Chromium sandboxing on Linux and Windows


tSc

Jul 9, 2012, 3:45:50 PM7/9/12
to chromium...@chromium.org
In Linux builds of Chromium downloaded from the below link, the address chrome:sandbox shows that various sandboxing features are not enabled.
http://commondatastorage.googleapis.com/chromium-browser-continuous/index.html

There also is no chrome-sandbox process running in the OS. A command line switch will get the seccomp sandbox running, but how can the others be enabled? Here is a picture of what I'm referring to.
http://i46.tinypic.com/14axxue.png

Does no chrome-sandbox running process mean that Chromium is not sandboxing anything at all? Entering that address in a Windows installation of Chrome or Chromium returns 'page not found'. Is there any other way of checking this?

Thanks.

Torne (Richard Coles)

Jul 10, 2012, 5:26:31 AM7/10/12
to thesimpl...@gmail.com, chromium...@chromium.org
The setuid sandbox can only be enabled if the chrome-sandbox binary is present in the correct location, owned by root, and is setuid. This won't be the case if you just untar the build as a normal user. There should be a loud capitalised message on stderr at startup telling you why the setuid sandbox could not be used :)



--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss



--
Torne (Richard Coles)
to...@google.com

tSc

Jul 10, 2012, 12:58:56 PM7/10/12
to chromium...@chromium.org, thesimpl...@gmail.com
Thanks Richard. I extract the chrome-linux tarball to /opt and do a chmod 750 -R for permissions. Everything is root owned with user read access.

How do I set the chrome-sandbox binary to setuid? Is there a switch that should be attached to it? I don't even have chrome-sandbox running at this point, so it seems I've got no sandboxing whatsoever. Is this correct?

I've never seen any message on startup related to setuid and I don't know what stderr stands for. Can you elaborate please? I'd also like to get the namespaces sandboxes enabled, too.

Torne (Richard Coles)

Jul 10, 2012, 1:08:14 PM7/10/12
to thesimpl...@gmail.com, chromium...@chromium.org
I suggest you google for setuid, stderr, and other unix terms... this is not chromium-specific. The setuid sandbox helper will enable PID and network namespacing if your kernel supports it, which modern distro kernels will. It cannot run if it's not setuid, which is why it's not running.



tSc

Jul 10, 2012, 6:13:40 PM7/10/12
to chromium...@chromium.org, thesimpl...@gmail.com
If I chmod 4750 chrome-sandbox to set the suid bit and keep the root ownership, I still have no suid sandbox and no running zygote for chrome-sandbox. The exact permissions for chrome-sandbox are "-rwsr-x---", so it's clearly set to use suid.

Stderr is just an error output and I have no error or dialogue if I launch chrome-wrapper from the terminal, nor in the GUI. The kernel is 3.2 in Debian Testing and installing Chromium from any distro repository results in the suid stuff working fine, so the kernel isn't the problem.

For the tarball I'm working with, I've tried it, and a few newer ones on other Debian and Ubuntu installs and all are unsuccessful. They launch and otherwise run fine, but not with the suid sandboxing enabled. From this page,
https://code.google.com/p/chromium/wiki/LinuxSUIDSandbox

it talks about specifying the sandbox path when building, so it seems that when using a Chromium tarball from the commondatastorage index, it doesn't come with suid sandboxing enabled.

Is this correct?

Torne (Richard Coles)

Jul 11, 2012, 5:23:04 AM7/11/12
to thesimpl...@gmail.com, chromium...@chromium.org
The sandbox binary needs to be 4755 (otherwise nobody but root can run it), but yes, it looks like the builds from the continuous integration system haven't compiled in a sandbox path and thus will only be sandboxed if you set CHROME_DEVEL_SANDBOX to the right path in the environment. Adding --enable-logging=stderr will show you the relevant errors; I forgot these are disabled by default on release builds.


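The steps Torne lays out across the thread (helper owned by root with mode 4755, CHROME_DEVEL_SANDBOX pointing at it when no sandbox path was compiled in, --enable-logging=stderr to see why it was rejected) can be turned into a small check-and-launch script. The script below is an added example, not code from the thread or from the Chromium project. It assumes GNU stat (Linux), that the tarball was extracted to /opt/chrome-linux, and that chrome-wrapper lives there; the function names check_chrome_sandbox and run_chromium_sandboxed are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the Chromium project): verify that a
# Chromium setuid sandbox helper is installed as the thread describes, then
# launch Chromium with the helper's path exported in CHROME_DEVEL_SANDBOX.
# Assumptions: GNU stat (Linux); tarball extracted to /opt/chrome-linux.

# check_chrome_sandbox PATH
# Returns 0 when PATH exists, is owned by root (uid 0) and has mode 4755.
# Otherwise prints the reason to stderr and returns:
#   1  file missing
#   2  not owned by root (the setuid bit then grants nothing useful)
#   3  mode is not 4755 (setuid bit and world execute are both required,
#      otherwise only root can run the helper)
check_chrome_sandbox() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "chrome-sandbox missing: $path" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "0" ]; then
        echo "chrome-sandbox not owned by root (uid $owner): $path" >&2
        return 2
    fi
    if [ "$mode" != "4755" ]; then
        echo "chrome-sandbox mode is $mode, want 4755: $path" >&2
        return 3
    fi
    return 0
}

# run_chromium_sandboxed SANDBOX_PATH [chromium args...]
# Refuses to start unless the helper passes the check above, then runs the
# wrapper with CHROME_DEVEL_SANDBOX set and logging directed to stderr so a
# rejected sandbox is reported instead of silently running unsandboxed.
run_chromium_sandboxed() {
    sandbox="$1"; shift
    check_chrome_sandbox "$sandbox" || return $?
    CHROME_DEVEL_SANDBOX="$sandbox" /opt/chrome-linux/chrome-wrapper \
        --enable-logging=stderr "$@"
}

# One-time installation step, run as root, as the thread describes:
#   chown root:root /opt/chrome-linux/chrome-sandbox
#   chmod 4755 /opt/chrome-linux/chrome-sandbox
# Then, as a normal user:
#   run_chromium_sandboxed /opt/chrome-linux/chrome-sandbox
# and confirm in chrome://sandbox that the SUID sandbox is reported as active.
```

The owner check comes before the mode check on purpose: a 4755 binary owned by an unprivileged user passes a naive "is it setuid?" test but cannot create the PID and network namespaces the helper exists to set up, so it is reported as the more serious failure.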