Public bug reported: Chromium can use two different techniques to sandbox itself: - SUID sandbox - User namespaces sandbox
User namespaces sandbox is preferred way and SUID sandbox is considered as legacy. Debian have to use SUID sandbox because they disable unprivileged user namespaces but Ubuntu doesn't and in fact use User namespaces sandbox currently thus the SUID bit on /usr/lib/chromium- browser/chrome-sandbox is unnecessary and may be seen as liability from security perspective. Please consider removing SUID bit from /usr/lib/chromium-browser/chrome- sandbox in Ubuntu packaging. ** Affects: chromium-browser (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to chromium-browser in Ubuntu. https://bugs.launchpad.net/bugs/1799983 Title: Remove SUID bit from /usr/lib/chromium-browser/chrome-sandbox Status in chromium-browser package in Ubuntu: New Bug description: Chromium can use two different techniques to sandbox itself: - SUID sandbox - User namespaces sandbox User namespaces sandbox is preferred way and SUID sandbox is considered as legacy. Debian have to use SUID sandbox because they disable unprivileged user namespaces but Ubuntu doesn't and in fact use User namespaces sandbox currently thus the SUID bit on /usr/lib /chromium-browser/chrome-sandbox is unnecessary and may be seen as liability from security perspective. Please consider removing SUID bit from /usr/lib/chromium-browser /chrome-sandbox in Ubuntu packaging. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1799983/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp