FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 03-14-2012, 06:40 PM
Andrei POPESCU
 
Default OT chromium/chrome sandbox

On Mi, 14 mar 12, 20:09:10, Dan wrote:
>
> Interestingly I noticed that chrome/chromium use some kind of sandbox
> to isolate the process that renders the page. That is a good idea for
> security purposes, but it requires to the executable chrome-sandbox to
> have suid root access.

I'm not very familiar with chrome/chromium, but this sounds wrong. Could
you please point me to where this is documented?

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 03-14-2012, 07:20 PM
Dan
 
Default OT chromium/chrome sandbox

On Wed, Mar 14, 2012 at 8:40 PM, Andrei POPESCU
<andreimpopescu@gmail.com> wrote:
> On Mi, 14 mar 12, 20:09:10, Dan wrote:
>>
>> Interestingly I noticed that chrome/chromium use some kind of sandbox
>> to isolate the process that renders the page. That is a good idea for
>> security purposes, but it requires to the executable chrome-sandbox to
>> have suid root access.
>
> I'm not very familiar with chrome/chromium, but this sounds wrong. Could
> you please point me to where this is documented?
>
> Kind regards,
> Andrei

Hi Andrei,

Here you can find the doc for the sandbox:
http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
http://www.chromium.org/developers/design-documents/sandbox

And some discussion:
http://scarybeastsecurity.blogspot.com/2009/10/chromium-and-linux-sandboxing.html

The idea is good but in Linux requires root access, which I do not
like. It seems that it might be possible use the sandbox in a SELinux
environment but I do not know how to do that:
http://code.google.com/p/chromium/wiki/LinuxSandboxing

Best regards,
Dan


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CAK00fOLJ_61QZQTobxfDBjCLBQKowmCcpAJ7cPZ8hfqsmA=+t Q@mail.gmail.com">http://lists.debian.org/CAK00fOLJ_61QZQTobxfDBjCLBQKowmCcpAJ7cPZ8hfqsmA=+t Q@mail.gmail.com
 
Old 03-14-2012, 08:13 PM
Bob Proulx
 
Default OT chromium/chrome sandbox

Dan wrote:
> Andrei POPESCU wrote:
> > Dan wrote:
> >> Interestingly I noticed that chrome/chromium use some kind of sandbox
> >> to isolate the process that renders the page. That is a good idea for
> >> security purposes, but it requires to the executable chrome-sandbox to
> >> have suid root access.
> >
> > I'm not very familiar with chrome/chromium, but this sounds wrong. Could
> > you please point me to where this is documented?

I don't know if this is documented anywhere other than in the source
code but this is the helper executable under discussion:

$ ls -ld /usr/lib/chromium/chromium-sandbox
-rwsr-xr-x 1 root root 18720 Mar 8 17:36 /usr/lib/chromium/chromium-sandbox

> Here you can find the doc for the sandbox:
> http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
> http://www.chromium.org/developers/design-documents/sandbox
>
> And some discussion:
> http://scarybeastsecurity.blogspot.com/2009/10/chromium-and-linux-sandboxing.html
>
> The idea is good but in Linux requires root access, which I do not
> like. It seems that it might be possible use the sandbox in a SELinux
> environment but I do not know how to do that:
> http://code.google.com/p/chromium/wiki/LinuxSandboxing

If you don't accept that sometimes such as this one running as root
can enable more security then at your option you can disable it with
the --no-sandbox option.

chromium --no-sandbox

But as noted that prevents it from setting up the chroot jail and
actually decreases security by the associated amount. However other
browsers don't that that feature so probably no worse than other
simply using browsers.

Bob
 
Old 03-14-2012, 09:36 PM
Andrei POPESCU
 
Default OT chromium/chrome sandbox

On Mi, 14 mar 12, 21:20:58, Dan wrote:
>
> Here you can find the doc for the sandbox:
> http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
> http://www.chromium.org/developers/design-documents/sandbox
>
> And some discussion:
> http://scarybeastsecurity.blogspot.com/2009/10/chromium-and-linux-sandboxing.html
>
> The idea is good but in Linux requires root access, which I do not
> like. It seems that it might be possible use the sandbox in a SELinux
> environment but I do not know how to do that:
> http://code.google.com/p/chromium/wiki/LinuxSandboxing

Interesting (though I only skimmed through). I'm by far not an expert on
these matters, but considering the exposure of chrome/chromium I'm
guessing that code has seen at least some scrutiny by knowledgeable
people. I'm not worried :-)

Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 

Thread Tools




All times are GMT. The time now is 06:05 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org