Can't start in Debian Buster #31

Closed
Doc73 opened this issue Dec 5, 2020 · 15 comments

@Doc73

Doc73 commented Dec 5, 2020

Dear Maintainers,
This is the error I receive every time I try to run chromium:

Your Flatpak version does not support the expose-pids flag, which means that Chromium is unable to run. This generally happens if your distro's bubblewrap installation is setuid instead of using user namespaces.

I'm running Debian Buster AMD64.
I installed chromium a few minutes ago.

Many thanks and best regards,
DC

@rany2
Contributor

rany2 commented Dec 5, 2020

Hello,

This isn't org.chromium.Chromium's fault. If you want it to work on Debian properly you'll have to run the following commands as root:

echo 'kernel.unprivileged_userns_clone=1' >> /etc/sysctl.conf
sysctl -p
bash -c 'chmod -s $(which bwrap)'
bash -c 'dpkg-statoverride --add --update root root 0755 $(which bwrap)'

@Doc73
Author

Doc73 commented Dec 5, 2020

Ah, thanks!
Does this change affect security?

@rany2
Contributor

rany2 commented Dec 5, 2020

I am not sure if it's that big of a deal, but you should know Debian is the only major distro that has user namespaces disabled. All the other distros and the official Linux kernel don't disable user namespaces by default and actually can't disable user namespaces. Even Ubuntu, which is based on Debian, has it enabled.

There have been some vulnerabilities with enabling that feature (all the known ones are fixed now), but I don't think it should be that concerning for the majority of users. For the most part it's safe.

@rany2
Contributor

rany2 commented Dec 5, 2020

grsecurity has a patch similar to the one that Debian uses but that is about it

@Doc73
Author

Doc73 commented Dec 5, 2020

Thank you very very much for your kind explanations.
I will read up on the matter carefully.
Many thanks again and best regards

@Erick555
Contributor

Erick555 commented Dec 5, 2020

See also discussion in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446

@refi64
Collaborator

refi64 commented Dec 11, 2020

The dialog should probably say more info, it's not super descriptive atm...

@Erick555
Contributor

It seems that the next Debian version will have unpriv user ns by default.

@adrelanos

Reported to Debian.
org.chromium.Chromium broken in Debian buster

@Doc73
Author

Doc73 commented Feb 17, 2021

Still not working!
I receive this message:
[image: chromium]

But...

$ apt policy flatpak
flatpak:
  Installato: 1.10.1-1~bpo10+1
  Candidato:  1.10.1-1~bpo10+1
  Tabella versione:
 *** 1.10.1-1~bpo10+1 100
        100 http://deb.debian.org/debian buster-backports/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2.5-0+deb10u3 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages

$ apt policy bubblewrap
bubblewrap:
  Installato: 0.4.1-3~bpo10+1
  Candidato:  0.4.1-3~bpo10+1
  Tabella versione:
 *** 0.4.1-3~bpo10+1 100
        100 http://deb.debian.org/debian buster-backports/main amd64 Packages
        100 /var/lib/dpkg/status
     0.3.1-4 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

$ uname -a
Linux desktop 5.10.0-0.bpo.3-amd64 #1 SMP Debian 5.10.13-1~bpo10+1 (2021-02-11) x86_64 GNU/Linux

😢

@refi64
Collaborator

refi64 commented Apr 7, 2021

@Doc73 apologies for the delay, what's the output of

$ cat /proc/sys/kernel/unprivileged_userns_clone
$ ls -l /usr/bin/bwrap

Also, do you see any errors when you flatpak run org.chromium.Chromium from the CLI?

@Doc73
Author

Doc73 commented Apr 7, 2021

@refi64

~$ cat /proc/sys/kernel/unprivileged_userns_clone
1
~$ ls -l /usr/bin/bwrap
-rwsr-xr-x 1 root root 63776 gen  8 10:24 /usr/bin/bwrap

No errors when running Chromium from the CLI; only the window posted above.

@Erick555
Contributor

Erick555 commented Apr 7, 2021

You didn't remove the setuid bit from bwrap; you may follow the instructions from https://github.com/flathub/org.chromium.Chromium/blob/master/portal_error.txt#L17 to fix that (this is also what the window above tells you to do 😄).

@Doc73
Author

Doc73 commented Apr 7, 2021

@Erick555
Yes, now it works, but the instructions to fix this issue talk about "other distros": I'm using Debian Buster! 😄

@refi64
Collaborator

refi64 commented Apr 7, 2021

I'll add an updated message to #89 when it gets merged in.

EDIT: Indeed, the setuid bit was re-added in early January:

bubblewrap (0.4.1-3~bpo10+1) buster-backports; urgency=medium

  * Rebuild for buster-backports.
    - Return to a setuid root /usr/bin/bwrap, the same as before 0.4.1-3,
      for compatibility with the default kernels in Debian 10 'buster'.
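
The two checks requested in this thread (the `unprivileged_userns_clone` sysctl and the setuid bit on `bwrap`) can be combined into one diagnostic. This is an added example, not part of the original thread or the project's code; the function name and state strings are hypothetical, and a missing sysctl file is assumed to mean the kernel does not carry Debian's restriction.

```shell
#!/bin/sh
# Added example: report which of the two conditions from this thread applies.
# Function name and state strings are hypothetical; paths default to the ones
# quoted in the thread and can be overridden for testing.
check_flatpak_userns() {
    sysctl_file=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    bwrap_bin=${2:-/usr/bin/bwrap}

    if [ ! -e "$bwrap_bin" ]; then
        echo "bwrap-missing"
        return 0
    fi

    # Assumption: if the sysctl file is absent, the kernel does not carry
    # Debian's restriction, so unprivileged user namespaces count as enabled.
    userns=1
    if [ -r "$sysctl_file" ]; then
        userns=$(cat "$sysctl_file")
    fi

    # [ -u ] is true when the setuid bit is set (the 's' in -rwsr-xr-x).
    setuid=no
    if [ -u "$bwrap_bin" ]; then
        setuid=yes
    fi

    case "$userns:$setuid" in
        1:no)  echo "ok" ;;
        1:yes) echo "bwrap-setuid" ;;
        *:yes) echo "userns-disabled+bwrap-setuid" ;;
        *)     echo "userns-disabled" ;;
    esac
}

check_flatpak_userns "$@"
```

With the values in Doc73's April 7 output (sysctl `1`, mode `-rwsr-xr-x`) this prints `bwrap-setuid`, the state the expose-pids error describes.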
