https://bugzilla.novell.com/show_bug.cgi?id=718016

https://bugzilla.novell.com/show_bug.cgi?id=718016#c0

Summary: Please add file %{_libdir}/chromium/chrome_sandbox to the allowed programs with SUID-bit set on
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: x86
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: rwooninck@opensuse.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.3 (KHTML, like Gecko) Chrome/16.0.880.0 Safari/535.3 SUSE/16.0.880.0

I have resubmitted Chromium to factory again to resolve the few comments that were given during the legal and build review. However, for one comment, I would need a review by the Security team.

The reason for this is that I am packaging a binary that requires the SUID-bit to be on. This is the so-called chrome_sandbox program and it doesn't do anything else than giving access to the filesystem in a chroot'ed temp directory. Further specifications can be seen at: http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox

I also want to indicate that the sources used for this program are inside the Chromium source tree, but fortunately located in a separate sub-directory (chromium-suse/src/sandbox/linux/suid). This would prevent going through around 2Gb of sources, as the program only consists of 3 programs and 2 header files with a total size of around 15K. The program is also created separately and is built after the main chromium program.

Unfortunately we cannot avoid this helper, as chromium is now explicitly checking that it exists and that it has the SUID bits set on.

The SR for Chromium is #82199

Reproducible: Always

Steps to Reproduce:
1.
2.
3.