`cursor-sandbox` binary missing setuid bit breaks extensions

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Permission bits on the cursor-sandbox binary are missing the setuid bit.

-rwxr-xr-x 1 root root 2.8M Dec 18 22:41 /usr/share/cursor/resources/app/resources/helpers/cursor-sandbox*

Requires:

sudo chmod 4755 /usr/share/cursor/resources/app/resources/helpers/cursor-sandbox

Without setuid, Cursor is unable to start extensions like “Vim” and “Remote - SSH”. Instead, “Activating Extensions” is shown in the lower left corner of the window for a few seconds and nothing else happens. Remote files can’t be opened.

Steps to Reproduce

Install the latest Cursor via debian package on Ubuntu 24.10. Install the latest OS updates. This issue exists in versions as early as 2.2.17.

Expected Behavior

Cursor should be able to start extensions like “Vim” and “Remote - SSH”.

Operating System

Linux

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.2.43
VSCode Version: 1.105.1
Commit: 32cfbe848b35d9eb320980195985450f244b3030
Date: 2025-12-19T06:06:44.644Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Linux x64 6.17.0-8-generic

Additional Information

Ubuntu has implemented stricter controls around sandboxed applications. In my case, I had to make the following system config changes in addition to setting the setuid bit as described above:

sudo sysctl -w kernel.unprivileged_userns_clone=1
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

I filed a bug with Ubuntu, but they do not plan to fix this directly. Instead, they are working on a better user notification system (aa-notify) to allow users to make a policy exception for individual apps. This is great, but it will not fix the issue unless Cursor modifies the bits I mentioned above.

Does this stop you from using Cursor

Yes - Cursor is unusable

Hey @Aaron_Smith

Thanks for the investigation over here:

I’ve flagged this for the team!

@Aaron_Smith could you give v2.3 a try? I would try it out myself, but being home for Christmas has not granted me great wi-fi to download an Ubuntu ISO. :slight_smile:

@Colin The link to the 2.3 x64 deb package actually links to the 2.2.43 version I’m already running:

https://downloads.cursor.com/production/32cfbe848b35d9eb320980195985450f244b303d/linux/x64/deb/amd64/deb/cursor_2.2.43_amd64.deb

Hey @Aaron_Smith

Sorry about that. 2.3 is announced but still rolling out slowly (and we’ve had a few misfires on updating the downloads page). It should be available soon. :folded_hands:

The setuid bit is still missing in 2.2.44

Version: 2.2.44
VSCode Version: 1.105.1
Commit: 20adc1003928b0f1b99305dbaf845656ff81f5d0
Date: 2025-12-24T21:41:47.598Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Linux x64 6.17.0-8-generic

~/ ll /usr/share/cursor/resources/app/resources/helpers/cursor-sandbox
-rwxr-xr-x 1 root root 2.8M Dec 24 13:52 /usr/share/cursor/resources/app/resources/helpers/cursor-sandbox*

@Aaron_Smith If you could, try setting your update track (Cursor Settings > Beta) to Early Access, which should get you 2.3.

Thank you, @Colin . I downloaded the deb package and installed it:

Version: 2.3.10
VSCode Version: 1.105.1
Commit: af6d64e4848e6185e482a2de5bac040191c8d790
Date: 2025-12-29T03:56:22.219Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Linux x64 6.17.0-8-generic

Although the setuid bit is still missing, this version works.

~/ ll /usr/share/cursor/resources/app/resources/helpers/cursor-sandbox
-rwxr-xr-x 1 root root 2.8M Dec 28 20:07 /usr/share/cursor/resources/app/resources/helpers/cursor-sandbox*

It does still require this configuration:

~/ sudo sysctl kernel.unprivileged_userns_clone kernel.apparmor_restrict_unprivileged_userns kernel.apparmor_restrict_unprivileged_unconfined
kernel.unprivileged_userns_clone = 1
kernel.apparmor_restrict_unprivileged_userns = 0
kernel.apparmor_restrict_unprivileged_unconfined = 0

It would be great if the package installed a per-application exception instead of requiring the system-wide setting. Thanks again!

Thanks for the update @Aaron_Smith, and the feedback!

In the meantime, some users have been successful in defining their own AppArmor profile. Have you tried it? (github)

Yes, I tried this today. The following profile worked for me:

~/ cat /etc/apparmor.d/cursor-system
abi <abi/4.0>,
include <tunables/global>
profile cursor-system "/usr/share/cursor/cursor" flags=(unconfined) {
  userns,
  include if exists <local/cursor>
}

This topic was automatically closed 22 days after the last reply. New replies are no longer allowed.
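
An added example, not part of the thread and not Cursor's own code: a shell audit that reports whether the sandbox helper is setuid root and whether unprivileged user namespaces are allowed system-wide (the sysctl) or only through a per-application AppArmor profile, the distinction the reporter asks the package to make. The paths are the ones quoted in the thread; the function names and the `--live` argument are assumptions, and the profile check reads the file on disk, not the policy loaded in the kernel.

```shell
#!/bin/sh
# Paths as quoted in the thread.
HELPER=/usr/share/cursor/resources/app/resources/helpers/cursor-sandbox
BINARY=/usr/share/cursor/cursor
PROFILE=/etc/apparmor.d/cursor-system

# True if an octal mode string (e.g. 4755) has the setuid bit and the owner is root.
is_setuid_root() {  # $1 = octal mode from stat, $2 = owner name
    [ "$2" = root ] && [ $(( 0$1 & 04000 )) -ne 0 ]
}

# True if the AppArmor profile text on stdin has a profile attached to
# binary $1 whose body contains a "userns," rule.
profile_grants_userns() {
    awk -v bin="$1" '
        /^[ \t]*profile[ \t]/ {
            inprof = 0
            for (i = 2; i <= NF; i++) { f = $i; gsub(/"/, "", f); if (f == bin) inprof = 1 }
        }
        inprof && /^[ \t]*userns[ \t]*,/ { found = 1 }
        /^[ \t]*}/ { inprof = 0 }
        END { exit !found }'
}

# $1 mode, $2 owner, $3 kernel.apparmor_restrict_unprivileged_userns, $4 yes|no (profile)
classify() {
    if is_setuid_root "$1" "$2"; then helper=setuid-root; else helper=no-setuid; fi
    case "$3" in
        0) scope=system-wide ;;   # restriction switched off for every program
        1) if [ "$4" = yes ]; then scope=per-app; else scope=restricted; fi ;;
        *) scope=unknown ;;       # sysctl absent (not an Ubuntu-style kernel)
    esac
    echo "$helper $scope"
}

# Read the real system state and classify it.
audit_live() {
    mode=$(stat -c '%a' "$HELPER") || return 2
    owner=$(stat -c '%U' "$HELPER") || return 2
    restrict=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null) || restrict=unknown
    granted=no
    if [ -r "$PROFILE" ] && profile_grants_userns "$BINARY" < "$PROFILE"; then granted=yes; fi
    classify "$mode" "$owner" "$restrict" "$granted"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

A result of `no-setuid per-app` corresponds to the last post's setup with the sysctl left at `1`; `system-wide` means every unprivileged program on the host can create user namespaces, not only Cursor.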