This article describes a case where, in certain instances, the FortiClient Linux GUI fails to load when /tmp is mounted with the noexec option.
Scope
FortiClient Linux GUI.
Solution
FortiClient for Linux needs to execute binary code from a temporary directory to display the graphical user interface. Mounting the /tmp directory with the noexec option is a common security measure across various industries and a critical compliance requirement.
If the /tmp directory is mounted as noexec and the user’s environment variables are not configured properly, the FortiClient graphical user interface may fail to launch or the process may be interrupted.
Under these circumstances, users may encounter error messages similar to the following, or in some instances, merely a blank screen upon executing the ‘forticlient gui’ command in the terminal.
Error message that appears on the terminal with the 'forticlient gui' command:
    A JavaScript error occurred in the main process
    Uncaught Exception:
    Error: Cannot open /opt/forticlient/gui/FortiClient-linux-x64/resources/app.asar/assets/js/keytar.node: Error: /tmp/.org.chromium.Chromium.ojnWEa: failed to map segment from shared object
        at Object.<anonymous> (/opt/forticlient/gui/FortiClient-linux-x64/resources/app.asar/assets/js/main.js:29:159022)
        at Object.<anonymous> (/opt/forticlient/gui/FortiClient-linux-x64/resources/app.asar/assets/js/main.js:29:159060)
        at n (/opt/forticlient/gui/FortiClient-linux-x64/resources/app.asar/assets/js/main.js:1:124)
        at Object.<anonymous> (/opt/forticlient/gui/FortiClient-linux-x64/resources/app.asar/assets/js/main.js:15:113896)
        at n (/opt/forticlient/gui/FortiClient-linux-x64/resources/app.asar/assets/js/main.js:1:124)
        at Module.<anonymous>
To address this issue, append the following script to the /etc/profile file (“sudo vi /etc/profile”). This script will record its operations in the system logger, which can be examined using the command ‘journalctl | grep FTNT’.
To verify that this solution pertains to the specific problem, execute ‘TMPDIR=$XDG_RUNTIME_DIR forticlient gui’ in a terminal. If the GUI launches without any issues, the script applies to this problem.
    # Set proper environment for FortiClient GUI
    if [ -d "/tmp" ] && ! mount | grep '/tmp' | grep -q 'noexec'; then
        logger "#FTNT 1 /tmp is available and not mounted as noexec. No need to set TMPDIR."
    else
        # If /tmp is not available or is mounted as noexec
        if [ -n "$XDG_RUNTIME_DIR" ] && [ -d "$XDG_RUNTIME_DIR" ]; then
            # If XDG_RUNTIME_DIR is defined, set TMPDIR to it
            export TMPDIR="$XDG_RUNTIME_DIR"
            logger "FTNT 2 TMPDIR is set to XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR"
        else
            # If XDG_RUNTIME_DIR is not defined, set TMPDIR to a new directory in HOME
            # (-m 700 keeps the directory private to the user when it is created)
            mkdir -p -m 700 "$HOME/mytmp"
            export TMPDIR="$HOME/mytmp"
            logger "FTNT 3 TMPDIR is set to $HOME/mytmp"
        fi
    fi
The script will be available to all current and new local system users. The changes can be applied by either rebooting the system (accessing a login shell) or executing the ‘source /etc/profile’ command in a bash terminal (in case of an interactive shell).
To verify the environment variables and their values, use the ‘printenv’ command, or ‘echo $TMPDIR’, or ‘echo $XDG_RUNTIME_DIR’.
The following Linux commands can help users with a better understanding of their mount points and options:
    lsblk
    findmnt
    mount
    df -Th
If /tmp is mounted but has no entry in /etc/fstab, it is most probably managed by systemd.
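An added example, not part of the Fortinet article or of FortiClient: a POSIX shell check that resolves which mount actually covers a directory (longest mount-point prefix) before reading its noexec flag, so that a noexec /var/tmp is not mistaken for /tmp, and that tests each fallback candidate as well. The function names and the sample mount table are constructed for illustration; mount points containing spaces are assumed not to occur.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,mode=700 0 0'

# mount_opts_for PATH [TABLE]: print the options of the mount covering PATH.
# TABLE defaults to the live /proc/self/mounts when omitted.
mount_opts_for() {
    path=$1
    table=${2-$(cat /proc/self/mounts)}
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2
            # A mount covers p if it is p itself, the root, or a parent of p.
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                # >= lets a later (stacked) mount on the same point win.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec PATH [TABLE]: succeed if the covering mount carries noexec.
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_tmpdir TABLE CANDIDATE...: print the first candidate that is not on
# a noexec mount. Existence of the directory is not checked here.
pick_tmpdir() {
    table=$1; shift
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        if ! is_noexec "$dir" "$table"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}
```

On a live system, `is_noexec /tmp` and `is_noexec "$XDG_RUNTIME_DIR"` read the current mount table instead of the sample.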