Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add instructions on how to run on Debian #1986

Closed
asddsaz opened this issue Nov 5, 2018 · 40 comments · Fixed by brave/brave-core#1204
Closed

Add instructions on how to run on Debian #1986

asddsaz opened this issue Nov 5, 2018 · 40 comments · Fixed by brave/brave-core#1204

Comments

@asddsaz
Copy link

asddsaz commented Nov 5, 2018

I installed brave today, and got this errors:

Log:

usr@LINUX:~$ sudo apt install brave
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:

[removed for privacy]

Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
brave
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 97.8 MB of archives.
After this operation, 443 MB of additional disk space will be used.
Get:1 https://s3-us-west-2.amazonaws.com/brave-apt stretch/main amd64 brave amd64 0.25.2-1 [97.8 MB]
Fetched 97.8 MB in 10s (9,152 kB/s)                                                                             
Selecting previously unselected package brave.
(Reading database ... 309999 files and directories currently installed.)
Preparing to unpack .../brave_0.25.2-1_amd64.deb ...
Unpacking brave (0.25.2-1) ...
Processing triggers for mime-support (3.60) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Processing triggers for bamfdaemon (0.5.3-2) ...
Rebuilding /usr/share/applications/bamf-2.index...
Processing triggers for gnome-menus (3.13.3-9) ...
Setting up brave (0.25.2-1) ...
usr@LINUX:~$ brave
[16129:16129:1104/213523.113443:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap
usr@LINUX:~$ 

Installation steps followed: https://github.com/brave/browser-laptop/blob/master/docs/linuxInstall.md

@Mikaela
Copy link

Mikaela commented Nov 5, 2018

You can workaround it by enabling user sandboxes with sudo sysctl kernel.unprivileged_userns_clone=1 and to make it permanent echo kernel.unprivileged_userns_clone = 1 | sudo tee /etc/sysctl.d/00-local-userns.conf via me in brave/browser-laptop#15279 (comment).

CC: @bsclifton this is still happening, I just also experienced this on Debian Buster/testing where I didn't have Brave installed before.

@simonorono
Copy link

Also happens on Manjaro with Linux 4.19.1 and Brave version 0.56.12 installed with this package

The workaround that @Mikaela commented also works.

[11991:11991:1114/225404.179905:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap (core dumped)

@Brave-Matt
Copy link

+1 (2 seperate users) from Community:
https://community.brave.com/t/brave-browser-wont-open-on-debian-64bit/38203/5

@asddsaz
Copy link
Author

asddsaz commented Dec 3, 2018

@Mikaela Appears to have fixed the issue, however I will keep this issue open.

Since most users don't utilize the Terminal very often. An easy to use solution should be reached or these commands need to be added to documentation.

@Mikaela
Copy link

Mikaela commented Dec 3, 2018

Thanks for reminding me about this issue, I had written this note, but I don't think I ever remembered to ask it anywhere.

About user namespaces, after they are enabled, the browser starts and about:sandbox seems OK. But all instructions for namespaces say that users should be assigned more uids in some file which is a step I am skipping.

What are the implications of this? Do Chromium-based browsers on all users claim to be properly userns-sandboxed while being sandboxed into uid of the current user and being able to do everything that the user can do, thus providing weaker security than the setuid sandbox it replaces?

I am feeling too tired for researching this more by myself at the moment and it's not very high priority on my todo list.


however I will keep this issue open.

👍 I believe that there is no valid reason for a web browser to demand me changing my kernel configuration, especially if I am running the stock configuration of my distribution, and if I did made my own kernel configuration changes, I expect a lot more apps would be breaking over it.

@cndouglas
Copy link
Contributor

+1 from brave/browser-laptop#15320

@cndouglas
Copy link
Contributor

Related: #1899 (same for Arch Linux)

@Mikaela
Copy link

Mikaela commented Dec 5, 2018

I think this should be renamed into "No usable sandbox" or "Requires userns namespaces" or something similar and that made a duplicate of this one as I understand both are the same issue.


I would like to bring this thread aware of what @veox said there (#1899 (comment)):

A commonly-quoted workaround is enabling unprivileged user namespaces using
sudo sysctl kernel.unprivileged_userns_clone=1

However, before doing that, see this reply on arch-general for why it's not enabled by default.

Note also that (from the link above):

   Moreover there are many applications that use this feature to provide or enhance security
   Among them are:
   lxc, systemd-nspawn, docker, flatpak, bubblewrap, firejail, firefox, chromium

There's one well-written sandbox there (Chromium's usage) and it doesn't require this feature.
Which is true: Chromium works just fine on Arch with the defaults, so I don't see a reason why Brave shouldn't.

@Brave-Matt
Copy link

+1 from Community:
https://community.brave.com/t/various-bugs-on-arch-or-manjaro-linux/38521/3

@jacobc-eth
Copy link

I would like to add on here. There should be no reason to lower the security settings of the kernel as a workaround. Here is what the Arch documentation writes about this:

Unprivileged usage is disabled by default unless the kernel.unprivileged_userns_clone sysctl 1 is set to 1 , since it greatly increases the attack surface for local privilege escalation.

https://wiki.archlinux.org/index.php/security

This seems like a significant security issue and it is very bad that many people are being told to reduce their kernel security. We need to solve the internal sandbox issue within Brave.

@diracdeltas
Copy link
Member

diracdeltas commented Dec 6, 2018

We require user namespaces because Chromium's builtin setuid sandbox is being deprecated: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_suid_sandbox.md

In the nearish future, Chromium linux users will also need to enable userns.

EDIT: see https://groups.google.com/a/chromium.org/forum/m/#!topic/security-dev/t5Zu0i3PbYE and https://bugs.chromium.org/p/chromium/issues/detail?id=312380 for more details

@diracdeltas
Copy link
Member

Here are more details on why chrome is dropping the setuid sandbox: https://bugs.chromium.org/p/chromium/issues/detail?id=312380

we should port brave/muon#171 over to this repo to make the error message more helpful

@diracdeltas diracdeltas self-assigned this Dec 6, 2018
@veox
Copy link

veox commented Dec 6, 2018

We require user namespaces because Chromium's builtin setuid sandbox is being deprecated: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_suid_sandbox.md

If docs are being linked, then perhaps the slightly more higher-level Linux Sandboxing explanation is in order; or even the generic Sandbox overview.

(EDIT: The three links are basically the doc tree on sandboxing in reverse.)

@posix4e
Copy link
Contributor

posix4e commented Dec 7, 2018

my main question for those who support enabling the setuid sandbox is this any different then what docker requires?

@michaldybczak
Copy link

michaldybczak commented Dec 11, 2018

Here are more details on why chrome is dropping the setuid sandbox: https://bugs.chromium.org/p/chromium/issues/detail?id=312380

Maybe I'm not understanding something but this thread started in 2013 and only last responses are from this year and July the second was marked as fixed.

"chrome is dropping" suggest present or near feature while the fix was done a half year ago and Chrome/Chromium is not having this issue, at least not in a visible way.

@diracdeltas
Copy link
Member

@michaldybczak from 2017: https://groups.google.com/a/chromium.org/forum/m/#!topic/security-dev/t5Zu0i3PbYE

@LaurenWags
Copy link
Member

@Mikaela
Copy link

Mikaela commented Dec 19, 2018

+1 from twitter https://twitter.com/plus530/status/1073957916560973824

I think that might actually be something with snapcrafters/brave#21 as I think Ubuntu defaults to enabling user namespaces, but I am not entirely sure if that was the case with Ubuntu 16.04 LTS.

@posix4e
Copy link
Contributor

posix4e commented Dec 19, 2018 via email

@diracdeltas diracdeltas changed the title Does not Run on Debian Add instructions on how to run on Debian Jan 3, 2019
diracdeltas added a commit to brave/brave-core that referenced this issue Jan 3, 2019
@phi11235
Copy link

told the authors to put the review pieces on this app on hold. until major issues fixed.

i like honey but the pots aint for our protection. no worries we have enough in our screen, ad infinitum boards. no legit human safety force has any excuse for such flaws. they dont need.

@diracdeltas
Copy link
Member

@jacobcantele i closed this because the original issue was someone asking how to run Brave on Debian which is now solved; let's move discussion of potential userns sandbox alternatives to #3420

@fmarier
Copy link
Member

fmarier commented Feb 19, 2019

cn you explain thaa command to me. I know it is asking alot but I am intrigued.

This first command:

curl -s https://brave-browser-apt-dev.s3.brave.com/brave-core-nightly.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-dev.gpg add -

does two things:

  1. It downloads a copy of the Brave public key (curl -s ...) which is used to sign the packages that we distribute.
  2. It adds this signing key to a new keyring (/etc/apt/trusted.gpg.d/brave-browser-dev.gpg) that the OS' package manager can use to ensure that downloaded brave-browser packages come from Brave Software.

The next line reads version information from the operating system:

source /etc/os-release

in order to detect the correct packages to use for your OS.

For example, on my Ubuntu 18.04 machine, that file contains the following:

NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Then the next line adds the Brave package repository from which the signed packages can be downloaded:

echo "deb [arch=amd64] https://brave-browser-apt-dev.s3.brave.com/ $UBUNTU_CODENAME main" | sudo tee /etc/apt/sources.list.d/brave-browser-dev-${UBUNTU_CODENAME}.list

The extra repository is added in a file like /etc/apt/sources.list.d/brave-browser-dev-bionic.list (that's the example for Ubuntu 18.04).

After adding the extra repository, we need to update the OS' list of available packages:

sudo apt update

before installing the brave-browser and brave-keyring packages:

sudo apt install brave-browser-dev brave-keyring

The brave-browser package is the web browser itself. The brave-keyring package is currently empty, but it will be used in the future to automatically update the signing key that was added in the first step.

In other words, once you are done following these instructions, you end up with four things:

  • a brave-browser package is installed
  • a brave-keyring package is installed
  • a new repository is enabled in /etc/apt/sources.list.d/brave-browser-dev-bionic.list
  • a new signing key is enabled in /etc/apt/trusted.gpg.d/brave-browser-dev.gpg

@palutz
Copy link

palutz commented Apr 18, 2019

I'm sorry but why this was closed if there is still no instruction how to install on debian (and still not working?)
On debian the instruction provided are not working
I'm getting these errors:

Err:8 https://brave-browser-apt-dev.s3.brave.com stretch InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0B31DBA06A8A26F9
...
...
Reading package lists... Done
W: GPG error: https://brave-browser-apt-dev.s3.brave.com stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0B31DBA06A8A26F9
E: The repository 'https://brave-browser-apt-dev.s3.brave.com stretch InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

@fmarier
Copy link
Member

fmarier commented Apr 18, 2019

@palutz Since you seem to have a few leftovers from a previous attempt at getting this to work, I would suggest you remove all of the Brave-related things from your system first by deleting the following files:

  • /etc/apt/sources.list.d/brave-browser*
  • /etc/apt/trusted.gpg.d/brave-browser*

and then removing any signing keys:

sudo apt-key del D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821
sudo apt-key del 9228DBCE20DDE5EC46488DE90B31DBA06A8A26F9

and any packages that may still be installed:

sudo apt purge brave-browser brave-browser-beta brave-browser-dev brave-browser-nightly brave-keyring

We will soon be changing the way we do our packages to better accommodate Debian, but in the meantime, try these instructions to install Brave on Debian. That's what I use on my Debian machine and it works well.

@palutz
Copy link

palutz commented Apr 18, 2019

Thanks.
Ok, so now my brave is back. Despite I lost ALL my session!!
Still not getting why you'd have done something like that since the system before was working (even if deprecated or deprecating) and the new one (clearly) not ready yet.
PS: I'm (maybe I should say I was, not really keen to keep using this now) on the stable channel, on Debian one of the most stable and slow updating distro. So, again, don't understand the rush with a half backed solution like this one.

@fmarier
Copy link
Member

fmarier commented Apr 19, 2019

@palutz Brave browser keeps a different profile for you depending on what version you use (release, beta, dev, nightly). You can see them in ~/.config/BraveSoftware/.

I suspect that your old browser profile is not lost, but rather you installed a different version of Brave than the one you were running before. From the error messages in #1986 (comment), I think you were running brave-browser-dev (i.e. the "dev" version) instead of brave-browser (i.e. the "release" version).

If you want to reinstall the dev version, follow the development channel installation instructions instead of the release channel ones.

@scribnermj
Copy link

If this thread clearly explains How to install brave on Debian stretch, I missed it.
is there a clear instruction page somewhere I can link to?

@bsclifton
Copy link
Member

@fmarier
Copy link
Member

fmarier commented May 18, 2019

@scribnermj Have a look at https://community.brave.com/t/unable-to-install-brave-browser-in-my-debian-os-distro/43891/5?u=fmarier. I got it to work successfully, both on Debian unstable/sid and Debian stable/stretch.

@SaFiSec
Copy link

SaFiSec commented Jun 23, 2019

sudo apt install brave

sudo apt install brave
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package brave
????

Not Install Why?

@srirambv
Copy link
Contributor

sudo apt install brave

This tries to install the snap package of muon which is deprecated. Please follow the instructions at https://brave-browser.readthedocs.io/en/latest/installing-brave.html. Once you have added the source list you need to install using sudo apt install brave-browser

@IIvexII
Copy link

IIvexII commented Jun 24, 2019

sudo apt install brave

sudo apt install brave
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package brave
????

Not Install Why?

You can install using sudo apt install brave-browser

@BlockHackTk
Copy link

Hello,

I tried different ways by following the different topics covered but I still can't launch Brave.
I run a Debian Sid on an Asus C301 chromebook with the Mate desktop using crouton. It works perfectly.
I would like to use the Beta version
I install this way:

I add:
deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com/ bionic main
in

/etc/apt/sources.list.d/brave.list

and do a:
curl -s https://brave-browser-apt-beta.s3.brave.com/brave-core-nightly.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-beta.gpg add -

I do an update and then install
sudo apt install brave-browser-beta

Then I also added

kernel.unprivileged_userns_clone = 1
in
/etc/sysctl.d/00-local-userns.conf

I also tried

echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf

As for Brave, here is the error message when launching Brave :

(sid)rom@localhost:~$ brave-browser-beta [24276:24276:0712/114139.882425:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! You probably need to enable user namespaces in your kernel. See https://brave-browser.readthedocs.io/en/latest/installing-brave.html#linux for more information. Trappe pour point d'arrêt et de trace (core dumped)

Could someone help me and and explain to me where I'm wrong

Thank you very much
Rom

@fmarier
Copy link
Member

fmarier commented Jul 12, 2019

@BlockHackTk After adding the line to /etc/sysctl.d/00-local-userns.conf, you'll have to either reboot, or run sysctl -p /etc/sysctl.d/00-local-userns.conf.

@feliziachen
Copy link

@MohakChugh
Copy link

Unable to download brave on 19.10 ubuntu due to unsigned ppa? does anyone else faces the same issue?

@fmarier
Copy link
Member

fmarier commented Oct 23, 2019

@MohakChugh See #6522 (comment).

@mirekphd
Copy link

mirekphd commented Dec 9, 2019

In case you wondered, the source for Brave that causes this error is not in the usual location, but here (enough to comment it out to repair apt-get update):

$ cat /etc/apt/sources.list.d/brave-browser-release-bionic.list 
# deb [arch=amd64] https://brave-browser-apt-release.s3.brave.com/ bionic main

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment