Latest Chromium - "--no-sandbox" error

After this morning’s update to the 880 packages, Chromium, after starting up, displays an error on the parameter “--no-sandbox” which is found in /usr/bin/chromium. If I remove the parameter, chromium doesn’t start at all. Anyone else experiencing this?

BTW, if I ignore the error all seems to be fine.

I get the same problem with the current chromium build on Tumbleweed X86_64

Sandboxing is completely disabled it seems, since that option seems to be given as a default upon starting chromium.

chrome://sandbox/ (inside chromium address bar)

SUID Sandbox	No
PID name spaces	No
Network namespaces	No
Seccomp sandbox	No

You are not adequately sandboxed!

chromium --version

sh-4.2$ chromium --version
Chromium 16.0.880.0

uname -a

sh-4.2$ uname -a
Linux rmk2 3.0.4-43-desktop #1 SMP PREEMPT Wed Aug 31 09:30:44 UTC 2011 (a432f18) x86_64 x86_64 x86_64 GNU/Linux

chromium

sh-4.2$ chromium
[7777:7777:340624416602:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7781:7781:340624518232:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7786:7786:340624822789:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7793:7793:340625144241:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7797:7797:340625297951:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7803:7803:340625503219:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7807:7807:340625599170:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7811:7811:340625853320:ERROR:renderer_main.cc(213)] Running without renderer sandbox
[7815:7815:340625980465:ERROR:renderer_main.cc(213)] Running without renderer sandbox

Mhm…

Sorry for double-posting, but I cannot edit the other post anymore.

Anyway…here is what seems to solve the problem for me, ymmv.

Check the permissions of /usr/lib/chrome-sandbox; that’s what it looked like for me:

sh-4.2$ dir /usr/lib/ | grep sand
-rwxr-xr-x   1 root root  15K Sep 16 11:33 chrome_sandbox*

Upon removing the “--no-sandbox” part from /usr/lib64/chromium/chromium-generic, I got the following error:

sh-4.2$ chromium 
[8869:8869:342043092542:FATAL:zygote_host_linux.cc(141)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chrome_sandbox is owned by root and has mode 4755.
Aborted

So what I ended up doing is:

sh-4.2$ sudo chmod 4755 /usr/lib/chrome_sandbox
sh-4.2$ dir /usr/lib/ | grep sand
-rwsr-xr-x   1 root root  15K Sep 16 11:33 chrome_sandbox*

Afterwards, I removed the “--no-sandbox” switch from /usr/lib64/chromium/chromium-generic (after a backup).

sh-4.2$ cat /usr/lib64/chromium/chromium-generic | grep exec
  exec $LIBDIR/$APPNAME "--no-sandbox" "--password-store=detect" "--enable-experimental-extension-apis" "--enable-plugins" "--enable-extensions" "--enable-user-scripts" "--enable-printing" "--enable-sync" "--auto-ssl-client-auth" "$@"

Upon starting chromium next, sandboxing is enabled again and I have yet to encounter any further problems.

chrome://version/

Chromium	16.0.880.0 (Developer Build 0)
OS	Linux
WebKit	535.3 (Unknown URL@0)
JavaScript	V8 3.6.2
Flash	11.0 d1
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.3 (KHTML, like Gecko) Chrome/16.0.880.0 Safari/535.3 SUSE/16.0.880.0
Command Line	 /usr/lib64/chromium/chromium --password-store=detect --enable-experimental-extension-apis --enable-plugins --enable-extensions --enable-user-scripts --enable-printing --enable-sync --auto-ssl-client-auth --enable-seccomp-sandbox --flag-switches-begin --show-composited-layer-borders --no-pings --flag-switches-end
Executable Path	/usr/lib64/chromium/chromium
Profile Path	~/.config/chromium/Default

chrome://sandbox/

Sandbox Status

SUID Sandbox	Yes
PID name spaces	Yes
Network namespaces	Yes
Seccomp sandbox	No
You are adequately sandboxed.

(Seccomp is different anyway and has to be enabled separately by another command-line switch, so it is not important for this matter)

As this applies to Tumbleweed, it is possible that Tumbleweed has not updated to the new network repository; I don’t get this problem with chromium from the network repo.

You’re so very right: I posted in the Applications forums, not knowing whether this was due to a general package error, or just to the Tumbleweed version. Yet my packages come from the network:chromium:Tumbleweed repo. The old repo does not serve updated packages anymore.

Edit: I applied the chmod 4755, edited /usr/bin/chromium with exactly the same results as mentioned above by @rmk2. Chromium running smoothly, sandbox error gone.

I am using the same repository. And it’s good that the problem seems to be the same. Gives at least some consistency… :wink:

I guess the question remains though what causes this problem, but without more people either having the problem or the update working fine, it’s hard to tell. The question also remains why Chromium for Tumbleweed starts with the “--no-sandbox” switch enabled by default. It might be a leftover from testing before compiling or resolving issues. But at least it is easily fixable. I guess it’s hard to tell if it is Tumbleweed by itself, has to do with architecture or some more general things…

On Tue, 20 Sep 2011 19:06:03 GMT john hudson wrote:

> As this applies to Tumbleweed, it is possible that Tumbleweed has not
> updated to the new network repository; I don’t get this problem with
> chromium from the network repo.

I recognized the same with this repo:

http://download.opensuse.org/repositories/network:/chromium/openSUSE_11.4/

Therefore I don’t think it is the repo, and I start it this way:

/etc/alternatives/chromium -> /usr/lib/chromium/chromium-generic

Perhaps the problem doesn’t happen with chromium-kde or chromium-gnome.

chromium-generic is basically just a shell-script that checks a couple of environmental variables and looks for meego, then executes chromium with a list of command-line switches. It also prints some warnings if /tmp isn’t accessible etc.

It’s basically a string of soft links: /usr/bin/chromium → /etc/alternatives/chromium → /usr/lib(64)/chromium/chromium-generic, whereas the last one in the end calls the chromium binary /usr/lib(64)/chromium/chromium like so:

exec $LIBDIR/$APPNAME "--no-sandbox" "--password-store=detect" "--enable-experimental-extension-apis" "--enable-plugins" "--enable-extensions" "--enable-user-scripts" "--enable-printing" "--enable-sync" "--auto-ssl-client-auth" "$@"

As stated earlier, the “--no-sandbox” switch is what causes this problem. It is safe to change this script, since all it does is give a number of options to the actual binary. The whole problem described in this thread isn’t related to chromium’s binary, but rather to its startup script.

As to why the script is used, I suppose it makes it easier to start chromium regardless of the underlying platform and to pass a number of (default or custom) command-line switches…

You can also circumvent the script by calling the binary /usr/lib(64)/chromium directly…

On Wed, 21 Sep 2011 12:46:03 GMT rmk2 wrote:

> chromium-generic is basically just a shell-script that checks a couple
> of environmental variables and looks for meego, then executes chromium
> with a list of command-line switches. It also prints some warnings if
> /tmp isn’t accessible etc.

Yes, I know this and I even edit this file because chromium has no
config GUI to set the cache directory or the proxy (under lxde). :slight_smile:

But still, again there is the question why john hudson said that all
works fine for him, and if I start chromium directly I get this:

/usr/lib/chromium/chromium

[9131:9131:900918771:FATAL:zygote_host_linux.cc(141)] The SUID sandbox
helper binary was found, but is not configured correctly. Rather than
run without sandboxing I’m aborting now. You need to make sure
that /usr/lib/chrome_sandbox is owned by root and has mode 4755.
Abgebrochen

Just in case someone happens to come across this problem with the new version, 30.0.1599.66 (225456), I couldn’t start chromium and got this output when I tried to do it from a shell:

[14072:14072:1018/230354:FATAL:zygote_host_impl_linux.cc(142)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib64/chromium/chrome-sandbox is owned by root and has mode 4755.
Aborted

Doing this solved the issue (same logic as suggested by rmk2 above):

sudo chmod 4755 /usr/lib64/chromium/chrome-sandbox

I raised a bug on this issue a while ago; I was notified that it was fixed this week.

https://bugzilla.novell.com/show_bug.cgi?id=835171

https://bugzilla.novell.com/show_bug.cgi?id=779448
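
The two conditions this thread converges on (the launcher script passing --no-sandbox, and the SUID helper not being owned by root with mode 4755) can be checked with a short script. This is an added example, not part of any post above; the function names are made up here, the default paths are the ones quoted in the thread, and GNU `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example: audit the launcher script and the SUID sandbox helper.
# Function names are hypothetical; default paths are those quoted in the thread.

# Print ok | missing | bad-mode:<mode> | bad-owner:<uid> for the helper binary.
# $2 is the expected owner uid and defaults to 0 (root); it is a parameter only
# so the check can be exercised on a scratch file without root.
helper_status() {
    helper=$1
    want_uid=${2:-0}
    [ -f "$helper" ] || { echo missing; return 1; }
    mode=$(stat -c '%a' "$helper")   # octal mode, e.g. 755 or 4755
    uid=$(stat -c '%u' "$helper")    # numeric owner
    [ "$mode" = 4755 ] || { echo "bad-mode:$mode"; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "bad-owner:$uid"; return 1; }
    echo ok
}

# Exit 0 if a non-comment line of the launcher script passes --no-sandbox.
wrapper_disables_sandbox() {
    [ -r "$1" ] || return 2
    grep -v '^[[:space:]]*#' "$1" | grep -q -e '--no-sandbox'
}

# Follow the symlink chain from the launcher, then report both findings.
audit() {
    launcher=$(readlink -f "${1:-/usr/bin/chromium}")
    helper=${2:-/usr/lib/chrome_sandbox}
    echo "launcher resolves to: $launcher"
    if wrapper_disables_sandbox "$launcher"; then
        echo "launcher passes --no-sandbox: sandbox is disabled at startup"
    else
        echo "launcher does not pass --no-sandbox"
    fi
    echo "helper $helper: $(helper_status "$helper")"
}

# Run the audit only when arguments are given, e.g.:
#   sh audit.sh /usr/bin/chromium /usr/lib/chrome_sandbox
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

After correcting either finding, chrome://sandbox/ remains the authoritative confirmation that the browser is actually sandboxed.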