Brave-browser: Add instructions on how to run on Debian

Created on 5 Nov 2018 · 40 Comments · Source: brave/brave-browser

I installed Brave today, and got these errors:

Log:

```
usr@LINUX:~$ sudo apt install brave
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:

[removed for privacy]

Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
brave
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 97.8 MB of archives.
After this operation, 443 MB of additional disk space will be used.
Get:1 https://s3-us-west-2.amazonaws.com/brave-apt stretch/main amd64 brave amd64 0.25.2-1 [97.8 MB]
Fetched 97.8 MB in 10s (9,152 kB/s)
Selecting previously unselected package brave.
(Reading database ... 309999 files and directories currently installed.)
Preparing to unpack .../brave_0.25.2-1_amd64.deb ...
Unpacking brave (0.25.2-1) ...
Processing triggers for mime-support (3.60) ...
Processing triggers for desktop-file-utils (0.23-1) ...
Processing triggers for bamfdaemon (0.5.3-2) ...
Rebuilding /usr/share/applications/bamf-2.index...
Processing triggers for gnome-menus (3.13.3-9) ...
Setting up brave (0.25.2-1) ...
usr@LINUX:~$ brave
[16129:16129:1104/213523.113443:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap
usr@LINUX:~$

```

Installation steps followed: https://github.com/brave/browser-laptop/blob/master/docs/linuxInstall.md

Labels: OS/Linux, QA/No, release-notes/include

All 40 comments

You can work around it by enabling user sandboxes with `sudo sysctl kernel.unprivileged_userns_clone=1` and to make it permanent `echo kernel.unprivileged_userns_clone = 1 | sudo tee /etc/sysctl.d/00-local-userns.conf` via me in https://github.com/brave/browser-laptop/issues/15279#issuecomment-429657488.

CC: @bsclifton this is still happening, I just also experienced this on Debian Buster/testing where I didn't have Brave installed before.

Also happens on Manjaro with Linux 4.19.1 and Brave version 0.56.12 installed with this package

The workaround that @Mikaela commented also works.

```
[11991:11991:1114/225404.179905:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.
Trace/breakpoint trap (core dumped)
```

@Mikaela Appears to have fixed the issue, however I will keep this issue open.

Since most users don't utilize the Terminal very often, an easy-to-use solution should be reached or these commands need to be added to documentation.

Thanks for reminding me about this issue, I had written this note, but I don't think I ever remembered to ask it anywhere.

About user namespaces, after they are enabled, the browser starts and about:sandbox seems OK. But all instructions for namespaces say that users should be assigned more uids in some file which is a step I am skipping.

What are the implications of this? Do Chromium-based browsers on all users claim to be properly userns-sandboxed while being sandboxed into uid of the current user and being able to do everything that the user can do, thus providing weaker security than the setuid sandbox it replaces?

I am feeling too tired for researching this more by myself at the moment and it's not very high priority on my todo list.


> however I will keep this issue open.

:+1: I believe that there is no valid reason for a web browser to demand me changing my kernel configuration, especially if I am running the stock configuration of my distribution, and if I did make my own kernel configuration changes, I expect a lot more apps would be breaking over it.

+1 from brave/browser-laptop#15320

Related: #1899 (same for Arch Linux)

I think this should be renamed into "No usable sandbox" or "Requires userns namespaces" or something similar and that made a duplicate of this one as I understand both are the same issue.


I would like to bring this thread aware of what @veox said there (https://github.com/brave/brave-browser/issues/1899#issuecomment-440024104):

A commonly-quoted workaround is enabling unprivileged user namespaces using
sudo sysctl kernel.unprivileged_userns_clone=1

However, before doing that, see this reply on arch-general for why it's not enabled by default.

Note also that (from the link above):

   Moreover there are many applications that use this feature to provide or enhance security
   Among them are:
   lxc, systemd-nspawn, docker, flatpak, bubblewrap, firejail, firefox, chromium

There's one well-written sandbox there (Chromium's usage) and it doesn't require this feature.
Which is true: Chromium works just fine on Arch with the defaults, so I don't see a reason why Brave shouldn't.

I would like to add on here. There should be no reason to lower the security settings of the kernel as a workaround. Here is what the Arch documentation writes about this:

> Unprivileged usage is disabled by default unless the kernel.unprivileged_userns_clone sysctl is set to 1, since it greatly increases the attack surface for local privilege escalation.

https://wiki.archlinux.org/index.php/security

This seems like a significant security issue and it is very bad that many people are being told to reduce their kernel security. We need to solve the internal sandbox issue within Brave.

We require user namespaces because Chromium's builtin setuid sandbox is being deprecated: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_suid_sandbox.md

In the nearish future, Chromium linux users will also need to enable userns.

EDIT: see https://groups.google.com/a/chromium.org/forum/m/#!topic/security-dev/t5Zu0i3PbYE and https://bugs.chromium.org/p/chromium/issues/detail?id=312380 for more details

Here are more details on why chrome is dropping the setuid sandbox: https://bugs.chromium.org/p/chromium/issues/detail?id=312380

we should port https://github.com/brave/muon/pull/171 over to this repo to make the error message more helpful

> We require user namespaces because Chromium's builtin setuid sandbox is being deprecated: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux_suid_sandbox.md

If docs are being linked, then perhaps the slightly more higher-level Linux Sandboxing explanation is in order; or even the generic Sandbox overview.

(EDIT: The three links are basically the doc tree on sandboxing in reverse.)

My main question for those who support enabling the setuid sandbox: is this any different than what Docker requires?

> Here are more details on why chrome is dropping the setuid sandbox: https://bugs.chromium.org/p/chromium/issues/detail?id=312380

Maybe I'm not understanding something but this thread started in 2013 and only last responses are from this year and July the second was marked as fixed.

"chrome is dropping" suggests present or near future while the fix was done a half year ago and Chrome/Chromium is not having this issue, at least not in a visible way.

@michaldybczak from 2017: https://groups.google.com/a/chromium.org/forum/m/#!topic/security-dev/t5Zu0i3PbYE

+1 from twitter https://twitter.com/plus530/status/1073957916560973824

I think that might actually be something with https://github.com/snapcrafters/brave/pull/21 as I think Ubuntu defaults to enabling user namespaces, but I am not entirely sure if that was the case with Ubuntu 16.04 LTS.

It is the case that it is enabled yes!

Alex Newman

I'm concerned about the way in which this Issue was closed... User name spaces are explicitly disabled in many Linux distros, because they increase the risk for local kernel escalation. Again, see my post from the Arch Linux docs:

> Unprivileged usage is disabled by default unless the kernel.unprivileged_userns_clone sysctl is set to 1, since it greatly increases the attack surface for local privilege escalation.

Simply telling people to lower the security of their OS seems irresponsible and concerning. Is there no other real solution in the works?

Wait a sec. We are going to all this trouble for a safe browser and it needs us to go down to the lowest level and disable security that apps like facebook come with standard?

Where in that command is the attempt to put a hole in our security. Can you explain that command to me. I know it is asking a lot but I am intrigued.

```
curl -s https://brave-browser-apt-dev.s3.brave.com/brave-core-nightly.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-dev.gpg add -

source /etc/os-release

echo "deb [arch=amd64] https://brave-browser-apt-dev.s3.brave.com/ $UBUNTU_CODENAME main" | sudo tee /etc/apt/sources.list.d/brave-browser-dev-${UBUNTU_CODENAME}.list

sudo apt update

sudo apt install brave-browser-dev
```

Then there's the key.

Told the authors to put the review pieces on this app on hold until major issues are fixed.

I like honey but the pots ain't for our protection. No worries, we have enough in our screen, ad infinitum boards. No legit human safety force has any excuse for such flaws. They don't need.

@jacobcantele i closed this because the original issue was someone asking how to run Brave on Debian which is now solved; let's move discussion of potential userns sandbox alternatives to https://github.com/brave/brave-browser/issues/3420

> Can you explain that command to me. I know it is asking a lot but I am intrigued.

This first command:

```
curl -s https://brave-browser-apt-dev.s3.brave.com/brave-core-nightly.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-dev.gpg add -
```

does two things:

  1. It downloads a copy of the Brave public key (curl -s ...) which is used to sign the packages that we distribute.
  2. It adds this signing key to a new keyring (/etc/apt/trusted.gpg.d/brave-browser-dev.gpg) that the OS' package manager can use to ensure that downloaded brave-browser packages come from Brave Software.

The next line reads version information from the operating system:

```
source /etc/os-release
```

in order to detect the correct packages to use for your OS.

For example, on my Ubuntu 18.04 machine, that file contains the following:

```
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
```

Then the next line adds the Brave package repository from which the signed packages can be downloaded:

```
echo "deb [arch=amd64] https://brave-browser-apt-dev.s3.brave.com/ $UBUNTU_CODENAME main" | sudo tee /etc/apt/sources.list.d/brave-browser-dev-${UBUNTU_CODENAME}.list
```

The extra repository is added in a file like /etc/apt/sources.list.d/brave-browser-dev-bionic.list (that's the example for Ubuntu 18.04).

After adding the extra repository, we need to update the OS' list of available packages:

```
sudo apt update
```

before installing the brave-browser and brave-keyring packages:

```
sudo apt install brave-browser-dev brave-keyring
```

The brave-browser package is the web browser itself. The brave-keyring package is currently empty, but it will be used in the future to automatically update the signing key that was added in the first step.

In other words, once you are done following these instructions, you end up with four things:

  • a brave-browser package is installed
  • a brave-keyring package is installed
  • a new repository is enabled in /etc/apt/sources.list.d/brave-browser-dev-bionic.list
  • a new signing key is enabled in /etc/apt/trusted.gpg.d/brave-browser-dev.gpg

I'm sorry, but why was this closed if there is still no instruction on how to install on Debian (and still not working?)
On Debian the instructions provided are not working.
I'm getting these errors:

```
Err:8 https://brave-browser-apt-dev.s3.brave.com stretch InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0B31DBA06A8A26F9
...
...
Reading package lists... Done
W: GPG error: https://brave-browser-apt-dev.s3.brave.com stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0B31DBA06A8A26F9
E: The repository 'https://brave-browser-apt-dev.s3.brave.com stretch InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```

@palutz Since you seem to have a few leftovers from a previous attempt at getting this to work, I would suggest you remove all of the Brave-related things from your system first by deleting the following files:

  • /etc/apt/sources.list.d/brave-browser*
  • /etc/apt/trusted.gpg.d/brave-browser*

and then removing any signing keys:

```
sudo apt-key del D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821
sudo apt-key del 9228DBCE20DDE5EC46488DE90B31DBA06A8A26F9
```

and any packages that may still be installed:

```
sudo apt purge brave-browser brave-browser-beta brave-browser-dev brave-browser-nightly brave-keyring
```

We will soon be changing the way we do our packages to better accommodate Debian, but in the meantime, try these instructions to install Brave on Debian. That's what I use on my Debian machine and it works well.
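
Added example (not part of the thread, and not Brave's code): apt reports a missing key by its 16-hex-digit long key ID, which is the tail of the 40-digit fingerprint, so the `NO_PUBKEY` value in the error above can be matched against the two fingerprints named in the cleanup commands. The function names are assumptions made for this sketch; a match only identifies which key apt wants, and the full fingerprint still has to be checked against a trusted source before importing anything.

```shell
#!/bin/sh
# Added example, not from the thread. The fingerprints are the two that
# appear in the thread's `apt-key del` cleanup commands.
KNOWN_FPRS="D8BAD4DE7EE17AF52A834B2D0BB75829C2D4E821
9228DBCE20DDE5EC46488DE90B31DBA06A8A26F9"

# Error lines copied from the apt output quoted in the thread.
sample_apt_output() {
    cat <<'EOF'
Err:8 https://brave-browser-apt-dev.s3.brave.com stretch InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0B31DBA06A8A26F9
W: GPG error: https://brave-browser-apt-dev.s3.brave.com stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0B31DBA06A8A26F9
EOF
}

# Read apt output on stdin, print each distinct missing long key ID once.
missing_key_ids() {
    grep -oE 'NO_PUBKEY [0-9A-Fa-f]{16}' | awk '{ print toupper($2) }' | sort -u
}

# Print the known fingerprint whose last 16 hex digits equal key ID $1.
# Returns 1 when nothing matches or the ID is not exactly 16 characters.
fingerprint_for() {
    [ "${#1}" -eq 16 ] || return 1
    for fpr in $KNOWN_FPRS; do
        case "$fpr" in
            *"$1") echo "$fpr"; return 0 ;;
        esac
    done
    return 1
}

# Read apt output on stdin and report, per missing key ID, the matching
# fingerprint or the fact that none of the known ones fits.
explain_missing_keys() {
    missing_key_ids | while read -r id; do
        if fpr=$(fingerprint_for "$id"); then
            echo "$id -> $fpr"
        else
            echo "$id -> no known fingerprint"
        fi
    done
}

sample_apt_output | explain_missing_keys
```
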

Thanks.
Ok, so now my brave is back. Despite I lost ALL my session!!
Still not getting why you'd have done something like that since the system before was working (even if deprecated or deprecating) and the new one (clearly) not ready yet.
PS: I'm (maybe I should say I was, not really keen to keep using this now) on the stable channel, on Debian one of the most stable and slow updating distro. So, again, don't understand the rush with a half-baked solution like this one.

@palutz Brave browser keeps a different profile for you depending on what version you use (release, beta, dev, nightly). You can see them in ~/.config/BraveSoftware/.

I suspect that your old browser profile is not lost, but rather you installed a different version of Brave than the one you were running before. From the error messages in https://github.com/brave/brave-browser/issues/1986#issuecomment-484452485, I think you were running brave-browser-dev (i.e. the "dev" version) instead of brave-browser (i.e. the "release" version).

If you want to reinstall the dev version, follow the development channel installation instructions instead of the release channel ones.

If this thread clearly explains How to install brave on Debian stretch, I missed it.
is there a clear instruction page somewhere I can link to?

@scribnermj Have a look at https://community.brave.com/t/unable-to-install-brave-browser-in-my-debian-os-distro/43891/5?u=fmarier. I got it to work successfully, both on Debian unstable/sid and Debian stable/stretch.

sudo apt install brave

```
sudo apt install brave
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package brave
```
????

Not Install Why?

> sudo apt install brave

This tries to install the snap package of muon which is deprecated. Please follow the instructions at https://brave-browser.readthedocs.io/en/latest/installing-brave.html. Once you have added the source list you need to install using sudo apt install brave-browser

> sudo apt install brave
>
> sudo apt install brave
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> E: Unable to locate package brave
> ????
>
> Not Install Why?

You can install using sudo apt install brave-browser

Hello,

I tried different ways by following the different topics covered but I still can't launch Brave.
I run a Debian Sid on an Asus C301 chromebook with the Mate desktop using crouton. It works perfectly.
I would like to use the Beta version
I install this way:

I add:

```
deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com/ bionic main
```

in /etc/apt/sources.list.d/brave.list

and do a:

```
curl -s https://brave-browser-apt-beta.s3.brave.com/brave-core-nightly.asc | sudo apt-key --keyring /etc/apt/trusted.gpg.d/brave-browser-beta.gpg add -
```

I do an update and then install

```
sudo apt install brave-browser-beta
```

Then I also added

```
kernel.unprivileged_userns_clone = 1
```

in /etc/sysctl.d/00-local-userns.conf

I also tried

```
echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf
```

As for Brave, here is the error message when launching Brave:

```
(sid)rom@localhost:~$ brave-browser-beta
[24276:24276:0712/114139.882425:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! You probably need to enable user namespaces in your kernel. See https://brave-browser.readthedocs.io/en/latest/installing-brave.html#linux for more information.
Trappe pour point d'arrêt et de trace (core dumped)
```

Could someone help me and explain to me where I'm wrong

Thank you very much
Rom

@BlockHackTk After adding the line to /etc/sysctl.d/00-local-userns.conf, you'll have to either reboot, or run sysctl -p /etc/sysctl.d/00-local-userns.conf.
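
Added example (not part of the thread, and not Brave's code): a check that compares the live value of `kernel.unprivileged_userns_clone` with what the `/etc/sysctl.d` drop-ins persist, which separates "file written but not loaded" from "enabled" and also lets an administrator audit whether a machine has the setting turned on. The function names, the status strings and the optional root-prefix argument are assumptions made for this sketch, and only `/etc/sysctl.d/*.conf` is read.

```shell
#!/bin/sh
# Added example, not from the thread. The first argument is a hypothetical
# root prefix so the check can run against a constructed directory tree.
# Simplification: only /etc/sysctl.d/*.conf is read, in glob (lexical) order.

KEY="kernel.unprivileged_userns_clone"

# Live kernel value, or "absent" when this kernel does not expose the knob.
live_value() {
    f="$1/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo absent; fi
}

# Last value assigned to KEY in the sysctl.d drop-ins, or "unset".
# Commented-out lines never match because "#" stays part of the key field.
persisted_value() {
    cat "$1"/etc/sysctl.d/*.conf 2>/dev/null |
        awk -F= -v k="$KEY" '
            { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == k { v = $2 }
            END { print (v == "" ? "unset" : v) }'
}

# Classify the combination of live and persisted state:
#   no-knob                the sysctl does not exist on this kernel
#   enabled-persistent     on now and after reboot
#   enabled-until-reboot   set at runtime only, no drop-in keeps it
#   configured-not-loaded  drop-in written, kernel not told yet
#                          (reboot or `sysctl -p <file>` as in the reply above)
#   disabled               off and not configured to turn on
userns_status() {
    live=$(live_value "${1:-}")
    cfg=$(persisted_value "${1:-}")
    case "$live:$cfg" in
        absent:*) echo "no-knob" ;;
        1:1)      echo "enabled-persistent" ;;
        1:*)      echo "enabled-until-reboot" ;;
        0:1)      echo "configured-not-loaded" ;;
        *)        echo "disabled" ;;
    esac
}

# Report the state of the running system (or of the tree given as $1).
userns_status "${1:-}"
```
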

Unable to download Brave on Ubuntu 19.10 due to unsigned PPA? Does anyone else face the same issue?

In case you wondered, the source for Brave that causes this error is not in the usual location, but here (enough to comment it out to repair apt-get update):

```
$ cat /etc/apt/sources.list.d/brave-browser-release-bionic.list 
# deb [arch=amd64] https://brave-browser-apt-release.s3.brave.com/ bionic main
```