Is Chromium safe?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#21 Post by Head_on_a_Stick »

MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.
deadbang

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#22 Post by debiandonder »

Head_on_a_Stick wrote:
MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.
I'm just going with what works. Chrome seems to be causing the least problems for me as opposed to chromium or something else.

Reliability is more important than privacy, I don't have worries, I'm not a Russian or Chinese spy.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#23 Post by MagicPoulp »

Head_on_a_Stick wrote:
MagicPoulp wrote:Can anyone else confirm if dpkg can give total sudo access to the creator of a deb package using post-preinstalled scripts?
Yes, I have several Debian packages in an OBS repository and it would be very simple to add a post-install script to do whatever the hell I wanted to unsuspecting users' systems.

Here is the post-install script from Google's Chrome .deb:

https://paste.debian.net/1072888/

^ They could put literally anything in that script and APT would just execute it, there are *no* safety checks whatsoever.
OK then I was wrong.

question
Can updates via the registered repository also execute whatever they want via install scripts?

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Is Chromium safe?

#24 Post by dilberts_left_nut »

Yes.
AdrianTM wrote:There's no hacker in my grandma...

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#25 Post by MagicPoulp »

I may be wrong again, but it seems to me that for Red Hat distros, the rpm packages have more secure pre/post-install scripts. The different macros seem to give access to certain things, like systemd. One cannot for example put "rm -rf /" in the scriptlet.

https://docs.fedoraproject.org/en-US/pa ... criptlets/

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#26 Post by Head_on_a_Stick »

MagicPoulp wrote:it seems to me that for Red Hat distros, the rpm packages have more secure pre/post-install scripts. The different macros seem to give access to certain things, like systemd. One cannot for example put "rm -rf /" in the scriptlet.
From the documentation:
The scriptlet can contain any valid sh commands.
...which includes `rm -rf`

And systemd unit files can certainly be included (which may also have `rm -rf` as an ExecStart), the scriptlets can then start said unit files to do whatever the packager wants.

@OP: sorry for the diversion.
deadbang

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#27 Post by debiandonder »

dilberts_left_nut wrote:Yes.
Maybe Chromium is safe, but why then did it freeze my system like I described in an earlier post? Chrome didn't do that ever, just Firefox and only once.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#28 Post by MagicPoulp »

debiandonder wrote:
dilberts_left_nut wrote:Yes.
Maybe Chromium is safe, but why then did it freeze my system like I described in an earlier post? Chrome didn't do that ever, just Firefox and only once.
You need to look at the /var/log/syslog
It is good to wait a few minutes before you reboot so you can track the timestamp and the last thing that happens.

Usually it is due to driver errors.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#29 Post by MagicPoulp »

Head_on_a_Stick wrote: ...which includes `rm -rf`
How can such a system be considered secured? Whatever package you install can do anything without limitations on your system. Many installations could consist only of copying files.

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#30 Post by debiandonder »

My thought exactly! How can one program freeze a whole system in this day and age?

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#31 Post by MagicPoulp »

Probably because they try to do very unstable things with the graphics card. And certain graphics cards or drivers would not support it.

Chrome got a lot of popularity because it was known to be faster than other browsers.

shep
Posts: 423
Joined: 2011-03-15 15:22

Re: Is Chromium safe?

#32 Post by shep »

Maybe Chromium is safe, but why then did it freeze my system like I described in an earlier post? Chrome didn't do that ever, just Firefox and only once.
You may be able to mitigate some of this behavior. Under settings Advanced: Disable anything that sends data to Google/Web services, web cam access, microphone access, resolution of navigation errors, payment methods, content settings, and the ability to run background apps when chrome is closed.

The iridium project essentially tries to remove all these features from chromium source.

https://iridiumbrowser.de/

Unfortunately, they develop deb packages in Ubuntu and the debian packages have not worked, without backporting libfontconfig, for some time.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#33 Post by Head_on_a_Stick »

MagicPoulp wrote:
Head_on_a_Stick wrote: ...which includes `rm -rf`
How can such a system be considered secured?
Security is assured by APT's insistence on authenticating the repositories: https://wiki.debian.org/SecureApt

This is in contrast to, for example, Arch Linux wherein the AUR packages can be installed without any checks at all.
deadbang
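What the repository authentication mentioned in post #33 covers, as an added example that is not part of the thread: the signed Release file lists the SHA256 of each Packages index, and each Packages stanza lists the SHA256 of its .deb. The sample data is constructed, and the OpenPGP signature check on Release is assumed to have been done already.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def release_sha256_entries(release_text):
    """Parse the SHA256: section of a Release file into {path: (hash, size)}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the checksum section
    return entries

def package_stanza(packages_text, package):
    """Return the fields of one package's stanza from a Packages index."""
    for stanza in packages_text.strip().split("\n\n"):
        lines = [l for l in stanza.splitlines() if ": " in l and not l.startswith(" ")]
        fields = dict(l.split(": ", 1) for l in lines)
        if fields.get("Package") == package:
            return fields
    raise KeyError(package)

def verify_chain(release_text, index_path, packages_bytes, package, deb_bytes):
    """Check Release -> Packages -> .deb (Release signature assumed verified)."""
    digest, size = release_sha256_entries(release_text)[index_path]
    if (sha256(packages_bytes), len(packages_bytes)) != (digest, size):
        return "Packages index does not match Release"
    fields = package_stanza(packages_bytes.decode(), package)
    if (sha256(deb_bytes), len(deb_bytes)) != (fields["SHA256"], int(fields["Size"])):
        return ".deb does not match Packages index"
    return "ok"

def demo():
    """Constructed sample data: a fake .deb, its Packages index and Release."""
    deb = b"constructed .deb bytes"
    packages = (f"Package: demo\nVersion: 1.0\n"
                f"Filename: pool/main/d/demo/demo_1.0_all.deb\n"
                f"Size: {len(deb)}\nSHA256: {sha256(deb)}\n").encode()
    path = "main/binary-amd64/Packages"
    release = f"Suite: constructed\nSHA256:\n {sha256(packages)} {len(packages)} {path}\n"
    return (verify_chain(release, path, packages, "demo", deb),
            verify_chain(release, path, packages, "demo", deb + b"tampered"))
```

The chain establishes which repository a package came from and that it was not altered in transit; it says nothing about what the package's maintainer scripts do once dpkg runs them.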

No_windows
Posts: 505
Joined: 2015-08-05 03:03

Re: Is Chromium safe?

#34 Post by No_windows »

debiandonder wrote:My thought exactly! How can one program freeze a whole system in this day and age?
I assume by tying up resources... that happens on my old laptop all the time. Sometimes it's only the browser, other times everything stalls.

MagicPoulp
Posts: 431
Joined: 2018-11-05 21:30

Re: Is Chromium safe?

#35 Post by MagicPoulp »

Head_on_a_Stick wrote:
MagicPoulp wrote:
Head_on_a_Stick wrote: ...which includes `rm -rf`
How can such a system be considered secured?
Security is assured by APT's insistence on authenticating the repositories: https://wiki.debian.org/SecureApt

This is in contrast to, for example, Arch Linux wherein the AUR packages can be installed without any checks at all.
Install scripts or scriptlets are not always used. I don't understand why there is not an option to install packages while disabling install scripts, or making sure no install script is used.

On Windows, a program install cannot do whatever it wants ever with root privileges (UAC). Sorry for the reference to Windows. Maybe I don't understand why it must be the way it is on linux.

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#36 Post by debiandonder »

No_windows wrote:
debiandonder wrote:My thought exactly! How can one program freeze a whole system in this day and age?
I assume by tying up resources... that happens on my old laptop all the time. Sometimes it's only the browser, other times everything stalls.
That is true and I have had that before. When the browser started acting up and consumed all my 8 gigs of RAM and started to use the SWAP file. Everything slowed down to slow motion. I was able to close the program in the system monitor and everything returned to normal.

The last incident I had was with Chromium 72, latest version in the Debian repository. It completely froze everything solid. Later I switched to Chrome 73 and no problem.

I am using the latest version of Firefox 65 now and so far so good.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#37 Post by Head_on_a_Stick »

MagicPoulp wrote:Install scripts or scriptlets are not always used. I don't understand why there is not an option to install packages while disabling install scripts, or making sure no install script is used.
Because any install scripts that are provided are usually necessary for the package to work correctly.

And as I already mentioned systemd unit files can also be used maliciously and will be enabled and started automatically by APT so that wouldn't remove the risk completely.
MagicPoulp wrote:On Windows, a program install cannot do whatever it wants ever with root privileges (UAC).
That's because Windows users don't have official package repositories from which software can be safely installed so they end up downloading software from random websites, which is *very* risky indeed. And I think most users just click away the UAC crap without even reading it...
MagicPoulp wrote:Maybe I don't understand why it must be the way it is on linux.
Doug Gwyn wrote:UNIX was not designed to stop its users from doing stupid things, as that would also stop them from doing clever things.
deadbang
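The maintainer scripts discussed from post #21 onward, and the systemd units mentioned in posts #26 and #37, can be read out of a .deb before anything is installed. The following is an added example, not code from the thread or from dpkg: it parses the ar container of a .deb directly and assumes gz, xz, bz2 or uncompressed tar members.

```python
import io
import sys
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}

def ar_members(blob):
    """Yield (name, data) for each member of the ar archive that wraps a .deb."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # member data is padded to an even offset

def open_member_tar(blob, prefix):
    """Open control.tar.* or data.tar.* (gz, xz, bz2 or uncompressed)."""
    for name, data in ar_members(blob):
        if name.startswith(prefix):
            return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    raise ValueError(f"no {prefix} member in package")

def audit_deb(blob):
    """Return maintainer scripts and shipped systemd units, without installing."""
    report = {"scripts": {}, "units": []}
    with open_member_tar(blob, "control.tar") as control:
        for member in control.getmembers():
            name = member.name.removeprefix("./")
            if member.isfile() and name in MAINTAINER_SCRIPTS:
                body = control.extractfile(member).read()
                report["scripts"][name] = body.decode("utf-8", "replace")
    with open_member_tar(blob, "data.tar") as data:
        report["units"] = sorted(
            m.name.removeprefix(".") for m in data.getmembers()
            if m.isfile() and "/systemd/system/" in m.name)
    return report

if __name__ == "__main__":  # usage: python3 audit_deb.py package.deb
    with open(sys.argv[1], "rb") as fh:
        result = audit_deb(fh.read())
    for name, body in result["scripts"].items():
        print(f"--- {name} (run by dpkg as root) ---\n{body}")
    print("systemd units shipped:", result["units"] or "none")
```

On a Debian system `dpkg-deb -e package.deb somedir` extracts the same control files for reading.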

debiandonder
Posts: 128
Joined: 2019-02-11 17:22

Re: Is Chromium safe?

#38 Post by debiandonder »

Great! Debian 9 froze again today and this time it was 0 A.D. Last week it was chromium.

Solid freeze, no input devices work.

Ubuntu did not freeze that much.

Simple setup, with no graphics card and only using opensource drivers.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Is Chromium safe?

#39 Post by Head_on_a_Stick »

https://packages.debian.org/stretch/memtester?

Sounds like a hardware problem to me.

Or mixed sources.
deadbang

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Is Chromium safe?

#40 Post by stevepusser »

shep wrote:
Maybe Chromium is safe, but why then did it freeze my system like I described in an earlier post? Chrome didn't do that ever, just Firefox and only once.
You may be able to mitigate some of this behavior. Under settings Advanced: Disable anything that sends data to Google/Web services, web cam access, microphone access, resolution of navigation errors, payment methods, content settings, and the ability to run background apps when chrome is closed.

The iridium project essentially tries to remove all these features from chromium source.

https://iridiumbrowser.de/

Unfortunately, they develop deb packages in Ubuntu and the debian packages have not worked, without backporting libfontconfig, for some time.
The MX 17 Linux version is built on and should work with vanilla Stretch, AFAIK:

http://mxrepo.com/mx/repo/pool/main/i/iridium-browser/

You can see from the size of the source why I'm a bit reluctant to burden the OBS with a separate build, but anyone else is welcome to give it a go. It needs a lot of RAM to build, I seem to remember--the OBS uses eight threads by default.
MX Linux packager and developer
