(old)Puppy Linux Discussion Forum

@ mjmikulcik:-

I didn't rush an updated package of that 'point' release out, because I knew the new version (73) would be out any day now. Thanks for the 'heads-up', all the same. Appreciated.

The new version will be available for download later this evening. The mitigations for the referenced weakness should, of course, be in this new release.


Mike.

Evening, all.

The current stable version of Chrome - Google_Chrome-73.0.3683.75-amd64 - is now available for download, from the location referenced in post #1.

------------------------------------------------

Changes and updates in this release are as explained here, on the regular Chrome blog page.

60 security issues, including the recently-discovered 'critical' one (mentioned by mjmikulcik above) have been addressed since the previous release.

----------------------------------------------------

A small script, which has been placed in /usr/sbin & sym-linked into /root/Startup, now automatically runs the glib-compile-schemas compile command at boot time. Downloads/uploads, therefore, work as they should.

The 'Spot2Root' file permissions changer has also been updated. It now works with uploads as well as downloads.....as explained in an earlier post. Following an exchange of ideas & points raised via PM with mikeslr, I've added an extra line to the 'spot-to-root' module of the Permissions Changer which sits in the task-bar; when you select 'Spot-to-Root (for downloads)' in the GUI, ROX (or whatever your default file-manager happens to be) will now open on your 'Downloads' directory, ready to retrieve the newly-downloaded item.

------------------------------------------------------------------

Credits (as usual) :-

Battleshooter - for help with the self-contained NSS libs'n'stuff several releases back.
belham2 - for cobbling together the 'launch' script that is now employed.
And further back, 01Micko (the 'head honcho'), and iguleder - both of whom have indirectly helped keep this thread going for as long as it has, with references & links.

Thanks must also go to OscarTalks and peebee, for suggestions and assistance over the last couple of years.

---------------------------------

Any problems, boys & girls, you know where to find me.

Enjoy.


Mike.

Mike Walsh wrote:Evening, ... stable version of Chrome
... available for download ... location
referenced in post #1 ... problems, boys
& girls, you know where ...

I would like a question if possible to be
addressed, and here's the peshat of it:
can this application be run in a
"portable" folder as I am doing with the
FireFox program even now as I post this?

Thanks in advance, Kelikaku. B'H.

@ MrDuckGuy:-

Mm. Never really thought about it, TBH. In its current format, no (there's too many extra additions & bits'n'bobs in other directories to permit that). I could look into it, though it would be a perhaps 'stripped-down' version - some of the additional functionality (like the permissions changer for uploads/downloads, and the 'glib-schemas' compiler script) might have to be installed as separate .pets before you started using it.

When I started doing this a few years back I never envisaged running it that way. Consequently, it wasn't built with portability in mind.

I'll look into it, OK? Just don't expect to see it any time soon.....I have a lot on my plate most days (I'm a full-time carer, y'see). I'll put my considering cap on, and have a think about the best way to do this....


Mike.

Mike, as our resident Chrome expert, what are the limitations, if any, imposed by running google chrome with the --no-sandbox switch?

I'm not concerned about running as root with no sandboxing as I'm already containing chrome within a restricted environment anyway i.e. FatDog 8 with a Barry like containment (Xephyr, unshare, chroot with capsh (capabilities for sys_admin and chroot dropped)), so pretty much a heavily restricted 'root' - comparable to a low privilege/restricted userid that's isolated from the main FatDog X system. Providing you don't keep sensitive data/stuff within that container then that's impervious to even a zero day vulnerability. But I was wondering what limitations running with --no-sandbox might impose.

TIA.

rufwoof wrote:Mike, as our resident Chrome expert, what are the limitations, if any, imposed by running google chrome with the --no-sandbox switch?

I'm not concerned about running as root with no sandboxing as I'm already containing chrome within a restricted environment anyway i.e. FatDog 8 with a Barry like containment (Xephyr, unshare, chroot with capsh (capabilities for sys_admin and chroot dropped)), so pretty much a heavily restricted 'root' - comparable to a low privilege/restricted userid that's isolated from the main FatDog X system. Providing you don't keep sensitive data/stuff within that container then that's impervious to even a zero day vulnerability. But I was wondering what limitations running with --no-sandbox might impose.

TIA.

On could always do a "run as spot", script but it's still worth discussing. On my TazPup64, I'm thinking of adding an environmental variable that determines whether the --no-sandbox is used vs "run as some restricted user".

P.S. on another thread, I mentioned your restricted containers to someone.

Morning, ruffers.

Hoo... Y'know, to be perfectly honest, I've never really looked into the security aspects of it. Not in anywhere near the same way that I know you yourself do, quite regularly. (And I definitely dispute the 'expert' tag. I'm a bumbler, really, although I managed to assemble all the various bits that many other folks helped with over the last few years.....without making too many mistakes. I mean, it runs..... )

I digress.

Y'see, this is where the differences between the various Chromium 'clones' begins to show through. Chromium itself, as released, will run without the sandbox, although it doesn't like it.

-----------------------------------------------

SRWare's Iron, although using the 'chrome' shared library/binary thingy (it's not a binary executable in the true sense of the word, though it's where the bulk of the program lies), will also run without the sandbox.

-----------------------------------------------

FlashPeak, with recent releases of SlimJet, have coded things so that you've got to run it as a restricted user. No arguments. Try using the --no-sandbox switch, it just won't run.

-----------------------------------------------

Google, with Chrome, have done much the same. In true Google style, though, they've enhanced the standard sandbox set-up even further so that the browser uses around 5 different sandboxes, all interacting with each other. Which in part accounts for the huge size these browsers are now ballooning into. It decidedly will not run without the sandboxing enabled, and, moreover, that sandboxing is linked into the use as a restricted user. If you don't get all the conditions just right, it simply doesn't want to know.

I don't think, for your purposes, it would make any difference that you're already running it inside a container. The 'sandboxing' is fully internal to the browser process, and if you enable the switch, it wouldn't start.

Hope that throws some light on things.....though it's far from a complete answer.


Mike.

Oooerrr! Confused now!

I'm running google chrome as root inside that container with the --no-sandbox and it runs seemingly OK. Just has a bar come up initially saying that sandbox is disabled and security/functionality is compromised.

s243a wrote:P.S. on another thread, I mentioned your restricted containers to someone.

I have much the same set up in FatDog 8 now. What I've done for that is to have the main systems tray at the top of screen, and the containers tray at the default bottom of screen location. I set the Xephyr window to be undecorated (no title bar) and size it to 32 less height and Y offset by 32 ... so it doesn't overlay the main systems tray. That way you can activate menu's or the tray items in either the main or container quickly/easily.

The main quirks are that sometimes the mouse gets locked inside the container and you have to ctrl-shift to release it again. And you have to be aware of which windows are in which environment as you can't for instance cut from a container window and paste into a main system window.

Not so confident about spot myself. I have found it easy to elevate to root from spot in a number of Puppy's to the extent I considered it pointless in most cases. Fatdog 8 is one of the exceptions.

rufwoof wrote:Oooerrr! Confused now!

I'm running google chrome as root inside that container with the --no-sandbox and it runs seemingly OK. Just has a bar come up initially saying that sandbox is disabled and security/functionality is compromised.

Hm. Well, that's news to me.....and something I've learnt. Under normal circumstances, it won't work for me; perhaps running inside the container has changed its ability to run without the sandbox enabled.

Can't say, mate.


Mike.

Whatever its going, with chrome just showing the puppy forum web page, all child processes spawned by chrome also have the --no-sandbox parameter. So yes does work.

Maybe because that container has cap_sys_admin and cap_sys_chroot capabilities dropped - chrome might perhaps be able to detect its not a full blown root. Running without the --no-sandbox however and it does complain/not run.

It would seem that running chrome with its sandbox requires root level chroot capabilities. Drop chroot capability and you have to use the --no-sandbox command line parameter. In a chroot container however you don't want chroot capabilities, otherwise you (or potential cracker) can just chroot out of the container.

So the choices would seem to be to either run as spot inside a container with chroot capabilities, but perhaps where spot doesn't have chroot potential, or run as root with no chroot capabilities at all.

Weighing things up, fundamentally do you put total faith in chrome's containment, and hope that spot can't elevate to root, or run chrome as root inside the Xephyr/unshare/chroot/capsh environment, with no-sandbox. Of the two the latter seems the better choice IMO, more so given recent chrome zero day bugs that potentially opened up the system. Also I have little faith in spot not being able to potentially elevate to root - potentially relatively easily, which further adds to the appeal of not permitting chroot capabilities.

In short I think Xephyr/unshare/chroot/capsh with chrome running as root with --no-sandbox is the better choice compared to trying to run chrome as spot within a container.

cd /pub
more beer

rufwoof wrote:Mike, as our resident Chrome expert, what are the limitations, if any, imposed by running google chrome with the --no-sandbox switch?

I'm not concerned about running as root with no sandboxing as I'm already containing chrome within a restricted environment anyway i.e. FatDog 8 with a Barry like containment (Xephyr, unshare, chroot with capsh (capabilities for sys_admin and chroot dropped)), so pretty much a heavily restricted 'root' - comparable to a low privilege/restricted userid that's isolated from the main FatDog X system. Providing you don't keep sensitive data/stuff within that container then that's impervious to even a zero day vulnerability. But I was wondering what limitations running with --no-sandbox might impose.

TIA.

I noticed something weird about Opera (and possibly other chrome clones), when running with the --no-sandbox tag. On my TazPup64 I'm working on I had opera running under jwm. I exited Xorg and started LXDE. I noticed Opera was running like it had never shut down when I exited XOrg. To me this behavior is undesirable because then cntrl-alt-backspace is less likely to unfreeze the system if for some reason the system freezes.

Perhaps I can add a command to specifically kill chrome (and it's clones) in whatever script ("presumably wmexit") is called when I press cntrl-alt-backspace.

Note that, I didn't yet check to see what Opera related process might continue to run when the Xserver shuts down.

Evening, all.

The current stable version of Chrome - Google_Chrome-74.0.3729.108-amd64 - is now available for download, from the location referenced in post #1.

------------------------------------------------

Changes and updates in this release are as explained here, on the regular Chrome blog page.

39 security issues have been addressed since the previous release.

----------------------------------------------------

A small script, which has been placed in /usr/sbin & sym-linked into /root/Startup, now automatically runs the glib-compile-schemas compile command at boot time. Downloads/uploads, therefore, work as they should.

The 'Spot2Root' file permissions changer has also been updated. It now works with uploads as well as downloads.....as explained in an earlier post. Following an exchange of ideas & points raised via PM with mikeslr, I've added an extra line to the 'spot-to-root' module of the Permissions Changer which sits in the task-bar; when you select 'Spot-to-Root (for downloads)' in the GUI, ROX (or whatever your default file-manager happens to be) will now open on your 'Downloads' directory, ready to retrieve the newly-downloaded item.

It's also been re-written to remove the need for the intermediate 'Spot2Root' directory in /usr/share. Following some research using the Linux man pages, I've finally discovered how to move stuff from one directory to another and change permissions in the process, all in the one single line of code....

I'm steadily learning.

------------------------------------------------------------------

Credits (as usual) :-

Battleshooter - for help with the self-contained NSS libs'n'stuff several releases back.
belham2 - for cobbling together the 'launch' script that is now employed.
And further back, 01Micko (the 'head honcho'), and iguleder - both of whom have indirectly helped keep this thread going for as long as it has, with references & links.

Thanks must also go to OscarTalks and peebee, for suggestions and assistance over the last couple of years.

---------------------------------

Any issues, I'm usually kicking around somewhere on the Forums. You know how to get in touch.

Have fun!


Mike.

@Mike Walsh

Thank you so much Mike for keeping Chrome up to date, it's my favorite browser too. We are very lucky to have great people like you and the others in the forum who devote their free time to provide us with various software.

I don't know if this has been answered already, but I couldn't find it in search. I'm running TahrPup64 and SFS version. Chrome crashes if I try to change the downloads location. It also crashes if I set Downloads to "ask where to save", when trying to download before the choose location menu comes up.

I'm not sure if I'm doing something wrong, as I'm a newcomer to GNU/Linux, and still struggling with the technical stuff.
.

@ albertox:-

Umm. Mm-hm.

I always did have 'issues' with up-to-date Chrome in Tahrpup64. It's part of the reason why I switched to doing my development/packaging work in Xenialpup64.....it never gave me any problems.

Tahr64 was 666philb's very first 64-bit Puppy. Naturally, it was a learning curve, not only for him, but for the rest of us, too. By the time Xenial Xerus 16.04 LTS was released, Phil had learnt a lot of 'tricks' from his first 64-bit attempt, with the result that Xenialpup64 has just been that much smoother, and more stable, from the outset. We all learn from our mistakes.....it's how the human learning process works.

Not being funny, but I would definitely suggest upgrading to Xenialpup64. 'Trusty Tahr' went EOL on the 30th April (day before yesterday), so is now unsupported. (I mean, Puppies are in fact 'timeless', as we all know.....but even Puppies have to move on in order to be able to run newer software.)

I vaguely recall the problem in Tahr64 being something to do with the available version of GTK-3.0; newer versions wouldn't 'play nice' with the system libraries, etc (and too many things needed upgrading to make it worthwhile 'fixing').

------------------------

Try this. I assume you're trying to run the newest version I've just published, yes? If so, run
.....in the terminal, and let me have the output, please. (There'll be a lot of it; the Chromium 'clones' are incredibly 'verbose' and 'noisy' in the terminal; part of the reason is that this is where debug info comes from for the developers).


Mike.

Thank you Mike for your reply.

Yes, I'm currently running your latest chrome V.74.0.3729.108, but I also had the same issue with the previous version. Please find attached a file containing the output, but please don't busy yourself a lot with this issue. It's not really that important.

You know, I have fallen in love with Puppy, and I think I probably have most of the popular Pups installed on USB sticks, TahrPup, Slacko, Xenialpup, Bionicpup, LxPup, Dpup Stretch-7.5 and Fatdog64. I have a bit of a convenience reason for using Tahrpup64. It's the highest Pup version which could fit on a 250MB SD card I pulled from a dead old camera. My favorite laptop HP EliteBook can boot from SD card, so this works great as having two drives, and I don't need to dual boot with Windows, or should I say Windoze as I have seen you call it in some posts
.

Will it work in Bionicpup64 without having to mess around with missing dependencies etc? If yes which is better the .pet or .sfs from a RAM consumption POV?

@ amn87:-

amn87 wrote:Will it work in Bionicpup64 without having to mess around with missing dependencies etc? If yes which is better the .pet or .sfs from a RAM consumption POV?

It should fire straight up. It's self-contained, as far as dependencies are concerned. And Bionicpup64 was the Puppy that prompted the relocation from /root/spot to /home/spot, bringing it more into line with Big Brother's "requirements".

The browser will use exactly the same amount of RAM in the un-packed, i.e., running condition. The .pet package or SFS are simply different ways of installation, though the SFS is recommended; these are big browsers, occupying something like 340 MB of RAM simply 'ticking-over'. By using the SFS, you can unload it when not required, thereby freeing-up RAM for other uses.

The .pet package will permanently occupy space in your save-file/folder. I built those for certain of Barry's experimental OSs, where they cannot apparently make use of SFSs, since they're installed in 'full' mode. For everybody else, the SFS is the method I recommend.


Mike.

I have got Debian Dog on a flashdrive but it's as slow as a wet week

dancytron wrote:/offtopic

If you are looking for another good platform for Chrome, take a look at Debian Dog 64. Main advantage is that you can install it straight off the Chrome website and it automatically adds the repository so that you can keep it updated via apt-get like any other application. You can then run it as root with a simple script.

I did an explanation of how to do it, I'll add the link as soon as I find it.

edit:here it is

http://www.murga-linux.com/puppy/viewto ... 150d32909c