Arch Linux User Repository

@Zoddo: Thanks for bringing this to my attention! But now I am obliged to check that the chrome-sandbox binary coming in the binary package I'm using in this recipe, is the clean one that deserves to be run as root. And it's even more tough, because the release package uses such an old electron build (15.3.0). So I have to choose between suid'ing an old and unknown wrapper app or limiting the package to be only used in not strict configured environments regarding user namespaces.

I think for now, I will go with the first variant, but with a bad taste in my mouth.

@kolewu: It's not Chrome itself, but the sandbox helper that needs to run as root. This happens if you disable unprivileged user namespace with sysctl (kernel.unprivileged_userns_clone=0) which is a recommended hardening method to enable.

The SUID flag is already set on official packages such as chromium or electron so you should be fine to set it :)

Thanks Necoro. I finally have managed to merge your changes. Sorry for the delay.

MrGamy: With the above changes unzip is no longer necessary.

Zoddo: Cannot reproduce your issue. It should absolutely never be necessary to start something like Chrome as root!

please add unzip as a dependency

sieve-app.desktop[2145953]: [2145953:1227/193709.667530:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/sieve-app/chrome-sandbox is owned by root and has mode 4755.

Looks like you are missing a chmod u+s "${pkgdir}/opt/${_appname}/chrome-sandbox"

Hi kolewu,

I updated the PKGBUILD to fix the following shortcomings: * Invalid license name * Missing required dependencies * Instead of using unzip (which would add another dependency), rely on builtin extraction

You can find the PKGBUILD at https://git.necoro.dev/aur/sieve-app-bin.git, which can also be directly used for pulling/merging.