Based on the io log from your own answer, I'm not sure if you were actually able to see the [URL]
it prints to the console but it leads to this documentation of the Chromium Sandbox which specifies that you might have to set the required permissions yourself depending on your way of installation. This can be the case when using Puppeteer on Windows. This has also basically been copy-pasted into the Puppeteer Troubleshooting, which also provides a way how you can set the required permissions with icacls
.
This is imo a safer way than just disabling the sandboxing alltogether. However, the SID used in the provided command S-1-15-2-1
results to ALL APPLICATION PACKAGES
, which is pretty broad. This is why both docs mention that "in high security environments a more restrictive SID should be used such as one from the installer" (I'm pretty sure that the provided link to the installer is actually referencing the wrong LOC and it should actually lead to here). However, the Chromium Sandbox docs mention the ALL RESTRICTED APPLICATION PACKAGES
SID (Windows 10 RS2 or higher), which doesn't show up in Microsoft's official list of "Well-Known SIDs" but is S-1-15-2-2
.
Solution: This is why I think that, instead of disabling the Sandbox, it would be safer to grant the required permissions by executing the following command in CMD:
icacls %USERPROFILE%/.cache/puppeteer/chrome /grant *S-1-15-2-2:(OI)(CI)(RX)
Running cmd as an admin is not required (at least it wasn't for me). The path is where Puppeteer usually stores its chrome bins, but you might need to adjust it if you specified a different path in Puppeteer.
The thing is, S-1-15-2-2
is still a pretty broad SID, but I wasn't able to figure out a more narrow SID that would work. If you check the installer, you can see that it sets GENERIC_READ
(GR) and FILE_DELETE_CHILD
(DC) for the SID AUTHENTICATED_USERS
, however this cannot be all because the LOC in "sandbox_win.cc" that throws your error actually checks for GENERIC_READ
(GR) and GENERIC_EXECUTE
(GE) (so (RX) in total). I'm pretty sure User SIDs and Group SIDs won't work. I think what would work would be a "Logon" SID starting with S-1-5-5-
, but that would change every time. I'll play around a little more with the information found in this answer and edit this if I find a safer solution. Also, I'm not even sure why the package SIDs work, because they should only work for Windows Store apps, processes running in an App Container, or UWP. So it's definitely not a Windows Store app, I also checked with Process Explorer and the process in question doesn't run in an App Container. I couldn't make sure if Chromium on Windows is UWP.