Google Chrome complains that its SUID sandbox isn't configured correctly

[8573]

Describe the bug
I installed Google Chrome from nixpkgs, but, when I tried to run it, it exits with the following messages:

[31563:31563:0606/041236.148772:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/pd6zf53b5150pk2qlvf15a7ddwxv2mgy-google-chrome-83.0.4103.61/share/google/chrome/chrome-sandbox is owned by root and has mode 4755.
[1]    31563 trace trap (core dumped)  .nix-profile/bin/google-chrome-stable
[0606/041236.670612:ERROR:nacl_helper_linux.cc(308)] NaCl helper process running without a sandbox!                                                                                                                 
Most likely you need to configure your SUID sandbox correctly

The above is the entirety of its output (other than the core-dump). For the file /nix/store/pd6zf53b5150pk2qlvf15a7ddwxv2mgy-google-chrome-83.0.4103.61/share/google/chrome/chrome-sandbox about which it complains, ls -l gives the following output:

-r-xr-xr-x 2 root root 258856 Jan  1  1970 /nix/store/pd6zf53b5150pk2qlvf15a7ddwxv2mgy-google-chrome-83.0.4103.61/share/google/chrome/chrome-sandbox

I normally use Chromium, but I was trying Google Chrome per #89512 (comment).

For Chromium, I have a NixOS option security.chromiumSuidSandbox.enable = true. Does Chrome need some equivalent of this?

To Reproduce

$ nix-env -iA nixos.google-chrome
$ ~/.nix-profile/bin/google-chrome-stable

Notify maintainers
@msteen

Metadata

• system: "x86_64-linux"
• host os: Linux 5.4.43-hardened, NixOS, 20.09pre228204.467ce5a9f45 (Nightingale)
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.3.5
• channels(root): "nixos-20.09pre228204.467ce5a9f45"
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute: [google-chrome]
# a list of nixos modules affected by the problem
module: []

[primeos]

Interesting, I guess this is due to security.chromiumSuidSandbox.enable = true. The legacy SUID sandbox is deprecated (AFAIK) and we should document this better in security.chromiumSuidSandbox.enable. IIRC some strange use cases are still left but as long as chrome://sandbox/ displays You are adequately sandboxed. without the SUID sandbox it should not be used anymore.

Could you test if Google Chrome runs fine without security.chromiumSuidSandbox.enable = true?

Upstream documentation:

• https://bugs.chromium.org/p/chromium/issues/detail?id=598454
• https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux/suid_sandbox.md
• https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux/suid_sandbox_development.md

[wamserma]

A similar issue occurred here: #89482 (comment) - when unpacking from the deb the mode for the chrome-sandbox binary could not be set to 4755. Also setting suid with chmod fails. I wonder if this is some deeper issue with Nix or stdenv...

[8573]

@primeos:

Could you test if Google Chrome runs fine without security.chromiumSuidSandbox.enable = true?

If I remove that setting from my NixOS configuration and rebuild, then both Google Chrome and now Chromium crash on startup with an error message such as—

[31341:31341:0611/040512.056408:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/98a01h4pabdqsbf6ghny3chzgpp3z5h4-chromium-83.0.4103.97-sandbox/bin/__chromium-suid-sandbox is owned by root and has mode 4755.

(The numbers at the beginning vary — I guess they're an address in memory or something?)

Let S abbreviate security.chromiumSuidSandbox.enable = true. I observe that—

1. if I run a Chromium from a system generation without S in a system generation without S, Chromium crashes as shown;
2. if I run a Chromium from a system generation with S in a system generation without S, Chromium crashes as shown;
3. if I run a Chromium from a system generation without S in a system generation with S, Chromium works; and
4. if I run a Chromium from a system generation with S in a system generation with S, Chromium works.

In cases (3) and (4), <chrome://sandbox> says "You are adequately sandboxed." (Edit: It also lists the "Layer 1 Sandbox" as "SUID".)

Edit: I note that I do have security.allowUserNamespaces = true.

[primeos]

Edit: I note that I do have security.allowUserNamespaces = true.

Huh, that's strange... I suspected this would be the problem due to the hardened kernel patches but with user namespaces the sandboxing should work. Does e.g. unshare --user --pid echo Success also work?

[31341:31341:0611/040512.056408:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/98a01h4pabdqsbf6ghny3chzgpp3z5h4-chromium-83.0.4103.97-sandbox/bin/__chromium-suid-sandbox is owned by root and has mode 4755.

On my system I don't get any messages about the SUID sandbox with Chromium, I assume this is because the user namespaces sandbox work and the SUID sandbox is only used as a fallback (but this behaviour could also be different with Google Chrome).

I guess you basically have two options:

1. Try to get the user namespaces sandbox of Google Chrome to work
2. Patch Google Chrome to use the correct SUID binary (the one from Chromium should be in /run/wrappers/bin/ but I don't know if it'll work for Chrome as well or if we need another NixOS module and SUID binary for that)

[8573]

@primeos:

Does e.g. unshare --user --pid echo Success also work?

I see that it does not:

$ unshare --user --pid echo Success
unshare: unshare failed: Operation not permitted

I had forgotten that I also have a limit on the number of user namespaces, but raising this limit even to a million doesn't change the result of unshare --user --pid echo Success.

[8573]

Googling around, I find NixOS/nix#2404, and indeed, even if I un-raise the user namespace limit, setting the sysctl variable kernel.unprivileged_userns_clone to 1 per NixOS/nix#2404 (comment) results in—

$ unshare --user --pid echo Success
Success

—and Chromium's using its user namespace sandbox, according to <chrome://sandbox>. Google Chrome also now runs and reports using its user namespace sandbox; however, even though <chrome://sandbox> says that it's "adequately sandboxed", Chrome complains to stderr that it isn't quite entirely sandboxed:

[0616/041212.034630:ERROR:nacl_helper_linux.cc(308)] NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly

Notably, this error message seems to be emitted when and only when Chrome is shut down.

However, reading up on it, I'm more inclined to stick with kernel.unprivileged_userns_clone=0, and, with that being the default in Debian, I'm not inclined to expect it soon to become unsupported.

[8573]

https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux/suid_sandbox.md mentions an environment variable CHROME_DEVEL_SANDBOX to set the path of the SUID sandbox executable, but Chrome doesn't seem to respect this on NixOS:

$ CHROME_DEVEL_SANDBOX=/run/wrappers/bin/__chromium-suid-sandbox google-chrome-stable
[18651:18651:0616/050443.108412:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/pd6zf53b5150pk2qlvf15a7ddwxv2mgy-google-chrome-83.0.4103.61/share/google/chrome/chrome-sandbox is owned by root and has mode 4755.
[1]    18651 trace trap (core dumped)  CHROME_DEVEL_SANDBOX=/run/wrappers/bin/__chromium-suid-sandbox 
[0616/050443.509148:ERROR:nacl_helper_linux.cc(308)] NaCl helper process running without a sandbox!                                                                                                                 
Most likely you need to configure your SUID sandbox correctly

[8573]

I note that, when Chromium is using the SUID sandbox, <chrome://sandbox> reports all the sandbox features as working—

PID namespaces | Yes
Network namespaces | Yes
Seccomp-BPF sandbox | Yes
Seccomp-BPF sandbox supports TSYNC | Yes
Ptrace Protection with Yama LSM (Broker) | Yes
Ptrace Protection with Yama LSM (Non-broker) | Yes

—but, when I had it using the unprivileged-user-namespace sandbox, it reported the last feature as nonfunctional:

Ptrace Protection with Yama LSM (Non-broker) | No

The page still concluded "You are adequately sandboxed", though.

[primeos]

https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux/suid_sandbox.md mentions an environment variable CHROME_DEVEL_SANDBOX to set the path of the SUID sandbox executable, but Chrome doesn't seem to respect this on NixOS:

It could be that CHROME_DEVEL_SANDBOX is deprecated, at least for Chromium we seem to require a patch for this to work correctly: chromium/common.nix#L168

I did also just test setting CHROME_DEVEL_SANDBOX and strace shows that it still accesses the sandbox binary in the Nix store (which isn't SUID). It might work if we replace that binary with a symlink to the SUID sandbox.

—but, when I had it using the unprivileged-user-namespace sandbox, it reported the last feature as nonfunctional:

That's ok (technically not ideal of course, but still adequate as the page concludes), this basically depends on kernel.yama.ptrace_scope and also affects other distributions.

[alexeymuranov]

After upgrading to NixOS 20.09 Alpha, chromium, skypeforlinux, element-desktop, Discord do not start and produce the message:

The SUID sandbox helper binary was found, but is not configured correctly.

[stale]

I marked this as stale due to inactivity. → More info

[8573]

@Stale: Just when it's becoming more relevant!

[8573]

Using security.wrappers alone is not enough, because Google Chrome looks for its SUID sandbox helper program next to its other files in the store, at /nix/store/…-google-chrome-…/share/google/chrome/chrome-sandbox. I fixed this by using a package that mostly copies the standard Chrome package but replaces that chrome-sandbox file with a symbolic link to the SUID wrapper (in /run/wrappers/bin) for the standard Chrome package's chrome-sandbox file. The one disadvantage of this method I see is that, because it means keeping two slightly-different Chrome packages around, it wastes space if one doesn't optimise one's Nix store, though I keep auto-optimisation on.

I previously tried using an activation script to copy Chrome into /etc so that the chrome-sandbox file could have the required ownership and permission mode. That worked too, but of course Chrome has no business being in /etc.

Before that, I tried this LD_PRELOAD hack to redirect Chrome's attempts to access its sandbox helper in the store to the corresponding SUID wrapper, but that apparently made Chrome deadlock (strace showed a sea of futex wait timeouts).

[stale]

I marked this as stale due to inactivity. → More info

[zoechi]

I run into this when I tried a hardened kernel (5.6)
I also found

• Can't run Discord with Linux-Hardened kernel netblue30/firejail#3754
• https://authmane512.medium.com/solve-the-suid-sandbox-helper-binary-was-found-but-is-not-configured-correctly-3-solutions-4f1425a9a76c

google-chrome-stable --no-sandbox allows to run Chrome but probably not worth it.
I don't know if sysctl kernel.unprivileged_userns_clone=1 is better, but it also works around it.

Also all Electron apps seem to be affected.

[deepfire]

@8573, did you consider making a PR with the implementation of your approach?