VirtualBox/setuid binaries

Matthew Leeds matthew.leeds at endlessm.com
Thu Nov 15 23:32:49 UTC 2018


On Thu, Nov 15, 2018 at 4:42 AM Robert McQueen <rob at endlessm.com> wrote:
>
> That said, Endless OS does something pretty nasty to make a Google
> Chrome (which has a setuid sandbox helper) "flatpak", so here are two
> tricks you can potentially combine to make something that works:
>
>  - There is an "apply_extra" script which is run locally on the system
> after the third party files have been downloaded for an "extra data"
> Flatpak where additional files are fetched directly by the client,
> rather than all being included inside the Flatpak (for software where
> the Flatpak publisher does not have redistribution rights). This is the
> closest Flatpak ever gets to a "maintainer script" in that it is run on
> the Flatpak app after it has been deployed, and /app/extra is made
> writable in this sandbox. If you create or make files setuid in this
> script, they will be setuid on the real filesystem.
>

Just to note, this will no longer work after
https://github.com/flatpak/flatpak/pull/2323
and Endless will have to find another way to make Chrome work.

--

Matthew
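
Added example, not part of the original message or of Flatpak's code: a defender-side audit that lists setuid/setgid regular files under the extra-data directory of deployed Flatpaks, which is where the quoted "apply_extra" trick leaves them on the real filesystem. It assumes /app/extra corresponds to a `files/extra` directory inside each deployment and that the system installation lives at /var/lib/flatpak; pass a different root as the first argument.

```python
import os
import stat
import sys

# Assumption: default system-wide Flatpak installation root.
DEFAULT_ROOT = "/var/lib/flatpak"


def in_extra_dir(path, root):
    """True if path lies below a .../files/extra/ directory (assumed host view of /app/extra)."""
    parts = os.path.relpath(path, root).split(os.sep)
    # Pair each component with its successor, excluding the file name itself.
    return any(a == "files" and b == "extra" for a, b in zip(parts, parts[1:-1]))


def find_setid_files(root):
    """Return sorted (path, mode string, owner uid) for setuid/setgid regular files in extra dirs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if not in_extra_dir(path, root):
                continue
            try:
                st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    hits = find_setid_files(root)
    for path, mode, uid in hits:
        print(f"{mode} uid={uid} {path}")
    # Non-zero exit when anything is found, so the check can gate a cron job or CI step.
    sys.exit(1 if hits else 0)
```

A setuid file owned by uid 0 in this output is the case that matters most, since it runs with root privileges when executed from the host filesystem.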

