
Every flatpak app fails with this message:

$ flatpak run org.mozilla.firefox 
bwrap: Unexpected capabilities but not setuid, old file caps config?
error: ldconfig failed, exit status 256

Ubuntu Mantic, flatpak installed with apt.

It must be something with bubblewrap or with the way it’s used, because:

$ bwrap 
bwrap: Unexpected capabilities but not setuid, old file caps config?
$ sudo bwrap 
usage: bwrap [OPTIONS...] [--] COMMAND [ARGS...]
--help                       Print this help
--version                    Print version
...

More info for commenters:

$ type -a bwrap 
bwrap is /bin/bwrap
bwrap is /usr/bin/bwrap
bwrap is /bin/bwrap
$ ls -l /usr/bin/bwrap /bin/bwrap 
.rwxr-xr-x 72k root 28 Feb 10:38 /usr/bin/bwrap
.rwxr-xr-x 72k root 28 Feb 10:38 /bin/bwrap
$ sudo flatpak repair
[21/23] Verifying flathub:app/com.google.Chrome/x86_64/stable…
Checking remotes...
Pruning objects
Erasing .removed

$ unshare --map-root-user
$ whoami
root
$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1

I tried to set setuid for bwrap:

$ sudo chmod 4755 /usr/bin/bwrap

That makes flatpaks run, but with an ugly warning. I don’t think that’s a correct solution.


  • Please add to your question how Flatpak is installed and which release of Ubuntu you are running. – noisefloor Oct 15 '23 at 17:59
  • I cannot reproduce this problem. – vanadium Oct 16 '23 at 08:56
  • Please add the output of type -a bwrap and ls -l /usr/bin/bwrap /bin/bwrap – Raffa Oct 18 '23 at 10:39
  • Also, please run sudo flatpak repair and add its output to your question as well. – Raffa Oct 18 '23 at 11:17
  • You should not need setuid, so remove it sudo chmod -s /usr/bin/bwrap … But you need the owner to be root, so change it sudo chown root:root /usr/bin/bwrap – Raffa Oct 18 '23 at 12:52
  • User namespaces are enabled by default on recent kernels, so you shouldn’t need to do any of the other instructions printed in your terminal screenshot either. – Raffa Oct 18 '23 at 12:55
  • sudo chmod 0755 /usr/bin/bwrap is another way of removing setuid bit as well if you prefer it. – Raffa Oct 18 '23 at 12:58
  • By the way ... You are running the default Ubuntu kernel, aren't you? – Raffa Oct 18 '23 at 13:32
  • Yes, I did 0755. Yes, default kernel. – pacholik Oct 18 '23 at 14:06
  • setuid might be needed only if the kernel user namespaces is disabled ... See https://askubuntu.com/a/1475718 and check please. – Raffa Oct 18 '23 at 14:12
  • That works fine, see edit. – pacholik Oct 18 '23 at 14:23
  • That leaves flatpak itself as a potential culprit ... Try sudo dpkg-reconfigure flatpak and check ... If not fixed, try sudo apt install --reinstall flatpak ... If not, then be prepared to uninstall all flatpak apps with flatpak uninstall --all then purge the package manager itself with sudo apt purge flatpak ... Then, install it again sudo apt install flatpak ... SAVE YOUR DATA FIRST that might be handled by or saved under currently installed flatpak applications BEFORE PURGING FLATPAK – Raffa Oct 18 '23 at 14:48
  • Don't remove Bubblewrap ... Sorry, Many reverse dependencies, so not a good idea .. But a reinstall should be safe sudo apt install --reinstall bubblewrap – Raffa Oct 18 '23 at 14:52
  • I tried all of that. – pacholik Oct 19 '23 at 07:29
  • It's obvious what is happening, but not why it's happening ... Therefore, I added some notes that hopefully will help ... As a side note for encouragement, I think it's solvable and rather simple to do so, but I can't recommend things like e.g. purging Bubblewrap then reinstalling it as it has many reverse dependencies and requires a certain level of care (the at-your-own-risk kind) :-) – Raffa Oct 19 '23 at 07:46

1 Answer


Not an answer, but important notes that don't fit into comments and will most likely help you or others trying to help solve this issue.

Note #1

This:

$ bwrap 
bwrap: Unexpected capabilities but not setuid, old file caps config?

Can be reproduced (on other systems with default normal functioning bwrap command) when nesting containers within other containers and asking for all capabilities to be used with e.g. --cap-add ALL like for example:

$ bwrap --bind / / --cap-add ALL -- bwrap --bind / / -- bash
bwrap: Unexpected capabilities but not setuid, old file caps config?

... Bubblewrap drops all capabilities within a sandbox and the child tasks cannot gain greater privileges than their parent. That's how it works, but I can't go into detail about how that might be causing this.

Now, why this is happening depends on what you have done either deliberately by hand or unknowingly by some script/package you installed ... So, only you can guess what.

Probable causes might be that you have enabled persistent user namespaces/sandboxes or something like it related to Bubblewrap configuration/settings.

Note #2

$ type -a bwrap 
bwrap is /bin/bwrap
bwrap is /usr/bin/bwrap
bwrap is /bin/bwrap

... should print bwrap is /bin/bwrap only once unless there are two routes leading to it ... Find out why and fix it.

Note #3

The kernel feature allowing unprivileged user namespaces is enabled by default in recent Ubuntu kernels ... That is a requirement for Bubblewrap to work without the setuid bit (the default) or otherwise the setuid bit on the executable binary file i.e. /usr/bin/bwrap might be required.

Note #4

The default ownership and permissions on the executable /usr/bin/bwrap should be:

$ ls -l /usr/bin/bwrap
-rwxr-xr-x 1 root root 72160 Feb 25  2022 /usr/bin/bwrap

... those can be restored with first setting ownership:

sudo chown root:root /usr/bin/bwrap

... then setting permissions:

sudo chmod 0755 /usr/bin/bwrap

or both actions at once with:

sudo dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap
– Raffa
  • It's weird having two /bin/bwrap files, how is that possible? Is one a link? – pbhj Oct 19 '23 at 18:32
  • @pbhj Given how type works and that the -a option searches every entry/directory in the user's search PATH, it could be as benign as a repeated /bin entry e.g. do PATH="${PATH}:/bin" and then do type -a bwrap to see how that is reflected in the output, but this case isn't common or expected (indicating some tinkering done by the user) and also it could be something else as well so I thought I'd mention it. – Raffa Oct 19 '23 at 19:03
  • That’s the case. I’ve got export PATH="$CARGO_HOME/bin:$PATH" while $CARGO_HOME being undeclared. – pacholik Oct 20 '23 at 08:29
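As an added example (not part of the original question or answer), a small POSIX shell script that checks the three conditions the answer's notes describe: duplicate PATH entries such as an empty $CARGO_HOME turning "$CARGO_HOME/bin" into "/bin" (Note #2), unprivileged user namespaces (Note #3), and root:root 0755 ownership of the bwrap binary with no setuid bit (Note #4). The BWRAP override variable, the use of GNU `stat -c`, and the fallback to user.max_user_namespaces on non-Ubuntu kernels are assumptions.

```shell
#!/bin/sh
# Diagnostic for the "Unexpected capabilities but not setuid" symptom.
# Assumes stock Ubuntu paths; BWRAP may be overridden for testing.
BWRAP="${BWRAP:-/usr/bin/bwrap}"

# Note #2: print each directory that occurs more than once in a PATH
# string (e.g. "/bin" after an unset $CARGO_HOME/bin was prepended).
path_duplicates() {
    printf '%s\n' "$1" | tr ':' '\n' | sort | uniq -d
}

# Note #4: owner/group must be root and mode exactly 755 (no setuid).
# Arguments are "owner group mode" as printed by `stat -c '%U %G %a'`.
perms_ok() {
    [ "$1" = "root" ] && [ "$2" = "root" ] && [ "$3" = "755" ]
}

# Note #3: returns 0 when the kernel allows unprivileged user namespaces.
userns_enabled() {
    # Ubuntu kernels expose kernel.unprivileged_userns_clone; assumed
    # fallback for other kernels: user.max_user_namespaces (0 = disabled).
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ]
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]
    else
        return 1
    fi
}

main() {
    dups=$(path_duplicates "$PATH")
    [ -z "$dups" ] && echo "PATH: no duplicate entries" \
                   || echo "PATH: duplicated entries: $dups"
    if [ -e "$BWRAP" ]; then
        set -- $(stat -c '%U %G %a' "$BWRAP")
        if perms_ok "$1" "$2" "$3"; then
            echo "$BWRAP: $1:$2 $3 (ok)"
        else
            echo "$BWRAP: $1:$2 $3 (expected root:root 755; see dpkg-statoverride)"
        fi
    else
        echo "$BWRAP: not found"
    fi
    userns_enabled && echo "user namespaces: enabled" \
                   || echo "user namespaces: disabled (setuid bwrap would be needed)"
}

main "$@"
```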