Google Chrome

hrlngrv
Level 1
Posts: 16
Joined: Sat May 25, 2013 11:10 pm

Google Chrome

Post by hrlngrv »

I just installed Google Chrome using Google's Debian/Ubuntu DEB, and it didn't run at first.

I found out the problem is that chrome-sandbox needs suid, but my /opt is on a nosuid partition, and I won't change that. I came up with a crude work-around which seems to work, but I'm wondering whether I'm begging for trouble. I copied chrome-sandbox with permissions to /usr/local/bin, renamed it in /opt/google/chrome, then created a symlink so /opt/google/chrome/chrome-sandbox -> /usr/local/bin/chrome-sandbox.

If there are no potential problems with this, I then have to ask whether it's a security hole for symlinks on nosuid partitions to be able to point to suid executables on other partitions.
kc1di
Level 16
Posts: 6383
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: Google Chrome

Post by kc1di »

Hello hrlngrv and welcome to Mint Forums,

I'm not sure about the security of the way you have done it, but I believe a better way (if you're not using LMDE) is to install Chrome via its Ubuntu PPA.
Here's a link telling you how to do that:
http://www.howopensource.com/2011/10/in ... -10-10-04/
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608
pfeiffep
Level 2
Posts: 92
Joined: Tue Apr 23, 2013 10:32 pm
Location: United States

Re: Google Chrome

Post by pfeiffep »

hrlngrv wrote:I just installed Google Chrome using Google's Debian/Ubuntu DEB, and it didn't run at first.

I found out the problem is that chrome-sandbox needs suid, but my /opt is on a nosuid partition, and I won't change that. I came up with a crude work-around which seems to work, but I'm wondering whether I'm begging for trouble. I copied chrome-sandbox with permissions to /usr/local/bin, renamed it in /opt/google/chrome, then created a symlink so /opt/google/chrome/chrome-sandbox -> /usr/local/bin/chrome-sandbox.

If there are no potential problems with this, I then have to ask whether it's a security hole for symlinks on nosuid partitions to be able to point to suid executables on other partitions.
I've installed Chromium :wink: from the software center without problems...Chromium is what Chrome is based upon
HP Tower | Intel iCore 7 3.2Ghz | 12 Gb mem | SDD Win7 | HDD Ubuntu 13.04 & Mint 14 Cinnamon | USB HDD Ubuntu 13.10
Dell laptop | Intel celeron 1.5 Ghz | 2 Gb mem | HDD Ubuntu 13.04 | USB HDD Mint 14


Regards, Pete
hrlngrv
Level 1
Posts: 16
Joined: Sat May 25, 2013 11:10 pm

Re: Google Chrome

Post by hrlngrv »

Thank you, kc1di and pfeiffep.

I hadn't realized that there was a PPA for Chrome. However, it doesn't seem to be available at the moment (midday Pacific Daylight Time). Also, it's coming from Google, so I have to question whether the DEB package would be different from the one I downloaded from https://www.google.com/intl/en/chrome/browser/ and installed.

With respect to Chromium, /usr/lib/chromium-browser/chromium-browser-sandbox is also suid, like /opt/google/chrome/chrome-sandbox. That wouldn't cause the same problem for me because my entire /usr hierarchy is on a suid partition. However, the version of Chromium in the Linux Mint or Ubuntu repositories is 25.x, but the latest stable release is 27.x. My primary browser is Firefox (due to various add-in addictions). I need Chrome to test various things with the latest version. If the Chromium version in the repositories is always one or two behind the latest stable one, I can't use it for my intended purpose.

But my interest is still more in the file system/security issues. Could a symlink on a nosuid partition to a suid executable on an suid partition cause problems other than security-related ones? If not, how much of a security threat is it being able to symlink from nosuid partition to suid executables on suid partitions?
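An added example, not part of any post in this thread: Linux applies `nosuid` per mount to the file that is actually executed, after symlinks are resolved, so the check that matters is the mount holding the link's target. The sketch below evaluates that for one path and audits a directory for symlinks that resolve to set-user-ID files on a mount without `nosuid`; the function names and the temporary layout in `demo` are constructed for illustration, and the mount table is read from a file in `/proc/self/mounts` format.

```shell
#!/bin/sh
# Added example, not from the thread. TABLE is a file in /proc/self/mounts
# format: device mountpoint fstype options dump pass.

# mount_opts TABLE PATH: options of the deepest mount point containing PATH.
mount_opts() {
    awk -v p="$2" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            # ">=" lets a later mount stacked on the same point win
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "$1"
}

# suid_state TABLE PATH: would exec of PATH honour the set-user-ID bit?
# The decision uses the mount holding the resolved file, not the symlink.
suid_state() {
    target=$(readlink -f -- "$2") || return 2
    [ -u "$target" ] || { echo not-setuid; return 0; }
    case ",$(mount_opts "$1" "$target")," in
        *,nosuid,*) echo ignored-nosuid ;;
        *)          echo honoured ;;
    esac
}

# audit_links TABLE DIR: symlinks under DIR whose target would run set-user-ID.
audit_links() {
    find "$2" -type l | while IFS= read -r link; do
        if [ "$(suid_state "$1" "$link")" = honoured ]; then
            echo "$link -> $(readlink -f -- "$link")"
        fi
    done
}

# Constructed layout mirroring the thread: opt/ is nosuid, usr/ is not.
demo() {
    d=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$d/opt/google/chrome" "$d/usr/local/bin"
    : > "$d/usr/local/bin/chrome-sandbox"
    chmod 4755 "$d/usr/local/bin/chrome-sandbox"
    ln -s "$d/usr/local/bin/chrome-sandbox" "$d/opt/google/chrome/chrome-sandbox"
    printf '%s\n' "/dev/r / ext4 rw 0 0" "/dev/a $d/opt ext4 rw,nosuid 0 0" \
        "/dev/b $d/usr ext4 rw 0 0" > "$d/mounts"
    suid_state "$d/mounts" "$d/opt/google/chrome/chrome-sandbox"
    rm -rf "$d"
}
demo
```

On a real system, `audit_links /proc/self/mounts /opt` lists every symlink under `/opt` that ends at a set-user-ID file the kernel will run with elevated privileges.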
DrHu
Level 17
Posts: 7522
Joined: Wed Jun 17, 2009 8:20 pm

Re: Google Chrome

Post by DrHu »

Security read-about(s)..
http://www.cyberciti.biz/tips/linux-security.html
http://tldp.org/HOWTO/html_single/Security-HOWTO/

nosuid or noexec.. example /tmp..
http://www.gentoo.org/doc/en/security/s ... t=1&chap=4
http://www.webhostingtalk.com/showthread.php?t=45885

http://forums.anandtech.com/showthread.php?t=1592795
http://www.md3v.com/mount-the-tmp-parti ... id-options
--important for Debian updates (apt: needs access to /tmp..RW)

Security if that is a real concern, however sudo management (/etc/sudoers file), file quotas and maintaining system logs can all manage or detect any or most security issues, and not cause permissions issues by including noexec or nosuid bits for file(s)..
--you can also run chkroot scanners, add clamav for ms email virus transfer attempts, control user permissions more completely, perhaps with Linux acl controls and so on
  • As well you can run hardening scripts, for example Bastille, or use an intrusion detection system
    --or otherwise manage all the bits of security you need
    If it is entirely local users (not just yourself), they can be controlled by limiting their access or even trying to prevent shell escapers, if you think you have more sophisticated users entering your realm..
If you wanted to audit your system..
http://www.ibm.com/developerworks/linux ... index.html