
Re: OT chromium/chrome sandbox



Dan wrote:
> Andrei POPESCU wrote:
> > Dan wrote:
> >> Interestingly I noticed that chrome/chromium use some kind of sandbox
> >> to isolate the process that renders the page. That is a good idea for
> >> security purposes, but it requires the executable chrome-sandbox to
> >> have suid root access.
> >
> > I'm not very familiar with chrome/chromium, but this sounds wrong. Could
> > you please point me to where this is documented?

I don't know if this is documented anywhere other than in the source
code but this is the helper executable under discussion:

  $ ls -ld /usr/lib/chromium/chromium-sandbox
  -rwsr-xr-x 1 root root 18720 Mar  8 17:36 /usr/lib/chromium/chromium-sandbox

> Here you can find the doc for the sandbox:
> http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox
> http://www.chromium.org/developers/design-documents/sandbox
> 
> And some discussion:
> http://scarybeastsecurity.blogspot.com/2009/10/chromium-and-linux-sandboxing.html
> 
> The idea is good but in Linux it requires root access, which I do not
> like. It seems that it might be possible to use the sandbox in a SELinux
> environment but I do not know how to do that:
> http://code.google.com/p/chromium/wiki/LinuxSandboxing

If you don't accept that sometimes, such as in this case, running as root
can enable more security, then at your option you can disable it with
the --no-sandbox option.

  chromium --no-sandbox

But as noted that prevents it from setting up the chroot jail and
actually decreases security by the associated amount.  However other
browsers don't have that feature so it is probably no worse than
simply using other browsers.

Bob
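
A check of the two conditions discussed in this thread, added here as an example that is not part of the original messages or of Chromium: it audits the ownership and mode of the setuid helper and lists processes started with `--no-sandbox`. The function names are hypothetical; the helper path is the one from the `ls` output above.

```python
import os
import stat

# Path taken from the ls output quoted in the thread.
HELPER = "/usr/lib/chromium/chromium-sandbox"


def audit_helper(st):
    """Return findings for the stat result of a setuid-root sandbox helper."""
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != 0:
        findings.append("not owned by root")
    if not st.st_mode & stat.S_ISUID:
        findings.append("setuid bit missing: helper cannot chroot")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others: helper can be replaced")
    return findings


def running_without_sandbox(proc_root="/proc"):
    """Return (pid, argv[0]) for every process whose argv has --no-sandbox."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                argv = f.read().split(b"\0")  # arguments are NUL-separated
        except OSError:
            continue  # process exited or is not readable by this user
        if b"--no-sandbox" in argv:
            hits.append((int(entry), argv[0].decode(errors="replace")))
    return hits


if __name__ == "__main__":
    try:
        # lstat: a symlink in place of the helper is reported, not followed
        problems = audit_helper(os.lstat(HELPER))
    except FileNotFoundError:
        problems = ["helper not found at " + HELPER]
    print("helper:", problems or "ok")
    for pid, exe in running_without_sandbox():
        print("pid %d (%s) runs with --no-sandbox" % (pid, exe))
```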
