Blame - docs/linux_suid_sandbox_development.md - chromium/src

blob: 950460dbaeb386fc501e3cbe9310e6b9b61f3952 [file] [log] [blame] [view]

andybons	3322f76	2015-08-24 21:37:09	[diff] [blame^]	1	(For context see [LinuxSUIDSandbox](http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox))
				2
				3	We need a SUID helper binary to turn on the sandbox on Linux.
				4
				5	In most cases, you can run build/update-linux-sandbox.sh and it'll install the proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc if needed.
				6
				7	### Installation instructions for developers
				8
				9	* If you have no setuid sandbox at all, you will see a message such as:
				10	```
				11	Running without the SUID sandbox!
				12	```
				13	* If your setuid binary is out of date, you will get messages such as:
				14	```
				15	The setuid sandbox provides API version X, but you need Y
				16	```
				17	```
				18	You are using a wrong version of the setuid binary!
				19	```
				20
				21	Run the script mentioned above, or do something such as:
				22
				23	* Build chrome\_sandbox whenever you build chrome ("ninja -C xxx chrome chrome\_sandbox" instead of "ninja -C xxx chrome")
				24	* After building, run something similar to (or use the provided update-linux-sandbox.sh):
				25	```
				26	sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox #needed if you build on NFS!
				27	sudo chown root:root /usr/local/sbin/chrome-devel-sandbox
				28	sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox
				29	```
				30
				31	* Put this line in your ~/.bashrc (or .zshenv etc):
				32	```
				33	export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox
				34	```
				35
				36	### Try bots and waterfall
				37
				38	If you're installing a new bot, always install the setuid sandbox (the instructions are different than for developers, contact the Chrome troopers). If something does need to run without the setuid sandbox, use the --disable-setuid-sandbox command line flag.
				39
				40	The SUID sandbox must be enabled on the try bots and the waterfall. If you don't use it locally, things might appear to work for you, but break on the bots.
				41
				42	(Note: as a temporary, stop gap measure, setting CHROME\_DEVEL\_SANDBOX to an empty string is equivalent to --disable-setuid-sandbox)
				43
				44	### Disabling the sandbox
				45
				46	If you are certain that you don't want the setuid sandbox, use --disable-setuid-sandbox. There should be very few cases like this.
				47	So if you're not absolutely sure, run with the setuid sandbox.
				48
				49	### Installation instructions for "[Raw builds of Chromium](https://commondatastorage.googleapis.com/chromium-browser-continuous/index.html)"
				50
				51	If you're using a "raw" build of Chromium, do the following:
				52	```
				53	sudo chown root:root chrome_sandbox && sudo chmod 4755 chrome_sandbox && export CHROME_DEVEL_SANDBOX="$PWD/chrome_sandbox"
				54	./chrome
				55	```
				56
				57	You can also make such an installation more permanent by following the [steps above](#Installation_instructions_for_developers.md) and installing chrome\_sandbox to a more permanent location.
				58
				59	### System-wide installations of Chromium
				60
				61	The CHROME\_DEVEL\_SANDBOX variable is intended for developers and won't work for a system-wide installation of Chromium. Package maintainers should make sure the setuid binary is installed and defined in GYP as linux\_sandbox\_path.