TL;DR
If you’ve ever tried running an AppImage on Ubuntu only to be greeted with a frustrating error message, you’re not alone. The error about the “SUID sandbox helper binary” has become increasingly common, especially with newer Ubuntu versions like 24.04. Today, I’ll walk you through the best solution to fix this issue while maintaining your system’s security.
New security features in Ubuntu 23.04 and later may prevent AppImages from launching, both from the command line and from .desktop files. You have several methods to overcome this, with
Understanding the Problem
The error typically looks something like this:
[7927:0809/180444.456767:FATAL:sandbox/linux/suid/client/setuid_sandbox_host.cc:169] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount_LM-StuPW2X85/chrome-sandbox is owned by root and has mode 4755.
This occurs because many AppImages use Electron, which requires specific sandbox configurations to run securely. Ubuntu 24.04 introduced stricter AppArmor policies that prevent these applications from creating the necessary sandbox environment.
While there are several workarounds (like running with --no-sandbox), they compromise security. The best solution is to create a proper AppArmor profile that allows the application to use unprivileged user namespaces while maintaining security boundaries.
Why the AppArmor Solution is Best
Creating an AppArmor profile is the most secure approach because it:
- Follows Ubuntu’s security best practices
- Maintains sandboxing capabilities
- Only affects the specific application
- Doesn’t compromise overall system security
- Provides a permanent fix
Step-by-Step Guide: Creating an AppArmor Profile
Follow these steps to create a custom AppArmor profile for your AppImage:
Step 1: Identify Your AppImage Path
First, locate where you’ve stored your AppImage file. For this example, let’s assume it’s in your Downloads folder:
~/Downloads/YourAppImage.AppImage
Step 2: Create the AppArmor Profile File
Open a terminal and create a new profile file using nano (or your preferred text editor):
sudo nano /etc/apparmor.d/yourappimage
Step 3: Add the Profile Configuration
Paste the following content into the file. Remember to replace /path/to/your/AppImage.AppImage with the actual path to your AppImage:
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/3.0>,
include <tunables/global>
profile yourappimage /path/to/your/AppImage.AppImage flags=(default_allow) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/yourappimage>
}
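For example, if your AppImage is in your Downloads folder, you would replace /path/to/your/AppImage.AppImage with /home/username/Downloads/YourAppImage.AppImage.
Use the full absolute path: AppArmor attaches the profile by path, so it stops applying if the AppImage is moved or renamed. As the comment in the profile says, flags=(default_allow) does not restrict the application; the profile only gives it a name and the userns permission, so the application's own sandbox can create user namespaces.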
Step 4: Save and Exit
In nano, press Ctrl+X, then Y to confirm, and Enter to save.
Step 5: Reload AppArmor
Apply the new profile by reloading AppArmor:
sudo systemctl reload apparmor.service
If this command doesn’t work or you encounter any issues, simply reboot your system.
Step 6: Run Your AppImage
Now you should be able to run your AppImage without any errors:
/path/to/your/AppImage.AppImage
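Steps 1 to 5 as a script, added here as an example and not part of the original post: it renders the Step 3 profile for a given AppImage path and refuses paths that AppArmor would read as a glob or would never match. The function names profile_name_for and render_profile are invented for this example.

```shell
#!/bin/sh
# Added example (not from the original post): render the Step 3 profile
# for one AppImage. Function names are invented for this illustration.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Profile and file name: AppImage file name, lower-cased, ".AppImage"
# dropped, anything outside [a-z0-9_.-] replaced with "_".
profile_name_for() {
    base=${1##*/}
    base=${base%.AppImage}
    printf '%s' "$base" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_.-' '_'
}

# Print the profile for an absolute, normalised path; return 1 otherwise.
render_profile() {
    path=$1
    case $path in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    # AppArmor matches the resolved path, so "." / ".." / "//" never attach.
    case $path/ in
        */./*|*/../*|*//*) echo "path not normalised: $path" >&2; return 1 ;;
    esac
    # The attachment is an AppArmor glob: refuse anything outside a plain
    # allowlist ("*", "?", "{", spaces, quotes ...) rather than emit it.
    case $path in
        *[!A-Za-z0-9_./+-]*)
            echo "rename the file, unsupported character in: $path" >&2; return 1 ;;
    esac
    name=$(profile_name_for "$path")
    cat <<EOF
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/3.0>,
include <tunables/global>
profile $name $path flags=(default_allow) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Demo with the article's example path (prints only, changes nothing).
# To install, pipe the output to "sudo tee /etc/apparmor.d/<name>" and reload.
render_profile /home/username/Downloads/YourAppImage.AppImage
```

An AppImage whose name contains spaces or glob characters is rejected on purpose; rename the file first so the profile attaches to exactly one path.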
Alternative for Specific Applications
Some applications have default AppArmor profiles that you can utilize. For example, if you’re running Obsidian:
- Create the directory structure:
sudo mkdir -p /opt/Obsidian
- Move your AppImage there:
sudo mv /path/to/Obsidian.AppImage /opt/Obsidian/obsidian
- Make it executable:
sudo chmod +x /opt/Obsidian/obsidian
This works because there’s already a default profile for Obsidian that expects the binary to be at /opt/Obsidian/obsidian.
Other Solutions (Not Recommended)
While the AppArmor solution is best, here are other approaches you might encounter:
The --no-sandbox Flag
./YourAppImage.AppImage --no-sandbox
This disables all sandboxing, reducing security.
Direct Permission Fix
./YourAppImage.AppImage --appimage-extract
cd squashfs-root
sudo chown root chrome-sandbox
sudo chmod 4755 chrome-sandbox
./AppRun
This is temporary and needs to be repeated for each session.
System-Wide Configuration
This involves making system-wide changes that disable sandboxing for all AppImages, which isn’t recommended for security reasons. An example is enabling unprivileged user namespaces:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
echo 'kernel.apparmor_restrict_unprivileged_userns = 0' | sudo tee /etc/sysctl.d/20-apparmor-donotrestrict.conf
Troubleshooting
If you encounter issues after creating the profile:
- Reboot your system if the reload didn’t work properly.
- Check for typos in the profile file, especially the path to your AppImage.
- Verify the profile loaded with:
sudo aa-status
- Check the AppArmor logs with:
journalctl -t apparmor
Conclusion
The AppArmor profile solution provides the best balance between functionality and security when dealing with AppImage sandbox errors on Ubuntu. While it requires a few more steps than quick workarounds, it ensures your applications run as intended without compromising your system’s security.
Remember to create a new profile for each AppImage that encounters this issue, using the specific path to each application. With this approach, you can enjoy the convenience of AppImages while maintaining a secure Ubuntu system.