[Bug 718016] New: Please add file %{_libdir}/chromium/chrome_sandbox to the allowed programs with SUID-bit set on
https://bugzilla.novell.com/show_bug.cgi?id=718016
https://bugzilla.novell.com/show_bug.cgi?id=718016#c0

           Summary: Please add file %{_libdir}/chromium/chrome_sandbox to the
                    allowed programs with SUID-bit set on
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Factory
          Platform: x86
        OS/Version: SuSE Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: rwooninck@opensuse.org
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.3 (KHTML, like Gecko) Chrome/16.0.880.0 Safari/535.3 SUSE/16.0.880.0

I have resubmitted Chromium to factory again to resolve the few comments that were given during the legal and build review. However, for one comment I would need a review by the Security team. The reason for this is that I am packaging a binary that requires the SUID-bit to be on. This is the so called chrome_sandbox program and it doesn't do anything else than giving access to the filesystem in a chroot'ed temp directory. Further specifications can be seen at:

http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox

I also want to indicate that the sources used for this program are inside the Chromium source tree, but fortunately located in a separate sub-directory (chromium-suse/src/sandbox/linux/suid). This would prevent going through around 2Gb of sources, as the program only consists of 3 programs and 2 header files with a total size of around 15K. The program is also created separately and is built after the main chromium program.

Unfortunately we cannot avoid this helper, as chromium now explicitly checks that it exists and that it has the SUID bits set on.

The SR for Chromium is #82199

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c1

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Please add file             |AUDIT-0: chromium: setuid
                   |%{_libdir}/chromium/chrome_ |bit on
                   |sandbox to the allowed      |%{_libdir}/chromium/chrome_
                   |programs with SUID-bit set  |sandbox
                   |on                          |

--- Comment #1 from Ludwig Nussel <lnussel@suse.com> 2011-09-15 13:06:40 CEST ---

The setuid bit certainly needs a closer look. Consider patching chromium to continue despite a missing setuid bit until the audit is done.

Note that the helper should be in %{_prefix}/lib instead of %{_libdir}.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High
https://bugzilla.novell.com/show_bug.cgi?id=718016#c2

Raymond Wooninck <rwooninck@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com

--- Comment #2 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-15 11:33:56 UTC ---

*** Bug 718041 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=718041
https://bugzilla.novell.com/show_bug.cgi?id=718016#c3

--- Comment #3 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-15 11:40:47 UTC ---

I can move the helper to any required location, since it is located by setting an environment variable.

I could patch chromium to continue without sandbox until this is reviewed. However, I don't know if this wouldn't cause more security issues, as we might get into a situation where filesystem access could be obtained through Chromium.

There seems to be an alternative (using seccomp for the sandbox); however, the indications are that this pushes the performance drastically (up to 4000%) down (outlined in http://code.google.com/p/chromium/issues/detail?id=36133).
https://bugzilla.novell.com/show_bug.cgi?id=718016#c4

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2011-09-15 11:52:14 UTC ---

For quick acceptance to factory you could switch it off for a bit while we get to review it.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c5

--- Comment #5 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-15 12:09:55 UTC ---

Exactly my idea. I have changed the spec file so that it no longer sets the SUID bit on the helper and ensured that the Chromium sandbox is no longer used. Once this gets accepted in Factory, I will switch the helper on again, so that people can switch to using the browser from the network:chromium repo in a more secure way.

Thanks for your help and please let me know if you need any additional info.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c6

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2011-09-15 16:11:26 UTC ---

You could hook it up to the permission system already.

In %verifyscript:

    %verify_permissions -e %{_libdir}/chromium/chrome_sandbox

and in the %post section add:

    %set_permissions %{_libdir}/chromium/chrome_sandbox

and in the filelist list this binary as:

    %verify(not mode) %{_libdir}/chromium/chrome_sandbox
https://bugzilla.novell.com/show_bug.cgi?id=718016#c7

--- Comment #7 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-15 17:02:07 UTC ---

Thanks. I have adjusted the statements that I already had in the spec-file to the ones indicated. Also I moved the file to the correct location /usr/lib as indicated by Ludwig. Currently the file is building in network:chromium and once it builds correctly I will submit the package to Factory. It was already legally approved, etc., so that inclusion could happen fast. At least in time for the Beta 1 milestone.

Once this exception has been approved, I only need to remove a small statement to enable the sandbox again.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c8

--- Comment #8 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-16 15:00:43 CEST ---

This is an autogenerated message for OBS integration:
This bug (718016) was mentioned in
https://build.opensuse.org/request/show/82427 Factory / chromium
https://bugzilla.novell.com/show_bug.cgi?id=718016#c9

--- Comment #9 from Sebastian Krahmer <krahmer@suse.com> 2011-09-19 14:32:00 UTC ---

From what I've seen during the review, the suid code is OK. It changed in the past (formerly chrooting to a /tmp/ subdir, now to /proc/pid/fd) and uses tricky mechanisms. Basically the suid sandbox is also available as a separate project:

http://code.google.com/p/setuid-sandbox/source/browse/trunk/sandboxme.c?r=13

So I have no problem making it suid and this bug can probably be closed then. We need to re-check if they change the code again, of course.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c10

--- Comment #10 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-20 08:12:22 UTC ---

This is great news. What would be the next step? Chromium has been accepted into Factory in the meanwhile, but is kinda crippled due to the missing helper. The spec-file has been prepared as Marcus indicated, but I would need to remove the "--no-sandbox" from the command-line options.

I have seen the separate project; however, it apparently has not been maintained anymore since March of this year. I compared the code and the current code (packed with the chromium sources) is different. My final target would be to have this suid sandbox packaged in a separate package, so that we can more clearly track changes, etc.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c11

--- Comment #11 from Ludwig Nussel <lnussel@suse.com> 2011-09-20 10:18:08 CEST ---

Normally you wouldn't need to do anything, as the setuid bit will magically appear when I submit a permissions package. However, since you added that hardcoded --no-sandbox you will need to resubmit chromium to remove the parameter again, I guess.

Note that chromium must be able to deal with a missing setuid bit on the helper at run time. An admin is free to change the security level and not have the setuid bit set.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|security-team@suse.de       |lnussel@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=718016#c12

--- Comment #12 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-20 08:39:42 UTC ---

Ok. Then I will replace the hardcoded parameter by a routine that determines if the helper has the setuid bit or not. If it is not set, then it adds the --no-sandbox parameter. This should be able to take care of most situations.

Thanks for your help.
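The run-time check that comments #11 and #12 ask for, written out as an added example in POSIX sh; it is not code from the bug thread or from the openSUSE chromium package. The helper path /usr/lib/chrome_sandbox (the location settled on later in the thread), the CHROME_SANDBOX variable and the function names are assumptions. The point of the check is that a helper which is merely present is not enough: the kernel only honours the setuid bit on a root-owned file, and an admin who lowers the permissions security level leaves the bit off, so the launcher has to degrade to --no-sandbox in both cases rather than fail.

```sh
#!/bin/sh
# Added example (not from the bug thread or the chromium package): launcher-side
# detection of whether the SUID sandbox helper can actually be used.
# Assumed default helper location; the real package sets it via an environment
# variable, so an already-exported CHROME_SANDBOX wins.
: "${CHROME_SANDBOX:=/usr/lib/chrome_sandbox}"

# Return 0 when the file carries the setuid bit (POSIX test -u).
has_setuid_bit() {
    [ -u "$1" ]
}

# Return 0 when the file is owned by uid 0. "find -user" is POSIX and avoids
# the GNU/BSD stat(1) divergence.
owned_by_root() {
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# Return 0 only when the helper can act as the SUID sandbox: it exists, is
# executable, is owned by root and has the setuid bit. A setuid bit on a file
# owned by anyone else is ignored by the kernel, so it must not count.
sandbox_helper_usable() {
    helper=$1
    [ -f "$helper" ] && [ -x "$helper" ] &&
        owned_by_root "$helper" && has_setuid_bit "$helper"
}

# Print the extra argument the launcher should pass: nothing when the helper
# is usable, "--no-sandbox" (the option named in comment #10) otherwise.
chromium_sandbox_flag() {
    sandbox_helper_usable "$1" || printf '%s' '--no-sandbox'
}

# Launcher entry point. The exec of the real browser is replaced by a message
# so the example runs stand-alone on a machine without chromium.
main() {
    flag=$(chromium_sandbox_flag "$CHROME_SANDBOX")
    if [ -n "$flag" ]; then
        echo "warning: $CHROME_SANDBOX is not a root-owned setuid binary;" \
             "starting chromium with $flag" >&2
    fi
    # A real launcher would do: exec /usr/lib/chromium/chromium $flag "$@"
    echo "would run: chromium $flag $*"
}

main "$@"
```

The ownership test is what makes this more than a `-u` check: the permissions package can set or clear the bit depending on the security level, but it never changes who owns the file, so a stale or user-owned copy of the helper is reported the same way as a missing bit.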
https://bugzilla.novell.com/show_bug.cgi?id=718016#c13

--- Comment #13 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-20 13:28:34 UTC ---

Hi Ludwig,

I have a question related to this topic. The update for the automatic setting of the SETUID bit will only happen for Factory. Pavol Rusnak has updated the 11.2:Contrib, 11.3:Contrib and 11.4:Contrib repos so that they are linked from the Chromium package in Factory. However, if the permissions change is only for Factory, then I would need to explicitly do this in the spec file for distros <= 11.4, which would also require an rpmlintrc file. Would such a situation be allowed in Factory? Or should I create a separate patch that needs to be applied against the Contrib package?

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=718016#c14

--- Comment #14 from Ludwig Nussel <lnussel@suse.com> 2011-09-20 15:36:02 CEST ---

Better include a file, e.g. /etc/permissions.d/chromium.easy, that sets the setuid bit in older distros. Then set the badness of the resulting rpmlint message to zero. Any rpmlintrc that suppresses permission errors won't be accepted in Factory.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c15

--- Comment #15 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-20 17:00:16 CEST ---

This is an autogenerated message for OBS integration:
This bug (718016) was mentioned in
https://build.opensuse.org/request/show/83931 Factory / permissions
https://bugzilla.novell.com/show_bug.cgi?id=718016#c16

--- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-20 18:00:21 CEST ---

This is an autogenerated message for OBS integration:
This bug (718016) was mentioned in
https://build.opensuse.org/request/show/83945 Factory / permissions
https://bugzilla.novell.com/show_bug.cgi?id=718016#c17

--- Comment #17 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-21 06:40:03 UTC ---

I have tested the chromium installation together with the new permissions file. However, it seems that permissions.secure has the file /lib/chrome_sandbox, while (according to comment #2) I have the file %{_prefix}/lib/chrome_sandbox.

Ludwig, I would appreciate if you would indicate which path is correct. For me just /lib/chrome_sandbox sounds strange (at least I see only libraries in that directory).

Thanks

Regards

Raymond
https://bugzilla.novell.com/show_bug.cgi?id=718016#c18

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #18 from Ludwig Nussel <lnussel@suse.com> 2011-09-21 10:03:39 CEST ---

Oops, that was a copy&paste error. /usr/lib is correct of course. Fixed now.
https://bugzilla.novell.com/show_bug.cgi?id=718016#c19

--- Comment #19 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-21 11:00:26 CEST ---

This is an autogenerated message for OBS integration:
This bug (718016) was mentioned in
https://build.opensuse.org/request/show/84044 Factory / permissions
https://bugzilla.novell.com/show_bug.cgi?id=718016#c20

Raymond Wooninck <rwooninck@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED

--- Comment #20 from Raymond Wooninck <rwooninck@opensuse.org> 2011-09-21 09:37:18 UTC ---

Bug is indeed resolved. Tested it locally and everything works. Thanks!!
https://bugzilla.novell.com/show_bug.cgi?id=718016#c21

--- Comment #21 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-26 13:00:16 CEST ---

This is an autogenerated message for OBS integration:
This bug (718016) was mentioned in
https://build.opensuse.org/request/show/84818 Factory / chromium
https://bugzilla.novell.com/show_bug.cgi?id=718016#c22

--- Comment #22 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-08-21 16:00:13 CEST ---

This is an autogenerated message for OBS integration:
This bug (718016) was mentioned in
https://build.opensuse.org/request/show/195811 Factory / permissions