Need help use AppImage

[Stevo]

The Debian kernel doesn't support sandboxing. It starts up for me using a Liquorix kernel, so what kernel are the other users running that have success with it?

[Stevo]

Electron apps, even in Appimages, are using an included runtime version of Chromium as the javascript engine, and we know that Chromium requires sandboxing. I therefore think I asked a legitimate question when I inquired about what kernel the successful users were using.

[Djhappy]

./Ankama\ Launcher-Setup-x86_64.AppImage

Code: Select all

./Ankama\ Launcher-Setup-x86_64.AppImage
[sudo] password for DJ: 
[4200:1210/185337.567698:FATAL:atom_main_delegate.cc(210)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
Trace/breakpoint trap

installed some sandbox packages and try again i get dis

Code: Select all

$ ./Ankama\ Launcher-Setup-x86_64.AppImage
[6705:1210/191151.824920:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_AnkamaYnfC58/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

[skidoo]

Code: Select all

./Ankama Launcher-Setup-x86_64.AppImage

filename contains a space character? If so, yeah, fall down go boom.
Instead of hoping to escape-atize the space character, just rename the file, eh.

[andyprough]

Electron apps, even in Appimages, are using an included runtime version of Chromium as the javascript engine, and we know that Chromium requires sandboxing. I therefore think I asked a legitimate question when I inquired about what kernel the successful users were using.

I've been using the latest antiX 4.19 LTS kernel from the MX repo, and the Dofus Appimage worked for me. So, yes, some difference from the stock MX kernel.

Code: Select all

$ uname -r
4.19.83-antix.1-amd64-smpw

[andyprough]

@andyprough
Just to clarify:

Stevo said ...
The Debian kernel doesn't support sandboxing.

The kernel you're using IS a Debian kernel ... so I still don't understand Stevo's assertion in the context of the OP's problem in this thread ... am I missing something here?

I don't know if something is missing, but there have been multiple reports of chromium-derived apps not working for all users. So, it's probably worthwhile to explore and ask questions like Stevo is asking.

Also, "Debian kernel" - I don't know this phrase. I can compile a plain vanilla kernel right now or a Linux-libre kernel with no proprietary blobs, and it should run just fine with MX. I certainly compiled plenty of my own kernels with Debian and with antiX without any troubles. And I am currently using a Linux-libre kernel with MX on my other laptop without a problem. So I don't know if "Debian kernel" really signifies anything. Maybe when Stevo says "Debian kernel", he simply means one taken from the Buster repository?

[Stevo]

"Debian kernel" means either a kernel directly from the Debian repos, such as the 4.19 currently the default in MX 19, or one backported from upstream Debian, such as we have available in our test repos. No others need apply, even if you compiled them yourself manually on a Debian base.

DJhappy:

Code: Select all

./Ankama\ Launcher-Setup-x86_64.AppImage
[sudo] password for DJ: 
[4200:1210/185337.567698:FATAL:atom_main_delegate.cc(210)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
Trace/breakpoint trap

How did sudo become involved?

[Djhappy]

I have by mistake add line sudo. What do I need to do ? Install other kernel?

[fehlix]

ISTM, the AppImage they provide does include chrome-sandbox helper, which requires to have a sandbox enabled.
Below a little AppImage launcher wrapper, which does the missing bit of enabling sandbox to allow the AppImage to run.
There are two ways to achieve this.
Either by running the below script, which I do recommend as it is a more "secure" way of enabling sandbox using SUID (thats what chromium-browser on Debian is doing) in addition to enable a kernel parameter yama-ptrace.scope.
You will be ask for the root-password in order to run the sandbox-fix.

Code: Select all

#!/bin/bash

# AppImage launcher 
# fehlix: 11.12.2019
# A simple appimage (type 2) launcher wrapper to enable chrome-sandbox SUID bit
# and enhance security by setting kernel.yama.ptrace.scope parameter 
# 
# Usage: run_app.sh path-to-appimage
#        run_app.sh   
# default App at: "$HOME/AppImage/Ankama Launcher-Setup-x86_64.AppImage"

APP="${1:-$HOME/AppImage/Ankama Launcher-Setup-x86_64.AppImage}"
APP=$(readlink -e "$APP")
[ ! -f "$APP" ] && echo "Fatal: No such AppImage: $APP" && exit 1
chmod +x "$APP"
TMP=$(mktemp -d /tmp/AppImageLauncher.XXXXXXXXXXXX)
tidy_up() { rm -rf $TMP; }
trap tidy_up EXIT
pushd $TMP
"$APP" --appimage-extract >/dev/null
CRS=$TMP/squashfs-root/chrome-sandbox
RUN=$TMP/squashfs-root/AppRun
YAMA="kernel.yama.ptrace_scope = 1"
CONF=/etc/sysctl.d/10-kernel.yama.ptrace_scope.conf
pkexec bash -c "echo $YAMA > $CONF ; sysctl --load $CONF; chown 0:0 $CRS; chmod 4755 $CRS;"
$RUN

To use the script save it e.g. as run_app.sh
Make the script executable.
Copy "Ankama Launcher-Setup-x86_64.AppImage"
into a new directory AppImage under your HOME
so it is available as:
$HOME/AppImage/Ankama Launcher-Setup-x86_64.AppImage

save the script into $HOME/AppImage/run_app.sh
open from terminal
cd $HOME/AppImage
chmod +x run_app.sh
./run_app.sh
You will be asked for the root-password to turn on the sandbox.
If that works, we might help you get this into the Menu or as a desktop icon.

An alternative approach would be to enable the kernel.unprivileged_userns_clone, kernel parameter which is less secure, hence I don't recommend.
HTH