From 355db70054f519a019e9738f6f3280cd2d45b730 Mon Sep 17 00:00:00 2001 From: Paul d'Aoust Date: Wed, 22 May 2024 14:20:23 -0700 Subject: [PATCH 1/8] add instructions for fixing security error in Ubuntu 24.04 --- src/pages/get-started/3-forum-app-tutorial.md | 10 +++++++++ src/pages/get-started/install-advanced.md | 22 ++++++++++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/src/pages/get-started/3-forum-app-tutorial.md b/src/pages/get-started/3-forum-app-tutorial.md index 77e0658b0..39a9209d9 100644 --- a/src/pages/get-started/3-forum-app-tutorial.md +++ b/src/pages/get-started/3-forum-app-tutorial.md @@ -795,6 +795,16 @@ Before you get started editing the UI, it's helpful to be able to actually run t ## 8. Run your application in dev mode +!!! info "Warning for Ubuntu 24.04 and later +Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the next command to fail. Here's a simple fix. In your terminal, run this command: + +```shell +chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox +``` + +You can find out more [here](/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). +!!! + At this stage, we'll incorporate some of the UI components that have been scaffolded by the scaffolding tool into our main application interface. Our aim here is to make all the functionality of our forum application accessible from a single, unified interface. We'll use Svelte to accomplish this, as it is the framework that we have chosen for the UI layer of our application. Start the forum hApp in develop mode from the command line: go to your terminal and, from the root folder (`my_forum_app/`), enter: diff --git a/src/pages/get-started/install-advanced.md b/src/pages/get-started/install-advanced.md index 97bea8ecc..3d42ec0a5 100644 
--- a/src/pages/get-started/install-advanced.md +++ b/src/pages/get-started/install-advanced.md 
@@ -265,4 +265,24 @@ rm -rf /nix rm ~/.nix-profile ``` -[Detailed uninstallation instructions for macOS](https://gist.github.com/chriselsner/3ebe962a4c4bd1f14d39897fc5619732#uninstalling-nix) \ No newline at end of file +[Detailed uninstallation instructions for macOS](https://gist.github.com/chriselsner/3ebe962a4c4bd1f14d39897fc5619732#uninstalling-nix) + +## Fixing the SUID sandbox error in Ubuntu 24.04 + +Ubuntu 24.04 [introduced an AppArmor security policy](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that causes `hc spin`, which is used to test applications and their UIs, to fail with a fatal error: + +``` +[FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /node_modules/electron/dist/chrome-sandbox is owned by root and has mode 4755. +``` + +Following those instructions by entering the following command in your project's root directory will fix the issue: + +```shell +chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox +``` + +There are other fixes [outlined in the Ubuntu 24.04 release notes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that can solve the problem; if you'd like to learn more, read through them all and choose the one that feels most appropriate for you. + +### Redistributable applications created with [`holochain-kangaroo-electron`](https://github.com/holochain-apps/holochain-kangaroo-electron) are also affected + +Because the template repo `holochain-kangaroo-electron` also bundles Electron's chrome-sandbox in the binary that you'd distribute, your users will see the same error message when they try to run your application if you've used this repo. 
We're still researching the best solution, but since Ubuntu is recommending it, we recommend applying the first situation in the release notes, which involves creating an AppArmor profile for your app. This profile could then be distributed and installed alongside it. (Note: this won't work with portable application packages that aren't installed as root, such as `AppImage`s.) \ No newline at end of file From c6ac8e9e8f9a64bfc25d76804f9d899ac0a46335 Mon Sep 17 00:00:00 2001 From: Paul d'Aoust Date: Wed, 22 May 2024 14:22:08 -0700 Subject: [PATCH 2/8] add dictionary exceptions --- .cspell/custom-words.txt | 2 ++ .cspell/words-that-should-exist.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.cspell/custom-words.txt b/.cspell/custom-words.txt index 006f8e820..6eab388eb 100644 --- a/.cspell/custom-words.txt +++ b/.cspell/custom-words.txt @@ -27,6 +27,8 @@ QUIC rustc rustflags rustup +setgid +setuid subl Tauri Ulhaq diff --git a/.cspell/words-that-should-exist.txt b/.cspell/words-that-should-exist.txt index f0303fc5a..97c97ed7f 100644 --- a/.cspell/words-that-should-exist.txt +++ b/.cspell/words-that-should-exist.txt @@ -15,8 +15,10 @@ howtos interoperating permissioned permissivity +redistributable runtimes sandboxed +sandboxing scaffolder spacebar todo From cb79493659e3fa02a7180dc39bf7e2a2e9bafe63 Mon Sep 17 00:00:00 2001 From: Paul d'Aoust Date: Wed, 22 May 2024 14:25:11 -0700 Subject: [PATCH 3/8] fix broken links --- src/pages/get-started/2-hello-world.md | 11 +++++++++++ src/pages/get-started/3-forum-app-tutorial.md | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/pages/get-started/2-hello-world.md b/src/pages/get-started/2-hello-world.md index 8a5e8ea04..1456dc0d0 100644 --- a/src/pages/get-started/2-hello-world.md +++ b/src/pages/get-started/2-hello-world.md 
@@ -30,6 +30,17 @@ nix develop ```shell npm install ``` + +!!! info "Warning for Ubuntu 24.04 and later +Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the next command to fail. Here's a simple fix. In your terminal, run this command: + +```shell +chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox +``` + +You can find out more [here](/get-started/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). +!!! + ```shell npm start ``` diff --git a/src/pages/get-started/3-forum-app-tutorial.md b/src/pages/get-started/3-forum-app-tutorial.md index 39a9209d9..cbc033e7e 100644 --- a/src/pages/get-started/3-forum-app-tutorial.md +++ b/src/pages/get-started/3-forum-app-tutorial.md @@ -802,7 +802,7 @@ Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox ``` -You can find out more [here](/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). +You can find out more [here](/get-started/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). !!! At this stage, we'll incorporate some of the UI components that have been scaffolded by the scaffolding tool into our main application interface. Our aim here is to make all the functionality of our forum application accessible from a single, unified interface. We'll use Svelte to accomplish this, as it is the framework that we have chosen for the UI layer of our application. From b6f6ea7a9e59b841974f22333c48070a12316cf6 Mon Sep 17 00:00:00 2001 
From: Paul d'Aoust Date: Fri, 24 May 2024 09:19:11 -0700 Subject: [PATCH 4/8] add note that Ubuntu fix has to be applied (only) once per new proj --- src/pages/get-started/2-hello-world.md | 2 +- src/pages/get-started/3-forum-app-tutorial.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/get-started/2-hello-world.md b/src/pages/get-started/2-hello-world.md index 1456dc0d0..b2bc09194 100644 --- a/src/pages/get-started/2-hello-world.md +++ b/src/pages/get-started/2-hello-world.md @@ -38,7 +38,7 @@ Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox ``` -You can find out more [here](/get-started/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). +You'll need to do this once (but only once) for every new project you scaffold. You can find out more [here](/get-started/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). !!! ```shell diff --git a/src/pages/get-started/3-forum-app-tutorial.md b/src/pages/get-started/3-forum-app-tutorial.md index cbc033e7e..3c6bc5ac0 100644 --- a/src/pages/get-started/3-forum-app-tutorial.md +++ b/src/pages/get-started/3-forum-app-tutorial.md 
@@ -802,7 +802,7 @@ Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox ``` -You can find out more [here](/get-started/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). +You'll need to do this once (but only once) for every new project you scaffold. You can find out more [here](/get-started/install-advanced/#fixing-the-suid-sandbox-error-in-ubuntu-24-04). !!! At this stage, we'll incorporate some of the UI components that have been scaffolded by the scaffolding tool into our main application interface. Our aim here is to make all the functionality of our forum application accessible from a single, unified interface. We'll use Svelte to accomplish this, as it is the framework that we have chosen for the UI layer of our application. From b4361e9b882fbf2988cd0de38b2a7c4d0c85f34f Mon Sep 17 00:00:00 2001 From: Paul d'Aoust Date: Fri, 24 May 2024 09:30:23 -0700 Subject: [PATCH 5/8] edits to Ubuntu help on advanced page --- src/pages/get-started/install-advanced.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/pages/get-started/install-advanced.md b/src/pages/get-started/install-advanced.md index 3d42ec0a5..e3b02adea 100644 --- a/src/pages/get-started/install-advanced.md +++ b/src/pages/get-started/install-advanced.md 
@@ -269,18 +269,20 @@ rm ~/.nix-profile ## Fixing the SUID sandbox error in Ubuntu 24.04 -Ubuntu 24.04 [introduced an AppArmor security policy](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that causes `hc spin`, which is used to test applications and their UIs, to fail with a fatal error: +Ubuntu 24.04 [introduced an AppArmor security policy](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that causes `hc spin`, which is used to test applications and their UIs, to fail with a fatal error. If you have a `package.json` that lists `@holochain/hc-spin` as a dev dependency, you may see this error message: ``` [FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /node_modules/electron/dist/chrome-sandbox is owned by root and has mode 4755. ``` -Following those instructions by entering the following command in your project's root directory will fix the issue: +You can fix the issue by entering the following command in your project's root directory: ```shell chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox ``` +You'll have to do this for every project that uses `@holochain/hc-spin`. + There are other fixes [outlined in the Ubuntu 24.04 release notes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that can solve the problem; if you'd like to learn more, read through them all and choose the one that feels most appropriate for you. ### Redistributable applications created with [`holochain-kangaroo-electron`](https://github.com/holochain-apps/holochain-kangaroo-electron) are also affected 
From fc8ba9aba9598a21124a61df778017cdf9678774 Mon Sep 17 00:00:00 2001 From: Paul d'Aoust Date: Fri, 24 May 2024 09:33:14 -0700 Subject: [PATCH 6/8] tiny changes to ubuntu guidance --- src/pages/get-started/2-hello-world.md | 2 +- src/pages/get-started/3-forum-app-tutorial.md | 2 +- src/pages/get-started/install-advanced.md | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/pages/get-started/2-hello-world.md b/src/pages/get-started/2-hello-world.md index b2bc09194..c89371017 100644 --- a/src/pages/get-started/2-hello-world.md +++ b/src/pages/get-started/2-hello-world.md @@ -32,7 +32,7 @@ npm install ``` !!! info "Warning for Ubuntu 24.04 and later -Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the next command to fail. Here's a simple fix. In your terminal, run this command: +Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the following command to fail. Here's a simple fix. In your terminal, run this command: ```shell chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox diff --git a/src/pages/get-started/3-forum-app-tutorial.md b/src/pages/get-started/3-forum-app-tutorial.md index 3c6bc5ac0..22001f43a 100644 --- a/src/pages/get-started/3-forum-app-tutorial.md +++ b/src/pages/get-started/3-forum-app-tutorial.md 
@@ -796,7 +796,7 @@ Before you get started editing the UI, it's helpful to be able to actually run t ## 8. Run your application in dev mode !!! info "Warning for Ubuntu 24.04 and later -Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the next command to fail. Here's a simple fix. In your terminal, run this command: +Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the following command to fail. Here's a simple fix. In your terminal, run this command: ```shell chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox diff --git a/src/pages/get-started/install-advanced.md b/src/pages/get-started/install-advanced.md index e3b02adea..44f296309 100644 --- a/src/pages/get-started/install-advanced.md +++ b/src/pages/get-started/install-advanced.md @@ -271,9 +271,11 @@ rm ~/.nix-profile Ubuntu 24.04 [introduced an AppArmor security policy](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that causes `hc spin`, which is used to test applications and their UIs, to fail with a fatal error. If you have a `package.json` that lists `@holochain/hc-spin` as a dev dependency, you may see this error message: +::: output-block ``` [FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /node_modules/electron/dist/chrome-sandbox is owned by root and has mode 4755. ``` +::: You can fix the issue by entering the following command in your project's root directory: 
@@ -281,7 +283,7 @@ You can fix the issue by entering the following command in your project's root d chmod 4755 node_modules/electron/dist/chrome-sandbox && sudo chown root:root node_modules/electron/dist/chrome-sandbox ``` -You'll have to do this for every project that uses `@holochain/hc-spin`. +You'll have to do this for every hApp project that uses `@holochain/hc-spin`. There are other fixes [outlined in the Ubuntu 24.04 release notes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that can solve the problem; if you'd like to learn more, read through them all and choose the one that feels most appropriate for you. From eb19d1904d04e329eeea9e8413e9a8b4ead76985 Mon Sep 17 00:00:00 2001 From: Paul d'Aoust Date: Fri, 24 May 2024 10:54:20 -0700 Subject: [PATCH 7/8] ugh, typos --- src/pages/get-started/2-hello-world.md | 2 +- src/pages/get-started/3-forum-app-tutorial.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/get-started/2-hello-world.md b/src/pages/get-started/2-hello-world.md index c89371017..a7b73da18 100644 --- a/src/pages/get-started/2-hello-world.md +++ b/src/pages/get-started/2-hello-world.md @@ -31,7 +31,7 @@ nix develop npm install ``` -!!! info "Warning for Ubuntu 24.04 and later +!!! info Warning for Ubuntu 24.04 and later Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the following command to fail. Here's a simple fix. In your terminal, run this command: ```shell diff --git a/src/pages/get-started/3-forum-app-tutorial.md b/src/pages/get-started/3-forum-app-tutorial.md index 22001f43a..575fca00a 100644 --- a/src/pages/get-started/3-forum-app-tutorial.md +++ b/src/pages/get-started/3-forum-app-tutorial.md 
@@ -795,7 +795,7 @@ Before you get started editing the UI, it's helpful to be able to actually run t ## 8. Run your application in dev mode -!!! info "Warning for Ubuntu 24.04 and later +!!! info Warning for Ubuntu 24.04 and later Ubuntu Linux 24.04 [introduces security policy changes](https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15) that cause the following command to fail. Here's a simple fix. In your terminal, run this command: ```shell From 370fec7599adba9b254a20e7e7301a10a1a86413 Mon Sep 17 00:00:00 2001 From: Paul d'Aoust Date: Fri, 24 May 2024 10:58:30 -0700 Subject: [PATCH 8/8] nother typo --- src/pages/get-started/install-advanced.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/get-started/install-advanced.md b/src/pages/get-started/install-advanced.md index 44f296309..513877b3a 100644 --- a/src/pages/get-started/install-advanced.md +++ b/src/pages/get-started/install-advanced.md 
@@ -289,4 +289,4 @@ There are other fixes [outlined in the Ubuntu 24.04 release notes](https://disco ### Redistributable applications created with [`holochain-kangaroo-electron`](https://github.com/holochain-apps/holochain-kangaroo-electron) are also affected -Because the template repo `holochain-kangaroo-electron` also bundles Electron's chrome-sandbox in the binary that you'd distribute, your users will see the same error message when they try to run your application if you've used this repo. We're still researching the best solution, but since Ubuntu is recommending it, we recommend applying the first situation in the release notes, which involves creating an AppArmor profile for your app. This profile could then be distributed and installed alongside it. (Note: this won't work with portable application packages that aren't installed as root, such as `AppImage`s.) \ No newline at end of file +Because the template repo `holochain-kangaroo-electron` also bundles Electron's chrome-sandbox in the binary that you'd distribute, your users will see the same error message when they try to run your application if you've used this repo. We're still researching the best solution, but since Ubuntu is recommending it, we recommend applying the first solution in the release notes, which involves creating an AppArmor profile for your app. This profile could then be distributed and installed alongside it. (Note: this won't work with portable application packages that aren't installed as root, such as `AppImage`s.) \ No newline at end of file
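Review bot: The command added in the `install-advanced.md` hunk of [PATCH 1/8], and copied into the admonitions in `2-hello-world.md` and `3-forum-app-tutorial.md`, runs `chmod 4755` before `sudo chown root:root`. On Linux, changing the owner of a regular file clears its setuid bit, even when root makes the change, so the file ends up owned by root with mode 0755 rather than the 4755 the quoted error message asks for. Change the owner first and set the mode second, both under sudo because the file is root-owned by then: `sudo chown root:root node_modules/electron/dist/chrome-sandbox && sudo chmod 4755 node_modules/electron/dist/chrome-sandbox`. It would also help to give readers a check, for example `stat -c '%U:%G %a' node_modules/electron/dist/chrome-sandbox`, which should print `root:root 4755`.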
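Review bot: `setgid` in the `.cspell/custom-words.txt` hunk of [PATCH 2/8] is not used by any text this series adds; only `setuid` occurs, in the quoted `setuid_sandbox_host.cc` message. Drop `setgid` unless another page needs it, so the exception list only carries words that actually appear in the docs.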
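Review bot: "once (but only once) for every new project you scaffold", added in both hunks of [PATCH 4/8], overstates how long the fix lasts. The file being changed lives under `node_modules/`, so deleting and reinstalling `node_modules` produces a fresh copy owned by the user without the setuid bit, and the error returns. Suggest wording along the lines of "once per project, and again whenever `node_modules` is reinstalled", which also matches the "every project that uses `@holochain/hc-spin`" sentence added in [PATCH 5/8].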
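Review bot: The `holochain-kangaroo-electron` paragraph corrected in [PATCH 8/8] recommends "creating an AppArmor profile for your app" but leaves two gaps for someone shipping an app. It does not say what the profile has to permit or how it gets installed, and the closing note rules out `AppImage`s without saying what those users should do instead. Link straight to the profile example in the release notes, state that installing the profile needs root on the user's machine, and say explicitly that there is no recommended fix for portable packages yet if that is the case.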