Getting an AppImage to work

Hi folks. I am trying to run an AppImage. Permissions are set to Execute. This is the error I get, but I don't know exactly what needs to be done. The tmp folder referenced doesn't exist - I think it's created on the fly?

$ ./ledger-live-desktop-2.89.1-linux-x86_64.AppImage

[1806686:1027/082007.981427:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_ledgerBa1Y1c/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

Help is appreciated. Thank you.

Hi, @ubducted :slight_smile:

(Usual disclaimer: please note that I'm just another Forum user here, I'm NOT an Ubuntu Developer and/or Ubuntu MATE Developer).

I think that error message - " (...) the SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. (..)" - that happens when trying to run an (electron-based) AppImage application - as I believe is the case of the "Ledger Live" app - is related to the following AppArmor bug, that was opened, in "Canonical Launchpad", on 18th December 2023 for the (then) development version of Ubuntu 24.04 LTS ("Noble Numbat"):

This problem has already been discussed here in the "Ubuntu MATE Community" in the following topic, that was started by @mikedabike on the 14th July of the current year (2024):

I hope this helps, at least somewhat :confused:

4 Likes

This does help as it puts me on to some avenues to search - thank you!

For the time being, I'll have to do my ledger tasks on a different computer :frowning:

1 Like

Hi, try ./ledger-live-desktop-2.89.1-linux-x86_64.AppImage --no-sandbox

1 Like

The --no-sandbox does work, but it introduces security risks. So I think I'll just run it in Docker and trust the Docker isolation. (Though my gut is telling me I might have issues with the AppImage recognizing my USB Ledger device?)

Your tip did lead me down a rabbit hole approach of changing the permissions of the temporary mount points that the AppImage creates. This still has security issues, but slightly less of them.

Of course, I do have a Windows VM, which is a last resort.

For those interested, here was my rabbit hole approach. Create a .sh file with this code:

#!/bin/bash
appimage_path="./ledger-live-desktop-2.92.1-linux-x86_64.AppImage"

# Run the AppImage, allowing some time for the mount to complete
"$appimage_path" &
sleep 1

# Dynamically identify the mount point
mount_point=$(mount | grep ledger | awk '{print $3}')

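# Fix ownership and permissions if the mount point exists
# (chown runs first: changing the owner clears the setuid bit, so chmod must come last)
if [[ -n "$mount_point" ]]; then
    sudo chown root:root "$mount_point/chrome-sandbox"
    sudo chmod 4755 "$mount_point/chrome-sandbox"
fi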

# Wait for the AppImage process to complete
wait

Then make executable and run:
$ chmod +x run_ledger.sh
$ ./run_ledger.sh


(edit: I am making this post the solution)

2 Likes
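A way to verify the condition the error message names (owner root, mode 4755) and to see whether the helper sits on a `nosuid` mount, where a setuid bit has no effect. This is an added example, not part of any post in this thread; the function names and the optional mounts-table argument are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: check the state of a chrome-sandbox helper.
# Function names are hypothetical; the mounts table defaults to /proc/self/mounts.

# Print the options of the mount containing $1 (longest mount-point prefix wins).
mount_opts_for() {
    local target="$1" table="${2:-/proc/self/mounts}"
    local dev mp fstype opts rest best="" best_opts=""
    while read -r dev mp fstype opts rest; do
        case "$target/" in
            "${mp%/}/"*)
                if [ "${#mp}" -ge "${#best}" ]; then
                    best="$mp"; best_opts="$opts"
                fi ;;
        esac
    done < "$table"
    printf '%s\n' "$best_opts"
}

# Print one verdict for the helper at $1:
#   ok | missing | wrong-owner | wrong-mode | nosuid-mount
# $2 = expected owner uid (default 0, i.e. root, as the error message requires)
# $3 = mounts table to consult (default /proc/self/mounts)
sandbox_helper_status() {
    local helper="$1" want_uid="${2:-0}" table="${3:-/proc/self/mounts}"
    local uid mode opts
    [ -e "$helper" ] || { echo missing; return 1; }
    uid=$(stat -c '%u' "$helper")     # numeric owner
    mode=$(stat -c '%a' "$helper")    # octal mode, e.g. 4755
    [ "$uid" = "$want_uid" ] || { echo wrong-owner; return 1; }
    [ "$mode" = "4755" ] || { echo wrong-mode; return 1; }
    # The kernel ignores the setuid bit on a mount flagged nosuid
    opts=$(mount_opts_for "$helper" "$table")
    case ",$opts," in
        *,nosuid,*) echo nosuid-mount; return 1 ;;
    esac
    echo ok
}

# Usage: ./check_helper.sh /tmp/.mount_XXXX/chrome-sandbox
if [ $# -gt 0 ]; then
    sandbox_helper_status "$@"
fi
```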

https://support.ledger.com/article/4404389606417-zd reads

Nice to see you managed to circumvent the problem!

Let me disagree and share my opinion, please. I think that the 'security risks' mentioned are in fact negligible.

AppImage sandboxing is intended to protect your system from an application and not vice-versa. I.e. sandboxing (somehow) protects your OS if the application in question is hijacked and/or infected and/or misbehaves.

Provided that you trust your Ledger application to store sensitive info & credentials as well as make real transactions, the real risk is not in the absence of sandboxing leaving your computer unprotected from your Ledger but in the possibility of hijacking your Ledger application from the outer world. And sandboxing does not protect from such a risk.

2 Likes