You are not logged in.

#1 2021-08-30 07:27:55

Dayan
Member
From: תל־אביב-יפו
Registered: 2021-08-28
Posts: 7

[SOLVED] AppImage of electron application

There is an AppImage I like to use which is from an Electron built application. However, in Debian and many Debian based distributions AppImages of electron applications can't run without "--no-sandbox" appended to it. As far as I understand it from what I've been reading is that in Debian, AppImages based on Electron require the kernel to be configured in a certain way to allow for its sandboxing to work as intended (specifically, the kernel needs to be allowed to provide “unprivileged namespaces”).

Is this a security issue to run an AppImage with "--no-sandbox"? Is it a security issue to enable unprivileged namespaces so the AppImage can run without the "--no-sandbox" parameter?

https://github.com/ramboxapp/community- … /tag/0.7.9

Would it be better to build the application from source? Only thing is, is I don't know how to keep an application built from source updated or how to cleanly remove it if I ever would want to.

Last edited by Dayan (2021-09-04 06:04:26)

Offline

#2 2021-08-30 09:30:53

rbh
Moderator
From: Sweden/Vasterbotten/Rusfors
Registered: 2016-08-11
Posts: 1,182

Re: [SOLVED] AppImage of electron application

Dayan wrote:

in Debian and many Debian based distributions AppImages of electron applications can't run without "--no-sandbox" appended to it. As far as I understand it from what I've been reading is that in Debian, AppImages based on Electron require the kernel to be configured in a certain way to allow for its sandboxing to work as intended (specifically, the kernel needs to be allowed to provide “unprivileged namespaces”).

You can temporarily enable unprivileged namespaces with command:

sudo sysctl -w kernel.unprivileged_userns_clone=1 

or permanently allow it. See https://docs.appimage.org/user-guide/tr … oxing.html

Is this a security issue to run an AppImage with "--no-sandbox"? Is it a security issue to enable unprivileged namespaces so the AppImage can run without the "--no-sandbox" parameter?

Yes. "a sandbox is a security mechanism for separating running programs," https://en.wikipedia.org/wiki/Sandbox_( … _security)

https://github.com/ramboxapp/community- … /tag/0.7.9
Would it be better to build the application from source? Only thing is, is I don't know how to keep an application built from source updated or how to cleanly remove it if I ever would want to.

You can allow the Appimage to run without sanbox. Or you can install the ramboxapp deb from your link. You can make a deb from source. When source is updated, you create a new deb.


// Regards rbh

Please read before requesting help: Guide to getting help,
Introduction to the Bunsenlabs Lithium Desktop and other help topics under "Help Resources" on the BunsenLabs menu

Offline

#3 2021-09-02 12:29:15

rbh
Moderator
From: Sweden/Vasterbotten/Rusfors
Registered: 2016-08-11
Posts: 1,182

Re: [SOLVED] AppImage of electron application

@Dayan do you need more help with the subjectorisit solved?

If it is solved, can you edit the subjetctline in the first postand prepende: [Solved]?
Ev, summarize the solution.


// Regards rbh

Please read before requesting help: Guide to getting help,
Introduction to the Bunsenlabs Lithium Desktop and other help topics under "Help Resources" on the BunsenLabs menu

Offline

Board footer

Powered by FluxBB