FS#67732 - Drop suid on chrome-sandbox in signal-desktop
Attached to Project:
Community Packages
Opened by NgoHuy (Severus) - Thursday, 27 August 2020, 08:54 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 27 August 2020, 13:33 GMT
Opened by NgoHuy (Severus) - Thursday, 27 August 2020, 08:54 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 27 August 2020, 13:33 GMT
|
Details
Description:
I have found that signal-desktop worked fine without suid on chrome-sandbox. Because kernel.unprivileged_userns_clone = 1 by default, we safely remove it from PKGBUILD. `chmod u+s "${pkgdir}/usr/lib/signal-desktop/chrome-sandbox"` Additional info: * Signal-desktop: 1.34.5-2 Steps to reproduce: sudo chmod 0755 /usr/lib/signal-desktop/chrome-sandbox && signal-desktop |
This task depends upon
Closed by Eli Schwartz (eschwartz)
Thursday, 27 August 2020, 13:33 GMT
Reason for closing: Won't implement
Additional comments about closing: In order to match the system electron package, the sandbox is intentionally installed as setuid precisely because we do NOT, in fact, assume unprivileged_userns_clone on security-conscious systems such as linux-hardened.
Thursday, 27 August 2020, 13:33 GMT
Reason for closing: Won't implement
Additional comments about closing: In order to match the system electron package, the sandbox is intentionally installed as setuid precisely because we do NOT, in fact, assume unprivileged_userns_clone on security-conscious systems such as linux-hardened.
0
So, no, not by default. I'm using core/linux.
edit: nope, disregard. I've turned it off because I don't trust userns.