
Please stop packaging the Desktop client with a setuid root chrome-sandbox #5153

Open
1 task done
jbillingredhat opened this issue Apr 3, 2023 · 8 comments
Labels
bug desktop Desktop Application

Comments

@jbillingredhat

Steps To Reproduce

Check out the RPM scripts for the latest (as of today) RPM:

$ rpm -qp --scripts https://github.com/bitwarden/clients/releases/download/desktop-v2023.3.1/Bitwarden-2023.3.1-x86_64.rpm

Expected Result

An RPM scriptlet that doesn't run chmod 4755 '/opt/Bitwarden/chrome-sandbox'

Actual Result

$ rpm -qp --scripts https://github.com/bitwarden/clients/releases/download/desktop-v2023.3.1/Bitwarden-2023.3.1-x86_64.rpm
postinstall scriptlet (using /bin/sh):
#!/bin/bash

# Link to the binary
ln -sf '/opt/Bitwarden/bitwarden' '/usr/bin/bitwarden'

# SUID chrome-sandbox for Electron 5+
chmod 4755 '/opt/Bitwarden/chrome-sandbox' || true

update-mime-database /usr/share/mime || true
update-desktop-database /usr/share/applications || true
postuninstall scriptlet (using /bin/sh):
#!/bin/bash

# Delete the link to the binary
rm -f '/usr/bin/bitwarden'

Screenshots or Videos

No response

Additional Context

Electron has long since stopped needing a setuid root chrome sandbox. The AppImage doesn't appear to have a setuid root chrome-sandbox. I believe it's only Electron 5 and less that needed it, but it still warns about it. Please see:

https://bugs.chromium.org/p/chromium/issues/detail?id=598454

I also checked the .deb file, and I see a very similar script that sets chrome-sandbox as 4755 in the deb postinst script.

Removing the setuid bits on the RPM will still permit the package to run, and also changing the permissions on a packaged RPM causes it to fail RPM integrity verification, which will show up on some security scans. It really doesn't make sense to do this for all RPM and DEB distros just to support an out of date method of setting up namespaces.

Operating System

Linux

Operating System Version

Fedora Linux 37 x86_64

Installation method

Other

Build Version

2023.3.1

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@jbillingredhat jbillingredhat added bug desktop Desktop Application labels Apr 3, 2023
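The integrity point in the report can be made concrete with a small check. The following is an added example, not code from the issue or from Bitwarden: it mimics what a package verifier does (rpm -V marks a file whose on-disk mode differs from the packaged mode with "M") using a constructed manifest and a temporary fake chrome-sandbox, so the mismatch that a postinstall chmod 4755 creates is visible without rpm installed. The manifest format and the verify_modes/setup_demo names are this example's own, not rpm's database format.

```shell
#!/bin/bash
# Added example (not from the issue or Bitwarden): a package header records the
# mode each file was packaged with; a verifier compares that against the mode on
# disk and flags a difference. A postinstall "chmod 4755" changes the on-disk
# mode after packaging, so verification fails on every host.
# The manifest format here is constructed for the demo, not rpm's real database.

# Report files whose on-disk mode differs from the mode recorded in a manifest.
# Manifest lines: "<octal mode> <path>". Prints "M <path> ..." per mismatch and
# returns 1 if any file differs or is missing, 0 if everything matches.
verify_modes() {
  manifest="$1"
  rc=0
  while read -r expected path; do
    [ -n "$path" ] || continue
    actual=$(stat -c '%a' "$path") || { echo "missing $path"; rc=1; continue; }
    if [ "$actual" != "$expected" ]; then
      echo "M $path (recorded $expected, found $actual)"
      rc=1
    fi
  done < "$manifest"
  return $rc
}

# Build a constructed "installed package" in a temp dir: a fake chrome-sandbox
# shipped at 0755, with a manifest recording that mode. Prints the directory.
setup_demo() {
  dir=$(mktemp -d)
  touch "$dir/chrome-sandbox"
  chmod 0755 "$dir/chrome-sandbox"
  printf '755 %s\n' "$dir/chrome-sandbox" > "$dir/manifest"
  echo "$dir"
}

# Stand-alone run: verify before and after the scriptlet-style chmod.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  d=$(setup_demo)
  verify_modes "$d/manifest" && echo "clean as packaged"
  chmod 4755 "$d/chrome-sandbox" || true     # what the postinstall scriptlet does
  verify_modes "$d/manifest" || echo "verification fails after postinstall chmod"
fi
```

Running it prints "clean as packaged" first and then the "M" line for chrome-sandbox, which is the same class of finding a security scanner reports when it runs the package verifier on an installed host.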
@joshuabjordan

Hi there,

This has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

@Hinton
Member

Hinton commented Apr 13, 2023

Hi @jbillingredhat,

We use the default installation template for electron-builder, and we've recently upgraded electron-builder to the latest version. However, it seems they still chmod the chrome-sandbox. https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/templates/linux/after-install.tpl#L14. A quick search shows that the deb and rpm packages appear to be sandboxed and seem to still require the chmod command to run properly.

@jbillingredhat
Author

I think that the electron-builder package tries to solve the problem for all distributions.

RHEL8 and later have User namespaces enabled by default, as well as Fedora. There's no need to have a setuid root executable. A lot of the electron-builder issues assume debian-specific kernel sysctls too, so it is unlikely that they've even considered running on any other platform.

It doesn't sound like you want to deviate from electron-builder, so I'll just recommend we not use this package.

@Hinton
Member

Hinton commented Apr 14, 2023

While it is possible to diverge from the default electron-builder settings, to do so would require us to investigate the issue further and make certain there are no degraded experiences on any environments using the rpm build. My understanding is that the setuid approach is still used as a fallback for environments that don't have user namespaces enabled; I don't know how many setups still do this though.

Would you be willing to open an upstream issue with electron-builder? That would be a good confirmation that we can safely change it on our side or if we can resolve it upstream.

Can you expand a bit deeper into how this breaks rpm integrity validation?

@jbillingredhat
Author

I opened electron-userland/electron-builder#7545. I hope it has enough information, I'm not deeply familiar with how electron-builder works.

@mmaietta

Reposting from the electron-builder issue. I took a look at it and might have a recommendation. I'm not familiar enough with Linux distros to test this myself; I just found related code via Stack Overflow.

To test this solution, you'd want to copy the default afterInstall.tpl and edit the related line to be:

if grep -qx 'CONFIG_USER_NS=y' "/boot/config-$(uname -r)" 2>/dev/null; then echo "You have support for User Namespaces, skipping setuid root chrome-sandbox"; else chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true; fi

Pulled the code from https://stackoverflow.com/a/40155124

I don't know enough Linux to be able to assist much here, but happy to open a PR for it if the change above works for you.

You'd allocate the new afterInstall.tpl in the electron-builder config like this:

  deb: {
    afterInstall: "installer/linux/after-install.tpl", // or whatever path to the script is
  },
  rpm: {
    afterInstall: "installer/linux/after-install.tpl",
  }

Ref: https://www.electron.build/api/programmatic-usage
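The check in the comment above only consults the kernel build config, which tells you whether user namespaces were compiled in, not whether unprivileged processes may actually create them on this host. The following is an added example, not electron-builder's template and not Bitwarden code: it makes the same decision but looks at the runtime knobs first (Debian/Ubuntu's kernel.unprivileged_userns_clone and the generic user.max_user_namespaces limit) and falls back to the build config only when neither exists. The sysctl directory and config path are parameters so the logic can be exercised against constructed files; userns_available and sandbox_action are this example's own names, and it prints the action instead of running chmod.

```shell
#!/bin/bash
# Added example, not electron-builder's after-install template. Decides whether
# the Electron sandbox helper needs the setuid fallback by checking whether
# unprivileged user namespaces are actually usable on this host.
# $1: sysctl root (default /proc/sys); $2: kernel config (default for running kernel).
# Both are parameters only so the logic can be tested on constructed directories.

# Returns 0 if unprivileged user namespaces look usable, 1 otherwise.
userns_available() {
  sysdir="${1:-/proc/sys}"
  config="${2:-/boot/config-$(uname -r)}"
  # Debian/Ubuntu kernels expose an explicit switch; 0 means disabled outright.
  if [ -r "$sysdir/kernel/unprivileged_userns_clone" ]; then
    [ "$(cat "$sysdir/kernel/unprivileged_userns_clone")" != "0" ] || return 1
  fi
  # Any recent kernel: a zero limit means no user namespaces can be created.
  if [ -r "$sysdir/user/max_user_namespaces" ]; then
    [ "$(cat "$sysdir/user/max_user_namespaces")" != "0" ] || return 1
    return 0
  fi
  # Older kernels without the limit knob: fall back to the build configuration,
  # which is all the original one-liner checked.
  [ -r "$config" ] && grep -qx 'CONFIG_USER_NS=y' "$config"
}

# Print the action a postinstall script would take. "skip" leaves chrome-sandbox
# at 0755 (no privileged helper on disk); "setuid" is where the old fallback,
# chmod 4755 on chrome-sandbox, would run.
sandbox_action() {
  if userns_available "$1" "$2"; then
    echo "skip"
  else
    echo "setuid"
  fi
}

# Stand-alone run against the live host.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "chrome-sandbox action on this host: $(sandbox_action)"
fi
```

Keeping the two outcomes in one function also gives packagers a single place to log the decision, so a host that silently fell back to the setuid helper can be found later by reading the install log rather than by a mode mismatch in a scan.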

@jtherrmann

I opened #9105 to report that running ./Bitwarden-2024.4.3-x86_64.AppImage on Ubuntu 24.04 LTS fails with an error like:

[325156:0509/102335.519347:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_BitwarNfStY1/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

After reading https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces, it seems that the workaround is to create a file /etc/apparmor.d/bitwarden with the following contents (I used /etc/apparmor.d/chrome for reference):

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile bitwarden /path/to/install/bin/Bitwarden-2024.4.3-x86_64.AppImage flags=(unconfined) {
  userns,
}

And then run sudo service apparmor reload.

The only annoying part will be keeping the executable path up-to-date with the latest version of Bitwarden, but this could be scripted.

@luckylinux

luckylinux commented Jun 3, 2024

@jtherrmann Unfortunately it doesn't work for me on Ubuntu 24.04

UPDATE: see EDIT below. It actually works, but the apparmor service was refusing to start!

[77770:0603/110135.856272:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_BitwarQ4kdAL/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

It seems that since Electron 5, chrome-sandbox does NOT have the setuid bit any longer, as they basically only rely on user namespaces. That seems bad considering how vulnerable user namespaces seem to be ...

Relevant sysctl -a | grep userns on my system; maybe something is not tuned correctly?

kernel.apparmor_restrict_unprivileged_userns = 1
kernel.apparmor_restrict_unprivileged_userns_complain = 0
kernel.apparmor_restrict_unprivileged_userns_force = 0
kernel.unprivileged_userns_apparmor_policy = 1
kernel.unprivileged_userns_clone = 1

Until now I was using the "workaround" of enabling User Namespaces.
Now I am reconsidering, given how insecure they are and how many exploits took advantage of them.

EDIT 1: actually it was caused by some snapd files I (re)moved somewhere else, due to me uninstalling snapd from my system.

The answer was in /var/log/syslog | grep -i apparmor:

2024-06-03T10:39:41.306623+02:00 ubuntuworkstation02 kernel: systemd-sysv-generator[5851]: Native unit for apparmor.service already exists, skipping.
2024-06-03T10:39:41.468777+02:00 ubuntuworkstation02 systemd[1]: unit_file_build_name_map: normal unit file: /usr/lib/systemd/system/apparmor.service
2024-06-03T10:39:41.508492+02:00 ubuntuworkstation02 systemd[1]: snapd.apparmor.service: Failed to load configuration: No such file or directory
2024-06-03T10:39:41.555432+02:00 ubuntuworkstation02 systemd[1]: var-cache-apparmor.mount: Failed to load configuration: No such file or directory
2024-06-03T10:39:41.729181+02:00 ubuntuworkstation02 systemd[1]: apparmor.service: Changed dead -> failed
2024-06-03T10:39:41.767318+02:00 ubuntuworkstation02 systemd[1]: apparmor.service: Releasing resources...
2024-06-03T10:39:41.827264+02:00 ubuntuworkstation02 systemd[1]: var-cache-apparmor.mount: Collecting.
2024-06-03T10:39:41.925930+02:00 ubuntuworkstation02 systemd[6099]: systemd 255.4-1ubuntu8 running in user mode for user 118/lightdm. (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
2024-06-03T10:39:42.225383+02:00 ubuntuworkstation02 dbus-daemon[6187]: [session uid=118 pid=6187] AppArmor D-Bus mediation is enabled
2024-06-03T10:58:26.514610+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405106.512:144): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=67616 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T10:58:26.515596+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405106.513:145): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=67624 comm="bitwarden" capability=21  capname="sys_admin"
2024-06-03T10:59:09.883602+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405149.881:146): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=70082 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T10:59:09.884587+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405149.882:147): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=70090 comm="bitwarden" capability=21  capname="sys_admin"
2024-06-03T10:59:54.845606+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405194.843:148): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=72235 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T10:59:54.846595+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405194.844:149): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=72243 comm="bitwarden" capability=21  capname="sys_admin"
2024-06-03T11:00:35.846607+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405235.844:150): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=74733 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T11:00:35.847611+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405235.845:151): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=74741 comm="bitwarden" capability=21  capname="sys_admin"
2024-06-03T11:00:50.365126+02:00 ubuntuworkstation02 systemd[1]: Got message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=GetAll  cookie=1 reply_cookie=0 signature=s error-name=n/a error-message=n/a
2024-06-03T11:00:50.366165+02:00 ubuntuworkstation02 systemd[1]: Found unit apparmor.service at /usr/lib/systemd/system/apparmor.service (regular file)
2024-06-03T11:00:50.366816+02:00 ubuntuworkstation02 systemd[1]: Preset files don't specify rule for apparmor.service. Enabling.
2024-06-03T11:00:50.377070+02:00 ubuntuworkstation02 systemd[1]: apparmor.service: Trying to enqueue job apparmor.service/reload/replace
2024-06-03T11:00:50.377143+02:00 ubuntuworkstation02 systemd[1]: apparmor.service: Installed new job apparmor.service/reload as 52197
2024-06-03T11:00:50.377212+02:00 ubuntuworkstation02 systemd[1]: apparmor.service: Enqueued job apparmor.service/reload as 52197
2024-06-03T11:00:50.377260+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=1 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.377304+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=2 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.377348+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=22866 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.377391+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=22867 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.377611+02:00 ubuntuworkstation02 systemd[1]: apparmor.service: Unit cannot be reloaded because it is inactive.
2024-06-03T11:00:50.377654+02:00 ubuntuworkstation02 systemd[1]: apparmor.service: Job 52197 apparmor.service/reload finished, result=invalid
2024-06-03T11:00:50.377790+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=6 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.377850+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=org.freedesktop.systemd1 destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=7 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.377883+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=22870 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.377912+02:00 ubuntuworkstation02 systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=22871 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
2024-06-03T11:00:50.378017+02:00 ubuntuworkstation02 systemd[1]: Got message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=Get  cookie=3 reply_cookie=0 signature=ss error-name=n/a error-message=n/a
2024-06-03T11:00:52.430615+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405252.429:152): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=75639 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T11:01:35.847589+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405295.846:153): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=77770 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T11:03:57.020616+02:00 ubuntuworkstation02 kernel: audit: type=1400 audit(1717405437.019:154): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=84792 comm="bitwarden" requested="userns_create" target="unprivileged_userns"

So the workaround for that is:

mv /var/lib/snapd /var/lib/snapd.backup.20240602
mkdir -p /root/apparmor.disabled/
mv /etc/apparmor.d/usr.lib.snapd.snap-confine.real /root/apparmor.disabled/

After that I can confirm that @jtherrmann's solution works fine.

EDIT 2: Updated /etc/sysctl.d/99-userns.conf settings for better hardening (minus the user namespaces ... 😞):

# This is needed to run some AppImage (notably Electron Apps)
kernel.unprivileged_userns_clone=1

# However, make sure to restrict their activity
# Create /etc/apparmor.d/<app> Profile
# Then Issue a systemctl restart apparmor
kernel.apparmor_restrict_unprivileged_userns=1
kernel.apparmor_restrict_unprivileged_userns_complain=0
kernel.apparmor_restrict_unprivileged_userns_force=1

kernel.apparmor_restrict_unprivileged_unconfined=1

kernel.unprivileged_userns_apparmor_policy=1
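With apparmor_restrict_unprivileged_userns enabled, the kernel audit lines in the syslog excerpt above are the signal to watch: an "AUDIT" userns_create record means an unconfined program created a user namespace and was moved into the unprivileged_userns profile, and a following "DENIED" capable record means that profile then blocked a capability (sys_admin here), which is exactly the failure the sandbox helper reports. The following is an added example, not from the thread, that summarises such lines per program so a host can be reviewed after hardening. The log sample is constructed in the shape of the records above (two of them copied from the excerpt, plus a second program and an unrelated systemd line) and summarize_apparmor_userns/sample_log are this example's own names.

```shell
#!/bin/bash
# Added example, not from the thread. Summarises AppArmor user-namespace audit
# records from a syslog-style file: how many times each program created a user
# namespace and how many DENIED records it then produced.
# Input format is the kernel audit line shape seen in the thread; the sample
# below is constructed for the demo.

# Print "<comm> <userns_create count> <denied count>" per program, sorted.
summarize_apparmor_userns() {
  grep 'apparmor="' "$1" | awk '
    # Strip the key= prefix and surrounding quotes from a key="value" token.
    function val(field,   v) { v = field; sub(/^[a-z_]+=/, "", v); gsub(/"/, "", v); return v }
    {
      comm = ""; op = ""; verdict = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)      comm = val($i)
        if ($i ~ /^operation=/) op = val($i)
        if ($i ~ /^apparmor=/)  verdict = val($i)
      }
      if (comm == "") next
      if (op == "userns_create") created[comm]++
      if (verdict == "DENIED")   denied[comm]++
      seen[comm] = 1
    }
    END { for (c in seen) printf "%s %d %d\n", c, created[c], denied[c] }' | sort
}

# Constructed sample log (two records in the shape of the thread excerpt, one
# extra program, one unrelated systemd line). Prints the temp file path.
sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
2024-06-03T10:58:26.514610+02:00 host kernel: audit: type=1400 audit(1717405106.512:144): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=67616 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T10:58:26.515596+02:00 host kernel: audit: type=1400 audit(1717405106.513:145): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=67624 comm="bitwarden" capability=21  capname="sys_admin"
2024-06-03T11:01:35.847589+02:00 host kernel: audit: type=1400 audit(1717405295.846:153): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=77770 comm="bitwarden" requested="userns_create" target="unprivileged_userns"
2024-06-03T11:02:00.000000+02:00 host kernel: audit: type=1400 audit(1717405320.000:160): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=80000 comm="chrome" requested="userns_create" target="unprivileged_userns"
2024-06-03T11:02:01.000000+02:00 host systemd[1]: apparmor.service: Unit cannot be reloaded because it is inactive.
EOF
  echo "$f"
}

# Stand-alone run: summarise the constructed sample, or a real log given as $1.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  summarize_apparmor_userns "${1:-$(sample_log)}"
fi
```

A program that appears with a userns_create count but no DENIED records is one whose own profile (like the bitwarden profile above) already grants userns; one with DENIED records is still being forced into the unprivileged_userns profile and is the one to give a named profile next.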
