063ceb2d0bb0af61beac6038e8/packages/app-builder-lib/src/targets/snap.ts#L188 it looks like they disable the sandbox automatically for snaps but not appimage. Can anybody confirm if the beaker 0.8.10 snap works correctly? We'll have to update the build for the appimage manually. EDIT: just to comment on the security, basically the process-sandbox is a second layer of defense. There's a "Web Platform" sandbox by default which doesn't expose any access to the OS. The process-sandbox further isolates the browser's processes so that an exploit in the Web Platform has a harder time attacking the OS. Disabling the process-sandbox is not preferable but it does not remove the Web Platform sandbox; it removes a secondary defense. |
--no-sandbox
set during build in order to start
I just tested the snap v0.8.10 works perfectly and does sync with hashbase without having to restart beaker. |
Okay interesting. It may be time to deprecate the appimage |
I might have a similar issue with Beaker.Browser-1.0.0-prerelease.1.AppImage on Debian.
|
--no-sandbox
set during build in order to start--no-sandbox
set during build in order to start (Solved)
@raphaelbastide See my new edit(Solved) in the description. Should also work for you |
Works perfectly, thank you @danrobi11. Do you know what this command does? |
@raphaelbastide noclue. found it on the internet. nice workaround until this get fixed. |
This is a little bit "apples and oranges", but I've had to use that when I couldn't get a browser to open as root. It would be during times I had to login as root, not just via My memory's foggy about it now, but it seems like that flag and whichever browser I was using had something to do with how the affected browser accessed whatever it needed to function. That functionality is blocked for a few programs with the possible thought process that root is supposed to get in, do some admin work, and then get out, not hang out playing around with games and the Internet, etc. Because I'm always curious, too, I just tried a "what does the --no-sandbox flag do" search and received these two from the front page:
hm 😄 |
Same problem on Ubuntu 20.04 - even with
(which is wrong, /dev/shm is |
Some discussion here: https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do |
No, I have the same issue on Ubuntu 20.04.02 regardless the value of
|
Running MX Linux here. The appimage 0.8.9 and 0.8.10 both wont launch. Only the appimage 0.8.8 is working. Issue might be related with MX Linux using systemd-shim? https://mxlinux.org/blog/about-mx-19-and-systemd/
Appimage v0.8.10 does work on LinuxLite which have full systemd
OS: MX x86_64
Kernel: 4.19.0-6-amd64
DE: Xfce
OS: Linux Lite 4.8 x86_64
Kernel: 4.15.0-88-generic
DE: Xfce
New edit(Solved): Found this command line: sudo sysctl kernel.unprivileged_userns_clone=1
Run the command line in terminal and after run the appimage. That fixed my issue here
The text was updated successfully, but these errors were encountered: