Is Chromium safe?

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#16 Post by MagicPoulp »

Head_on_a_Stick wrote:
MagicPoulp wrote:Why do you prefer to use chromium and not chrome?
Because Google will not release the full source code for Chrome.

What are they hiding, exactly?
Yes good point. They do tracking, and they collect data about people. Like the Javascript code injection they use with their front-end advertising script. But if they own the browser, it is even better.

But one can assume that one does not care. I already use google mail. So at this point, I don't really care using the proprietary google chrome.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#17 Post by MagicPoulp »

Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

It seems strange. But I did not check the internals of dpkg myself.

A chroot will not give sudo access to your real root folder but to a fake one.
dilberts_left_nut wrote:
MagicPoulp wrote:Installing a .deb from Google does not give sudo access to google on my computer.
No, but adding the repo lets them put whatever they want on your box.
Only the installation uses sudo not the execution of the program.
There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.
And the package manager is very smart.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.
Really?
... and the pre & post-inst script mechanisms?
dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list
That can be called anything and contain anything.
If really you don't want to run sudo, you can use a chroot, that is a fake root folder.
Which has nothing to do with the subject.
Besides, AppArmor will be by default in Buster. So applications will be even more protected.
Snake Oil salesmen are alive and doing well.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Is Chromium safe?

#18 Post by dilberts_left_nut »

MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

It seems strange. But I did not check the internals of dpkg myself.

A chroot will not give sudo access to your real root folder but to a fake one.
You seem to be missing some basic concepts.
What does "sudo access" mean?
Using a chroot is indeed giving you full access to the filesystem you are chrooting into.

The package installation procedure must have root privileges to install system files, set owner and group permissions etc and run the install scripts to add users/groups and such and set up other environment requirements for the software being installed.

By adding a repo and installing packages you are handing control of your system to whoever can put code in that repo.

The Debian repos have systems in place to ensure provided binaries match the source code, which is all reviewable and provides a chain of trust that is verifiable.

Closed source binaries (and random 'third party' repos) do not - use at your own risk.
AdrianTM wrote:There's no hacker in my grandma...

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#19 Post by MagicPoulp »

OK you gave your opinion.

But I thought dpkg was smart. Waiting for someone else to clarify if dpkg is smart or not.

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#20 Post by debiandonder »

I don't know if Chromium Debian Stretch version is safe, because I was using it today, with two tabs open and went away to make some tea. When I came back everything was frozen. Mouse didn't work, keyboard didn't work. Just Chromium staring at me.

This is the second time this year that I had a complete system freeze. The previous time was with Firefox Snap version on Ubuntu 14.04.

I'm beginning to wonder if I should just try Manjaro to see if it's more stable than Debian or Ubuntu.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#21 Post by Head_on_a_Stick »

MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.
deadbang

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#22 Post by debiandonder »

Head_on_a_Stick wrote:
MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.
I'm just going with what works. Chrome seems to be causing the least problems for me as opposed to chromium or something else.

Reliability is more important than privacy, I don't have worries, I'm not a Russian or Chinese spy.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#23 Post by MagicPoulp »

Head_on_a_Stick wrote:
MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.
OK then I was wrong.

question
Can updates via the registered repository also execute whatever they want via install scripts?

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Is Chromium safe?

#24 Post by dilberts_left_nut »

Yes.
AdrianTM wrote:There's no hacker in my grandma...

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#25 Post by MagicPoulp »

I may be wrong again, but it seems to me that for Red Hat distros, the rpm packages have more secure pre/post-install scripts. The different macros seem to give access to certain things, like systemd. One cannot for example put "rm -rf /" in the scriptlet.

https://docs.fedoraproject.org/en-US/pa ... criptlets/

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#26 Post by Head_on_a_Stick »

MagicPoulp wrote:it seems to me that for Red Hat distros, the rpm packages have more secure pre/post-install scripts. The different macros seem to give access to certain things, like systemd. One cannot for example put "rm -rf /" in the scriptlet.
From the documentation:
The scriptlet can contain any valid sh commands.
...which includes `rm -rf`

And systemd unit files can certainly be included (which may also have `rm -rf` as an ExecStart), the scriptlets can then start said unit files to do whatever the packager wants.

@OP: sorry for the diversion.
deadbang

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#27 Post by debiandonder »

dilberts_left_nut wrote:Yes.
Maybe Chromium is safe, but why then did it freeze my system like I described in an earlier post? Chrome didn't do that ever, just Firefox and only once.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#28 Post by MagicPoulp »

debiandonder wrote:
dilberts_left_nut wrote:Yes.
Maybe Chromium is safe, but why then did it freeze my system like I described in an earlier post? Chrome didn't do that ever, just Firefox and only once.
You need to look at the /var/log/syslog
It is good to wait a few minutes before you reboot so you can track the timestamp and the last thing that happens.

Usually it is due to driver errors.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#29 Post by MagicPoulp »

Head_on_a_Stick wrote: ...which includes `rm -rf`
How can such a system be considered secured? Whatever package you install can do anything without limitations on your system. Many installations could consist only of copying files.

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#30 Post by debiandonder »

My thought exactly! How can one program freeze a whole system in this day and age?

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#31 Post by MagicPoulp »

Probably because they try to do very unstable things with the graphics card. And certain graphics cards or drivers would not support it.

Chrome got a lot of popularity because it was known to be faster than other browsers.

shep
Posts: 423
Joined: 2011-03-15 15:22

Re: Is Chromium safe?

#32 Post by shep »

Maybe Chromium is safe, but why then did it freeze my system like I described in an earlier post? Chrome didn't do that ever, just Firefox and only once.
You may be able to mitigate some of this behavior. Under settings Advanced: Disable anything that sends data to Google/Web services, web cam access, microphone access, resolution of navigation errors, payment methods, content settings, and the ability to run background apps when chrome is closed.

The iridium project essentially tries to remove all these features from chromium source.

https://iridiumbrowser.de/

Unfortunately, they develop deb packages in Ubuntu and the debian packages have not worked, without backporting libfontconfig, for some time.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#33 Post by Head_on_a_Stick »

MagicPoulp wrote:
Head_on_a_Stick wrote: ...which includes `rm -rf`
How can such a system be considered secured?
Security is assured by APT's insistence on authenticating the repositories: https://wiki.debian.org/SecureApt

This is in contrast to, for example, Arch Linux wherein the AUR packages can be installed without any checks at all.
deadbang

No_windows
Posts: 505
Joined: 2015-08-05 03:03

Re: Is Chromium safe?

#34 Post by No_windows »

debiandonder wrote:My thought exactly! How can one program freeze a whole system in this day and age?
I assume by tying up resources... that happens on my old laptop all the time. Sometimes it's only the browser, other times everything stalls.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#35 Post by MagicPoulp »

Head_on_a_Stick wrote:
MagicPoulp wrote:
Head_on_a_Stick wrote: ...which includes `rm -rf`
How can such a system be considered secured?
Security is assured by APT's insistence on authenticating the repositories: https://wiki.debian.org/SecureApt

This is in contrast to, for example, Arch Linux wherein the AUR packages can be installed without any checks at all.
Install scripts or scriptlets are not always used. I don't understand why there is not an option to install packages while disabling install scripts, or making sure no install script is used.

On Windows, a program install cannot do whatever it wants ever with root privileges (UAC). Sorry for the reference to Windows. Maybe I don't understand why it must be the way it is on linux.
