Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#67732 - Drop suid on chrome-sandbox in signal-desktop

Attached to Project: Community Packages
Opened by NgoHuy (Severus) - Thursday, 27 August 2020, 08:54 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 27 August 2020, 13:33 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
I have found that signal-desktop worked fine without suid on chrome-sandbox. Because kernel.unprivileged_userns_clone = 1 by default, we safely remove it from PKGBUILD.
`chmod u+s "${pkgdir}/usr/lib/signal-desktop/chrome-sandbox"`

Additional info:
* Signal-desktop: 1.34.5-2

Steps to reproduce:
sudo chmod 0755 /usr/lib/signal-desktop/chrome-sandbox && signal-desktop
This task depends upon

Closed by  Eli Schwartz (eschwartz)
Thursday, 27 August 2020, 13:33 GMT
Reason for closing:  Won't implement
Additional comments about closing:  In order to match the system electron package, the sandbox is intentionally installed as setuid precisely because we do NOT, in fact, assume unprivileged_userns_clone on security-conscious systems such as linux-hardened.
Comment by Dave Reisner (falconindy) - Thursday, 27 August 2020, 12:29 GMT
$ sysctl kernel.unprivileged_userns_clone
0

So, no, not by default. I'm using core/linux.

edit: nope, disregard. I've turned it off because I don't trust userns.
Comment by Levente Polyak (anthraxx) - Thursday, 27 August 2020, 12:37 GMT
This would either way fully break signal for running on linux-hardened

Loading...