Please create an account to participate in the Slashdot moderation system


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re: Trafficking in circumvention measures is ille (Score 1) 227

Um, no actually, I actively cheer them on for catching murderers because I strongly believe murderers shouldn't be allowed free in society. I don't know what weird ideology you have that believes otherwise.

Actually, Niemöller's poem never talked about murderers, but merely about Socialists, Trade Unionists and Jews. Well, some variants listed communists, incurable patients, Jehova's witnesses, civilians of occupied countries, but none listed murderers.

Comment Re:Thought crime (Score 1) 164

Let's say you change the laws and make possessing it a non-criminal offense. The first thing that will happen is that people will monetize it (selling/subscriptions/advertising/etc) and when there is a demand for additional/higher quality content, it will be purchased from the abusers.

They could start by only criminalizing commerce in such pictures. This would remove the incentive to plant it, or to simply mislabel innocent pictures as something nasty (who's gonna contradict law enforcement, when mere viewing of such pictures is a crime?)

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 92

And we where talking about Chrome, not Chromium, or do I miss anything?

In my case it's Chromium (hence nicely packaged as a .deb), but the original poster observed the same thing about Chrome. That it also happens with Chromium on some distributions is worrisome: Chromium is supposed to be repackaged, so that the distributor can remove such shenanigans. Ubuntu managed to do that (in 16.10). Debian, unfortunately, didn't.

Sorry, if that applications needs s-bit as root to run: delete it.

Which is what ended up doing...

And I would have done it much earlier had I known (suspected) this. And in order give other people, who might still be as unsuspecting as I am, a heads up, I'm talking about it.

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 92

I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

Have you stopped beating your wife? :-)

Well, as stated in my other message, if I remove the s bit Chromium will refuse to start.

And how can it be that the user and groop is root anyway?

Most software belongs to root... (have you actually ever looked at any software on your own system, or are you just trolling?)

I guess you installed Chrome as root

In this case, I trusted my distribution, and installed the .deb from repository.

so the mistake is just yours.

If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 92

$ ls -ld /bin/ping
-rwsr-xr-x 1 root root 60288 Jun 15 2016 /bin/ping

Not on my Debian:

> ls -ld /bin/ping
-rwxr-xr-x 1 root root 44104 Nov 8 2014 /bin/ping

You're talking about using software that has access to your keystrokes, mouse movements and clicks,

Only its own (although I wouldn't trust most distros' X setups to appropriately protect applications from each other in that regard, but that's another peeve...).

the plaintext of your TLS sessions.

Again, only their own. As long as I use Firefox for the serious stuff, and chromium only for browsing Javascript infested thrashcan sites my TLS sessions (from Firefox) would still be safe. But with this bug... not so sure.

It also controls the layout and placement of the content that it's presented. The majority of PC-using Americans do pretty much everything in their web browsers.

This is not about the computers of the trump voters (these would use IE 11 on Windows anyways...), but about the computers of more tech-savvy users who just wouldn't expect something like this.

If Google were malicious, they'd be able to get all the data they'd ever want without ever touching root privs.

Not malicious, just callous. Rechklessly allowing third parties (shady sites packed full of Javascripts) to leverage that hole to get admin on victim's computer.

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 92

On my machine (Fedora 25):
> ls -ld /usr/lib/chromium/chrome-sandbox
ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

Careful there, the offending binary might just be called something else (chrome instead of chromium, in /usr/local/lib instead of /usr/lib), etc.

Just try locate sandbox, or rpm -q -l chromium | xargs ls -ld | egrep '^-..s' to be sure...

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 92

Ubuntu has a lot to answer for IMO.

Actually, this is a Debian system where I saw this... And one Anonymous Coward claims that on his Ubuntu 16.10 system, Chromium doesn't have the bug. So let's be careful who deserves the blame here... my hunch is that it's google itself, rather than the distro.

Comment Re:I wouldn't touch Google Chrome on Linux (Score 4, Informative) 92

Nothing in Chrome requires a root user.

Unfortunately, it does, I didn't believe it myself at first...:
# ls -l /usr/lib/chromium/chrome-sandbox
-rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

Removing that s bit causes chromium to refuse to run:
> chromium
[28193:28193:0225/] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chromium/chrome-sandbox is owned by root and has mode 4755.
#0 0x564a04ba083e <unknown>
#1 0x564a04bb4f7b <unknown>
#2 0x564a05a0f4cf <unknown>
#3 0x564a043f3def <unknown>
#4 0x564a043f325e <unknown>
#5 0x564a043f384e <unknown>
#6 0x564a0408872c <unknown>
#7 0x564a0409036d <unknown>
#8 0x564a04087dcc <unknown>
#9 0x564a0480764b <unknown>
#10 0x564a04805fa0 <unknown>
#11 0x564a033de1bc ChromeMain
#12 0x7ff5074f5b45 __libc_start_main
#13 0x564a033de069

zsh: abort chromium

Comment Re:I wouldn't touch Google Chrome on Linux (Score 3, Insightful) 92

Chrome runs under the user id it was started from.

... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

# ls -ld /usr/lib/chromium/chrome-sandbox
-rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

Slashdot Top Deals

Your code should be more efficient!