PSA (Linux): Chromium won't start without a setuid sandbox installed!

[Julien Tinnes]

TL;DR: if you see "ERROR:browser_main_loop.cc(135)] Running without
the SUID sandbox!" when starting Chromium, run
build/update-linux-sandbox.sh.

Sadly, the Linux sandbox requires a setuid binary. When that setuid
binary is not present, we currently start Chromium nevertheless.

This leads to developers testing code without the sandbox on and to
hard-to-catch security regressions (crbug.com/245376).

This error will become fatal soon (hopefully next week). Developers
who really don't want the setuid sandbox on should install it but pass
--disable-setuid-sandbox.

If a bot is in your care and you see this error message, please open a
bug and mark it as blocking crbug.com/245376.

Julien

[Lei Zhang]

How does this affect testers and users who for whatever reason chooses
to run out continuous builds instead of a real Chromium package?
Rather than outputting "run build/update-linux-sandbox.sh," can we
redirect those who see the message to a webpage on chromium.org that
explains what's going on?

> --
> --
> Chromium Developers mailing list: chromi...@chromium.org
> View archives, change email options, or unsubscribe:
> http://groups.google.com/a/chromium.org/group/chromium-dev
>
>
>

[Christian Biesinger]

Is update-linux-sandbox.sh a one-time thing, or do we have to run it
each time we build?

-christian

On Thu, Jun 13, 2013 at 3:42 PM, Julien Tinnes <j...@chromium.org> wrote:

[Julien Tinnes]

On Thu, Jun 13, 2013 at 3:53 PM, Lei Zhang <the...@chromium.org> wrote:
> How does this affect testers and users who for whatever reason chooses
> to run out continuous builds instead of a real Chromium package?
> Rather than outputting "run build/update-linux-sandbox.sh," can we
> redirect those who see the message to a webpage on chromium.org that
> explains what's going on?

That's what it does. The full message is:
[12204:12204:0613/161215:ERROR:browser_main_loop.cc(135)] Running
without the SUID sandbox! See
https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment
for more information on developing with the sandbox on.

This has been here for a while.

Julien

[Julien Tinnes]

On Thu, Jun 13, 2013 at 3:56 PM, Christian Biesinger
<cbies...@chromium.org> wrote:
> Is update-linux-sandbox.sh a one-time thing, or do we have to run it
> each time we build?

Yes, it's a one-time thing. Unless we update the setuid sandbox API
version, but this never happens in practice.

[Lei Zhang]

Very good. I thought the message changed to literally "run
build/update-linux-sandbox.sh."

This only affects Chromium right? What about other multi-process
binaries like content_shell and browser_tests?

[Julien Tinnes]

On Thu, Jun 13, 2013 at 4:16 PM, Lei Zhang <the...@chromium.org> wrote:
> Very good. I thought the message changed to literally "run
> build/update-linux-sandbox.sh."
>
> This only affects Chromium right? What about other multi-process
> binaries like content_shell and browser_tests?

No, they are affected as well. Having the setuid sandbox really is (an
unfortunate) requirement to having a proper "build". The goal is to
make it a conscious decision to run without the setuid sandbox.

[Julien Tinnes]

This happened! (r208133).

Nothing seems red on the waterfall. If some bots outside of the
waterfall are failing, please fix them by following instructions at
https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment.
It's a bug in how the bot is installed or configured!

Julien

[alanc...@chromium.org]

+blink-dev

[Justin TerAvest]

Where's the right place to document this?
https://code.google.com/p/chromium/wiki/LinuxBuildInstructions ?

I was helping someone get a chromium checkout and build together, and
we ran into sandbox-related problems when running "browser_tests".

It wasn't immediately obvious what was going wrong (or what should be
fixed) from the errors that were being printed.

[Paweł Hajdan, Jr.]

On Fri, Aug 30, 2013 at 2:25 PM, Justin TerAvest <tera...@chromium.org> wrote:

Where's the right place to document this?
https://code.google.com/p/chromium/wiki/LinuxBuildInstructions ?

Sounds good, just make sure to link to https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment instead of duplicating content.

 

I was helping someone get a chromium checkout and build together, and
we ran into sandbox-related problems when running "browser_tests".

It wasn't immediately obvious what was going wrong (or what should be
fixed) from the errors that were being printed.

I'm surprised by this. Of course this being obvious to me doesn't imply that it's obvious to everyone else.

For reference, here's the message I'm thinking about (let me know if you've seen a different one):

    static const char no_suid_error[] = "Running without the SUID sandbox! See "
        "https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment "
        "for more information on developing with the sandbox on.";

Paweł

[Chris Hopman]

I just hit this and did not get a helpful error message. It was:

[15417:15417:0910/183110:FATAL:zygote_host_impl_linux.cc(128)] The SUID sandbox helper binary is missing: /usr/local/sbin/chrome-devel-sandbox Aborting now.

Should we update that one?

--

[Paweł Hajdan, Jr.]

Makes sense to me, submitted https://codereview.chromium.org/24117002/

Paweł