Hi,
I had issues with both current versions of net-im/skypeforlinux (8.51.0.72 as well as 8.51.0.86) while 8.50.0.38 was not affected yet.
1.) Issue:
skypeforlinux does not start. It exits immediately without a message, but dmesg shows this output:
    traps: skypeforlinux[27259] trap int3 ip:5611cc722847 sp:7ffcf6949500 error:0 in skypeforlinux[5611ca80d000+5016000]
The log file at ~/.config/skypeforlinux/logs/skype-startup.log shows only this content:
    [27316:0821/195525.456083:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/skypeforlinux/chrome-sandbox is owned by root and has mode 4755.
I encountered this issue on multiple systems, all with stable "amd64" profiles.
2.) Solution / Manual Fix:
As root, go to /opt/skypeforlinux and do the following:
    chmod 4755 chrome-sandbox
Then skypeforlinux works again (tested with 8.51.0.86)
3.) References:
This issue and the workaround were also mentioned here: https://unix.stackexchange.com/questions/536260/skypeforlinux-wont-launch-anymore
4.) Permanent fix:
The ebuild should incorporate the aforementioned chmod command.

I was affected by this and the following fixed it for me as well:
    # chmod 4755 /opt/skypeforlinux/chrome-sandbox

The same issue returned here today after installing the new (and sole) version 8.51.0.92 provided by portage. The permissions I set before manually were reverted / overwritten during install, resulting in the aforementioned error. I was able to fix it by simply performing the same "chmod" command again.
The ebuild should check for CONFIG_USER_NS kernel option. This would allow the chrome sandbox to work without altering the file permission (no need to SUID the binary, which is a security risk).
Hi Guillaume, thanks, that was the right advice! My kernel lacked support for CONFIG_USER_NS, and after enabling it, skypeforlinux works without the chmod command. Yes, the ebuild should check for the presence of this kernel config item, that would solve this issue for everyone.
Created attachment 588844
Patched ebuild incorporating check for CONFIG_USER_NS kernel support
This is a modified version of the current skypeforlinux-8.51.0.92 ebuild. It incorporates:
- inherit linux-info
- a pkg_setup() phase to detect missing CONFIG_USER_NS kernel support
Works fine here :-)

Hi,
is USER_NS the only requirement? chromium checks for a bunch more:
    ~PID_NS ~NET_NS ~SECCOMP_FILTER ~USER_NS ~ADVISE_SYSCALLS ~!COMPAT_VDSO ~!GRKERNSEC
we can also use the chromium-2 eclass and let chromium folks handle it for us :) but that sounds a bit heavy.

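
The kernel options listed in the comment above and the owner/mode condition from the startup log, combined into one check. This is an added example, not part of the original thread or of the Gentoo ebuild or eclass; the function names and the sample config are constructed, and treating any violated entry as "namespace sandbox unavailable" is a conservative assumption.

```sh
# Entries use linux-info CONFIG_CHECK notation:
# "~" = warn only (non-fatal), "!" = option must NOT be set.
SANDBOX_KCONFIG="~PID_NS ~NET_NS ~SECCOMP_FILTER ~USER_NS ~ADVISE_SYSCALLS ~!COMPAT_VDSO ~!GRKERNSEC"

# kconfig_enabled FILE OPTION: succeeds if CONFIG_OPTION is y or m in FILE.
kconfig_enabled() {
    grep -Eq "^CONFIG_$2=(y|m)\$" "$1"
}

# sandbox_kconfig_problems FILE: prints the violated entries, space separated.
sandbox_kconfig_problems() {
    problems=""
    for entry in $SANDBOX_KCONFIG; do
        opt=${entry#"~"}                       # drop the warn-only marker
        case $opt in
            \!*) if kconfig_enabled "$1" "${opt#\!}"; then problems="$problems $opt"; fi ;;
            *)   if ! kconfig_enabled "$1" "$opt"; then problems="$problems $opt"; fi ;;
        esac
    done
    echo "${problems# }"
}

# suid_helper_ok PATH: succeeds only if PATH is owned by uid 0 with mode 4755,
# the condition named in the startup log (GNU stat syntax).
suid_helper_ok() {
    [ "$(stat -c '%u %a' "$1" 2>/dev/null)" = "0 4755" ]
}

# sandbox_status CONFIG HELPER: prints "userns", "suid" or "none".
# Assumption: any violated entry counts as "namespace sandbox unavailable".
sandbox_status() {
    if [ -z "$(sandbox_kconfig_problems "$1")" ]; then echo userns
    elif suid_helper_ok "$2"; then echo suid
    else echo none
    fi
}

# Constructed sample: a kernel config lacking USER_NS, as in the report.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SECCOMP_FILTER=y
# CONFIG_USER_NS is not set
CONFIG_ADVISE_SYSCALLS=y
EOF
echo "violated: $(sandbox_kconfig_problems "$sample")"
echo "status:   $(sandbox_status "$sample" /opt/skypeforlinux/chrome-sandbox)"
```

On a running system the config to pass in is typically the kernel source's .config or a decompressed copy of /proc/config.gz, where the kernel exposes one.
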
Hi Jan, I like your point having all those dependencies in one single place. Inheriting from chromium-2 would simplify this ebuild and relieve from the duty of tracking those dependencies in the future. I would not call it "heavy", but in fact the better solution.
(In reply to Florian Evers from comment #8)
> Hi Jan,
>
> I like your point having all those dependencies in one single place.
> Inheriting from chromium-2 would simplify this ebuild and relieve from the
> duty of tracking those dependencies in the future. I would not call it
> "heavy", but in fact the better solution.
sounds good to me then. Do you want to open a PR? otherwise I can do it.

Hi Jan, I just tried to modify the ebuild to inherit from chromium-2 but it didn't work as expected here. The detection of a missing CONFIG_USER_NS kernel config didn't trigger; likely I forgot something. If you are able to add that feature correctly and open a PR (pull request?), go ahead :) Regards, Florian
(In reply to Florian Evers from comment #10)
> Hi Jan,
>
> I just tried to modify the ebuild to inherit from chromium-2 but it didn't
> work as expected here. The detection of a missing CONFIG_USER_NS kernel
> config didn't trigger; likely I forgot something.
I don't think just inheriting the eclass is enough. Did you put the check call in pkg_setup?
    pkg_setup() {
        chromium_suid_sandbox_check_kernel_config
    }
> If you are able to add that feature correctly and open a PR (pull request?),
> go ahead :)
sure, I will have some time towards the end of the week if you don't mind waiting.
thanks,
Jan

Created attachment 589498
modified ebuild to use chromium kernel config checks
Does this ebuild solve the issue?

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e97c1bed5c82b487d53ae83eb31115f5997d83b2
commit e97c1bed5c82b487d53ae83eb31115f5997d83b2
Author:     Jan Vesely <jano.vesely@gmail.com>
AuthorDate: 2019-09-09 03:40:36 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-09-17 03:46:41 +0000
    net-im/skypeforlinux: Bump version to 8.52.0.138
    Add kernel configuration check for chromium sandbox.
    Bug: https://bugs.gentoo.org/692692
    Signed-off-by: Jan Vesely <jano.vesely@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
 net-im/skypeforlinux/Manifest | 1 +
 .../skypeforlinux/skypeforlinux-8.52.0.138.ebuild | 106 +++++++++++++++++++++
 2 files changed, 107 insertions(+)

I'm still having this issue on 8.52.0.138-r1.
Is it safe to set USER_NS in the kernel? Are there other pitfalls? I have never set it in the config because nobody requires it (skypeforlinux just issues a warning when emerging) but with latest skype version [now 8.52.0.138-r1] the only way to have it working again is to chown 4755 /opt/skypeforlinux/chrome-sandbox. Just emerged today but I still need to apply chown to run it again.
I can confirm the bug on an amd64 machine. Running
    # chmod 4755 /opt/skypeforlinux/chrome-sandbox
solves the problem.
Forgot to add, this refers to the latest version at the time of writing, 8.52.0.138-r1.
(In reply to A. Person from comment #14)
> I'm still having this issue on 8.52.0.138-r1.
Did the ebuild show kernel config warnings? Did you follow them?
(In reply to inasprecali from comment #16)
> I can confirm the bug on an amd64 machine. Running
> # chmod 4755 /opt/skypeforlinux/chrome-sandbox
> solves the problem.
That's not a solution, that's the problem user namespaces solve. From [0]:
"In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace;"
[0] http://man7.org/linux/man-pages/man7/user_namespaces.7.html

Still the same issue on net-im/skypeforlinux-8.57.0.116 and fixed by
    # chmod 4755 /opt/skypeforlinux/chrome-sandbox
    mode of '/opt/skypeforlinux/chrome-sandbox' changed from 0755 (rwxr-xr-x) to 4755 (rwsr-xr-x)

The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0cb2c9f251df9972f271b1094a970a89a54e4ea4
commit 0cb2c9f251df9972f271b1094a970a89a54e4ea4
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-03-17 18:05:39 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-03-17 18:05:39 +0000
    net-im/skypeforlinux: Remove 'chrome-sandbox' binary
    * Users should enable the kernel options shown in
      pkg_setup() instead of relying on the deprecated
      suid sandbox.
    Closes: https://bugs.gentoo.org/692692
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: David Seifert <soap@gentoo.org>
 ...eforlinux-8.57.0.116.ebuild => skypeforlinux-8.57.0.116-r1.ebuild} | 4 ++++
 1 file changed, 4 insertions(+)

(In reply to Larry the Git Cow from comment #20)
> The bug has been closed via the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0cb2c9f251df9972f271b1094a970a89a54e4ea4
>
> commit 0cb2c9f251df9972f271b1094a970a89a54e4ea4
> Author: David Seifert <soap@gentoo.org>
> AuthorDate: 2020-03-17 18:05:39 +0000
> Commit: David Seifert <soap@gentoo.org>
> CommitDate: 2020-03-17 18:05:39 +0000
>
> net-im/skypeforlinux: Remove 'chrome-sandbox' binary
>
> * Users should enable the kernel options shown in
> pkg_setup() instead of relying on the deprecated
> suid sandbox.
>
> Closes: https://bugs.gentoo.org/692692
> Package-Manager: Portage-2.3.94, Repoman-2.3.21
> Signed-off-by: David Seifert <soap@gentoo.org>
>
> ...eforlinux-8.57.0.116.ebuild => skypeforlinux-8.57.0.116-r1.ebuild} | 4 ++++
> 1 file changed, 4 insertions(+)
Well, ebuild should refuse to install skypeforlinux then if the appropriate kernel options are not enabled, rather than happily install the package that cannot start. Especially given that pkg_setup message is old (it was saying that for over a year) and hardly definitive:
    * Checking for suitable kernel configuration options...
    * USER_NS is required for sandbox to work
Not only does this not tell you that the whole package will not work, it is also confusing given that chrome-sandbox is deleted. Imagine my frustration when I silently got a nonworking setup one hour before delivering a remote lecture, as we have to do now.