/opt/Signal/chrome-sandbox gets installed with 0755 instead of 4755 on Debian. #3627

Closed
1 task done
aknrdureegaesr opened this issue Sep 27, 2019 · 5 comments

aknrdureegaesr commented Sep 27, 2019

  • I have searched open and closed issues for duplicates

I found #3566 which has the same problem, but for a different signal-desktop version. It seems the problem was fixed in 1.27.2 (which worked for me as well), but it re-appeared in 1.27.3.

Bug Description

Installing signal-desktop version 1.27.3 on Debian GNU Linux Stretch leaves chrome-sandbox without the SUID bit set, so signal-desktop does not start up, with the error message

[12265:0927/090500.972291:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Signal/chrome-sandbox is owned by root and has mode 4755.
Trace/Breakpoint ausgelöst

Steps to Reproduce

  1. Have a Debian GNU Linux Stretch, version 9.11. (AMD64, in case that matters.)
  2. Integrate Signal desktop via APT source line deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main
  3. Install signal-desktop
  4. Try to run (as regular user, of course), via signal-desktop at the shell prompt.

Actual Result:

$ signal-desktop
[12521:0927/091506.037972:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Signal/chrome-sandbox is owned by root and has mode 4755.
Trace/Breakpoint ausgelöst

... and UI does not open.

Expected Result:

Signal desktop UI opens.

Additional info

$ ls -lta /opt/Signal/chrome-sandbox
-rwxr-xr-x 1 root root 5099032 Sep 25 23:51 /opt/Signal/chrome-sandbox

Workaround

sudo chmod u+s /opt/Signal/chrome-sandbox

fixes the problem.

Platform Info

Signal Version:

$ apt-cache show signal-desktop
Package: signal-desktop
Priority: extra
Section: default
Installed-Size: 257238
Maintainer: Open Whisper Systems <[email protected]>
Architecture: amd64
Version: 1.27.3
Depends: libnotify4, libappindicator1, libxtst6, libnss3, libasound2, libxss1
Filename: pool/main/s/signal-desktop/signal-desktop_1.27.3_amd64.deb
Size: 85860608
MD5sum: fe94ce3c848e7f2206b40248a1bb95ee
SHA1: fafa3707dfaa8b0a6fd77238d9eb6e755b358eae
SHA256: c26a08393c9a1d69aab8817618ed9faf58bc949d2e83cae7ce9102c52dcf2ab1
Description: Private messaging from your desktop
Description-md5: 4d25287b3fca1f18585f09153ea57a8f
Vendor: Open Whisper Systems <[email protected]>
Homepage: https://github.com/signalapp/Signal-Desktop#readme
License: GPL-3.0

Operating System:

Debian GNU Linux Stretch 9.11

Linked Device Version:

Not relevant.

Link to Debug Log

Not relevant.
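
The condition named in the error message above (helper owned by root, mode 4755) written as a scripted check. This is an added example, not part of the original issue or of Signal's code; the function names, return codes and the `EXPECTED_UID` parameter are assumptions made for illustration, and `dpkg-statoverride` is the standard Debian tool for permission overrides.

```shell
#!/bin/sh
# Added example (not from the issue): audit the SUID sandbox helper against
# the condition in the Chromium error message. Requires GNU stat (Debian).

# check_sandbox_helper PATH [EXPECTED_UID]
# Returns 0 = owner and mode as required, 1 = wrong mode, 2 = wrong owner,
# 3 = missing, a symlink, or not a regular file.
# EXPECTED_UID defaults to 0 (root); the parameter is hypothetical and exists
# only so the check can be tried on a scratch file without root.
check_sandbox_helper() {
    helper=$1
    want_uid=${2:-0}
    if [ -L "$helper" ] || [ ! -f "$helper" ]; then
        echo "$helper: missing or not a regular file" >&2
        return 3
    fi
    uid=$(stat -c '%u' "$helper")
    mode=$(stat -c '%a' "$helper")   # octal, e.g. 755 or 4755
    if [ "$uid" != "$want_uid" ]; then
        echo "$helper: owner uid $uid, expected $want_uid" >&2
        return 2
    fi
    if [ "$mode" != "4755" ]; then
        echo "$helper: mode $mode, expected 4755" >&2
        return 1
    fi
    return 0
}

# has_statoverride PATH
# True when dpkg has a permission override recorded for PATH; dpkg applies
# such overrides when it unpacks a package, unlike a one-off chmod.
# Returns 2 when dpkg-statoverride is not installed.
has_statoverride() {
    command -v dpkg-statoverride >/dev/null 2>&1 || return 2
    dpkg-statoverride --list "$1" >/dev/null 2>&1
}

# Usage on an affected system:
#   check_sandbox_helper /opt/Signal/chrome-sandbox
#   has_statoverride /opt/Signal/chrome-sandbox
```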

@kenpowers-signal
Contributor

Our current workaround is to run signal with --no-sandbox. #3536 (comment)

@allefeld

allefeld commented Sep 30, 2019

Same on Debian 10 (buster). The workaround to fix permissions manually works, but of course is lost with installation of an update.

The --no-sandbox workaround works, but @kenpowers-signal, that's not a proper fix, is it? I guess this one is closed because there is also issue #3536?

@aknrdureegaesr
Author

Problem still persists on Debian Stretch with Signal desktop version 1.27.4.

@aknrdureegaesr
Author

Indeed, @allefeld!

This bug has been closed, and obviously the reason for closing was not that the problem is fixed. I too think the reason was that this is considered a duplicate of #3536.

@scottnonnenberg-signal
Contributor

We will not be forcing a root setuid on our users to solve this problem. Running signal-desktop with --no-sandbox is our solution.

@signalapp signalapp locked and limited conversation to collaborators Oct 15, 2019