Page 1 of 1

[Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 18 Oct 2015, 01:32
by aus9
Hi

not sure if this is a bug, and it takes so long to download everything I am loathe to duplicate and confirm on another machine.

I chose the combined module option in USM.

Choosing googe-chrome in 64 bit XFCE did not start so info of error is

Code: Select all

/opt/google/chrome/chrome
[1919:1919:1018/092252:FATAL:setuid_sandbox_client.cc(282)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
Aborted
bash-4.2$ ls -al /opt/google/chrome/chrome-sandbox
-rwxr-xr-x 1 root root 14536 Nov 22  2014 /opt/google/chrome/chrome-sandbox
Fix is

Code: Select all

bash-4.2$ su
Password: 
root@porteus:/home/gordon# chmod 4755 /opt/google/chrome/chrome-sandbox
root@porteus:/home/gordon# ls -al /opt/google/chrome/chrome-sandbox
-rwsr-xr-x 1 root root 14536 Nov 22  2014 /opt/google/chrome/chrome-sandbox*
good luck

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 18 Oct 2015, 02:54
by francois
Thanks for the tip. I was running with:
Google-chrome --no-sandbox
Which is not much secure. I will try that on my installation. I am on Android for now.

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 20 Oct 2015, 03:21
by francois
Your trick does not seem to work for our prototype of archlinux-porteus version which is called nemesis. The file is in /usr/lib/chromium/chrome-sandbox:
http://forum.porteus.org/viewtopic.php? ... 853#p37853

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 20 Oct 2015, 07:08
by aus9
@francois
I will reply here. I never said it was the ownership of root that was the concern in my distro flavour.
see the first code box please. I forgot to mention that the command =/opt/google/chrome/chrome was run as non-root
---but you could infer it as the next command I mentioned I used su (toroot)

and it then shows perm as 655 which means non-root user can execute it.

and it also complained it need perm of 4755 meaning that root owner has sticky set....but non-root can still execute.

If I can be blunt....IMHO you must start google-chrome as local user and should not start it as root.

Can you do this for me on your flavour and post in your thread any error messages?...or this thread....whatever takes your fancy

Code: Select all

whoami
# response should be guest 

/opt/google/chrome/chrome
and hopefully it should start with only minor errors= non-fatal such as
[2128:2128:1020/150502:ERROR:nacl_fork_delegate_linux.cc(292)] Bad NaCl helper startup ack (0 bytes)
ATTENTION: default value of option force_s3tc_enable overridden by environment.
[2126:2126:1020/150504:ERROR:native_backend_gnome_x.cc(70)] Unable to load symbol gnome_keyring_attribute_list_new: /usr/lib64/libgnome-keyring.so.0: undefined symbol: gnome_keyring_attribute_list_new

good luck

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 22 Oct 2015, 01:33
by francois
@aus9:
If I can be blunt....IMHO you must start google-chrome as local user
And without whoami, I answer:

Code: Select all

root ~ #

and I use the cheatcode login=root on my bootloader instructions, see:
http://www.porteus.org/tutorials/26-gen ... -them.html
login=user_name
... Lets you specify the name of the user (could be also 'root')
which will be autologged into GUI session.
If username is not provided then booting stops on the lxdm/kdm
login screen.


You are not blunt. Let me say: "to root or not to root, that is the question". Let's say that though it is not considered a best practice, and advised to newbies to work as a normal user for security reasons, a few of us, very few, will work root. It is not considered an heresia.

If you know the risk, and what could be lost. I have been working root in the last ten years. My precious data is on usb.

You can start a discussion on the topic of root mode if you want. We are open to discussion. It will not be considered an heresia. :wink:

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 22 Oct 2015, 05:52
by aus9
@francois
Well what can I say?
I refuse to open such a discussion. You have already said you understand the risks. And I did qualify it with the use of IMHO. :D

But I am not sure you tried to login as guest to see if my trick resolved your nemesis item. I would hate it if I was right. Not that I have tried it myself.

Yes I do have a sense of humour.
giggles

BTW....since I don't have the Porteus expertise or as previously posted - fast internet.....why not copy and paste your nemesis issue here. I won't regard as off topic. I have seen your nemesis setting post but if you have time to paste the error don't forget to add the ls -al command as mentioned above please.

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 22 Oct 2015, 11:00
by francois
I will try under c guest.

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 11 Nov 2015, 23:31
by aus9
Ok on Nemesis I created a bundle for chromium and can see there are setuid issues.
as guest

Code: Select all

/usr/lib/chromium/chrome-sandbox --help
The setuid sandbox provides API version 1, but you need 0
Please read https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment.
as root

Code: Select all

cd /tmp
git clone https://code.google.com/p/setuid-sandbox/
Cloning into 'setuid-sandbox'...
fatal: unable to access 'https://code.google.com/p/setuid-sandbox/': error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

env GIT_SSL_NO_VERIFY=true git clone https://code.google.com/p/setuid-sandbox/
Cloning into 'setuid-sandbox'...
Unpacking objects: 100% (89/89), done.
Checking connectivity... done.
Looks like I might be missing the Common Name cert for google.....will check for that later. In the meantime the no verify command is a success.
I seem to recall you had a different issue with git recently as well, so not sure if that has been resolved.

Code: Select all

make
gcc -c -Wall sandboxme.c -o sandboxme.o
gcc -c -Wall privdrop.c -o privdrop.o
gcc -Wall sandboxme.o privdrop.o -o sandboxme -lcap
gcc -c -Wall example.c -o example.o
gcc -c -Wall libsandbox.c -o libsandbox.o
gcc -Wall example.o libsandbox.o -o example

Code: Select all

cd /tmp
find . | xargs file | grep "executable"    | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
cd setuid-sandbox/
file sandboxme
sandboxme: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=70ca9107403dcd6a80aae780547bb8efca81ab6c, stripped
chown root:root sandboxme && chmod 4511 sandboxme
ls -al sandboxme
-r-s--x--x 1 root root 13912 Nov 11 23:55 sandboxme
I will pack this into a XZM for you if you like, or you can follow my commands above if you don't trust me? Still new at XZM tho. In the meantime lets cheat

Code: Select all

cp sandboxme /usr/local/bin
mkdir -p  /mnt/sda3/nemesis/changes/usr/local/bin
cp sandboxme /mnt/sda3/nemesis/changes/usr/local/bin/
Change pathway to your changes dir ^^^^^^

Ok that should be enough for me try out live things and have my file already saved to changes dir

as guest

Code: Select all

/usr/local/bin/sandboxme -- /usr/lib/chromium/chrome-sandbox 
Helper: write to 4 ($SBX_D) to chroot the sandboxed process
Could not find user suidsandbox
Hi from the sandbox! I'm pid=1, uid=1000, gid=100, dumpable=N
Executing /usr/lib/chromium/chrome-sandbox
Warning: we will become dumpable after execve()!
  please make /usr/lib/chromium/chrome-sandbox non readable
Usage: /usr/lib/chromium/chrome-sandbox <renderer process> <args...>
as root

Code: Select all

cd /usr/lib/chromium
chmod -r chrome-sandbox 
ls -al chrome-sandbox
--ws--x--x 1 root root 18376 Nov  1 15:42 chrome-sandbox
lets cheat again for changes

Code: Select all

mkdir -p /mnt/sda3/nemesis/changes/usr/lib/chromium
cp chrome-sandbox /mnt/sda3/nemesis/changes/usr/lib/chromium
Ok not yet a success but time to reboot into changes to see if I have understood how to use Nemesis/Porteus

OK used changes bootcode lets see if root works

Code: Select all

/usr/local/bin/sandboxme -- /usr/lib/chromium/chrome-sandbox 
The sandbox is not designed to be run by root, aborting
useradd suidsandbox
I just added the new user, not sure if I need to change PID/GID etc to match later output
at this stage

Code: Select all

cat /etc/group | grep suid
suidsandbox:x:1001:

hmm well lets just as guest run chromium.....error I had done things
locales are not yet resolved at this stage but lets fix my .config
as root

Code: Select all

chown -R guest:users .config
as guest

Code: Select all

chromium
now runs as expected but now lets try the sandbox

Code: Select all

/usr/local/bin/sandboxme -- /usr/lib/chromium/chrome-sandbox --use-gl
Helper: write to 4 ($SBX_D) to chroot the sandboxed process
Hi from the sandbox! I'm pid=1, uid=1000, gid=1001, dumpable=N
Executing /usr/lib/chromium/chrome-sandbox
The setuid sandbox provides API version 1, but you need 0
Please read https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment.

The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
HMMM need to research this......research starts

here is a good page and the original readme
https://chromium.googlesource.com/chrom ... sandbox.md

https://code.google.com/p/setuid-sandbo ... wse/README

In a code box in this post you can find
Could not find user suidsandbox
so as root I ran a command

Code: Select all

useradd suidsandbox
and could not make a difference.

Now in the research link for the readme it mentions
- by design, can allow a process to become impossible to kill by a user (if the administrator created SANDBOXUSER)
so will now try that

Code: Select all

useradd SANDBOXUSER
useradd: invalid user name 'SANDBOXUSER'

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 13 Nov 2015, 23:07
by aus9
@francois above post is getting too long so started a new post.

Code: Select all

/usr/local/bin/sandboxme chroot                                      
Helper: write to 4 ($SBX_D) to chroot the sandboxed process
Could not find user suidsandbox
Hi from the sandbox! I'm pid=1, uid=1000, gid=100, dumpable=N
Executing /bin/sh
sh-4.3$ /usr/lib/chromium/chrome-sandbox
Usage: /usr/lib/chromium/chrome-sandbox <renderer process> <args...>
sh-4.3$ /usr/lib/chromium/chrome-sandbox --use-gl
The setuid sandbox provides API version 1, but you need 0
Please read https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment.

close: Bad file descriptor
Read on socketpair: Success

exit
and exit still allows exit from chroot and as root re-add that user

Code: Select all

 useradd suidsandbox
repeat earlier commands

Code: Select all

/usr/local/bin/sandboxme chroot 
Helper: write to 4 ($SBX_D) to chroot the sandboxed process
Hi from the sandbox! I'm pid=1, uid=1000, gid=1001, dumpable=N
Executing /bin/sh
sh-4.3$ /usr/lib/chromium/chrome-sandbox --use-gl
The setuid sandbox provides API version 1, but you need 0
Please read https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment.

close: Bad file descriptor
Read on socketpair: Success
You probably can't spot it as there is a lot to read, we have eliminated one error, no longer getting below error
Could not find user suidsandbox

researching the "you need o" error I find this page
https://code.google.com/p/chromium/issu ... ?id=385995
check "ps auxww" to see if the command-line for the process mentions "nacl_helper"
trouble is, that command expects chromium to be running, and you need a separate terminal tab to use root to get that command to work
which it doesn't because chromium is not running.

I give up at this stage

Re: [Package] google-chrome v39.0.2171.65-x86_64-1sl

Posted: 13 Nov 2015, 23:32
by aus9
@francois

I give up at this stage

Maybe you could try
https://aur.archlinux.org/packages/google-chrome/
v 46.0.2490.86-1