VirtualBox/setuid binaries

Michael Thayer michael.thayer at oracle.com
Fri Nov 16 08:50:51 UTC 2018


16.11.18 00:32, Matthew Leeds wrote:
> On Thu, Nov 15, 2018 at 4:42 AM Robert McQueen <rob at endlessm.com> wrote:
>>
>> That said, Endless OS does something pretty nasty to make a Google
>> Chrome (which has a setuid sandbox helper) "flatpak", so here are two
>> tricks you can potentially combine to make something that works:
>>
>>  - There is an "apply_extra" script which is run locally on the system
>> after the third party files have been downloaded for an "extra data"
>> Flatpak where additional files are fetched directly by the client,
>> rather than all being included inside the Flatpak (for software where
>> the Flatpak publisher does not have redistribution rights). This is the
>> closest Flatpak ever gets to a "maintainer script" in that it is run on
>> the Flatpak app after it has been deployed, and /app/extra is made
>> writable in this sandbox. If you create or make files setuid in this
>> script, they will be setuid on the real filesystem.
>>
> 
> Just to note, this will no longer work after
> https://github.com/flatpak/flatpak/pull/2323
> and Endless will have to find another way to make Chrome work.

A way to run a script with root privileges and a prominent warning to
the user at installation time would of course be helpful for my and
Robert's use case.  I can of course see that the Flatpak developers
might consider it a dangerous temptation for application developers;
then again I think that you check what gets onto Flathub and could
forbid most uses there.  I could do this anyway, the main problem would
be that I would have to tell the user to run the script manually and
work out the location in the file system, which is not very user-friendly.

Regards
Michael
-- 
Michael Thayer | VirtualBox engineer
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | D-71384 Weinstadt

ORACLE Deutschland B.V. & Co. KG
Headquarters: Riesstraße 25, D-80992 München
Court of registration: Amtsgericht München, HRA 95603

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Nederland, No. 30143697
Managing directors: Alexander van der Ven, Jan Schultheiss, Val Maher
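
An added example, not part of the original message or of Flatpak's own code: a small audit for the behaviour quoted above, where files made setuid by an "apply_extra" script end up setuid on the real filesystem. It assumes the system-wide installation root is /var/lib/flatpak and that deployed extra data sits in a files/extra directory; the function names are hypothetical.

```python
import os
import stat

# Assumption: system-wide Flatpak installation root (per-user installs differ).
DEFAULT_ROOT = "/var/lib/flatpak"
SETID = stat.S_ISUID | stat.S_ISGID


def in_extra_dir(dirpath, root):
    """True if dirpath is at or below a .../files/extra directory under root."""
    parts = os.path.relpath(dirpath, root).split(os.sep)
    return any(a == "files" and b == "extra" for a, b in zip(parts, parts[1:]))


def find_setid_extra_files(root=DEFAULT_ROOT):
    """Return sorted (path, mode string, owner uid) for setuid/setgid files in extra data."""
    findings = []
    # followlinks=False: symlinked deployment directories are not walked twice.
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        if not in_extra_dir(dirpath, root):
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            # Only regular files count; the set-id bits on directories mean something else.
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID:
                findings.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    for path, mode, uid in find_setid_extra_files():
        print(f"{mode} uid={uid} {path}")
```

A finding owned by uid 0 is the case that matters most, since that file runs with root privileges for any user who can execute it.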