[Appimage] Chrome Sandbox - Root mode 4755 #749

Closed
JimmyMD opened this issue Mar 2, 2019 · 17 comments · Fixed by #957
Labels
engine possibly engine related issue help wanted


@JimmyMD

JimmyMD commented Mar 2, 2019

I downloaded the Linux AppImage which downloads the Linux generic 64 bit data. The game requests the user to set a provided Chrome-Sandbox binary to "owned by root" with mode "4755". It is very abnormal for a game to want root owned binaries with mode 4755 while those binaries are not part of the actual system.

This would generally be seen as dangerous and unwanted behavior.

  • OS: Manjaro 18.0, 64 bit
  • Thrive version 0.4.0.2 Linux AppImage

This is a very small log. Pasting it down here won't hurt.

Playing Thrive 0.4.0.2
Thrive is running. Log output:

Process Started
ERROR: /home/GenericUser/.config/Revolutionary-Games/Launcher/Installed/Thrive-0.4.0.2-LINUX-generic/Thrive-0.4.0.2-LINUX-generic/bin/Thrive: /usr/lib/libtiff.so.5: no version information available (required by /home/GenericUser/.config/Revolutionary-Games/Launcher/Installed/Thrive-0.4.0.2-LINUX-generic/Thrive-0.4.0.2-LINUX-generic/bin/lib/libfreeimage.so.3)
ERROR: [0302/110147.372847:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /home/GenericUser/.config/Revolutionary-Games/Launcher/Installed/Thrive-0.4.0.2-LINUX-generic/Thrive-0.4.0.2-LINUX-generic/bin/chrome-sandbox is owned by root and has mode 4755.
child process exited with code null

@hhyyrylainen
Member

I'm not seeing this behaviour. Your OS probably has some different settings. I'm running Fedora 28. There are also some Mint users who have not had this problem. I don't think the game looks for system wide install of that (as I can't find chrome-sandbox in /usr).

This is what I see (it's strange that it is not marked executable, but this is how the executable gets compiled on my computer):

-rw-r--r--.  1 hhyyrylainen hhyyrylainen   227152  4. 1. 12:27 chrome-sandbox

chrome-sandbox is part of Chromium Embedded Framework, which we use for the GUI. Unless this is just a small configuration issue this is a problem the CEF devs need to fix. You can run the game specifically with the --no-sandbox flag to skip the sandboxing (which disables protection of your computer from content loaded by CEF).

@JimmyMD
Author

JimmyMD commented Mar 2, 2019

I will attempt the "--no-sandbox" command line option soon. I have also found confirmation on another system (Arch Linux) concerning the chrome-sandbox binary which the game provides: https://aur.archlinux.org/packages/thrive/

Please note that I am using the "official" AppImage. I did not compile the game, nor did I use the AUR on Manjaro Linux.

@hhyyrylainen
Member

Okay, so using find on other directories I did find -rwsr-xr-x. 1 root root 216824 13. 2. 04:33 opt/google/chrome/chrome-sandbox. Which might indicate that the game in fact won't run if you don't have chrome installed. So perhaps I need to rethink how to install the game. I really don't want to have to write custom packages for all Linux flavours to make the game work. So it might just be that I'll need to put chrome as a dependency or something. It's not optimal. The other choice would be for the launcher to handle installing that chrome-sandbox binary if it is missing, but it would have to request root permissions when trying to install.

@hhyyrylainen hhyyrylainen added the engine possibly engine related issue label Mar 2, 2019
@JimmyMD
Author

JimmyMD commented Mar 2, 2019

I have chrome installed on my system. However, it is the Thrive Linux Data which provides its own chrome-sandbox binary and expects it to be root. I can understand why it does that, but I expect that many would not trust a random binary being set to root.

@hhyyrylainen
Member

If you delete that file does it work? On my system having that file with the wrong permissions has no effect.

@hhyyrylainen
Member

I made a comment on that arch package:

Hi, I'm one of the Thrive developers and responsible for the provided Linux packages.

Recently an issue was opened concerning the "chrome-sandbox" binary: #749 and this package was linked there. I'll reiterate some of my points here (and I ended up writing more info here, that I'll copy there).

The game uses Chromium Embedded Framework for the GUI. They recommend that the GUI content process is sandboxed (like in chrome) to prevent loaded web content from exploiting bugs in chromium to escape the browser process and do malicious things to the computer. Currently the game has no web content loaded in it but in the future we might want to show something like a wiki or help forums inside the game which is only partly controlled by us and could contain for example malicious JavaScript meant to exploit chrome. So the chrome-sandbox binary is part of CEF and distributed with the game. Slightly offtopic note is that on Windows due to the MD MT flag craziness the sandbox is not used.

In the packaged version the chrome-sandbox binary is included, but it is not even marked executable as that is the way the CEF library creates it when compiling. On my system (Fedora 28) this works just fine. I think this might be as I have chrome installed and have chrome-sandbox owned by root with permissions "-rwsr-xr-x." installed in opt/google/chrome/chrome-sandbox. When I deleted the chrome-sandbox binary from Thrive-0.4.0.2-LINUX-generic/bin the game still ran fine leading me to believe that that binary must be installed system wide in a location that CEF looks for. And the packaged binary is currently not needed / it needs to be installed with the correct permissions. As a fix for running the game I think the "--no-sandbox" flag should allow the game to start without a proper chrome-sandbox binary.
Suggestions as to how to solve this and pull requests are welcome.

I've been planning on switching away from CEF but that won't be happening soon. And I'd like to keep the possibility of having web content in the game in the future as well, which might work with servo if that becomes usable as an embedded browser.

@JimmyMD
Author

JimmyMD commented Mar 2, 2019

I removed the chrome-sandbox binary from the "Thrive-0.4.0.2-LINUX-generic" folder. It crashes because it can't find that exact binary.

Playing Thrive 0.4.0.2
Thrive is running. Log output:
Process Started
ERROR: /home/GenericUser/.config/Revolutionary-Games/Launcher/Installed/Thrive-0.4.0.2-LINUX-generic/Thrive-0.4.0.2-LINUX-generic/bin/Thrive: /usr/lib/libtiff.so.5: no version information available (required by /home/GenericUser/.config/Revolutionary-Games/Launcher/Installed/Thrive-0.4.0.2-LINUX-generic/Thrive-0.4.0.2-LINUX-generic/bin/lib/libfreeimage.so.3)
ERROR: [0302/125504.786423:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
child process exited with code null

@hhyyrylainen
Member

hhyyrylainen commented Mar 2, 2019

The message about No usable sandbox! Update your kernel is interesting. Which kernel version do you have? I have:

$ uname -a
Linux dakara.local 4.20.8-100.fc28.x86_64 #1 SMP Wed Feb 13 13:09:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

If you have a much older kernel it might be the reason why you need chrome-sandbox and show that the chrome-sandbox is not required on newer kernels.

@JimmyMD
Author

JimmyMD commented Mar 2, 2019

I checked the location of the "chrome-sandbox" binary which is part of my Google Chrome install. It is located in: "/opt/google/chrome/chrome-sandbox" which means that the game does not look for it outside of its own folders.

My kernel version is: 4.14.94-1-MANJARO #1 SMP PREEMPT Fri Jan 18 17:55:41 UTC 2019 x86_64 GNU/Linux

But that should be unrelated to the chrome-sandbox binary.

@hhyyrylainen
Member

"But that should be unrelated to the chrome-sandbox binary."
For me the game runs fine even when I delete the binary and if it is the case that the game doesn't look outside its own folder then that confirms that on a newer kernel the sandbox binary is unnecessary.

So if this is only a problem with older kernels I'm going to consider this a lower priority and only make a basic script for changing the chrome-sandbox permissions and a note somewhere to run it if you get the sandbox loading error.

@JimmyMD
Author

JimmyMD commented Mar 2, 2019

I only reported the issues. I can't decide what you do with it. :)
At least its existence is now known.

@vladimiry

vladimiry commented May 5, 2019

This is not just because of old kernels but is related to the disabled User Namespace, so SUID sandbox is used as a fallback and it requires chrome-sandbox to be owned by root plus 4755 permissions.

On Arch Linux User Namespace is disabled by default even if your kernel is not old. But you can enable it by executing sudo sysctl kernel.unprivileged_userns_clone=1. See details here.

@Itzyaoni

Itzyaoni commented Aug 7, 2019

Hi. I had the same problem in Manjaro updating Station from 1.43 to 1.44 from the AUR with pamac. Once Station was up to date, I tried to run it from the terminal and this appeared:
FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/station/chrome-sandbox is owned by root and has mode 4755.
trap' para punto de parada/seguimiento (core' generado)

I wrote: station --no-sandbox, and Station started, so I closed the app, went to /usr/lib/station/ in the terminal and did sudo chmod 4755 chrome-sandbox, and Station works normally without a problem.
Hope this can help.

@probonopd

Where can the AppImage be downloaded?

@hhyyrylainen
Member

I'm assuming they are referring to the launcher's AppImage: https://github.com/Revolutionary-Games/Thrive-Launcher/releases
The game is not packaged as an AppImage.

@probonopd

Ah, right, reminds me of AppImage/appimage.github.io#1628. Thanks.

@secur3gamer

This is not just because of old kernels but is related to the disabled User Namespace, so SUID sandbox is used as a fallback and it requires chrome-sandbox to be owned by root plus 4755 permissions.

On Arch Linux User Namespace is disabled by default even if your kernel is not old. But you can enable it by executing sudo sysctl kernel.unprivileged_userns_clone=1. See details here.

For anyone else that stumbles here from Google, you can make this change permanent by editing the /etc/sysctl.d/YOUR-SYSCTL.conf file. Add the line,

kernel.unprivileged_userns_clone=1

to the file and it will load on boot.
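
A diagnostic sketch of the decision the comments above describe, added here as an example and not taken from Thrive, CEF or Chromium: it checks whether unprivileged user namespaces are usable and whether a given chrome-sandbox helper is root-owned with mode 4755, then maps that state to the outcomes reported in this thread. The function names and outcome labels are made up for illustration; it assumes GNU stat and a kernel that exposes user.max_user_namespaces.

```shell
#!/bin/sh
# Added example (not Thrive, CEF or Chromium code): predicts the sandbox
# outcome reported in this thread from the state of the local system.

# helper_state PATH -> ok | bad | missing
# "ok" means owned by root (uid 0) with mode exactly 4755, as the error demands.
helper_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    if [ "$(stat -c '%u' "$1")" = 0 ] && [ "$(stat -c '%a' "$1")" = 4755 ]; then
        echo ok
    else
        echo bad
    fi
}

# userns_state [SYSCTL_ROOT] -> yes | no
# SYSCTL_ROOT defaults to /proc/sys; the parameter exists only for testing.
userns_state() {
    sys=${1:-/proc/sys}
    clone="$sys/kernel/unprivileged_userns_clone"  # distro-patched knob named in the thread
    max="$sys/user/max_user_namespaces"            # assumption: the kernel exposes this limit
    if [ -r "$clone" ] && [ "$(cat "$clone")" = 0 ]; then
        echo no; return 0
    fi
    if [ -r "$max" ] && [ "$(cat "$max")" -gt 0 ]; then echo yes; else echo no; fi
}

# predict USERNS HELPER -> outcome label matching the thread's observations
predict() {
    case "$1:$2" in
        yes:*)      echo userns ;;               # helper state had no effect (Fedora report)
        no:ok)      echo suid ;;                 # SUID fallback usable
        no:bad)     echo abort-misconfigured ;;  # setuid_sandbox_host.cc FATAL
        no:missing) echo abort-no-sandbox ;;     # "No usable sandbox!" FATAL
        *)          echo unknown; return 1 ;;
    esac
}

# Stand-alone use: sh check-sandbox.sh /path/to/bin/chrome-sandbox
if [ -n "${1:-}" ]; then
    h=$(helper_state "$1"); u=$(userns_state)
    echo "helper=$h userns=$u outcome=$(predict "$u" "$h")"
fi
```

An outcome of userns means no setuid-root binary is needed at all, which addresses the original concern about trusting a bundled helper with mode 4755.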
