Re: ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
Giovanni Biscuolo writes:

>>> The chromium binary from Debian 10 on the same LTSP environment does not
>>> have the same problem, it works
>
> so the Debian binary is working without user namespaces?

Chromium has another sandboxing method that relies on a setuid binary,
which is what Debian uses.
Re: ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
Hello Marius,

Thanks! the issue was related to lack of user namespaces

Marius Bakke writes:

> Giovanni Biscuolo writes:

[...]

>> The same updated version of ungoogled-chromium from Guix on a Debian 10
>> laptop does not have this problem, so it's specific to the LTSP
>> environment I guess

no: my laptop had user namespaces enabled :-)

>> The chromium binary from Debian 10 on the same LTSP environment does not
>> have the same problem, it works

so the Debian binary is working without user namespaces?

>> Any suggestion on where to look for problems here, please?
>
> The (ungoogled-) Chromium sandbox relies on user namespaces support in
> the kernel. I guess `guix environment -C` does not work either?

no, "guix environment -C" was not working and *still* does not work...
but I'm almost sure it depends on something else, more on this in
another thread

> Debian disables user namespaces by default, try this command to enable
> it:
>
>   sudo sysctl -w kernel.unprivileged_userns_clone=1

it worked, I made it persistent also [1]

Thanks again! Gio'

[1] sudo su -c "echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf"

--
Giovanni Biscuolo
Xelera IT Infrastructures
Re: ungoogled-chromium aborts on foreign distro via LTSP (Linux Terminal Server Project)
Giovanni Biscuolo writes:

> if I run the last ungoogled-chromium Guix version in my terminal session
> [1] on a Debian 10 server, I get SIGABRT:
>
> --8<---cut here---start->8---
> [14913:14913:0110/113833.689067:FATAL:zygote_host_impl_linux.cc(116)] No
> usable sandbox! Update your kernel or see
> https://chromium.9oo91esource.qjz9zk/chromium/src/+/master/docs/linux_suid_sandbox_development.md
> for more information on developing with the SUID sandbox. If you want to
> live dangerously and need an immediate workaround, you can try using
> --no-sandbox.
> #0 0x561fb4b09f09 base::debug::CollectStackTrace()
>
> Received signal 6
> #0 0x561fb4b09f09 base::debug::CollectStackTrace()
> r8: r9: 7ffc91ca6500 r10: 0008 r11:
> 0246
> r12: 7ffc91ca7750 r13: 0170 r14: 7ffc91ca7910 r15:
> 7ffc91ca6780
> di: 0002 si: 7ffc91ca6500 bp: 7ffc91ca6740 bx:
> 0006
> dx: ax: cx: 7fee29c227fa sp:
> 7ffc91ca6578
> ip: 7fee29c227fa efl: 0246 cgf: 002b0033 erf:
>
> trp: msk: cr2:
> [end of stack trace]
> Calling _exit(1). Core file will not be generated.
> --8<---cut here---end--->8---
>
> If I run ungoogled-chromium with --no-sandbox it works, but I'd like not
> to browse with the sandbox off (I'm going to study how to run my
> browsers in a guix container, but it's not the solution AFAIU)
>
> The same updated version of ungoogled-chromium from Guix on a Debian 10
> laptop does not have this problem, so it's specific to the LTSP
> environment I guess
>
> The chromium binary from Debian 10 on the same LTSP environment does not
> have the same problem, it works
>
> Any suggestion on where to look for problems here, please?

The (ungoogled-) Chromium sandbox relies on user namespaces support in
the kernel. I guess `guix environment -C` does not work either?

Debian disables user namespaces by default, try this command to enable
it:

  sudo sysctl -w kernel.unprivileged_userns_clone=1
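
An added diagnostic, not part of the thread or of the Guix or Chromium projects: a small script that reports whether unprivileged user namespaces are usable on a host and whether the Debian sysctl from the messages above has been made persistent. The function names and the optional ROOT argument (which points the checks at a constructed copy of the sysctl tree) are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example: explain a "No usable sandbox!" abort by inspecting the
# kernel knobs that gate unprivileged user namespaces.
# ROOT ($1) is a hypothetical test hook; empty means the live system.

userns_verdict() {
    root="${1:-}"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"  # Debian-patched kernels
    max="$root/proc/sys/user/max_user_namespaces"            # upstream per-namespace limit

    # Debian knob: 0 refuses user namespace creation to unprivileged users.
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "disabled: kernel.unprivileged_userns_clone=0"
        return 0
    fi
    # Upstream limit: 0 means no user namespace can be created at all.
    if [ -r "$max" ]; then
        if [ "$(cat "$max")" = "0" ]; then
            echo "disabled: user.max_user_namespaces=0"
        else
            echo "enabled"
        fi
        return 0
    fi
    # Debian knob present and non-zero, but no upstream limit file.
    if [ -r "$clone" ]; then
        echo "enabled"
        return 0
    fi
    echo "unknown: no user namespace sysctls found"
}

# Succeeds when a sysctl configuration file sets the Debian knob to 1,
# so the setting is reapplied at boot and not only via "sysctl -w".
userns_persisted() {
    root="${1:-}"
    grep -qsE '^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*1' \
        "$root"/etc/sysctl.d/*.conf "$root/etc/sysctl.conf"
}

echo "user namespaces: $(userns_verdict)"
if userns_persisted; then
    echo "persistent setting: present"
else
    echo "persistent setting: not found"
fi
```

A "disabled" verdict together with a missing persistent setting matches the state described in the thread before the `sysctl -w` command was applied.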