
Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 90

And we were talking about Chrome, not Chromium, or do I miss anything?

In my case it's Chromium (hence nicely packaged as a .deb), but the original poster observed the same thing about Chrome. That it also happens with Chromium on some distributions is worrisome: Chromium is supposed to be repackaged, so that the distributor can remove such shenanigans. Ubuntu managed to do that (in 16.10). Debian, unfortunately, didn't.

Sorry, if that application needs s-bit as root to run: delete it.

Which is what I ended up doing...

And I would have done it much earlier had I known (suspected) this. And in order to give other people, who might still be as unsuspecting as I am, a heads up, I'm talking about it.

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 90

I guess that is more a problem of the installation process than any 'necessity' ... if you know that, why don't you remove the s bit?

Have you stopped beating your wife? :-)

Well, as stated in my other message, if I remove the s bit Chromium will refuse to start.

And how can it be that the user and group is root anyway?

Most software belongs to root... (have you actually ever looked at any software on your own system, or are you just trolling?)

I guess you installed Chrome as root

In this case, I trusted my distribution, and installed the .deb from repository.

so the mistake is just yours.

If I had installed it manually in my own directory, chances are, it would refuse to run (... as it would not be setuid root)

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 90

$ ls -ld /bin/ping
-rwsr-xr-x 1 root root 60288 Jun 15 2016 /bin/ping

Not on my Debian:

> ls -ld /bin/ping
-rwxr-xr-x 1 root root 44104 Nov 8 2014 /bin/ping

You're talking about using software that has access to your keystrokes, mouse movements and clicks,

Only its own (although I wouldn't trust most distros' X setups to appropriately protect applications from each other in that regard, but that's another peeve...).

the plaintext of your TLS sessions.

Again, only their own. As long as I use Firefox for the serious stuff, and chromium only for browsing JavaScript-infested trashcan sites, my TLS sessions (from Firefox) would still be safe. But with this bug... not so sure.

It also controls the layout and placement of the content that it's presented. The majority of PC-using Americans do pretty much everything in their web browsers.

This is not about the computers of the Trump voters (these would use IE 11 on Windows anyways...), but about the computers of more tech-savvy users who just wouldn't expect something like this.

If Google were malicious, they'd be able to get all the data they'd ever want without ever touching root privs.

Not malicious, just callous. Recklessly allowing third parties (shady sites packed full of JavaScript) to leverage that hole to get admin on the victim's computer.

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 90

On my machine (Fedora 25):
> ls -ld /usr/lib/chromium/chrome-sandbox
ls: cannot access '/usr/lib/chromium/chrome-sandbox': No such file or directory

Careful there, the offending binary might just be called something else (chrome instead of chromium, in /usr/local/lib instead of /usr/lib), etc.

Just try locate sandbox, or rpm -q -l chromium | xargs ls -ld | egrep '^-..s' to be sure...
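A more general form of the check suggested in the comment above, as an added example that is not part of the original post: it lists every setuid file under the given directories, whatever the helper is called, and flags any that group or others can write to. The function names are hypothetical, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the original comment). Assumes GNU find/stat.

# list_setuid DIR...: print "MODE OWNER PATH" for each setuid regular file.
list_setuid() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip paths that do not exist
        find "$dir" -xdev -type f -perm -4000 \
            -exec stat -c '%a %U %n' {} + 2>/dev/null
    done
}

# audit_setuid DIR...: prefix each line with a verdict.
#   ok        setuid, writable by the owner only
#   WRITABLE  setuid and group- or world-writable, so someone other than the
#             owner could replace code that runs with the owner's privileges
audit_setuid() {
    list_setuid "$@" | while read -r mode owner path; do
        # stat prints the mode in octal (e.g. 4755); test the g+w / o+w bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            verdict=WRITABLE
        else
            verdict=ok
        fi
        printf '%s %s %s %s\n' "$verdict" "$mode" "$owner" "$path"
    done
}

# Typical use: audit_setuid /usr/lib /usr/local/lib /opt
```

Lines whose owner column is root are the ones that run with root privileges regardless of who starts them.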

Comment Re:I wouldn't touch Google Chrome on Linux (Score 1) 90

Ubuntu has a lot to answer for IMO.

Actually, this is a Debian system where I saw this... And one Anonymous Coward claims that on his Ubuntu 16.10 system, Chromium doesn't have the bug. So let's be careful who deserves the blame here... my hunch is that it's Google itself, rather than the distro.

Comment Re:I wouldn't touch Google Chrome on Linux (Score 4, Informative) 90

Nothing in Chrome requires a root user.

Unfortunately, it does, I didn't believe it myself at first...:
# ls -l /usr/lib/chromium/chrome-sandbox
-rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

Removing that s bit causes chromium to refuse to run:
> chromium
[28193:28193:0225/] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /usr/lib/chromium/chrome-sandbox is owned by root and has mode 4755.

zsh: abort chromium

Comment Re:I wouldn't touch Google Chrome on Linux (Score 3, Insightful) 90

Chrome runs under the user id it was started from.

... and then proceeds by invoking a set-uid binary (that it conveniently set up at installation time) to become root:

# ls -ld /usr/lib/chromium/chrome-sandbox
-rwsr-xr-x 1 root root 14664 Jan 30 18:39 /usr/lib/chromium/chrome-sandbox

Comment Re: liar (Score 1) 564

If he takes a ride in a diplomatic car, local cops can't touch him.

However, they can touch him before he is even able to reach that diplomatic car. Indeed, the Ecuadorian embassy is in a multi-tenant building, and the staircase leading from the embassy to the parking garage is not extraterritorial. And British cops do indeed hang around in that staircase, exactly to prevent this from happening.

There would still be the possibility of valise diplomatique, but that one is only protected as long as there are no obvious signs that it contains something other than documents (and a huge trunk giving off infrared radiation due to body heat obviously does not contain only documents...)

Leaked documents reveal Ecuadorian Embassy's 'disguise' escape plan

Comment Re:Not sure what to think.... (Score 1) 798

You don't need to be convicted or even charged with any crime or act to be pardoned. A pardon is essentially the head of the executive branch saying the executive branch will not execute laws in regards to a specific person, situation, etc.

How would that work if you're only in charge for 2 more days for that executive branch? No, a pardon is much more, it actually reduces/negates the sentence.

Moreover, even the head of an executive branch cannot "pardon" everybody in his jurisdiction in all circumstances. Here's a case where the governor of Florida tried just that, and was stopped by court.

Comment Re: Linux router (Score 1) 137

The trouble is that more and more sites are now not allowing you to access them without turning off your ad-blocker.

Indeed, there is the German tabloid "Bild Zeitung" which does this (no big loss...). Which other site does this?

And, if you are so inclined, Bild's block is easy to subvert: just do View->PageStyle->NoStyle. Yeah, "No Style", quite fitting for that rag.
