Mattermost, Inc.

"Plugin Sandboxing is not Supported" (Log Warning)

Summary

The Mattermost log indicates a problem with plugin sandboxing. I have verified that user namespace sandboxing is available on the Ubuntu server.

Steps to reproduce

Mattermost version 4.8.1, Ubuntu 16.04 Server.

The problem is logged when the mattermost service starts up or plugin support is disabled and then re-enabled.

Expected behavior

Plugins run properly in user namespace sandbox.

Observed behavior

Log output:

[2018/04/17 17:32:32 EDT] [INFO] Loaded system translations for 'en' from '/opt/mattermost/i18n/en.json'
[2018/04/17 17:32:32 EDT] [INFO] Server is initializing...
[2018/04/17 17:32:32 EDT] [INFO] Pinging SQL master database
[2018/04/17 17:32:32 EDT] [EROR] SMTP server settings do not appear to be configured properly err=Failed to authenticate on SMTP server details=unencrypted connection
[2018/04/17 17:32:32 EDT] [INFO] Current version is 4.8.1 (4.8.1/Thu Apr 5 21:17:10 UTC 2018/6dc9fa885dfd5448fb6910bfb0cb4f1179139ff8/none)
[2018/04/17 17:32:32 EDT] [INFO] Enterprise Enabled: false
[2018/04/17 17:32:32 EDT] [INFO] Current working directory is /opt/mattermost
[2018/04/17 17:32:32 EDT] [INFO] Loaded config file from /opt/mattermost/config/config.json
[2018/04/17 17:32:32 EDT] [INFO] Able to write files to local storage.
[2018/04/17 17:32:32 EDT] [INFO] Starting up plugins
[2018/04/17 17:32:32 EDT] [WARN] unable to create user namespace: fork/exec /proc/self/exe: permission denied
[2018/04/17 17:32:32 EDT] [WARN] plugin sandboxing is not supported. plugins will run with the same access level as the server
[2018/04/17 17:32:32 EDT] [INFO] Starting Server...
[2018/04/17 17:32:32 EDT] [INFO] Server is listening on [::]:443
[2018/04/17 17:32:32 EDT] [INFO] API version 3 is scheduled for deprecation. Please see https://api.mattermost.com for details.
[2018/04/17 17:32:32 EDT] [INFO] Starting 8 websocket hubs
[2018/04/17 17:32:32 EDT] [INFO] Starting workers
[2018/04/17 17:32:32 EDT] [INFO] Starting schedulers.

This happens even when no plugins are activated.

Ideas? Thanks in advance.

Hi @sagansapien,

What permissions do you have on /proc/<MMPID>/exe, where MMPID is the Mattermost process ID? Also, does the user running Mattermost own the mattermost/ directory and all its contents?

There is also some more sandboxing documentation here, if you haven’t seen it: https://developers.mattermost.com/extend/plugins/security/

Hi jwilander, thanks for the suggestions. The permissions look good as far as I can tell; please verify that I checked correctly. Here is the output:

USER@mattermost:/opt/mattermost$ sudo systemctl status mattermost.service
● mattermost.service - Mattermost
   Loaded: loaded (/lib/systemd/system/mattermost.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-04-25 17:26:13 EDT; 1min 2s ago
 Main PID: 44916 (platform)
    Tasks: 18
   Memory: 60.1M
      CPU: 1.469s
   CGroup: /system.slice/mattermost.service
           ├─44916 /opt/mattermost/bin/platform
           └─44930 plugins/com.github.moussetc.mattermost.plugin.giphy/plugin.exe

Apr 25 17:26:13 mattermost systemd[1]: Started Mattermost.
USER@mattermost:/opt/mattermost$ sudo ls -l /proc/44916/exe
lrwxrwxrwx 1 root root 0 Apr 25 17:26 /proc/44916/exe -> /opt/mattermost/bin/platform
USER@mattermost:/opt/mattermost$ sudo ls -l /proc/44930/exe
lrwxrwxrwx 1 mattermost mattermost 0 Apr 25 17:26 /proc/44930/exe -> /opt/mattermost/plugins/com.github.moussetc.mattermost.plugin.giphy/plugin.exe
USER@mattermost:/opt/mattermost$ sudo ls -l /opt/mattermost
total 224
drwxrwxr-x  2 mattermost mattermost   4096 Apr 13 16:35 bin
drwxrwxr-x  7 mattermost mattermost   4096 Apr 13 16:40 client
drwxrwxr-x  2 mattermost mattermost   4096 Apr 17 17:32 config
drwxrwxr-x 27 mattermost mattermost   4096 Apr 25 17:26 data
drwxrwxr-x  2 mattermost mattermost   4096 Apr 13 16:35 fonts
drwxrwxr-x  2 mattermost mattermost   4096 Apr 13 16:35 i18n
drwxrwxr-x  2 mattermost mattermost   4096 Apr 20 05:47 logs
-rw-rw-r--  1 mattermost mattermost   1239 Apr 13 16:35 MIT-COMPILED-LICENSE.md
-rw-rw-r--  1 mattermost mattermost 177082 Apr 13 16:35 NOTICE.txt
drwxrw-r--  5 mattermost mattermost   4096 Apr 25 17:26 plugins
-rw-rw-r--  1 mattermost mattermost   5181 Apr 13 16:35 README.md
drwxrwxr-x  2 mattermost mattermost   4096 Apr 13 16:35 templates

Thanks

Hmmm, that all looks good. Only other guess I have is that maybe it’s something in your service file, but I’m not sure.
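
The ownership and permission check requested in the thread can be scripted so that it covers the whole install tree instead of only the top-level listing. The following is an added example, not part of the thread and not Mattermost code; the function names are hypothetical and the sample tree is constructed, reusing two directory modes from the listing above.

```sh
#!/bin/sh
# Added example (not from the thread): audit an install tree for ownership
# and directory-mode problems. Function names are hypothetical.

# Print every entry under $1 that is not owned by numeric uid $2.
not_owned_by() {
    find "$1" ! -uid "$2" -print
}

# Print directories under $1 where a class (user, group or other) has the
# read bit but not the search bit: that class can list names in the
# directory but cannot open or execute anything inside it.
unsearchable_dirs() {
    find "$1" -type d \( \
        \( -perm -400 ! -perm -100 \) -o \
        \( -perm -040 ! -perm -010 \) -o \
        \( -perm -004 ! -perm -001 \) \) -print
}

# Run both checks on tree $1 for uid $2; return 0 only when nothing is reported.
audit_tree() {
    bad_owner=$(not_owned_by "$1" "$2")
    bad_mode=$(unsearchable_dirs "$1")
    [ -z "$bad_owner" ] || printf 'not owned by uid %s:\n%s\n' "$2" "$bad_owner"
    [ -z "$bad_mode" ] || printf 'readable but not searchable:\n%s\n' "$bad_mode"
    [ -z "$bad_owner$bad_mode" ]
}

# Constructed sample tree reusing two modes from the listing in the thread
# (bin: drwxrwxr-x, plugins: drwxrw-r--); prints the path of the new tree.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/bin" "$t/plugins" &&
        chmod 775 "$t/bin" && chmod 764 "$t/plugins" && printf '%s\n' "$t"
}

# Usage: sh audit.sh <install-dir> <service-user>, for example the
# /opt/mattermost tree and mattermost user shown in the thread.
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$(id -u "$2")"
fi
```

An entry reported by either check is a finding to review against the service account; the script does not by itself establish the cause of the sandboxing warning.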