From 15813ca11fdac2bd7b0270a0d610caf46446ea8a Mon Sep 17 00:00:00 2001 From: JoshuaVlantis Date: Sat, 9 May 2026 14:06:55 +0200 Subject: [PATCH 1/2] fix(rpm): set chrome-sandbox suid via %attr instead of %post chmod (#539) Move the suid bit on chrome-sandbox into the rpm spec's %files section via %attr(4755, root, root). The previous %post chmod 4755 only ran on fresh installs and silently regressed when the scriptlet was skipped (e.g., --noscripts), leaving a non-suid chrome-sandbox that breaks sandboxing on every launch. Also add an assert_setuid helper to tests/test-artifact-common.sh and wire it up in test-artifact-rpm.sh so a future spec regression to the old %post pattern fails CI rather than shipping silently. Verified: built rpm in fedora:42 container, installed via dnf, ls confirms -rwsr-xr-x on chrome-sandbox, %post no longer chmods. --- scripts/packaging/rpm.sh | 9 +-------- tests/test-artifact-common.sh | 8 ++++++++ tests/test-artifact-rpm.sh | 10 +++++++--- 3 files changed, 16 insertions(+), 11 deletions(-) diff --git a/scripts/packaging/rpm.sh b/scripts/packaging/rpm.sh index b4685b6..094e301 100755 --- a/scripts/packaging/rpm.sh +++ b/scripts/packaging/rpm.sh @@ -233,14 +233,6 @@ install -Dm 755 $staging_dir/claude-desktop %{buildroot}/usr/bin/claude-desktop # Update desktop database for MIME types update-desktop-database /usr/share/applications &> /dev/null || true -# Set correct permissions for chrome-sandbox -SANDBOX_PATH="/usr/lib/$package_name/node_modules/electron/dist/chrome-sandbox" -if [ -f "\$SANDBOX_PATH" ]; then - echo "Setting chrome-sandbox permissions..." - chown root:root "\$SANDBOX_PATH" || echo "Warning: Failed to chown chrome-sandbox" - chmod 4755 "\$SANDBOX_PATH" || echo "Warning: Failed to chmod chrome-sandbox" -fi - %postun # Update desktop database after removal update-desktop-database /usr/share/applications &> /dev/null || true 
@@ -248,6 +240,7 @@ update-desktop-database /usr/share/applications &> /dev/null || true %files %defattr(-, root, root, 0755) %attr(755, root, root) /usr/bin/claude-desktop +%attr(4755, root, root) /usr/lib/$package_name/node_modules/electron/dist/chrome-sandbox /usr/lib/$package_name /usr/share/applications/claude-desktop.desktop /usr/share/icons/hicolor/*/apps/claude-desktop.png diff --git a/tests/test-artifact-common.sh b/tests/test-artifact-common.sh index 7d09f25..876514f 100644 --- a/tests/test-artifact-common.sh +++ b/tests/test-artifact-common.sh @@ -38,6 +38,14 @@ assert_executable() { fi } +assert_setuid() { + if [[ -u $1 ]]; then + pass "Setuid bit set: $1" + else + fail "Setuid bit not set: $1" + fi +} + assert_contains() { local file="$1" pattern="$2" desc="${3:-}" if grep -q "$pattern" "$file" 2>/dev/null; then diff --git a/tests/test-artifact-rpm.sh b/tests/test-artifact-rpm.sh index 60b2a3a..958cf58 100644 --- a/tests/test-artifact-rpm.sh +++ b/tests/test-artifact-rpm.sh @@ -41,9 +41,13 @@ electron_path='/usr/lib/claude-desktop/node_modules/electron/dist/electron' assert_file_exists "$electron_path" assert_executable "$electron_path" -# chrome-sandbox -assert_file_exists \ - '/usr/lib/claude-desktop/node_modules/electron/dist/chrome-sandbox' +# chrome-sandbox: setuid bit must be set by the rpm spec's %files +# %attr(4755, ...) entry, not by a %post chmod (#539). The check +# guards against regressing the spec to the old %post chmod pattern, +# which leaves chrome-sandbox unsuid'd if the scriptlet is skipped. +chrome_sandbox='/usr/lib/claude-desktop/node_modules/electron/dist/chrome-sandbox' +assert_file_exists "$chrome_sandbox" +assert_setuid "$chrome_sandbox" # --- Desktop entry validation --- desktop_file='/usr/share/applications/claude-desktop.desktop' From cf085711f2742eb91715450912a940c39ed0bb7e Mon Sep 17 00:00:00 2001 
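Review bot: The new `%attr(4755, root, root)` line in `%files` has no comment, whereas the removed `%post` block at least said what it was for, and the same file is still covered by the `/usr/lib/$package_name` directory entry directly below it. A one-line comment above the entry would tell the next editor why a setuid-root file is being shipped, e.g. `# chrome-sandbox must stay setuid root (mode 4755) for the Chromium sandbox; keep this explicit entry`. Because the path is now listed both explicitly and through its parent directory, rpmbuild may report it as listed twice, so it is worth confirming in the build log that the explicit mode is the one recorded in the package header. The spec text appears to sit in a heredoc that starts outside this hunk.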
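Review bot: `assert_setuid` passes for any file that has the setuid bit, whoever owns it and whatever the other mode bits are, because `[[ -u $1 ]]` tests that single bit only. The spec promises `4755, root, root`, and a helper that is setuid but not root-owned, or that is group- or world-writable, is the kind of regression this test should catch, so the condition could compare owner and mode together: `if [[ "$(stat -c '%u %a' -- "$1" 2>/dev/null)" == '0 4755' ]]; then` (GNU stat, which the rpm test environment presumably has). The sibling `assert_contains` copies its arguments into locals first; `local file="$1"` here would keep the helpers consistent. The call site added in tests/test-artifact-rpm.sh needs no change for this.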
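Review bot: The comment above `assert_setuid "$chrome_sandbox"` says the check guards against a return to the `%post` chmod, but when the package is installed with scriptlets enabled a `%post chmod 4755` leaves the same on-disk mode and this assertion still passes. If the test installs the rpm normally (the install step is outside this hunk), only the package header can tell the two apart. An extra assertion on the packaged mode, for example checking `rpm -qlv` output for `-rwsr-xr-x` on the chrome-sandbox path, or an install with `--noscripts` in CI, would make the comment true. The reworded comment in PATCH 2/2 keeps the same claim.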
From: JoshuaVlantis Date: Mon, 11 May 2026 07:32:12 +0200 Subject: [PATCH 2/2] docs(test): broaden chrome-sandbox suid guard comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reframe the assert_setuid comment from "guards against the old %post chmod pattern" to "guards against any regression that strips the suid bit" — including but not limited to a %post chmod revert. The assertion itself catches any loss of the setuid bit on chrome-sandbox, not just the specific %post chmod regression path. Per review feedback on #595. --- tests/test-artifact-rpm.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/test-artifact-rpm.sh b/tests/test-artifact-rpm.sh index 958cf58..072a7b5 100644 --- a/tests/test-artifact-rpm.sh +++ b/tests/test-artifact-rpm.sh @@ -43,8 +43,9 @@ assert_executable "$electron_path" # chrome-sandbox: setuid bit must be set by the rpm spec's %files # %attr(4755, ...) entry, not by a %post chmod (#539). The check -# guards against regressing the spec to the old %post chmod pattern, -# which leaves chrome-sandbox unsuid'd if the scriptlet is skipped. +# guards against any regression that strips the suid bit — including +# (but not limited to) reverting to a %post chmod, which silently +# no-ops if the scriptlet is skipped (--noscripts, layered images). chrome_sandbox='/usr/lib/claude-desktop/node_modules/electron/dist/chrome-sandbox' assert_file_exists "$chrome_sandbox" assert_setuid "$chrome_sandbox"