
[Bug]: Ubuntu The SUID sandbox helper binary was found, but is not configured correctly. #5952


Closed
5 of 6 tasks
andreas-bulling opened this issue Oct 27, 2024 · 27 comments
Labels
B: crash B: feature stopped working B: usability bug Something isn't working third-party Related to third-party logic

Comments

@andreas-bulling

Guidelines

  • I have encountered this bug in the latest release of FreeTube.
  • I have encountered this bug in the official downloads of FreeTube.
  • I have searched the issue tracker for open and closed issues that are similar to the bug report I want to file, without success.
  • I have searched the documentation for information that matches the description of the bug I want to file, without success.
  • This issue contains only one bug.

Describe the bug

  1. Installed the latest version 0.22
  2. Run on the console and look at output
2328249:1027/054053.089778:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/FreeTube/chrome-sandbox is owned by root and has mode 4755.
[1]    2328249 trace trap (core dumped)  freetube

Expected Behavior

freetube should start up as it did in previous versions

Issue Labels

causes crash, feature stopped working, usability issue

FreeTube Version

0.22

Operating System Version

Ubuntu 24.10

Installation Method

.deb

Primary API used

Local API

Last Known Working FreeTube Version (If Any)

0.21

Additional Information

No response

Nightly Build

@ChunkyProgrammer
Member

There are some workarounds in the replies to this issue: #5199

@CrazzzzyChipmunk

CrazzzzyChipmunk commented Oct 27, 2024

DISCLAIMER: I don't understand what exactly I did. Maybe some steps below are stupid and/or actually unnecessary and/or unsafe. Please report here if I did something wrong!


I encountered the same bug. Then I've done the following (instead of changing "kernel.apparmor_restrict_unprivileged_userns"):

  1. I created apparmor profile for "/usr/bin/freetube": I made a copy of "/etc/apparmor.d/chromium", named it as "/etc/apparmor.d/freetube" and edited that file (I replaced "chromium" with "freetube" everywhere in that file and specified the correct path to freetube binary).

  2. I reproduced the Step 1 above for "/opt/FreeTube/chrome-sandbox" in the same way.

  3. sudo systemctl restart apparmor.service

  4. sudo chmod 4755 "/opt/FreeTube/chrome-sandbox"

Now I have freetube 0.22.0 Beta working!


My freetube apparmor profile file (example):

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

@{freetube} = freetube

profile freetube /usr/bin/freetube flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/freetube>
}

@github-actions github-actions bot added the U: duplicate This issue or pull request already exists label Oct 27, 2024
@absidue absidue removed the U: duplicate This issue or pull request already exists label Oct 27, 2024
@absidue absidue reopened this Oct 27, 2024
@absidue absidue changed the title [Bug]: The SUID sandbox helper binary was found, but is not configured correctly. [Bug]: Ubuntu The SUID sandbox helper binary was found, but is not configured correctly. Oct 27, 2024
@efb4f5ff-1298-471a-8973-3d47447115dc

Upstream issue that should be solved by electron-userland/electron-builder#8636

@efb4f5ff-1298-471a-8973-3d47447115dc efb4f5ff-1298-471a-8973-3d47447115dc added the third-party Related to third-party logic label Oct 28, 2024
@darkstarfish1337

I first thought I had this problem #5963 on 24.04. When trying the workaround I received the problem stated in this thread. The suggested chmod/chown fix didn't work for me. The only way I got going again is to install the previous version again.

@absidue
Member

absidue commented Oct 30, 2024

@darkstarfish1337 Because of Ubuntu's strict security settings, you need to create an AppArmor profile for FreeTube. Ubuntu comes with preinstalled AppArmor profiles for popular apps like Chromium and Visual Studio Code, but understandably they don't include any for smaller apps like FreeTube.

Please follow the steps in CrazzzzyChipmunk's comment above.

@darkstarfish1337

darkstarfish1337 commented Oct 30, 2024

Woa, super quick reply!

Forgot to mention, that the profile didn't help, + also removing apparmor completely.

@CrazzzzyChipmunk

CrazzzzyChipmunk commented Oct 31, 2024

@darkstarfish1337,

I first thought I had this problem #5963 on 24.04. When trying the workaround I received the problem stated in this thread. The suggested chmod/chown fix didn't work for me. The only way I got going again is to install the previous version again.

Hi! The workaround I proposed here #5952 (comment) is intended for one purpose only: to avoid using the global setting kernel.apparmor_restrict_unprivileged_userns=0, as it (I assume) may make the system more vulnerable.

I suspect there are some other reasons in your system (and/or environment) that prevent freetube from starting. Try another old known workaround: #5199 (comment). And if my assumption is correct, this workaround will not work for you either.

@plutocrat

This happened to me after upgrade from .21 to .22 on Ubuntu 24. App wouldn't start, when launching from an icon.
I tried launching it from the command line, and got this error.
[15575:1101/104500.344527:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/FreeTube/chrome-sandbox is owned by root and has mode 4755. Trace/breakpoint trap (core dumped)
Following that advice allowed me to launch the app correctly: chmod 4755 chrome-sandbox

@nukeador

I can confirm this issue is still present in the recent 0.22.1 beta on the site; after the installation on Ubuntu the app breaks and you need to:

sudo chmod 4755 /opt/FreeTube/chrome-sandbox

@sicherist

I would like to propose to mention this problem under "known issues" on the "releases" page so Ubuntu users would be aware before installation.

@RoestVrijStaal

Can't the deb-package create an apparmor profile upon installation/update when installed on *buntu or when apparmor is present?

@CrazzzzyChipmunk

Can't the deb-package create an apparmor profile upon installation/update when installed on *buntu or when apparmor is present?

And also apply the necessary chmod and chown somewhere from the [pre-|post-]installation script? Why not?

@dangbert

I experience this issue every time I update freetube on Ubuntu. It makes me reluctant to update

for example I update with

$ sudo dpkg -i freetube_0.23.1_amd64.deb

$ ls -al /opt/FreeTube/chrome-sandbox 
-rwxr-xr-x 1 root 38K Feb  1 04:00 /opt/FreeTube/chrome-sandbox*

$ stat -c %a /opt/FreeTube/chrome-sandbox 
755

# now I fix the problem
sudo chmod 4755 /opt/FreeTube/chrome-sandbox 

$ stat -c %a /opt/FreeTube/chrome-sandbox
4755

@plutocrat

plutocrat commented Feb 25, 2025

A bit hacky, but using this script so I don't have to come back here every time to remember the command!

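#!/bin/bash
# Fetch the latest amd64 .deb linked from the FreeTube site, install it,
# then restore the setuid bit on the sandbox helper.
set -eu  # stop at the first failed step instead of carrying on

# First link on the download page that mentions an amd64 .deb
DOWNLOAD=$( curl -s "https://freetubeapp.io/#download" | grep "amd64.deb" | head -n 1 | awk -F  '"' '{print $2}' )
if [ -z "$DOWNLOAD" ]; then
    echo "No amd64 .deb link found on the download page" >&2
    exit 1
fi
echo "Getting $DOWNLOAD"
wget -O freetube-latest.deb "$DOWNLOAD"

echo "Installing"
sudo apt install ./freetube-latest.deb

echo "Fixing permissions"
sudo chmod 4755 /opt/FreeTube/chrome-sandbox

rm freetube-latest.deb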

@CrazzzzyChipmunk

CrazzzzyChipmunk commented Feb 25, 2025

A bit hacky, but using this script so I don't have to come back here every time to remember the command!

All that you suggest is already implemented, but in fact it does not work. Let's ask the devs – why?

Another question for developers looks much more interesting: why doesn't the postinst script do what it should? (the content is attached below)

Devs, can you rewrite the postinst script so that it does what is expected of it?


freetube_0.23.2_amd64.deb > control.tar.gz > postinst

#!/bin/bash

if type update-alternatives 2>/dev/null >&1; then
    # Remove previous link if it doesn't use update-alternatives
    if [ -L '/usr/bin/freetube' -a -e '/usr/bin/freetube' -a "`readlink '/usr/bin/freetube'`" != '/etc/alternatives/freetube' ]; then
        rm -f '/usr/bin/freetube'
    fi
    update-alternatives --install '/usr/bin/freetube' 'freetube' '/opt/FreeTube/freetube' 100 || ln -sf '/opt/FreeTube/freetube' '/usr/bin/freetube'
else
    ln -sf '/opt/FreeTube/freetube' '/usr/bin/freetube'
fi

# Check if user namespaces are supported by the kernel and working with a quick test:
if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
    # Use SUID chrome-sandbox only on systems without user namespaces:
    chmod 4755 '/opt/FreeTube/chrome-sandbox' || true # 👈 🤔🔍
else
    chmod 0755 '/opt/FreeTube/chrome-sandbox' || true
fi

if hash update-mime-database 2>/dev/null; then
    update-mime-database /usr/share/mime || true
fi

if hash update-desktop-database 2>/dev/null; then
    update-desktop-database /usr/share/applications || true
fi
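
Added example, not part of any comment in this thread and not FreeTube or electron-builder code: a read-only check of the two conditions the thread keeps returning to, the owner and mode demanded by the FATAL message and the kernel.apparmor_restrict_unprivileged_userns sysctl. The function names, the HELPER variable and reading the sysctl through its /proc/sys path are choices made for this example.

```shell
#!/bin/sh
# Added example (constructed): read-only checks, nothing is modified.

# helper_state PATH -> "missing", "ok", or "bad owner=UID mode=MODE".
# "ok" is the condition from the FATAL message: owner root, mode 4755.
helper_state() {
    [ -e "$1" ] || { echo "missing"; return 0; }
    uid=$(stat -c %u "$1")    # numeric owner, 0 is root
    mode=$(stat -c %a "$1")   # octal mode, e.g. 755 or 4755
    if [ "$uid" = 0 ] && [ "$mode" = 4755 ]; then
        echo "ok"
    else
        echo "bad owner=$uid mode=$mode"
    fi
}

# userns_restricted [FILE] -> "yes", "no" or "unknown".
# FILE defaults to the /proc view of kernel.apparmor_restrict_unprivileged_userns.
userns_restricted() {
    f=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
    [ -r "$f" ] || { echo "unknown"; return 0; }
    case "$(cat "$f")" in
        1) echo "yes" ;;
        0) echo "no" ;;
        *) echo "unknown" ;;
    esac
}

# diagnose HELPER_STATE RESTRICTED -> one-line summary of both checks.
diagnose() {
    case "$1:$2" in
        ok:*)      echo "helper is root-owned with mode 4755" ;;
        missing:*) echo "helper not found" ;;
        *:yes)     echo "helper fails the root/4755 check and unprivileged userns is restricted" ;;
        *)         echo "helper fails the root/4755 check; userns restriction: $2" ;;
    esac
}

# Default path is the one named in the error message on this page.
HELPER=${HELPER:-/opt/FreeTube/chrome-sandbox}
echo "$HELPER: $(helper_state "$HELPER")"
diagnose "$(helper_state "$HELPER")" "$(userns_restricted)"
```

Running it before and after a package upgrade shows whether the installer reset the helper's mode.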

@kmille

kmille commented Mar 8, 2025

Hey,
I installed FreeTube on Arch Linux using AUR. I can't start it:

kmille@linbox:~ /usr/bin/freetube
[61606:0306/121235.719613:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/FreeTube/chrome-sandbox is owned by root and has mode 4755.
zsh: trace trap (core dumped)  /usr/bin/freetube

If I set the setuid bit, it works. But my question is: Why do you need root permissions? I would like to understand before I give a browser root permission. Couldn't find something about it.

Also the Arch package did not set the setuid flag.

@absidue
Member

absidue commented Mar 8, 2025

Can you rewrite the postinst script so that it does what is expected of it?

@CrazzzzyChipmunk Simple answer, no. We don't do the packaging ourselves, we use an external tool to do that for us.

Also the Arch package did not set the setuid flag.

@kmille As mentioned in the README the AUR packages are not maintained by the FreeTube team so any changes you want made to them need to be reported to their respective maintainers.

Why do you need root permissions? I would like to understand before I give a browser root permission. Couldn't find something about it.

Because to be able to set up the sandbox to properly isolate the individual processes at the OS level, it has to talk to the kernel and it can only do that with root permissions. In other words, so that everything else can have fewer permissions and be more secure, one specific part needs more permissions.

@absidue absidue marked this as a duplicate of #6992 Mar 10, 2025
@carnendil

I can report the same problem happening in Ubuntu Unity 24.04 and Lubuntu 24.04.

The last version that did not crash on launch like this, for me, was 0.21.3.

The solution proposed in #5952 (comment) works fine, but it would be better if the .deb installer took care of that.

@efb4f5ff-1298-471a-8973-3d47447115dc

fixed by #7084

@trevorpburke

fixed by #7084

i downloaded the source code for latest release, 0.23.4, and it's showing "^25.1.8" for electron-builder in packages.json. not ^26.0.12

@absidue
Member

absidue commented Apr 25, 2025

@trevorpburke That's because it's a hotfix release and those only include the changes that are absolutely necessary so that they can go out quicker, if you look at the changelog you'll only notice two things.

@trevorpburke

@absidue ah sorry i understand now. 0.23.4 was a hotfix release.

looks like I should try out: https://github.com/FreeTubeApp/FreeTube/actions/runs/14129256891
