fix: don't setuid chrome-sandbox when not required

This is not necessary in many environments, so we now test for whether this is required and then enable it only when necessary.
electron-userland · Jul 22, 2024 · 2c890cd · 2c890cd
1 parent b3073f5
commit 2c890cd
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/.changeset/purple-terms-sing.md b/.changeset/purple-terms-sing.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: don't setuid chrome-sandbox when not required
diff --git a/packages/app-builder-lib/templates/linux/after-install.tpl b/packages/app-builder-lib/templates/linux/after-install.tpl
@@ -10,8 +10,13 @@ else
     ln -sf '/opt/${sanitizedProductName}/${executable}' '/usr/bin/${executable}'
 fi
 
-# SUID chrome-sandbox for Electron 5+
-chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
+# Check if user namespaces are supported by the kernel and working with a quick test:
+if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
+    # Use SUID chrome-sandbox only on systems without user namespaces:
+    chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
+else
+    chmod 0755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
+fi
 
 if hash update-mime-database 2>/dev/null; then
     update-mime-database /usr/share/mime || true