diff --git a/indra/newview/linux_tools/install.sh b/indra/newview/linux_tools/install.sh
index 63e368d1583177d949080d094e6ccba515ffa9aa..1801abf1463ebdec23a5080893b774c6a67d3b70 100755
--- a/indra/newview/linux_tools/install.sh
+++ b/indra/newview/linux_tools/install.sh
@@ -93,11 +93,35 @@ function install_to_prefix()
if [ "$UID" == "0" ]; then
"$1/etc/chrome_sandboxing_permissions_setup.sh"
else
- echo "Permissions on $SANDBOX_BIN need to be set to enable security sandboxing for the integrated browser. You may be asked to authorize this step with administrative credentials."
- prompt "This step is optional, though recommended for safety and security. Proceed with the installation? [Y/N]: "
+ echo " â•â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â•®"
+ echo "â•â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”˜ Web Media Process Sandboxing Setup └──────────────────╮"
+ echo "│ │"
+ echo "│ Embedded Chromium sandboxing is a highly recommended security feature! │"
+ echo "│ │"
+ echo "│Sandboxing helps prevents malicious code from running in the browser process, │"
+ echo "│which could otherwise be used to compromise the viewer or your system. │"
+ echo "│ │"
+ echo "│For more information please see the following resources: │"
+ echo "│https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md │"
+ echo "│https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/sandboxing.md│"
+ echo "│ │"
+ echo "│Permissions on the following viewer file must be set to enable sandboxing. │"
+ echo "│ bin/llplugin/chrome-sandbox │"
+ echo "│ │"
+ echo "│You may be asked provide credentials to authorize this setup. │"
+ echo "╰──────────────────────────────────────────────────────────────────────────────╯"
+ echo "Saying no will not enable sandboxing, which endangers your system security."
+ echo "Saying yes will run a chown and chmod command to enable sandboxing."
+ echo ""
+ warn "By refusing this step, you accept this risk."
+ prompt "Proceed with enabling web media process sandboxing? [Y/N]: "
if [[ $? == 0 ]]; then
+ # Save this choice so that we don't ask for creds on every viewer launch
+ touch "$1/bin/llplugin/.user_does_not_want_chrome_sandboxing_and_accepts_the_risks"
exit 0
fi
+ # Remove any previous opt-out file since we're opting in now
+ rm "$1/bin/llplugin/.user_does_not_want_chrome_sandboxing_and_accepts_the_risks" 2> /dev/null
pkexec "$1/etc/chrome_sandboxing_permissions_setup.sh" || die "Failed to set permissions on chrome-sandbox"
fi
}
diff --git a/indra/newview/linux_tools/wrapper.sh b/indra/newview/linux_tools/wrapper.sh
index 124428d7abc3cf19c6d69228d649df64bfbeefd7..b6c49981396184d9cce97c87ea7af4a2cd0c08d1 100755
--- a/indra/newview/linux_tools/wrapper.sh
+++ b/indra/newview/linux_tools/wrapper.sh
@@ -107,10 +107,13 @@ done
# Check chrome-sandbox permissions, and try to set them if they are not already
SANDBOX_BIN=bin/llplugin/chrome-sandbox
# if set-user-id = false || is writable || executable = false || read is false || is owned by effective uid || is owned by effective gid
+OPTOUT_FILE="bin/llplugin/.user_does_not_want_chrome_sandboxing_and_accepts_the_risks"
if [[ !(-u $SANDBOX_BIN) || (-w $SANDBOX_BIN) || !(-x $SANDBOX_BIN) || !(-r $SANDBOX_BIN) || ( -O $SANDBOX_BIN) || (-G $SANDBOX_BIN) ]]; then
- echo "$SANDBOX_BIN permissions are incorrect and will be reset"
- SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
- pkexec "$SCRIPT_DIR/etc/chrome_sandboxing_permissions_setup.sh"
+ echo "$SANDBOX_BIN permissions are not set properly to run under sandboxing."
+ if [ ! -f "$OPTOUT_FILE" ]; then
+ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+ pkexec "$SCRIPT_DIR/etc/chrome_sandboxing_permissions_setup.sh"
+ fi
fi
#setup wine voice