[Pkg-chromium-maint] Bug#839277: chromium: sandbox won't run unless world-executable

Michael Gold michael at bitplane.org
Fri Sep 30 23:18:00 UTC 2016


Package: chromium
Version: 53.0.2785.113-1
Severity: wishlist

/usr/lib/chromium/chrome-sandbox won't run unless it's world-executable,
due to this code in sandbox/linux/suid/client/setuid_sandbox_host.cc:
  if (access(sandbox_binary.c_str(), X_OK) != 0 || (st.st_uid != 0) ||
      ((st.st_mode & S_ISUID) == 0) || ((st.st_mode & S_IXOTH)) == 0) {
    LOG(FATAL) << "The SUID sandbox helper binary was found, but is not "
                  "configured correctly. Rather than run without sandboxing "
                  "I'm aborting now. You need to make sure that "
               << sandbox_binary << " is owned by root and has mode 4755.";
  }

Please remove the last check (IXOTH).  System accounts like 'nobody' and
'lp' should never run the sandbox, so I've used chgrp and 'chmod o-x' to
ensure only users with GUI access can run it on my system.  And it works
as long as this check is disabled.  The access() check should be enough,
anyway, to verify it will run.

I'm not sure the other checks are useful either--a similar message could
instead be printed when execve() fails or the sandbox sees EPERM/EACCES.
The sandbox itself looks like it will try to continue when geteuid()!=0,
until something important actually fails; this might let it work without
being setuid if the administrator has enabled filesystem capabilities or
unprivileged namespaces.

- Michael


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, mips, i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages chromium depends on:
ii  libasound2           1.1.2-1
ii  libatk1.0-0          2.22.0-1
ii  libavcodec57         7:3.1.3-1+b3
ii  libavformat57        7:3.1.3-1+b3
ii  libavutil55          7:3.1.3-1+b3
ii  libc6                2.24-3
ii  libcairo2            1.14.6-1+b1
ii  libcups2             2.2.0-2
ii  libdbus-1-3          1.10.10-1
ii  libexpat1            2.2.0-1
ii  libfontconfig1       2.11.0-6.7
ii  libfreetype6         2.6.3-3+b1
ii  libgcc1              1:6.2.0-4
ii  libgdk-pixbuf2.0-0   2.36.0-1
ii  libglib2.0-0         2.50.0-1
ii  libgnome-keyring0    3.12.0-1+b1
ii  libgtk-3-0           3.22.0-1
ii  libharfbuzz0b        1.2.7-1+b1
ii  libjpeg62-turbo      1:1.5.1-1
ii  libnettle6           3.2-1
ii  libnspr4             2:4.12-6
ii  libnss3              2:3.26-2
ii  libpango-1.0-0       1.40.3-2
ii  libpangocairo-1.0-0  1.40.3-2
ii  libpci3              1:3.3.1-1.1
ii  libpulse0            9.0-3
ii  libspeechd2          0.8.5-1
ii  libstdc++6           6.2.0-4
ii  libx11-6             2:1.6.3-1
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.2-1
ii  libxi6               2:1.7.6-1
ii  libxml2              2.9.4+dfsg1-2
ii  libxrandr2           2:1.5.0-1
ii  libxrender1          1:0.9.9-2
ii  libxslt1.1           1.1.29-1
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1+b1
ii  x11-utils            7.7+3
ii  xdg-utils            1.1.1-1

Versions of packages chromium recommends:
ii  fonts-liberation  1:1.07.4-2

Versions of packages chromium suggests:
pn  chromium-l10n  <none>

-- no debconf information
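Added example (not part of the original report and not Chromium code): a model of the condition quoted above, with and without the S_IXOTH term, evaluated on constructed file metadata for the stock 4755 install and for the chgrp + 'chmod o-x' setup the report describes. The CanExecute helper, the user IDs and the group 1500 are assumptions for illustration; CanExecute is a simplified stand-in for access(X_OK).

```cpp
#include <sys/stat.h>
#include <sys/types.h>
#include <algorithm>
#include <cstdio>
#include <vector>

struct FileMeta { uid_t uid; gid_t gid; mode_t mode; };  // subset of struct stat
struct Caller   { uid_t uid; gid_t gid; std::vector<gid_t> groups; };

// Simplified model of access(path, X_OK) for a regular file: exactly one
// permission class applies (owner, else group, else other). Ignores ACLs,
// capabilities, noexec mounts and the real/effective ID distinction.
bool CanExecute(const FileMeta& f, const Caller& c) {
  if (c.uid == 0) return (f.mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
  if (c.uid == f.uid) return (f.mode & S_IXUSR) != 0;
  bool in_group = c.gid == f.gid ||
      std::find(c.groups.begin(), c.groups.end(), f.gid) != c.groups.end();
  if (in_group) return (f.mode & S_IXGRP) != 0;
  return (f.mode & S_IXOTH) != 0;
}

// The condition quoted in the report; true means the LOG(FATAL) branch is taken.
bool CurrentCheckRejects(const FileMeta& f, const Caller& c) {
  return !CanExecute(f, c) || f.uid != 0 ||
         (f.mode & S_ISUID) == 0 || (f.mode & S_IXOTH) == 0;
}

// The same condition with the S_IXOTH term dropped, as the report requests.
bool RelaxedCheckRejects(const FileMeta& f, const Caller& c) {
  return !CanExecute(f, c) || f.uid != 0 || (f.mode & S_ISUID) == 0;
}

// Constructed IDs: gid 1500 stands for a hypothetical "GUI users" group.
const gid_t kGuiGid = 1500;
const Caller kDesktopUser{1000, 1000, {kGuiGid}};
const Caller kNobody{65534, 65534, {}};
const FileMeta kStock{0, 0, 04755};             // root:root, mode 4755
const FileMeta kRestricted{0, kGuiGid, 04750};  // after chgrp + chmod o-x

int main() {
  std::printf("4755, desktop user: current rejects=%d\n",
              CurrentCheckRejects(kStock, kDesktopUser));
  std::printf("4750, desktop user: current rejects=%d, relaxed rejects=%d\n",
              CurrentCheckRejects(kRestricted, kDesktopUser),
              RelaxedCheckRejects(kRestricted, kDesktopUser));
  std::printf("4750, nobody: can execute=%d, relaxed rejects=%d\n",
              CanExecute(kRestricted, kNobody),
              RelaxedCheckRejects(kRestricted, kNobody));
  return 0;
}
```

In this model the 4750 binary is still refused to 'nobody' by the execute-permission term alone, while the desktop user in the group is rejected only by the S_IXOTH term.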