(For context see LinuxSUIDSandbox)
We need a SUID helper binary to turn on the sandbox on Linux.
In most cases, you can run build/update-linux-sandbox.sh and it'll install the proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc if needed.
"Running without the SUID sandbox!"
"The setuid sandbox provides API version X, but you need Y"
"You are using a wrong version of the setuid binary!"
If you see any of these messages, run the script mentioned above, or do something such as:
sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox  # needed if you build on NFS!
sudo chown root:root /usr/local/sbin/chrome-devel-sandbox
sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox
export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox
If you're installing a new bot, always install the setuid sandbox (the instructions are different than for developers, contact the Chrome troopers). If something does need to run without the setuid sandbox, use the --disable-setuid-sandbox command line flag.
The SUID sandbox must be enabled on the try bots and the waterfall. If you don't use it locally, things might appear to work for you, but break on the bots.
(Note: as a temporary stopgap measure, setting CHROME_DEVEL_SANDBOX to an empty string is equivalent to --disable-setuid-sandbox.)
If you are certain that you don't want the setuid sandbox, use --disable-setuid-sandbox. There should be very few cases like this. So if you're not absolutely sure, run with the setuid sandbox.
If you're using a “raw” build of Chromium, do the following:
sudo chown root:root chrome_sandbox && sudo chmod 4755 chrome_sandbox && export CHROME_DEVEL_SANDBOX="$PWD/chrome_sandbox"
./chrome
You can also make such an installation more permanent by following the steps above and installing chrome_sandbox to a more permanent location.
The CHROME_DEVEL_SANDBOX variable is intended for developers and won't work for a system-wide installation of Chromium. Package maintainers should make sure the setuid binary is installed and defined in GYP as linux_sandbox_path.
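An added example, not part of the Chromium tree: a shell function that checks the state both install sequences above are meant to produce (helper owned by root, mode 4755) and optionally compares the installed helper with the build output. The function name, its return codes and the reading of the version errors as a stale installed copy are assumptions made for this example.

```shell
# check_sandbox_helper PATH [BUILT] [OWNER_UID]   (hypothetical helper)
#   PATH       installed helper, i.e. the value of CHROME_DEVEL_SANDBOX
#   BUILT      optional fresh build output, e.g. out/Debug/chrome_sandbox
#   OWNER_UID  expected owner uid; defaults to 0 (root), override for tests
# Returns 0 ok, 1 sandbox disabled, 2 missing, 3 wrong owner,
#         4 wrong mode, 5 installed copy differs from BUILT.
check_sandbox_helper() {
    helper=$1
    built=${2:-}
    want_uid=${3:-0}

    # The page notes an empty CHROME_DEVEL_SANDBOX disables the sandbox.
    if [ -z "$helper" ]; then
        echo "empty path: equivalent to --disable-setuid-sandbox" >&2
        return 1
    fi
    if [ ! -f "$helper" ]; then
        echo "$helper: not found" >&2
        return 2
    fi

    # stat -c is the GNU/busybox form; -L resolves symlinks like exec does.
    uid=$(stat -L -c '%u' "$helper") || return 2
    mode=$(stat -L -c '%a' "$helper") || return 2
    if [ "$uid" != "$want_uid" ]; then
        echo "$helper: owner uid $uid, expected $want_uid (chown root:root)" >&2
        return 3
    fi
    if [ "$mode" != "4755" ]; then
        echo "$helper: mode $mode, expected 4755 (chmod 4755)" >&2
        return 4
    fi

    # The kernel ignores the setuid bit on a nosuid mount; warn only.
    if command -v findmnt >/dev/null 2>&1 &&
        findmnt -no OPTIONS -T "$helper" 2>/dev/null | grep -qw nosuid; then
        echo "warning: $helper is on a nosuid mount" >&2
    fi

    # Assumption: a stale installed copy is what triggers the version errors.
    if [ -n "$built" ] && ! cmp -s "$built" "$helper"; then
        echo "$helper differs from $built: re-copy, then chown and chmod" >&2
        return 5
    fi
    return 0
}
```

Typical use after a rebuild: check_sandbox_helper "$CHROME_DEVEL_SANDBOX" out/Debug/chrome_sandbox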