Appimage release: '--install' fails to set caps due to fuse-mount permissions
Opened this issue · 3 comments
Is there an existing issue for this?
- I have searched the existing issues
Is your issue described in the documentation?
- I have read the documentation
Is your issue present in the latest beta/pre-release?
This issue is present in the latest pre-release
Describe the Bug
Following the documentation WRT the latest prerelease appimage:
$ ./sunshine.AppImage --install
Password:
KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess"
KERNEL=="uhid", TAG+="uaccess"
Failed to set capabilities on file '/tmp/.mount_sunshiH3L3t0/usr/bin/sunshine-v2024.930.214046': Permission denied
Appimage fuse mounts do not allow other users by default, and that includes root.
$ sudo ./sunshine.AppImage --install
KERNEL=="uinput", SUBSYSTEM=="misc", OPTIONS+="static_node=uinput", TAG+="uaccess"
KERNEL=="uhid", TAG+="uaccess"
Failed to set capabilities on file '/tmp/.mount_sunshiCkDmP5/usr/bin/sunshine-v2024.930.214046': Read-only file system
Appimage fuse mounts are read-only, because appimage is a squashfs. Nobody actually tested any of this, did they?
Expected Behavior
Installation steps in the documentation work as described for the appimage release. (./sunshine.AppImage --install, sudo setcap cap_sys_admin+p
Additional Context
Bonus bug, while filling out this report:
'/tmp/.mount_sunshivHk1IP/usr/bin/sunshine-v2024.930.214046 --help' says:
'--version | print the version of sunshine'
'/tmp/.mount_sunshivHk1IP/usr/bin/sunshine-v2024.930.214046 --version' says:
...Several things, none of which is the version number.
Host Operating System
Linux
Operating System Version
Gentoo Linux 2.15
Architecture
64 bit
Sunshine commit or version
2024.930.214046
Package
Linux - AppImage
GPU Type
AMD
GPU Model
RX 6700 XT
GPU Driver/Mesa Version
24.1.7
Capture Method
KMS (Linux)
Config
fps = [10,30,60,75]
resolutions = [
352x240,
480x360,
858x480,
1280x720,
1920x1080
]
capture = kms
channels = 2
back_button_timeout = 1000
min_log_level = 3
origin_web_ui_allowed = pc
encoder = vaapi
Apps
No response
Relevant log output
Irrelevant, issue pertains to installation.
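The two failures reported above can be predicted from the mount table before setcap is run. This is an added example, not part of the original issue or the Sunshine project. The function name, the output labels, and the sample mountinfo (including the mount name and fstype) are constructed for illustration.

```shell
#!/bin/sh
# Added example: why would setcap fail on this path? Classify the mount holding it.
# setcap_preflight PATH [MOUNTINFO|-] [UID]   (UID = user that runs setcap, default 0)

# Constructed mountinfo modelled on the report; the mount name and fstype are assumed.
SAMPLE_MOUNTINFO='22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
40 22 0:35 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw
95 40 0:60 / /tmp/.mount_sunshiEXAMPLE ro,nosuid,nodev,relatime shared:9 - fuse.sunshine.AppImage sunshine.AppImage ro,user_id=1000,group_id=1000'

setcap_preflight() {
    awk -v target="$1" -v caller="${3:-0}" '
    {
        mp = $5; fstype = ""; sopts = ""
        # Optional fields end at "-"; then come fstype, source, superblock options.
        for (i = 7; i <= NF; i++)
            if ($i == "-") { fstype = $(i + 1); sopts = $(i + 3); break }
        # Keep the longest mount point that contains the target (later lines shadow).
        if (mp == "/" || target == mp || index(target, mp "/") == 1)
            if (length(mp) >= best) { best = length(mp); bfs = fstype; bopts = $6; bsopts = sopts }
    }
    END {
        why = ""
        # FUSE without allow_other admits only the mounting uid, and that excludes root.
        if (bfs ~ /^fuse/ && ("," bsopts ",") !~ /,allow_other,/ && match(bsopts, /user_id=[0-9]+/)) {
            owner = substr(bsopts, RSTART + 8, RLENGTH - 8)
            if (owner != caller) why = why " fuse-owner-only(uid=" owner ")"
        }
        # A read-only mount cannot store the security.capability xattr.
        if (("," bopts ",") ~ /,ro,/ || ("," bsopts ",") ~ /,ro,/) why = why " read-only"
        if (why == "") print "ok"
        else print "blocked:" why
    }' "${2:-/proc/self/mountinfo}"
}

# Demo on the constructed sample: reports both blockers for a user-mounted AppImage.
printf '%s\n' "$SAMPLE_MOUNTINFO" | setcap_preflight /tmp/.mount_sunshiEXAMPLE/usr/bin/sunshine -
```

With the mount owned by uid 0 (the `sudo ./sunshine.AppImage --install` case) only the read-only blocker remains, which matches the second error in the report.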
This is a known issue, although I don't think it was in our bug tracker. Thanks for reporting.
Unfortunately I don't know how to fix. This was one idea, but I don't think it's the right approach. #2300
AFAICT the only "right" approaches are a: Don't use appimage or b: Don't use funky permissions. i.e. AppImageKit/issues/881
Much the same applies regarding flatpak, e.g. flatpak/issues/3858
You're trying to evade fairly sensible security restrictions, with both packaging formats and the use of cap_sys_admin in general. This is going to keep causing problems.
Would be nice to not have to use setcap, but our current wayland implementation requires it (X11 doesn't). You're welcome to submit a PR migrating wayland to the new flavor of desktop capture. #2955 (comment)