Is Chromium safe?

If none of the more specific forums is the right place to ask

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-12 08:46

Head_on_a_Stick wrote:
MagicPoulp wrote:Why do you prefer to use chromium and not chrome?

Because Google will not release the full source code for Chrome.

What are they hiding, exactly?


Yes good point. They do tracking, and they collect data about people. Like the Javascript code injection they use with their front-end advertising script. But if they own the browser, it is even better.

But one can assume that one does not care. I already use google mail. So at this point, I don't really care using the proprietary google chrome.
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-12 08:51

Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

It seems strange. But I did not check the internals of dpkg myself.

A chroot will not give sudo access to your real root folder but to a fake one.

dilberts_left_nut wrote:
MagicPoulp wrote:Installing a .deb from Google does not give sudo access to google on my computer.
No, but adding the repo lets them put whatever they want on your box.
Only the installation uses sudo not the execution of the program.
There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.
And the package manager is very smart.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.
Really?
... and the pre & post-inst script mechanisms?
dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list
That can be called anything and contain anything.
If really you don't want to run sudo, you can use a chroot, that is a fake root folder.
Which has nothing to do with the subject.
Besides, AppArmor will be by default in Buster. So applications will be even more protected.

Snake Oil salesmen are alive and doing well.
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby dilberts_left_nut » 2019-03-12 10:02

MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

It seems strange. But I did not check the internals of dpkg myself.

A chroot will not give sudo access to your real root folder but to a fake one.

You seem to be missing some basic concepts.
What does "sudo access" mean?
Using a chroot is indeed giving you full access to the filesystem you are chrooting into.

The package installation procedure must have root privileges to install system files, set owner and group permissions etc and run the install scripts to add users/groups and such and set up other environment requirements for the software being installed.

By adding a repo and installing packages you are handing control of your system to whoever can put code in that repo.

The Debian repo's have systems in place to ensure provided binaries match the source code, which is all reviewable and provides a chain of trust that is verifiable.

Closed source binaries (and random 'third party' repo's) do not - use at your own risk.
AdrianTM wrote:There's no hacker in my grandma...
User avatar
dilberts_left_nut
 
Posts: 5003
Joined: 2009-10-05 07:54
Location: enzed

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-12 14:18

OK you gave your opinion.

But I thought dpkg was smart. Waiting for somone else to clarify if dpkg is smart or not.
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby debiandonder » 2019-03-12 17:11

I don't know if Chromium Debian Stretch version is safe, because I was using it today, with two tabs open and went away to make some tea. When I came back everything was frozen. Mouse didn't work keyboard din't work. Just Chromium staring at me.

This is the second time this year that I had a complete system freeze. The previous time was with Firefox Snap version on Ubuntu 14.04.

I beginning to wonder I should just try Manjaro to see if it's more stable than Debian or Ubuntu.
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby Head_on_a_Stick » 2019-03-12 19:26

MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.
User avatar
Head_on_a_Stick
 
Posts: 10377
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is Chromium safe?

Postby debiandonder » 2019-03-12 19:39

Head_on_a_Stick wrote:
MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.


I just going with what works. Chrome seems to be causing the least problems for me as apposed to chromium or something else.

Reliability is more important than privacy, I don't have worries, I'm not a Russian or Chinese spy.
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-13 08:34

Head_on_a_Stick wrote:
MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?

Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.


OK then I was wrong.

question
Can updates via the registered repository also execute whatever they want via install scripts?
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby dilberts_left_nut » 2019-03-13 09:21

Yes.
AdrianTM wrote:There's no hacker in my grandma...
User avatar
dilberts_left_nut
 
Posts: 5003
Joined: 2009-10-05 07:54
Location: enzed

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-13 11:56

I may be wrong again, but it seems to me that for Red Hat distros, the rpm packages have more secure pre/post-install scripts. The different macros seem to give access to certain things, like systemd. One cananot for example put "rm -rf /" in the scriptlet.

https://docs.fedoraproject.org/en-US/pa ... criptlets/
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby Head_on_a_Stick » 2019-03-13 18:49

MagicPoulp wrote:it seems to me that for Red Hat distros, the rpm packages have more secure pre/post-install scripts. The different macros seem to give access to certain things, like systemd. One cananot for example put "rm -rf /" in the scriptlet.

From the documentation:
The scriptlet can contain any valid sh commands.

...which includes `rm -rf`

And systemd unit files can certainly be included (which may also have `rm -rf` as an ExecStart), the scriptlets can then start said unit files to do whatever the packager wants.

@OP: sorry for the diversion.
User avatar
Head_on_a_Stick
 
Posts: 10377
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Is Chromium safe?

Postby debiandonder » 2019-03-13 20:12

dilberts_left_nut wrote:Yes.


Maybe Chromium is save, but why then did it freeze my system like I described in a earlier post? Chrome didn't do that ever, just Firefox and only once.
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-14 08:29

debiandonder wrote:
dilberts_left_nut wrote:Yes.


Maybe Chromium is save, but why then did it freeze my system like I described in a earlier post? Chrome didn't do that ever, just Firefox and only once.


You need to look at the /var/log/syslog
It is good to wait a few minutes before you reboot so you can track the timestamp and the last thing that happens.

Usually it is due to driver errors.
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby MagicPoulp » 2019-03-14 08:32

Head_on_a_Stick wrote:...which includes `rm -rf`


How can such a system be considered secured? Whatever package you install can do anything without limitations on your system. Many installations could consist only of copying files.
MagicPoulp
 
Posts: 197
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

Postby debiandonder » 2019-03-14 10:10

My thought exactly! How can one program freeze a whole system in this day and age?
debiandonder
 
Posts: 128
Joined: 2019-02-11 17:22

PreviousNext

Return to General Questions

Who is online

Users browsing this forum: No registered users and 13 guests

fashionable