Problems with Sandbox when installing Vivaldi in a non-standard directory

    Hello!

    Today we will consider the main problem with installing the Vivaldi browser in a non-standard directory (including standalone / USB installation) on Linux systems. In the second part of the article we will talk about the installation in detail.

    A brief description of the problem

    The main problem that occurs when starting the Vivaldi browser from a non-standard directory on Linux systems is associated with the Chromium sandbox (sandbox), a key security element. The Chromium sandbox on Linux requires root privileges. This is achieved by using SUID - transferring admin access rights to the sandbox to the user.

    Depending on the version of your Linux kernel and its configuration, the sandbox may not require admin rights from the user. Generally speaking, this is not required for the Linux kernel version 3.17 and higher. But in some distributions (like Arch, for example), the problem remains with a more recent kernel. Therefore, in this case, by offering a solution to the problem below, we provide “unofficial” support for installing the browser in a non-standard directory, because not for all users this will work.

    Why does the sandbox require administrator rights

    The security process has administrator privileges to control other processes and prevent them from doing something that they should not do. This is not the only utility working in this way for security reasons. Many components of operating systems run with administrator privileges, including the classic chroot utility .

    I can reassure those who are worried about what is happening in the sandbox - this code is part of Chromium and is available for viewing and auditing. You can even compile this code yourself and replace it with the one presented in the browser.

    Since it was deemed impractical to increase user privileges while working, the sandbox code has recently been modified to use alternative methods supported by the Linux kernel. You can independently check whether your browser uses the SUID method for the sandbox by entering the address vivaldi: // sandbox in the address bar . If the “SUID Sandbox” is set to “No”, and the comment says “You are in the correct test environment”, then this method is no longer used in your system.

    How does this complicate installation in a non-standard directory

    During a typical installation, which is performed with administrator rights (sometimes using sudo ) in a public system directory (for example, in / opt), the sandbox binary is always set with the appropriate SUID permissions. The SUID sandbox method will be used if it is impossible to provide security with more modern methods.

    Non-standard installation users usually want to launch a browser from a directory whose access rights are limited by the user's access rights. This may be the case if the user is not an administrator in the installed system, or if the user instead of installing wants to simply unzip the installation package and launch the browser directly. Both options are possible if the Linux kernel supports the alternative security features required by the sandbox. if the kernel does not have such support, when you try to start the browser in the terminal, an error message appears informing that the sandbox does not have sufficient rights for such an action.

    Some users who have encountered a similar problem have tried disabling the sandbox, but this is not a good idea, because this way you disable the main browser security system. The user can also try changing the permissions for the sandbox. This is possible only if the user has administrator access rights and the directory in which the browser is located is not mounted with the " nosuid " option (a very common situation for the user’s home directory / home on many distributions).

    Is there a safe, affordable solution to this problem?

    If the system already has a correctly installed sandbox with the previous version of the Vivaldi browser (or with another browser based on Chromium), you can tell the browser to be installed non-standard to use the existing sandbox instead of the one that comes with the installed package. To do this, delete (or move to another directory) the sandbox from the non-standard installation and specify the already installed sandbox for the CHROME_DEVEL_SANDBOX variable. For example, in " ~ / .bash_profile " (or in another suitable script) you can do the following:

    export CHROME_DEVEL_SANDBOX=/opt/google/chrome/chrome-sandbox


    Note: You must have a fresh version of the sandbox available (ideally the same as the version in the non-standard installed browser), otherwise you may encounter various problems or the installed sandbox may not have the latest security updates.

    In the next article, we will talk about the installation package of the Vivaldi browser and various installation options.

    Also popular now: