Session desktop on linux complains about sandbox and refuses to open

[Kreyren]

kreyren@leonid:~/Downloads$ ./session-desktop-linux-x86_64-1.4.4.AppImage 
[14361:0104/021934.369875:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_sessiopQVxT7/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap

Assuming it being relevant to electron/electron#17972

Steps to reproduce

1. Download sessions from https://github.com/loki-project/session-desktop/releases/download/v1.4.4/session-desktop-linux-x86_64-1.4.4.AppImage
2. Make it executable
3. Try to run the AppImage

System info

OS: Devuan GNU/Linux 4 (chimaera/ceres) x86_64
Host: 20089 Lenovo G770 
Kernel: 5.9.0-5-amd64 
Shell: bash 5.1.0 
DE: Xfce 4.14 
WM: Xfwm4 
WM Theme: Clearlooks-Phenix-Cinnabar 
Theme: Clearlooks-Phenix-Cinnabar [GTK2], Adwaita [GTK3] 
Icons: Cinnabar [GTK2], Adwaita [GTK3] 
Terminal: xfce4-terminal 
Terminal Font: Monospace 12 
CPU: Intel i7-2620M (4) @ 3.400GHz 
GPU: AMD ATI Radeon HD 6630M/6650M/6750M/7670M/7690M 
GPU: Intel 2nd Generation Core Processor Family 
Memory: 4630MiB / 15958MiB 

[majestrate]

you want the session-desktop issue tracker instead: https://github.com/loki-project/session-desktop/issues

and for the record i think the flag to fix this is --no-sandbox

[Kreyren]

@majestrate can't you transfer the issue then?

[majestrate]

i don't seem to have permission to transfer the issue to that repo.

[Kreyren]

Using the --no-sandbox makes the application to launch, but the sandbox is preferred.

[beantaco]

There was a similar issue with Signal Desktop. Signal introduced a hack by adding --no-sandbox argument when Signal Desktop is invoked disabling the client's sandbox.
signalapp#3536
signalapp@1ca0d82

This hack is not a solution, it is a hack that avoids the problem. Disabling the sandbox is a security concern, and Signal has yet to address the issue properly.
signalapp#3573

Session Desktop ships with setuid set on the sandbox (notice the s permission in the Session sandbox). Note: This is the .deb package of Session, not AppImage.

user$ ls -l /opt/Signal/chrome-sandbox 
-rwxr-xr-x 1 root root 6259104 [redacted] /opt/Signal/chrome-sandbox
user$ ls -l /opt/Session/chrome-sandbox
-rwsr-xr-x 1 root root 6259104 [redacted] /opt/Session/chrome-sandbox

Can the AppImage (or users) add setuid with something like the following?

root# chmod 4755 <path>/chrome-sandbox

However, from comments I have read, adding setuid has its own security issues. I'm not qualified to comment further about this.

Another workaround is to add another sandbox, like firejail with a suitably-configured profile:

user$ firejail /opt/Session/chrome-sandbox --no-sandbox

[majestrate]

does session even use any of the features provided by the chrome SUID sandbox?