google chrome - NaCl helper process running without a sandbox! error when running npm tests

Question

I'n having a problem when running some npm test. The error I'm receiving is: "NaCl helper process running without a sandbox!", which is true, as I'm running the browser with the "--no-sandbox" option. I have to run this option due to the fact that the browser runs as root, and I don't have an option to run it a different user at all(it's a docker image). Can anyone please help me to sort it out?

P.S I'm installing the browser in the following way:

RUN apt-get update
RUN apt-get install -y nodejs npm
RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
RUN sh -c 'echo "deb https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
RUN apt-get install -y apt-transport-https
RUN apt-get update
RUN apt-get install -y google-chrome-stable

Thanks in advance!

Answer 1

This error message...

NaCl helper process running without a sandbox!

...implies that you have no setuid sandbox in your system, hence the program was unable to initiate/spawn a new Browsing Context i.e. Chrome Browser session.

---

Solution

A quick solution will be, if you want to run Chrome and only use the namespace sandbox, you can set the flag:

--disable-setuid-sandbox

This flag will disable the setuid sandbox (Linux only). But if you do so on a host without appropriate kernel support for the namespace sandbox, Chrome will not spin up. As an alternative you can also use the flag:

--no-sandbox

This flag will disable the sandbox for all process types that are normally sandboxed.

Example:

chromeOptions: {
      args: ['--disable-setuid-sandbox', '--no-sandbox']
},

You can find a detailed discussion in Security Considerations - ChromeDriver - Webdriver for Chrome

---

Deep dive

As per the documentation in Linux SUID Sandbox Development google-chrome needs a SUID helper binary to turn on the sandbox on Linux. In majority of the cases you can install the proper sandbox for you using the command:

build/update-linux-sandbox.sh

This program will install the proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc if required.

However, there can be some exceptions as an example, if your setuid binary is out of date, you will get messages such as:

Running without the SUID sandbox! 

Or

The setuid sandbox provides API version X, but you need Y
You are using a wrong version of the setuid binary!

In these cases, you need to:

• Build chrome_sandbox whenever you build chrome (ninja -C xxx chrome chrome_sandbox instead of ninja -C xxx chrome)

• After building, execute update-linux-sandbox.sh.

  # needed if you build on NFS!
  sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox
  sudo chown root:root /usr/local/sbin/chrome-devel-sandbox
  sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox
  

• Finally, you have to include the following line in your ~/.bashrc (or .zshenv):

  export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox