-
Notifications
You must be signed in to change notification settings - Fork 569
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some AppImages break, "Permission denied" #2690
Comments
May related to #2671. |
@probonopd firejail 0.9.49 is old, have you try it with the lastest firejail version? |
Yes:
|
Why is this? We also have the same issue with PhotoGIMP now. |
=> |
Apparently the permissions for non-root users are missing in the squashfs image. What is interesting, though, is that the native AppImage implementation (using squashfuse) can still use those, but Firejail cannot. Is this because Firejail uses the kernel to mount the squashfs image? |
How to make permissions in the right way? Currently:chmod 755 Defined in:This produces the following permissions:
Teorically at least
|
@sudo-give-me-coffee (nice name 😉) |
I understood, so for now, the ideal is to mount the AppImage outside the sandbox? |
I wonder why some AppImages have the wrong permissions there (most AppImages are correct). In any case, it looks like Firejail is behaving correctly. |
Actually, I would say that firejail does the wrong thing here. First a surprising (at least to me) example. I took the tutanota appimage which also has this issue (#2831), and exctracted the squashfs image from the appimage. Then I mounted it with squashfuse:
So, mounting with squashfuse as a normal user, I can access the contents of the root of the squashfs directory, even though the permissions on the directory clearly indicate it shouldn't be allowed!
If I mount via fuse but as root, a normal user cannot access the contents of the root of the squashfs directory, and strangely can not even get information on the directory itself!
When mounting via loopback using the squashfs kernel fs module, things work as expected. Ok, this is important because appimage will use fuse to mount the embedded squashfs as the invoking user (in this case a regular user). However, firejail will mount the squashfs using the squashfs kernel module. While it might seem like a security issue for the permissions to be ignored when using fuse and accessing the squashfs root directory, I don't believe there's a problem because the files are all read only. So I'm thinking that firejail should instead use the appimage binary to fuse mount itself. Using strace on the appimage shows that first |
So I would say the FUSE-based AppImage runtime is actually doing the wrong thing. |
@probonopd, so if I understand you correctly, you're saying that the permissions should not be ignored by the fuse fs. Correct me if I'm wrong. If that's what you want then the AppImage runtime should be changed to add You can test that From
The annoying thing is that we'll have to get offending appimage builders to build a fixed appimage, which may or may not even be feasible (in the case of abandoned appimages with this issue). And I don't see this as actually adding any extra security. On the brightside, it seems that not a lot of appimages have this issue. Relatedly, we may still want to make the modifications I suggested because I think it would be a way to future proof our appimage mounting code. We should be letting appimage figure out how to mount itself, rather than us emulating appimage code. So when AppImage Type 3 comes out with the next best compressed filesystem, we won't have to make any code modifications. |
@crass thanks for your detailed analysis.
Yes, I think that would produce the same errors that we see with Firejail now in non-Firejail setups as well, hopefully leading to application developers seeing and fixing those permissions errors, resulting in less issues when using AppImages with Firejail. At least that was my line of thinking.
You have a point there, but doesn't it mean it would reduce performance? |
I think moving forward it would be great for AppImage to more strictly enforce perms. But I'm not sure how long it'll take all the offending appimage builders to incorporate the change. In the meantime, we can make it less painful for users wanting to use these appimages (and less issues for us!). If there was a security issue, then I'd be much less accommodating.
What's your thinking on where the performance reduction would be coming from? As I see it, there will be a negligible hit to performance. The place I see for the most performance degradation would be from all file access needing to go through FUSE. But that's what native appimage currently does. Both appimage and firejail have some impact on performance (both seem unnoticeable in my experience). So what I'm proposing would performance-wise look like the performance impact of appimage + impact of firejail, which I suspect will be negligible. Maybe I'm missing something though. |
After looking at fuse a bit more, its not possible to use the appimage to mount itself using the So I see two roads forward here:
Ok, I think I've convinced myself that its not worth the trouble to change firejail for the moment. Perhaps it'll be worth using the appimage to mount itself if there become a lot of appimage types in the future. |
I have this problem with onlyoffice, may I know, how to fix it? thanks. |
@bdantas offers new insights into this in AppImage/appimage.github.io#1909 (comment):
Can you confirm? Is this something that could be fixed in Firejail? |
@probonopd Yes, we can fix this by conditionally blacklisting ${PATH}/fusermount via ?HASAPPIMAGE: trickery in disable-common.inc:
#3249 also mentions needing to noblacklist ${PATH}/nc. |
@probonopd Just unblacklisting fusermount is not enough. I've done much more extensive testing since that post, and things are much more clear now. Please see here: #3249 EDIT: Sorry, it seems that after even more testing I Ianded right back here on this permissions issue. |
Is there a workaround for this? How do we get the appropriate permissions? I don't mind taking an even more manual approach (e.g., creating the squashfs archive in one step, ensuring appropriate permissions, then adding the runtime as a separate step). |
It seems appimagetool may be to blame. |
Thx for digging into it. Fixing it in appimagetool would be appreciated as fixing it in firejail as shown in #2690 (comment) is quite complicated. |
@shoogle found out that when used with Firejail, the mount point for the AppImage is firejail/src/firejail/appimage.c Lines 98 to 102 in dc12ce6
may be the culprit? What would happen if we would use |
@probonopd see #2690 (comment), the irrational think is that some AppImages work with firejail and other not. @netblue30 any reason why this is owned by root and 7000? Maybe also here: firejail/src/firejail/appimage.c Line 107 in dc12ce6
|
Maybe we found out why: Some AppImages have all files inside the squashfs owned by root and some don't. @bdantas showed in AppImage/AppImageKit#1032 that it works when the files are not owned by root, and it fails when the files are owned by root. |
It seem two conditions make same appimages broken:
It's interesting that initial appimage support used 755 permissions and was changed later to 700 without much explanation. Maybe restoring initial mode will fix this? EDIT: here are some explanations for above change, although not explicitly about 700 vs 755. |
I just tried, unfortunately it doesn't help. Also since 3740f37 we don't pass these options any more to the squashfs mount, to work around a regression in the kernel. |
So what's the fix? |
Some AppImages break with
Permission denied
:For example:
References:
The text was updated successfully, but these errors were encountered: