Bug 692692 - net-im/skypeforlinux-8.51.0.86 fails to start due to chrome-sandbox permission issues
Summary: net-im/skypeforlinux-8.51.0.86 fails to start due to chrome-sandbox permissio...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gino McCarty
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2019-08-21 18:10 UTC by Florian Evers
Modified: 2020-03-21 23:34 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patched ebuild incorporating check for CONFIG_USER_NS kernel support (skypeforlinux-8.51.0.92.ebuild,3.64 KB, text/plain)
2019-09-02 18:35 UTC, Florian Evers
modified ebuild to use chromium kernel config checks (skypeforlinux-8.51.0.92.ebuild,3.28 KB, text/plain)
2019-09-09 03:44 UTC, Jan Vesely

Description Florian Evers 2019-08-21 18:10:33 UTC
Hi,

I had issues with both current versions of net-im/skypeforlinux (8.51.0.72 as well as 8.51.0.86) while 8.50.0.38 was not affected yet. 

1.) Issue:
skypeforlinux does not start. It exits immediately without a message, but dmesg shows this output:

traps: skypeforlinux[27259] trap int3 ip:5611cc722847 sp:7ffcf6949500 error:0 in skypeforlinux[5611ca80d000+5016000]

The log file at ~/.config/skypeforlinux/logs/skype-startup.log shows only this content:

[27316:0821/195525.456083:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/skypeforlinux/chrome-sandbox is owned by root and has mode 4755.

I encountered this issue on multiple systems, all with stable "amd64" profiles.

2.) Solution / Manual Fix:
As root, go to /opt/skypeforlinux and do the following:

chmod 4755 chrome-sandbox

Then skypeforlinux works again (tested with 8.51.0.86)

3.) References:

This issue and the workaround were also mentioned here:

https://unix.stackexchange.com/questions/536260/skypeforlinux-wont-launch-anymore

4.) Permanent fix:

The ebuild should incorporate the aforementioned chmod command.
Comment 1 Florian Evers 2019-08-21 18:12:50 UTC
Portage 2.3.69 (python 3.6.5-final-0, default/linux/amd64/17.1/desktop/plasma, gcc-8.3.0, glibc-2.29-r2, 5.2.9-gentoo x86_64)
Comment 2 A. Person 2019-08-24 12:24:15 UTC
I was affected by this and the following fixed it for me as well:

# chmod 4755 /opt/skypeforlinux/chrome-sandbox
Comment 3 Florian Evers 2019-08-31 17:28:29 UTC
The same issue returned here today after installing the new (and sole) version 8.51.0.92 provided by portage. The permissions I set before manually were reverted / overwritten during install, resulting in the aforementioned error. I was able to fix it by simply performing the same "chmod" command again.
Comment 4 Guillaume Castagnino 2019-09-01 13:07:02 UTC
The ebuild should check for CONFIG_USER_NS kernel option. This would allow the chrome sandbox to work without altering the file permission (no need to SUID the binary, which is a security risk).
Comment 5 Florian Evers 2019-09-02 16:45:01 UTC
Hi Guillaume,

thanks, that was the right advice! My kernel lacked support for CONFIG_USER_NS, and after enabling it, skypeforlinux works without the chmod command. Yes, the ebuild should check for the presence of this kernel config item, that would solve this issue for everyone.
Comment 6 Florian Evers 2019-09-02 18:35:30 UTC
Created attachment 588844
Patched ebuild incorporating check for CONFIG_USER_NS kernel support

This is a modified version of the current skypeforlinux-8.51.0.92 ebuild.

It incorporates:
- inherit linux-info
- a pkg_setup() phase to detect missing CONFIG_USER_NS kernel support

Works fine here :-)
Comment 7 Jan Vesely 2019-09-02 19:37:14 UTC
Hi, is USER_NS the only requirement?

chromium checks for a bunch more:
~PID_NS ~NET_NS ~SECCOMP_FILTER ~USER_NS ~ADVISE_SYSCALLS ~!COMPAT_VDSO ~!GRKERNSEC

we can also use the chromium-2 eclass and let chromium folks handle it for us :)
but that sounds a bit heavy.
Comment 8 Florian Evers 2019-09-02 20:34:51 UTC
Hi Jan,

I like your point about having all those dependencies in one single place. Inheriting from chromium-2 would simplify this ebuild and relieve it of the duty of tracking those dependencies in the future. I would not call it "heavy", but in fact the better solution.
Comment 9 Jan Vesely 2019-09-02 22:26:41 UTC
(In reply to Florian Evers from comment #8)
> Hi Jan,
> 
> I like your point having all those dependencies in one single place.
> Inheriting from chromium-2 would simplify this ebuild and relieve from the
> duty of tracking those dependencies in the future. I would not call it
> "heavy", but in fact the better solution.

sounds good to me then. Do you want to open a PR? otherwise I can do it.
Comment 10 Florian Evers 2019-09-03 20:33:55 UTC
Hi Jan,

I just tried to modify the ebuild to inherit from chromium-2 but it didn't work as expected here. The detection of a missing CONFIG_USER_NS kernel config didn't trigger; likely I forgot something.

If you are able to add that feature correctly and open a PR (pull request?), go ahead :)

Regards,
Florian
Comment 11 Jan Vesely 2019-09-04 04:06:27 UTC
(In reply to Florian Evers from comment #10)
> Hi Jan,
> 
> I just tried to modify the ebuild to inherit from chromium-2 but it didn't
> work as expected here. The detection of a missing CONFIG_USER_NS kernel
> config didn't trigger; likely I forgot something.


I don't think just inheriting the eclass is enough. Did you put the check call in pkg_setup?


pkg_setup() {
   chromium_suid_sandbox_check_kernel_config
}

> If you are able to add that feature correctly and open a PR (pull request?),
> go ahead :)

sure, I will have some time towards the end of the week if you don't mind waiting.

thanks,
Jan
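The kernel options Jan lists in comment 7, checked the way the pkg_setup() hook above does but from a plain shell script, as an added example (not code from this bug, from the skypeforlinux ebuild or from the chromium-2 eclass): it applies the ~OPT / ~!OPT rules to a kernel config text and also reports whether chrome-sandbox has been given the setuid workaround. The two sample configs are constructed; the helper path is the page's /opt/skypeforlinux/chrome-sandbox.

```shell
# Added example, not from this bug report or the Gentoo chromium-2 eclass.
# Requirements in the eclass notation from comment 7: OPT must be =y or =m,
# !OPT must not be set; every unmet requirement is reported and counted.
CHROMIUM_SANDBOX_REQUIREMENTS="PID_NS NET_NS SECCOMP_FILTER USER_NS ADVISE_SYSCALLS !COMPAT_VDSO !GRKERNSEC"

# check_kernel_config CONFIG_TEXT: one line per unmet requirement on stdout,
# exit status 0 only when all are met.
check_kernel_config() {
    _cfg="$1"
    _rc=0
    for _req in $CHROMIUM_SANDBOX_REQUIREMENTS; do
        case "$_req" in
            '!'*)
                _opt="${_req#!}"
                if printf '%s\n' "$_cfg" | grep -q "^CONFIG_${_opt}=[ym]$"; then
                    echo "CONFIG_${_opt} must not be set"
                    _rc=1
                fi ;;
            *)
                if ! printf '%s\n' "$_cfg" | grep -q "^CONFIG_${_req}=[ym]$"; then
                    echo "CONFIG_${_req} is required for the sandbox to work"
                    _rc=1
                fi ;;
        esac
    done
    return $_rc
}

# sandbox_helper_is_suid PATH: true if the helper carries the setuid bit,
# i.e. the "chmod 4755" workaround from this thread is in place.
sandbox_helper_is_suid() {
    [ -u "$1" ]
}

# Constructed sample configs: one complete, one like the reporter's kernel
# (no CONFIG_USER_NS) that additionally has COMPAT_VDSO enabled.
GOOD_CONFIG="CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SECCOMP_FILTER=y
CONFIG_USER_NS=y
CONFIG_ADVISE_SYSCALLS=y
# CONFIG_COMPAT_VDSO is not set"
BAD_CONFIG="CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SECCOMP_FILTER=y
CONFIG_ADVISE_SYSCALLS=y
CONFIG_COMPAT_VDSO=y"

# On a Gentoo box feed the real config instead: check_kernel_config "$(zcat /proc/config.gz)"
check_kernel_config "$BAD_CONFIG" || echo "sample config: sandbox would not start"
if sandbox_helper_is_suid /opt/skypeforlinux/chrome-sandbox; then
    echo "chrome-sandbox is setuid root: the deprecated suid sandbox is in use"
fi
```

Unlike the eclass, whose ~ prefix only warns, this script returns non-zero on any unmet requirement, so it can gate an install or a login script the way comment 21 asks for.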
Comment 12 Jan Vesely 2019-09-09 03:44:59 UTC
Created attachment 589498
modified ebuild to use chromium kernel config checks

Does this ebuild solve the issue?
Comment 13 Larry the Git Cow gentoo-dev 2019-09-17 03:47:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e97c1bed5c82b487d53ae83eb31115f5997d83b2

commit e97c1bed5c82b487d53ae83eb31115f5997d83b2
Author:     Jan Vesely <jano.vesely@gmail.com>
AuthorDate: 2019-09-09 03:40:36 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-09-17 03:46:41 +0000

    net-im/skypeforlinux: Bump version to 8.52.0.138
    
    Add kernel configuration check for chromium sandbox.
    
    Bug: https://bugs.gentoo.org/692692
    Signed-off-by: Jan Vesely <jano.vesely@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-im/skypeforlinux/Manifest                      |   1 +
 .../skypeforlinux/skypeforlinux-8.52.0.138.ebuild  | 106 +++++++++++++++++++++
 2 files changed, 107 insertions(+)
Comment 14 A. Person 2019-09-22 11:59:18 UTC
I'm still having this issue on 8.52.0.138-r1.
Comment 15 Andrea (Ben) Benini 2019-09-23 09:58:25 UTC
Is it safe to set USER_NS in the kernel ? Are there other pitfalls ?
I have never set it in the config because nobody requires it (skypeforlinux just issues a warning when emerging), but with the latest skype version [now 8.52.0.138-r1] the only way to have it working again is to chown 4755 /opt/skypeforlinux/chrome-sandbox. Just emerged today, but I still need to apply chown to run it again.
Comment 16 inasprecali 2019-09-28 17:06:23 UTC
I can confirm the bug on an amd64 machine. Running
# chmod 4755 /opt/skypeforlinux/chrome-sandbox
solves the problem.
Comment 17 inasprecali 2019-09-28 17:08:31 UTC
Forgot to add, this refers to the latest version at the time of writing, 8.52.0.138-r1.
Comment 18 Jan Vesely 2019-09-30 20:54:24 UTC
(In reply to A. Person from comment #14)
> I'm still having this issue on 8.52.0.138-r1.

Did the ebuild show kernel config warnings? Did you follow them?

(In reply to inasprecali from comment #16)
> I can confirm the bug on an amd64 machine. Running
> # chmod 4755 /opt/skypeforlinux/chrome-sandbox
> solves the problem.

That's not a solution, that's the problem user namespaces solve.
From [0]: "In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace;"

[0] http://man7.org/linux/man-pages/man7/user_namespaces.7.html
Comment 19 Massimo Burcheri 2020-03-17 08:17:56 UTC
Still the same issue on net-im/skypeforlinux-8.57.0.116 and fixed by
# chmod 4755 /opt/skypeforlinux/chrome-sandbox
mode of '/opt/skypeforlinux/chrome-sandbox' changed from 0755 (rwxr-xr-x) to 4755 (rwsr-xr-x)
Comment 20 Larry the Git Cow gentoo-dev 2020-03-17 18:05:55 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0cb2c9f251df9972f271b1094a970a89a54e4ea4

commit 0cb2c9f251df9972f271b1094a970a89a54e4ea4
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-03-17 18:05:39 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-03-17 18:05:39 +0000

    net-im/skypeforlinux: Remove 'chrome-sandbox' binary
    
    * Users should enable the kernel options shown in
      pkg_setup() instead of relying on the deprecated
      suid sandbox.
    
    Closes: https://bugs.gentoo.org/692692
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: David Seifert <soap@gentoo.org>

 ...eforlinux-8.57.0.116.ebuild => skypeforlinux-8.57.0.116-r1.ebuild} | 4 ++++
 1 file changed, 4 insertions(+)
Comment 21 pogosyan 2020-03-21 23:34:55 UTC
(In reply to Larry the Git Cow from comment #20)
> The bug has been closed via the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=0cb2c9f251df9972f271b1094a970a89a54e4ea4
> 
> commit 0cb2c9f251df9972f271b1094a970a89a54e4ea4
> Author:     David Seifert <soap@gentoo.org>
> AuthorDate: 2020-03-17 18:05:39 +0000
> Commit:     David Seifert <soap@gentoo.org>
> CommitDate: 2020-03-17 18:05:39 +0000
> 
>     net-im/skypeforlinux: Remove 'chrome-sandbox' binary
>     
>     * Users should enable the kernel options shown in
>       pkg_setup() instead of relying on the deprecated
>       suid sandbox.
>     
>     Closes: https://bugs.gentoo.org/692692
>     Package-Manager: Portage-2.3.94, Repoman-2.3.21
>     Signed-off-by: David Seifert <soap@gentoo.org>
> 
>  ...eforlinux-8.57.0.116.ebuild => skypeforlinux-8.57.0.116-r1.ebuild} | 4
> ++++
>  1 file changed, 4 insertions(+)

Well, the ebuild should refuse to install skypeforlinux then if the appropriate kernel options are not enabled, rather than happily install a package that cannot start. Especially given that the pkg_setup message is old (it has been saying that for over a year) and hardly definitive: 
 * Checking for suitable kernel configuration options...
 *   USER_NS is required for sandbox to work

Not only does this not tell you that the whole package will not work, it is also confusing given that chrome-sandbox is deleted. Imagine my frustration when I silently got a nonworking setup one hour before delivering a remote lecture, as we have to do now.