Old 10-26-2021, 03:09 PM   #1
max.b
Member
 
Registered: Feb 2013
Distribution: Debian 11, GNOME
Posts: 100

Rep: Reputation: 5
Should I run chromium-sandbox or plain chromium?


Debian 11 includes both chromium and chromium-sandbox.

It's my understanding that, while on the one hand, chromium-sandbox prevents some attacks, it also increases other risks by being setuid.

What's the net effect? Is there a consensus on this?

===

I also noticed, by running aa-status, that AppArmor is running, and it confines some apps, like evince and man, but it does nothing for firefox-esr and chromium. Isn't this odd, considering that browsers are probably the most dangerous things you run?

Chrome gets 200+ CVEs/year, and Firefox gets 100 CVEs/year (some say the latter number is only smaller because Firefox gets less attention).

Last edited by max.b; 10-26-2021 at 07:45 PM.
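
The two checks raised in the post above, as an added example that is not part of the original thread: reading `aa-status` output to see whether a browser has an AppArmor profile, and testing whether a sandbox helper binary is setuid. The `aa-status` text is a constructed sample, the function names are hypothetical, and the helper path is an assumption to adjust for your system.

```shell
# Constructed sample in the layout `aa-status` prints (not captured from a real host).
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/man
   man_filter
1 profiles are in complain mode.
   /usr/sbin/dnsmasq
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/evince (2211)
   /usr/bin/man (2290)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode NAME: read aa-status text on stdin and print enforce, complain
# or none for the profile named NAME or whose path ends in /NAME.
profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/  { mode = "enforce";  next }
        /profiles are in complain mode/ { mode = "complain"; next }
        /^[0-9]+ /                      { mode = "";         next }  # other count lines end a list
        mode != "" {
            tail = substr($1, length($1) - length(want))
            if ($1 == want || tail == "/" want) { print mode; found = 1; exit }
        }
        END { if (!found) print "none" }
    '
}

# is_setuid PATH: succeed only if PATH is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Assumed helper path; adjust to where your package installs the sandbox helper.
SANDBOX_HELPER="${SANDBOX_HELPER:-/usr/lib/chromium/chrome-sandbox}"

for prog in evince man firefox-esr chromium; do
    printf '%-12s AppArmor profile: %s\n' "$prog" \
        "$(printf '%s\n' "$SAMPLE_AA_STATUS" | profile_mode "$prog")"
done
if is_setuid "$SANDBOX_HELPER"; then
    echo "setuid sandbox helper present: $SANDBOX_HELPER"
else
    echo "no setuid sandbox helper at $SANDBOX_HELPER"
fi
```

On a live system, pipe the real output in instead of the sample, for example `sudo aa-status | profile_mode chromium`.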
 
Old 10-27-2021, 10:27 PM   #2
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,842

Rep: Reputation: 2800
Probably not.
If you MUST run something chromium based, go straight and simple if you can.
Beyond that it depends upon what you do with and in your browser, and what features are important to you.
 
1 members found this post helpful.
Old 10-28-2021, 07:57 PM   #3
max.b
Member
 
Registered: Feb 2013
Distribution: Debian 11, GNOME
Posts: 100

Original Poster
Rep: Reputation: 5
Quote:
Originally Posted by wpeckham View Post
Probably not.
If you MUST run something chromium based,
Security researchers seem to very strongly favor Chrom(ium) over Firefox: https://madaidans-insecurities.githu...-chromium.html (See the last section for references to 9 others)

But on the other hand, Debian is about 3 months behind in fixing Chromium vulnerabilities in Debian Stable: https://security-tracker.debian.org/...ckage/chromium

Maybe this makes it a wash. IDK.
 
Old 10-29-2021, 04:26 AM   #4
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Rep: Reputation: 2367
chromium is technically superior from a security standpoint. But that's all about its design - not the number of CVEs.
Quote:
Originally Posted by max.b View Post
Security researchers seem to very strongly favor[etc]
No. Wrong.

A self styled "security researcher" who authors some random blog and is anonymous (roughly translated - "college kid"). His main contributions on github are to his own website and some sparse contributions to a project called "whonix" (from his blog you'd imagine he was one of the key developers...). Check for yourself - yes always check your sources before reposting them.

He put up a typically sensationalist, skewed and narrow focused, not to mention ill-researched, article on OpenBSD - the usual attempted destruction, laden with rhetoric and security buzzwords.

His articles read like compilations of other material from other sources. Someone posted to openbsd-misc quoting that one and it, rather unsurprisingly, attracted little interest among software developers who actually understand security and actually write code.

We need to see Mr Anonymous' code contributions first... and of course his patches to address all of these issues he found in OpenBSD and other OS and web browsers - to date there haven't been any. The poster of the article on OpenBSD misc was a clear troll - he addressed mailing list users as "fans" from the off, then when failing to get a bite, resorted to a tangential attack regarding cryptography, before exposing himself completely, and going off on more tangents trolling about Linux and systemd, etc. He was the only individual who reposted that worthless article on OpenBSD's mailing list.

Mr Anonymous' biggest success had been in finding willing dupes to quote and repost his agenda driven FUD all over the web. How naive do you have to be, to have your opinions and personal choices continually swayed by random bloggers...?

So only the misinformed and obvious trolls are reposting links to this particular blogger's articles.

Last edited by cynwulf; 10-29-2021 at 05:08 AM.
 
3 members found this post helpful.
Old 11-11-2021, 11:46 AM   #5
max.b
Member
 
Registered: Feb 2013
Distribution: Debian 11, GNOME
Posts: 100

Original Poster
Rep: Reputation: 5
Quote:
Originally Posted by cynwulf View Post
chromium is technically superior from a security standpoint. But that's all about its design - not the number of CVEs.
That's precisely my point (and what the security researcher wrote). Read more carefully next time, would you?

Quote:

No. Wrong.

A self styled "security researcher" who authors some random blog and is anonymous (roughly translated - "college kid"). His main contributions on github are to his own website and some sparse contributions to a project called "whonix" (from his blog you'd imagine he was one of the key developers...). Check for yourself - yes always check your sources before reposting them.

He put up a typically sensationalist, skewed and narrow focused, not to mention ill-researched, article on OpenBSD - the usual attempted destruction, laden with rhetoric and security buzzwords.

His articles read like compilations of other material from other sources. Someone posted to openbsd-misc quoting that one and it, rather unsurprisingly, attracted little interest among software developers who actually understand security and actually write code.

We need to see Mr Anonymous' code contributions first... and of course his patches to address all of these issues he found in OpenBSD and other OS and web browsers - to date there haven't been any. The poster of the article on OpenBSD misc was a clear troll - he addressed mailing list users as "fans" from the off, then when failing to get a bite, resorted to a tangential attack regarding cryptography, before exposing himself completely, and going off on more tangents trolling about Linux and systemd, etc. He was the only individual who reposted that worthless article on OpenBSD's mailing list.

Mr Anonymous' biggest success had been in finding willing dupes to quote and repost his agenda driven FUD all over the web. How naive do you have to be, to have your opinions and personal choices continually swayed by random bloggers...?

So only the misinformed and obvious trolls are reposting links to this particular blogger's articles.
Let me get this straight. This person writes a long post explaining in much technical detail how Firefox is inferior to Chrom(ium) from the security perspective. While you agree with the statement, and can't refute any of the statements, you claim (anonymously) that this person's writing is worthless because he's anonymous, and doesn't have enough contributions on github (under his account)? He also links 9 other security researchers writing on this topic, which you ignore.
 
Old 11-11-2021, 01:31 PM   #6
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,252

Rep: Reputation: 7419
If you are really paranoid, use a VM, run whatever browser you want and browse whatever site you want, and destroy the full VM when you are done. Or just open every page/site in another VM. That is definitely safer than a sandbox.
Anyway, security always depends on the user [and usage, configuration] and must not rely only on any tool (and default settings).
 
Old 11-12-2021, 03:06 AM   #7
cynwulf
Senior Member
 
Registered: Apr 2005
Posts: 2,727

Rep: Reputation: 2367
Quote:
Originally Posted by max.b View Post
That's precisely my point (and what the security researcher wrote). Read more carefully next time, would you?

Let me get this straight. This person writes a long post explaining in much technical detail how Firefox is inferior to Chrom(ium) from the security perspective. While you agree with the statement, and can't refute any of the statements, you claim (anonymously) that this person's writing is worthless because he's anonymous, and doesn't have enough contributions on github (under his account)? He also links 9 other security researchers writing on this topic, which you ignore.
You're either trolling (badly) or you have reading comprehension problems, or both.

Read and digest what the "security researcher" wrote as many times as you like. Knock yourself out - if you want to get your information from random anonymous blogs, probably posted by college kids, then be my guest. Once again: That "blog" did not get a single response when posted by a troll on the OpenBSD mailing lists. Most could see it for what it was - click bait for the fickle and gullible. Ilja van Sprundel's actual research did, and resulted in patches and vulnerabilities being fixed.

I've seen and read enough of the sources, most being reddit, twitter (two corporate reps) and other trolls' blogs from between 2015 to 2017, the last "researcher" admits he doesn't know the difference between firefox and chromium from a security perspective. I don't care to read any more of it. Ironically, the most relevant citation about firefox and chromium is Theo de Raadt's posting from 2018 (ironically that's the lead developer of the OS he set out to defame and debase in another blog entry). The others are mostly one liners and all are about the "tor browser bundle" - the tor browser bundle is primarily about privacy, which is why it uses firefox and not a product from the biggest data mining and telemetry shop in the world... did you honestly read any of the sources?

I know which of the sources are legit and which are on the payroll of some interested party and which are just skewed opinion pieces from random individuals. I've also come across numerous other sites over the years (one of which is his main source for the OpenBSD posting) - they deploy weasel words, cherry picked "facts" and are completely worthless. They set out to reach a conclusion and then proceed to fill in the blanks around that, then throw a bone, as a footnote to give the illusion of fairness.

You have descended through a chain of attacking firefox in Debian, supposedly considering moving to chromium, then attacking Debian after you supposedly discovered that chromium is unmaintained and has all those CVEs listed against it. You've brought this incredible material into it in an attempt to bolster your case. The material would have some merit if your focus was on firefox insecurity and comparisons with chromium - that is not the case. Your intent has been to attack Linux and these threads of yours are just you laying the foundations for those attacks.

//edit:

Your original intent was to simply attack Debian and other Linux distributions, as you have been doing in your now numerous troll threads at this site:

https://www.linuxquestions.org/quest...re-4175703471/
https://www.linuxquestions.org/quest...ml#post6300572

In those two recent ones, you've now played your hand and it's up to others here to decide if they actually want to continue wasting their time making legitimate responses...

Last edited by cynwulf; 11-12-2021 at 04:39 AM.
 
1 members found this post helpful.
  

