Why do some appimages require "--no-sandbox" to run?

[koulaxizis]

Hello! Some Appimages on Puppy require a "--no-sandbox" attribution to run.

What does that mean for the app and how does it affect the user?

[mikewalsh]

@koulaxizis :-

99 times out of 100, all it means - in real terms - is that they don't like Puppy's 'run-as-root' model.......and are expecting to run as a "normal" user in a mainstream, multi-user distro, complete with restricted privileges.

Usually, the AppImages that give this complaint are Electron-based - meaning built around a stripped-back Chromium browser - and the "--no-sandbox" switch is the way that the Chromium Project (a.k.a Big Brother Google) lets you run without the above-mentioned "user" restrictions.....naturally, it's all at your own risk, of course.

In real terms, it makes no noticeable difference, TBH.

Mike.

[Flash]

How does an app even know that it's running as root?

[6502coder]

It's easy for an app to check if the root user is running it. There are standard system calls in C like getuid() that will do this.

[williams2]

And in a shell script:

Code: Select all

# echo $UID 
0
# su spot
$ echo $UID 
502
$ 

[mikeslr]

And from the foregoing you might have guessed that rather than including the argument "--no-sandbox", you can often/always? call the executable with the argument "run-as-spot"; although doing so may not always get you Spot's restriction of only being able to read-from/write to Spot's folder.

[dancytron]

Electron apps run so well in Puppy/Dogs with those little adjustments.

We should have a sticky with the ways to run them.

[mikewalsh]

Electron apps run so well in Puppy/Dogs with those little adjustments.

We should have a sticky with the ways to run them.

^^^ Yeah; this I agree with. We should. Wouldn't be a bad idea at all.....

Mike.

[wiak]

And from the foregoing you might have guessed that rather than including the argument "--no-sandbox", you can often/always? call the executable with the argument "run-as-spot";

although doing so may not always get you Spot's restriction of only being able to read-from/write to Spot's folder.

That last part is an important point. What I do in my own use on WDL_Arch64 (when not logging in as a normal user (which is now actually my usual practice for many reasons) is to modify the permissions on what is effectively my /mnt/home directory to be user: weedog; group: weedog. That's my major partition, so with that alteration, my normal user 'weedog' can read and write anything not only into /home/weedog (its home folder) but also into anything on /mnt/home. WDL_Arch64 is of course a full multiuser system so I can have as many different 'normal' users as I wish (and either give them similar rights or not, or put them into sudo group to simplify their use of root privileges anyway).

Nowadays, so many apps (and various daemons, such as pulseaudio) complain if you try to run them as root user, and who knows, 'maybe' one day Chromium-based distros (and other web-browsers) will no longer allow running under --no-sandbox option. Best to prepare for that since there may end up being no easy work-around anyway.

wiak