Linux SUID Sandbox Development

IMPORTANT NOTE: The Linux SUID sandbox is almost but not completely removed. See https://bugs.chromium.org/p/chromium/issues/detail?id=598454. This page is mostly out-of-date.

We need a SUID helper binary to turn on the sandbox on Linux.

In most cases, you can run build/update-linux-sandbox.sh and it’ll install the proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc if needed.

Installation instructions for developers

If you have no setuid sandbox at all, you will see a message such as:

If your setuid binary is out of date, you will get messages such as:

Run the script mentioned above, or do something such as:

Build chrome_sandbox whenever you build chrome (“ninja -C xxx chrome chrome_sandbox” instead of “ninja -C xxx chrome”)

After building, run something similar to (or use the provided update-linux-sandbox.sh):

Put this line in your ~/.bashrc (or .zshenv etc):

Try bots and waterfall

If you’re installing a new bot, always install the setuid sandbox (the instructions are different from those for developers; contact the Chrome troopers). If something does need to run without the setuid sandbox, use the --disable-setuid-sandbox command line flag.

The SUID sandbox must be enabled on the try bots and the waterfall. If you don’t use it locally, things might appear to work for you, but break on the bots.

(Note: as a temporary stopgap measure, setting CHROME_DEVEL_SANDBOX to an empty string is equivalent to --disable-setuid-sandbox.)
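An added example (not part of the original Chromium page): a shell check of the helper that CHROME_DEVEL_SANDBOX points to, which also flags the empty-string case from the note above as "sandbox disabled". The function name, the return codes and the group/world-writable check are assumptions of this example; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the helper named by CHROME_DEVEL_SANDBOX.
# Return codes (constructed for this example):
#   0 ok, 1 unset, 2 empty (sandbox disabled), 3 not a regular file,
#   4 setuid bit missing, 5 not owned by root, 6 group/world writable
check_sandbox_helper() {
    # Unset: no developer helper is configured at all.
    if [ -z "${CHROME_DEVEL_SANDBOX+set}" ]; then
        echo "CHROME_DEVEL_SANDBOX is unset" >&2; return 1
    fi
    # Empty string: per the note above, same as --disable-setuid-sandbox.
    if [ -z "$CHROME_DEVEL_SANDBOX" ]; then
        echo "CHROME_DEVEL_SANDBOX is empty: setuid sandbox disabled" >&2; return 2
    fi
    helper=$CHROME_DEVEL_SANDBOX
    if [ ! -f "$helper" ]; then
        echo "$helper: not a regular file" >&2; return 3
    fi
    # Without the setuid bit the helper runs with the caller's privileges.
    if [ ! -u "$helper" ]; then
        echo "$helper: setuid bit not set" >&2; return 4
    fi
    # The setuid bit only grants root if root owns the file.
    if [ "$(stat -c %u "$helper")" != "0" ]; then
        echo "$helper: not owned by root" >&2; return 5
    fi
    # Assumption of this example: a root-owned setuid file must not be
    # writable by group or others (6th and 9th characters of the mode string).
    case "$(stat -c %A "$helper")" in
        ?????w*|????????w*)
            echo "$helper: writable by group or others" >&2; return 6 ;;
    esac
    echo "$helper: setuid-root helper looks correctly installed"
    return 0
}

# Stand-alone run: report the state of the current environment.
check_sandbox_helper || echo "sandbox helper check failed (code $?)" >&2
```
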

Disabling the sandbox

If you are certain that you don’t want the setuid sandbox, use --disable-setuid-sandbox. There should be very few cases like this, so if you’re not absolutely sure, run with the setuid sandbox.

Installation instructions for “Raw builds of Chromium”

If you’re using a “raw” build of Chromium, do the following:

You can also make such an installation more permanent by following the steps above and installing chrome_sandbox to a more permanent location.

System-wide installations of Chromium

The CHROME_DEVEL_SANDBOX variable is intended for developers and won’t work for a system-wide installation of Chromium. Package maintainers should make sure the setuid binary is installed and defined in GYP as linux_sandbox_path.
