https://bugzilla.novell.com/show_bug.cgi?id=779448 https://bugzilla.novell.com/show_bug.cgi?id=779448#c1 --- Comment #1 from Peter Hanisch 2012-09-09 21:36:08 CEST --- This is /usr/lib/chrome_sandbox when the error happens (untempered with) sh-4.2$ ls -l /usr/lib/chrome_sandbox -rwxr-xr-x 1 root root 16472 Sep 8 00:11 /usr/lib/chrome_sandbox -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779448 https://bugzilla.novell.com/show_bug.cgi?id=779448#c3 --- Comment #3 from Peter Hanisch 2012-09-10 14:52:11 CEST --- Dear Marcus, I'm using "secure" permissions, and have been for a long while. sh-4.2$ grep PERMISSION_SECURITY /etc/sysconfig/security PERMISSION_SECURITY="secure local" # PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or Previously, upon updating/installing chromium, the chromium-suid-helper install script complained about "wrong permissions" and set them to 4755 instead of 0755. Why has this behaviour changed in 12.2, or rather, why does it use 0755 as permissions even though it breaks all sandboxing for chrome? :S I assume just changing the permissions file to 4755 would mitigate the problem but at the same time runs against the original intention? Something seems to have changed about permission handling with openSUSE & zypper since 12.1, I'm just wondering if the old way was broken and this is the proper way, or whether the new way is handling things wrong. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779448 https://bugzilla.novell.com/show_bug.cgi?id=779448#c5 Peter Hanisch changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|veniastra@gmail.com | --- Comment #5 from Peter Hanisch 2012-09-11 14:21:36 CEST --- Ah, that makes sense. I'll adjust /etc/permissions.local then and this can be closed, I suppose. And I guess this way, if somebody else experiences the same situation, at least this entry is there as an explanation. :) Thank you for your help, Markus! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779448 https://bugzilla.novell.com/show_bug.cgi?id=779448#c9 Raymond Wooninck changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |REOPENED CC| |tittiatcoke@gmail.com Resolution|FIXED | --- Comment #9 from Raymond Wooninck 2013-08-16 13:05:03 UTC --- I would like to re-open this bug with the question to the security team if we could have also the SETUID for /usr/lib/chrome_sandbox in case we are running with secure permissions. As we know the chrome_sandbox is required to make the system less vulnerable for bad coding, etc, so it would make sense to have chrome_sandbox set with the right permissions. This request comes from a very recent issue reported on the chromium-support channel where an openSUSE user complained why his chromium installation is running with the --no-sandbox. That user has the secure permissions, but indicated that he never made any changes to this. I will change the Chromium package to remove the "--no-sandbox" part and given an indication that the sandbox is not supporting in the permission state they are running. But as indicated it would be better if we can include the SETUID for chrome_sandbox in the secure mode. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.