XDG_RUNTIME_DIR not set inside of sandbox #4372

Closed
1kjo opened this issue Aug 18, 2021 · 4 comments · Fixed by #4373

1kjo commented Aug 18, 2021

Linux distribution and version

Gentoo with the Sway Wayland compositor

Flatpak version

I tried both Flatpak 1.10.2 and 1.11.1 and they don't work.

Description of the problem

I have XDG_RUNTIME_DIR set to something other than /run/user/<UID>.

When running an application with Flatpak, it seems like it correctly sets up the sockets in /run/user/<UID> for the application but it also inherits my XDG_RUNTIME_DIR when it should instead set it to /run/user/<UID>. This breaks Wayland in the sandbox.

It can be seen by looking at the environment variables inside the sandbox by starting a shell:

```
$ echo $XDG_RUNTIME_DIR
/run/xdg-runtime-dir
$ flatpak run --user --command=sh org.mozilla.Thunderbird
[...]
[📦 org.mozilla.Thunderbird ~]$ echo $XDG_RUNTIME_DIR
/run/xdg-runtime-dir
[📦 org.mozilla.Thunderbird ~]$ ls $XDG_RUNTIME_DIR
ls: cannot access '/run/xdg-runtime-dir': No such file or directory
[📦 org.mozilla.Thunderbird ~]$ ls /run/user/1000
Xauthority  app  at-spi-bus  bus  flatpak-info	p11-kit  pulse	wayland-1
```

Steps to reproduce

I think running the following commands on a Wayland session should work to reproduce the issue. The application inside of the sandbox won't connect to the Wayland socket because the XDG_RUNTIME_DIR environment variable is not set correctly. Here I've chosen Thunderbird. For some reason, not all apps fail: for instance, Firefox can still connect to the Wayland socket.

Setup

```
$ old_xdr="$XDG_RUNTIME_DIR"
$ export XDG_RUNTIME_DIR="$(mktemp -d)"
$ ln -s "$old_xdr/$WAYLAND_DISPLAY" "$XDG_RUNTIME_DIR/"
```

This command fails ...

```
$ flatpak run --nosocket=x11 --nosocket=fallback-x11 --env=MOZ_ENABLE_WAYLAND=1 org.mozilla.Thunderbird
```

... but not this one

```
$ flatpak run --nosocket=x11 --nosocket=fallback-x11 --env=MOZ_ENABLE_WAYLAND=1 --env=XDG_RUNTIME_DIR=/run/user/1000 org.mozilla.Thunderbird
```

Collaborator

smcv commented Aug 18, 2021

> I have XDG_RUNTIME_DIR set to something other than /run/user/<UID>.

Pragmatically, I'd recommend not doing that, if possible.

Flatpak is already meant to force it to /run/user/<UID> in the sandbox, but perhaps there's some inheritance happening in the wrong order...

Collaborator

smcv commented Aug 18, 2021

Specifically, flatpak_run_setup_base_argv() in common/flatpak-run.c adds "--setenv", "XDG_RUNTIME_DIR", run_dir, to the bwrap command-line. It's possible that this is unintentionally getting overwritten as a result of the changes I made to resolve CVE-2021-21261.

If you run flatpak run with -vv, then that might help to indicate where this is going wrong.

Adding {"XDG_RUNTIME_DIR", NULL} to default_exports[] in common/flatpak-run.c might help?

Author

1kjo commented Aug 18, 2021

> Specifically, flatpak_run_setup_base_argv() in common/flatpak-run.c adds "--setenv", "XDG_RUNTIME_DIR", run_dir, to the bwrap command-line. It's possible that this is unintentionally getting overwritten as a result of the changes I made to resolve CVE-2021-21261.
>
> If you run flatpak run with -vv, then that might help to indicate where this is going wrong.

Yes, it seems like the bwrap command line gets two arguments for setting XDG_RUNTIME_DIR.

```
$ flatpak run -vv --nosocket=x11 org.mozilla.Thunderbird
[...]
F: bwrap --args 36 = ...
[...]
F:     --dir
F:     /run/user/1000
F:     --setenv
F:     XDG_RUNTIME_DIR
F:     /run/user/1000
F:     --symlink
F:     ../run
F:     /var/run
[...]
F:     --setenv
F:     XDG_DATA_HOME
F:     /home/greg/.var/app/org.mozilla.Thunderbird/data
F:     --setenv
F:     XDG_RUNTIME_DIR
F:     /run/xdg-runtime-dir
[...]
F: Running 'bwrap --args 36 thunderbird'
```

> Adding {"XDG_RUNTIME_DIR", NULL} to default_exports[] in common/flatpak-run.c might help?

Yes, with that change the second one is gone and the issue is fixed.
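
A check for the duplicated `--setenv` visible in the `-vv` output above, as an added example that is not part of the original thread or Flatpak's own code: it parses the debug lines and reports any variable assigned conflicting values, the last of which is the one the sandbox shell in this thread reported. The sample log is constructed from the excerpt in the comment, and the function names are hypothetical.

```python
import re

# Constructed sample: the `flatpak run -vv` excerpt quoted above, "[...]" lines dropped.
SAMPLE_LOG = """\
F: bwrap --args 36 = ...
F:     --dir
F:     /run/user/1000
F:     --setenv
F:     XDG_RUNTIME_DIR
F:     /run/user/1000
F:     --symlink
F:     ../run
F:     /var/run
F:     --setenv
F:     XDG_DATA_HOME
F:     /home/greg/.var/app/org.mozilla.Thunderbird/data
F:     --setenv
F:     XDG_RUNTIME_DIR
F:     /run/xdg-runtime-dir
F: Running 'bwrap --args 36 thunderbird'
"""

# One bwrap argument per line, indented after the "F:" debug prefix.
ARG_LINE = re.compile(r"^F:[ \t]{2,}(\S.*)$")


def bwrap_args(log):
    """Return the bwrap arguments listed in the debug output, in order."""
    return [m.group(1) for line in log.splitlines() if (m := ARG_LINE.match(line))]


def setenv_history(args):
    """Map each variable to every value assigned via --setenv, in argument order."""
    history, i = {}, 0
    while i < len(args):
        if args[i] == "--setenv" and i + 2 < len(args):
            history.setdefault(args[i + 1], []).append(args[i + 2])
            i += 3
        else:
            i += 1  # simplification: other options are skipped token by token
    return history


def conflicting(history):
    """Variables that were assigned more than one distinct value."""
    return {var: vals for var, vals in history.items() if len(set(vals)) > 1}


if __name__ == "__main__":
    for var, vals in conflicting(setenv_history(bwrap_args(SAMPLE_LOG))).items():
        print(f"{var}: set {len(vals)} times, last {vals[-1]!r}, earlier {vals[:-1]}")
```
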

Collaborator

smcv commented Aug 18, 2021

Minimal reproducer:

```
$ mkdir ~/tmp/xrd
$ XDG_RUNTIME_DIR=$HOME/tmp/xrd flatpak run --command=bash org.gnome.Recipes -c 'echo $XDG_RUNTIME_DIR'
/home/smcv/tmp/xrd
```

should output something like /run/user/1000 instead.

smcv added a commit to smcv/flatpak that referenced this issue Aug 18, 2021
We use `bwrap --setenv XDG_RUNTIME_DIR` to set it to `/run/user/UID`,
regardless of what it is on the host system, but the changes made
to resolve CVE-2021-21261 unintentionally broke this by overwriting it
with the user's XDG_RUNTIME_DIR.

In practice this worked for most people, who either have
XDG_RUNTIME_DIR set to the same value we use (which is the conventional
setup from systemd-logind and elogind), or entirely unset (if they do not
have systemd-logind or elogind). However, it broke Wayland and other
XDG_RUNTIME_DIR-based protocols for people who intentionally set up an
XDG_RUNTIME_DIR that is different.

Resolves: flatpak#4372
Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv added a commit to smcv/flatpak that referenced this issue Aug 18, 2021
Fixes: 6d1773d "run: Convert all environment variables into bwrap arguments"
Resolves: flatpak#4372
Signed-off-by: Simon McVittie <smcv@collabora.com>
alexlarsson pushed a commit that referenced this issue Aug 20, 2021
smcv added a commit that referenced this issue Aug 20, 2021
smcv added a commit to smcv/flatpak that referenced this issue Oct 11, 2021
(cherry picked from commit d3e6e71)
smcv added a commit to smcv/flatpak that referenced this issue Oct 26, 2021
(cherry picked from commit d3e6e71)
smcv added a commit that referenced this issue Jan 21, 2022
(cherry picked from commit d3e6e71)