Problems with Chromium Sandbox Permissions on Home-Manager

I am running Home Manager on Archlinux, with the linux-hardened kernel. When I attempt to start chromium, or any other Electron-based application, I see this error:

[29679:29679:0621/215124.221513:FATAL:sandbox/linux/suid/client/setuid_sandbox_host.cc:163] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /nix/store/blg0s97glz9pwnww3li4miz6g69bfwbs-ungoogled-chromium-136.0.7103.59-sandbox/bin/__chromium-suid-sandbox is owned by root and has mode 4755.

By issuing stat, I can see that this file indeed has the incorrect permissions:

  File: /nix/store/blg0s97glz9pwnww3li4miz6g69bfwbs-ungoogled-chromium-136.0.7103.59-sandbox/bin/__chromium-suid-sandbox
  Size: 332792          Blocks: 656        IO Block: 4096   regular file
Device: 0,63    Inode: 3147974     Links: 1
Access: (0555/-r-xr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-06-19 17:58:04.853568911 -0400
Modify: 1969-12-31 19:00:01.000000000 -0500
Change: 2025-05-06 06:59:15.514630099 -0400
 Birth: 2025-05-06 06:59:15.475710738 -0400

Is there a way I can override the chromium package to set the permission of the sandbox correctly? Or any other approach I can take to resolve this problem?

Thanks
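The FATAL message above is Chromium's own preflight check on the setuid helper: the file must be owned by root and have mode 4755 (the store copy is 0555, so it fails). Chromium only reaches that check when it cannot use the namespace sandbox, and linux-hardened ships with kernel.unprivileged_userns_clone=0, which is why the SUID helper matters on that kernel in the first place. The script below is an added diagnostic, not code from this thread or from nixpkgs: it reproduces the owner/mode check and reports whether unprivileged user namespaces are available. It assumes GNU stat; the two candidate paths (the NixOS wrapper directory and the distro path) and the helper name are assumptions taken from the posts.

```bash
#!/usr/bin/env bash
# Added example: reproduce Chromium's setuid-sandbox preflight check and show
# why the helper is needed (no unprivileged user namespaces).
set -u

# Pure check matching the requirement in the FATAL message: owner uid 0 and
# mode exactly 4755. Arguments: numeric uid and octal mode as `stat -c %u`/`%a`
# print them (GNU stat prints "4755" for a setuid 0755 file, "555" for 0555).
sandbox_perms_ok() {
  local uid="$1" mode="$2"
  [ "$uid" = "0" ] && [ "$mode" = "4755" ]
}

# True if an unprivileged user may create user namespaces. Chromium uses the
# namespace sandbox when it can and falls back to the SUID helper otherwise;
# linux-hardened defaults kernel.unprivileged_userns_clone to 0.
userns_available() {
  local f=/proc/sys/kernel/unprivileged_userns_clone
  if [ -r "$f" ]; then
    [ "$(cat "$f")" = "1" ]
  else
    # Mainline kernels have no such knob; namespaces are on unless max is 0.
    [ -r /proc/sys/user/max_user_namespaces ] &&
      [ "$(cat /proc/sys/user/max_user_namespaces)" != "0" ]
  fi
}

# Stat a helper binary and evaluate it with sandbox_perms_ok.
# Returns 0 when usable, 1 when present but misconfigured, 2 when unreadable.
check_sandbox_helper() {
  local path="$1" uid mode
  [ -e "$path" ] || { echo "missing: $path"; return 2; }
  uid=$(stat -c %u "$path") || return 2
  mode=$(stat -c %a "$path") || return 2
  if sandbox_perms_ok "$uid" "$mode"; then
    echo "ok:  $path (uid=$uid mode=$mode)"
  else
    echo "bad: $path (uid=$uid mode=$mode, need uid=0 mode=4755)"
    return 1
  fi
}

main() {
  if userns_available; then
    echo "unprivileged user namespaces: available (SUID helper not required)"
  else
    echo "unprivileged user namespaces: disabled (Chromium needs the SUID helper)"
  fi
  # Assumed candidate locations: the NixOS wrapper dir (name from the error
  # message), the distro path from the workaround, plus any paths given on the
  # command line, e.g. the /nix/store/...-sandbox/bin/ copy.
  local p
  for p in /run/wrappers/bin/__chromium-suid-sandbox \
           /usr/lib/chromium/chrome-sandbox "$@"; do
    check_sandbox_helper "$p"
  done
}

main "$@"
```

Run it as `./check-sandbox.sh /nix/store/<hash>-ungoogled-chromium-<ver>-sandbox/bin/__chromium-suid-sandbox`; a "bad:" line with mode=555 is exactly the state shown in the stat output above, and a "missing:" line for /run/wrappers means there is no NixOS wrapper to fall back to, which is the Home Manager-on-Arch situation.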

I have also run into this on Ubuntu 24.04. Did you, by chance, ever find a solution?

Are google-chrome and chromium not running on kernel 5_4_hardened? You could pass the no-sandbox flag as mentioned here, but that kind of defeats the point.

I ended up using this as a workaround to at least be able to use the system’s installed chrome-sandbox executable, which is set with the correct permissions.

chromium = pkgs.ungoogled-chromium.overrideAttrs (old: {
  buildCommand =
    let
      # Snippet from the nixpkgs chromium wrapper's buildCommand: it prefers the
      # setuid helper from /run/wrappers (NixOS) and otherwise falls back to the
      # copy in the package's own $sandbox output, which is 0555 in the store.
      oldStr = ''
        if [ -x "/run/wrappers/bin/${old.passthru.sandboxExecutableName}" ]
        then
          export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${old.passthru.sandboxExecutableName}"
        else
          export CHROME_DEVEL_SANDBOX="$sandbox/bin/${old.passthru.sandboxExecutableName}"
        fi
      '';
      # Point the wrapper at the distro-installed helper (setuid root) instead.
      newStr = ''export CHROME_DEVEL_SANDBOX=/usr/lib/chromium/chrome-sandbox'';
    in
    # replaceStrings silently leaves the text unchanged when oldStr is not
    # found, so fail the build if the snippet has moved in nixpkgs.
    assert pkgs.lib.hasInfix oldStr old.buildCommand;
    builtins.replaceStrings [ oldStr ] [ newStr ] old.buildCommand;
});

It breaks full reproducibility, but I prefer that trade-off over running with --no-sandbox.