“The namespace sandbox aims to replace the setuid sandbox. It has the advantage of not requiring a setuid binary. It's based on (unprivileged) user namespaces in the Linux kernel. It generally requires a kernel >= 3.10, although it may work with 3.8 if certain patches are backported.

Starting with M-43, if the kernel supports it, unprivileged namespaces are used instead of the setuid sandbox. Starting with M-44, certain processes run in their own PID namespace, which isolates them better.”

So the answer is that SUID is disabled because the new Namespace Sandbox replaces it (if possible).

It said “You are adequately sandboxed.” also when there was only SUID, PID namespaces and Network namespaces, before Seccomp-BPF (when legacy Seccomp was disabled by default) and before Yama.

So Namespace Sandbox can be seen as a replacement for SUID?

The changelog¹ for Chromium (where SUID is called “setuid”) isn’t very clear (to me), and the documentation² is outdated.

¹ https://chromium.googlesource.com/chromium/src/+log/41.0.2272.0..42.0.2311.0?pretty=fuller&n=10000

² https://code.google.com/p/chromium/wiki/LinuxSandboxing

Sorry to read the P.P.S.

You are adequately sandboxed.

SUID sandbox is not needed if your kernel supports the other required features (kernels of 3.17 or newer almost always will and some older kernels if they have been suitably patched by your distro).

P.S. The sandbox is still SUID in post install of packaging because not everyone has a suitable kernel.

P.P.S. It seems that I still have an employee badge but I have left Opera now, following the shut down of the Desktop team in Olso.