Bug 550290 - www-client/chromium: suid USE flag should be added to make suid binary optional
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Chromium Project
Reported: 2015-05-24 09:25 UTC by Karol Herbst
Modified: 2016-08-10 20:34 UTC

Description Karol Herbst 2015-05-24 09:25:27 UTC
Having the suid sandbox is not the only way to adequately sandbox chromium, because other features from the Linux kernel can be used instead.

Also having a suid'ed binary with a lot of potential attacks over the web is a big security concern.

Please make the suid feature optional in both chromium and google-chrome.

Reproducible: Always
Comment 1 Mike Gilbert gentoo-dev 2015-05-24 13:37:30 UTC
I'm a bit conflicted on this: we have no direct control over what kernel features are enabled, and the suid sandbox provides a nice fallback if the namespace support isn't enabled.

> Also having a suid'ed binary with a lot of potential attacks over the web is a big security concern.

It's suid because that's the only way it can chroot under normal conditions. It's a security feature, and less so a "risk". I'm sure it has been very carefully coded with security in mind.
Comment 2 Karol Herbst 2015-05-24 13:58:15 UTC
There could be a post-install message in the ebuild saying that, if suid is disabled, this and this kernel feature has to be enabled to have an adequate sandbox. There could also be a link to "chrome://sandbox/" so that the user can easily check whether enough kernel features are enabled.

(In reply to Mike Gilbert from comment #1)
> I'm sure it has been very carefully coded with security in mind.

Yeah well, there are a lot of security related libraries out there and I am sure that most of them are also very carefully coded with security in mind, but sometimes there is a vulnerability and it would make sense to be able to reduce the attack surface from the internet.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2016-07-05 10:14:12 UTC
See https://bugs.chromium.org/p/chromium/issues/detail?id=312380 and https://bugs.chromium.org/p/chromium/issues/detail?id=598454 .

Looks like we're getting closer to being able to enable this.
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2016-08-10 20:34:58 UTC
Should be fixed now with https://gitweb.gentoo.org/repo/gentoo.git/commit/www-client/chromium?id=58f3fd3b9db9ce046e50a5a82b1d2499ebcaaf47 .
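
The check that comment 2 proposes for a post-install message, sketched as an added example (not code from the Gentoo ebuild or from anyone in this thread): it reports whether a kernel config provides the namespace and seccomp options, and whether a setuid helper is still installed or is the only fallback. The option list, function names and verdict strings are assumptions; the thread names no specific kernel options.

```sh
#!/bin/sh
# Added example, not from the bug thread or the Gentoo ebuild.
# Assumption: these are the kernel options the namespace/seccomp sandbox
# layers depend on; the thread itself names none.
REQUIRED_OPTS="USER_NS PID_NS NET_NS SECCOMP_FILTER"

# Print the required options that are not built in (=y) in a kernel
# config file. Accepts plain text or gzip (e.g. /proc/config.gz).
missing_kernel_opts() (
    cfg=$1
    reader=cat
    case $cfg in *.gz) reader="gzip -dc" ;; esac
    missing=""
    for opt in $REQUIRED_OPTS; do
        $reader "$cfg" 2>/dev/null | grep -q "^CONFIG_${opt}=y\$" ||
            missing="$missing $opt"
    done
    echo "${missing# }"
)

# Classify a host from its kernel config and the path of the sandbox helper:
#   namespace       kernel features present, helper is not setuid
#   namespace+suid  kernel features present, setuid helper still installed
#   suid-fallback   features missing, setuid helper is the only sandbox
#   unsandboxed     features missing and no setuid helper
sandbox_verdict() (
    missing=$(missing_kernel_opts "$1")
    helper=$2
    if [ -z "$missing" ]; then
        if [ -u "$helper" ]; then echo namespace+suid; else echo namespace; fi
    elif [ -u "$helper" ] && [ -x "$helper" ]; then
        echo suid-fallback
    else
        echo unsandboxed
    fi
)

# Usage: sh check.sh <kernel-config> <path-to-sandbox-helper>
if [ $# -ge 2 ]; then
    echo "missing options: $(missing_kernel_opts "$1")"
    echo "verdict: $(sandbox_verdict "$1" "$2")"
fi
```

A built-in option is necessary but not sufficient, since it says nothing about what the running browser actually uses; the chrome://sandbox page mentioned in comment 2 shows that.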