Simplenote-electron: Sandbox error on Linux app launch

Interesting, this might be an electron issue. Please continue to use the previous version until we can get this resolved.

Cool, thank you for such a useful FOSS project I will use a previous version. Please message me if there is any way I can help. I don't know any programming but I can bumble around in the command line.

I am experiencing the same problem on Debian 10. Simple workaround for now (without downgrading) is to use the --no-sandbox flag:

./Simplenote-linux-1.15.1-x86_64.AppImage --no-sandbox

Thanks ralf-meyer I will try this on the App image when I get home tonight. I will report back if it works or not.

Simple note 1.15.1 is working in my Linux machine using the --no-sandbox flag. Thank you!

Seems like the latest version (1.15.1) needs some tweaking. After installing the package on Debian 10:

$ simplenote 
[10014:0411/124608.457450:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Simplenote/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

This one's because of a Chromium bug and something to do with Linux's permission.

Successful workaround with:

sudo chown root:root /opt/Simplenote/chrome-sandbox

sudo chmod 755 -R /opt/Simplenote/chrome-sandbox

sudo chmod 4755 /opt/Simplenote/chrome-sandbox

Source:
https://www.vivaolinux.com.br/topico/Suporte/Simplenote-Nao-abre/

Should be fixed by https://github.com/Automattic/simplenote-electron/pull/2102, which will be in version 1.19

Closing, please let us know if there are still any issues with the latest version!

The issue is still there, for Debian 10, as of today:

:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_Simple*/chrome-sandbox is owned by root and has mode 4755.

Just downloaded release 2.0.0 AppImage.

I've just tested this with the latest version 2.4.0 on Debian 10 and everything installed and ran as expected.
Closing for now but please reopen again if you do notice the same again.

I've just tested this with the latest version 2.4.0 on Debian 10 and everything installed and ran as expected.
Closing for now but please reopen again if you do notice the same again.

Hi @sandymcfadden

I am trying to run this file:

https://github.com/Automattic/simplenote-electron/releases/download/v2.4.0/Simplenote-linux-2.4.0-x86_64.AppImage

and the error is still the same:

./Simplenote-linux-2.4.0-x86_64.AppImage
[5631:0116/143550.453734:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_SimpleG33BaW/chrome-sandbox is owned by root and has mode 4755.

As a comparison, version 1.14.0 still runs without issues, I removed and reinstalled it again, to be sure.

My version of Debian (no particular tweak as far as I know):

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

cat /etc/debian_version
10.7

Okay, I have an idea about what's going wrong.

Installing simpleapp (or any electron package) under "root" using "sudo" sets appropriate permissions. But if one tries to run the appimage version, they'll face the error. This can be resolved by passing the flag --no-sandbox to the AppImage.

I'm using AppImage for version 2.4.0, and I can confirm that I'm able to run the app without passing the --no-sandbox flag. Prior to this, I needed to set the flag.

Okay, I have an idea about what's going wrong.

Installing simpleapp (or any electron package) under "root" using "sudo" sets appropriate permissions. But if one tries to run the appimage version, they'll face the error. This can be resolved by passing the flag --no-sandbox to the AppImage.

I'm using AppImage for version 2.4.0, and I can confirm that I'm able to run the app without passing the --no-sandbox flag. Prior to this, I needed to set the flag.

Hi @ajyotirmay

I am not sure I understood, I am/was trying to run the 2.4.0 as well. Using the --no-sandbox flag or install the AppImage as root doesn't look ideal to me.

@spanderman, no no, don't install AppImage as root. I was talking about installing a distro specific package (like .deb or .rpm) from official repos.

Yeah, I know running it by passing the flag isn't ideal, but looks like electron's changes weren't kept in line with the usage patterns of AppImages, since sandboxing requires root access on Linux.

However, I'm no expert, but so far looks like it's an issue with Electron.js

Yeah, you're right. Some discussion in Electron here: https://github.com/electron/electron/issues/17972 . --no-sandbox seems to be the officially recommended workaround.

It's possible we can remediate that with another Electron upgrade on our end, but that thread seemed to imply it might require the --no-sandbox argument regardless, depending on your system.

Yeah, if we're talking about doing it for Appimages. But wherever the installation happens with the help of a root account, e.g. using "sudo apt install..." it's totally possible to setup up right permissions for the electron runtime, but otherwise it's a huge challenge that isn't fixable by even a simple script (as an update to the app might break it)

@ajyotirmay If this is possible for us to fix by adjusting the options in the Electron builder script, I'm happy to make any changes you suggest. I obviously don't want to be encouraging folks to install apps with sudo by default.

A bit more spelunking suggests there might be a fix in electron-builder (we're overdue for a dependencies update unfortunately). Does this read to you like it would fix the problem? https://github.com/electron-userland/electron-builder/pull/4496

It seems like all that does is allow us to pass --no-sandbox by default for AppImages; is that a safe default?

@codebykat I'm looking for a possible solution. I'll be back with whatever I'm able to find