Google Chrome 64-bit packages - [CLOSED]

[orrin]

Maybe you can point me to a link that explains what sand-boxing is and why do I need it!

Maybe this link will help, or confuse you all together...
https://chromium.googlesource.com/chrom ... 2065670614


Also take a look at this discussion too,
http://murga-linux.com/puppy/viewtopic.php?t=109527


@Mike, I haven't been using latest chrome for long time.
I just got busy in other things.
I will see if Fatdog's run as spot scripts make it run good when I go home from work (I am in maintenance so have to work when everyone's not).

Thanks for the information!

[peebee]

Here is the command line that I've found works for 32-bit Chromium-56 on LxPupSc:

Code: Select all

run-as-spot /usr/lib/chromium/chromium --ppapi-flash-path=/usr/lib/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=24.0.0.194 --disk-cache-size=10000000 --media-cache-size=10000000 --allow-outdated-plugins "$@"

Sandboxing is as before....downloads and config go to /root/spot/Downloads and /root/spot/.config/chromium....

[Mike Walsh]

Hiya, Peter.

That's done it..!

Using your example as a guide, I did some experimenting, and found that by changing the exec-line in /opt/google/google-chrome from

Code: Select all

exec -a "$0" /opt/google/chrome/chrome --user-data-dir=/root/.config/google-chrome --no-sandbox --disable-infobars "$@"

to

Code: Select all

exec -a "$0" run-as-spot /opt/google/chrome/chrome --user-data-dir=/root/spot/.config/google-chrome --disable-infobars "$@"

.....followed by doing

Code: Select all

chown spot:spot -R /opt/google

appears to have done the trick. (It's not quite the same for my own, personal set-up, as I run all my browsers from a remote partition, but that's what the publicly available version will now be like.)

So; I owe you a big 'Thanks' for that. Summat else I've learnt; I didn't know about the 'run-as-spot' parameter. I do now!

Cheers!

PS: The only peculiarity I've noticed is that the cursor configuration appears to reset to the default. I have the cursor themes pack installed, and use the 'Polar Cursors' theme. No biggie; I'm just curious as to why it does that. Permissions again, I suspect.....

Many thanks.


Mike.

[Mike Walsh]

Chrome now to run as 'Spot'

Afternoon, all.

Following peebee's timely intervention above (again, thanks for the advice!), the 'no-sandboxing' problem with the newest release of Chrome has now been resolved.

From now on, to get around the 'won't run as root' problem, my Chrome packages will henceforth be running as 'Spot'.

The /opt/google directory has had a

Code: Select all

chown spot:spot -R /opt/google

performed on it, and the launcher script in /opt/google/chrome (which is sym-linked into /usr/bin) now starts with 'run-as-spot', and directs the 'user-data-directory' to /root/spot/.config.

When you load & start this version of Chrome for the first time, it will act like a brand-new install, as it has to create a new profile in /root/spot/.config. Subsequent loading of new versions will act as before, since the profile now exists.

The easiest way to get Flash up-and-running for the first time is just to go to

http://www.adobe.com/software/flash/about/

Where the animated graphic usually shows at the top of the page, it will say 'Downloading...', followed shortly after by 'Please re-start Chrome to use Adobe Flash'. So re-start, and Flash will be working. Subsequent upgrades will happen in the background, as they have done for the last few releases.

I've also included a /root/spot/Downloads directory (with the appropriate permissions/ownership) for the first time, as this is where anything you download with Chrome will now go to.

Downloads are to be found in the usual location in post #1, as always.

-------------------------------------------------------------------------------

I would strongly urge anybody who's recently downloaded this version of Chrome in the last few days to download and use the new version instead, as proper 'sandboxing' is now restored, with its attendant increase in security.





Thanks are due to peebee, and also to drunkjedi (for making me consider this in the first place).

Feedback would be appreciated as to whether this works properly or not. It works for me, but I have a peculiar set-up, running from a remote partition with many, many sym-links..! I'd just like to know if this new package runs as it should. If it does, then I'll be building the Chrome packages this way in future.

Enjoy!


Mike.

[OscarTalks]

PS: The only peculiarity I've noticed is that the cursor configuration appears to reset to the default.

Hi Mike,
The custom cursor theme is read from the hidden $HOME/.icons directory.
$HOME is usually /root but if you run as spot it changes to /root/spot for the running program so it will revert back to default theme when hovering anywhere over the browser.
Try symlinking the .icons directory into /root/spot (or copy it if you prefer) and restart X of course.
Oh you may need to chown it to spot:spot as well.

[Brown Mouse]

Thanks Mike

I spent some hours today trying to get the latest Debian Chrome 64 bit working before I saw your thread.
The previous Debian Chrome version 55 worked without a problem but the latest version kept throwing up the 'run as route problem'.
Your sfs is running perfect in Tahr 6.0.5.3 so thank you once again

[Mike Walsh]

Hi, Brown Mouse.

Excellent! I'm so pleased to hear that.

Although I package these, I can't test them out on my main rig, as I have a peculiar setup......with all my browsers running on a remote partition, sym-linked into all my Pups. It would take too long to unlink everything, then re-link it all again afterwards.

I don't have a separate 64-bit 'testing' Pup set up for this; I suspect that's what I'll need to do.

Thanks for the confirmation it's working, anyway. I'm still a bit new to using 'chown', so I couldn't be certain I'd got it right in the SFS.

Do one thing for me? Open a new tab, and enter 'chrome://sandbox' in the address bar. Then hit 'Enter'. What does it give you?

And are downloads going to /root/spot/Downloads?


Mike.

[Mike Walsh]

Hi, Oscar.

PS: The only peculiarity I've noticed is that the cursor configuration appears to reset to the default.

Hi Mike,
The custom cursor theme is read from the hidden $HOME/.icons directory.
$HOME is usually /root but if you run as spot it changes to /root/spot for the running program so it will revert back to default theme when hovering anywhere over the browser.
Try symlinking the .icons directory into /root/spot (or copy it if you prefer) and restart X of course.
Oh you may need to chown it to spot:spot as well.

Makes sense. I'd three parts convinced myself it would be something to do with permissions. Thanks for the confirmation.

For my own use case it'll be simplest to copy over and chown spot:spot, rather than try sym-linking. It's not the kind of thing that's worth including in the package, since not everybody has the same oddball set-up as me.....and most folks seem to be happy to stick with the default settings, anyway.

Whadd'ya expect from a graphics nut?

Cheers.


Mike.

[Brown Mouse]

Do one thing for me? Open a new tab, and enter 'chrome://sandbox' in the address bar. Then hit 'Enter'. What does it give you?

And are downloads going to /root/spot/Downloads?


Mike.

Hi Mike.

This is what I'm seeing from chrome://sandbox

Sandbox Status

SUID Sandbox No
Namespace Sandbox Yes
PID name spaces Yes
Network namespaces Yes
Seccomp-BPF sandbox Yes
Seccomp-BPF sandbox supports TSYNC No
Yama LSM enforcing No
You are adequately sandboxed.

And yes,downloads are indeed going to /root/spot/Downloads.

[Mike Walsh]

Hi again, Brown Mouse.

Good, good. That's exactly what you should be seeing. Pup never quite gets all the sandboxes implemented in Chrome, for some reason.....but as long as everything apart from the top and bottom ones are implemented, you're quite safe enough.

Thanks for the feedback. Cheers! As the saying goes, 'Every little bit helps...'


Mike.

[orrin]

The new version running as 'spot' is working and the downloads are going to spot/downloads.... BUT, that ignores the download setting in the Chrome settings! I have that set to /mnt/sdc1, a usb drive so downloaded files and images can be accessed with another system for editing, etc.

I can move files to sdc1 from spot/downloads but with a lot of warnings about permissions.

Changing the download location in the chrome download dialog, results in a permission failure!

Any suggestions?? or do I have to go back to Chrome 55.

[Mike Walsh]

The new version running as 'spot' is working and the downloads are going to spot/downloads.... BUT, that ignores the download setting in the Chrome settings! I have that set to /mnt/sdc1, a usb drive so downloaded files and images can be accessed with another system for editing, etc.

I can move files to sdc1 from spot/downloads but with a lot of warnings about permissions.

Changing the download location in the chrome download dialog, results in a permission failure!

Any suggestions?? or do I have to go back to Chrome 55.

Mm. Yeah. I kinda thought this might happen.

That's the downside of using 'spot'. Puppy is not a true 'multi-user' system like most other Linux distros are. Downloading to the 'spot' Downloads folder is fine.....but then the rest of the system complains about working with them!

As I see it, you have two solutions. Either you have to keep running 'chown' - first one way, to 'root:root', in order to transfer - then back again, to 'spot:spot', in order to be able to download again.....or, you simply go back to using the original version of 56 that I produced a few days ago.

That's why I suggested you put it somewhere for safe keeping.....in case you weren't happy with this one, and wanted to go back to the old version.

I can't really offer any other solution at the moment. It all boils down to this; how bothered are you about having the sandbox working?

Y'see, in a true multi-user environment, each 'user' on a system has their own folder.....and all their apps run from that folder, with the appropriate ownership/permissions. Pup simply doesn't work like that.....it was designed, from the word go, to run as root. Simple as that.....which is why we've always had problems with popular apps which have been designed to work with multi-user systems. Unfortunately, that includes many of the more popular browsers.


Mike.

[Mike Walsh]

@ orrin:-

There's two ways I can go about this, actually. Either you use an intermediate 'transfer' folder, between Chrome's 'spot' Downloads folder, and use a small script to change permissions, before then moving your downloaded material to it's final destination.....or I simply build two different versions of Chrome in future; the 'spot' version (with full sand-boxing), and a 'standard' version (with no sandboxing, but everything owned by root.

I'll have a think about this one, and I'll get back to you. The 'change ownership' idea (with an intermediate directory) is a wee bit ungainly, but it's workable.....and not hard to implement. I may be able to package it as a .pet; we'll see.

It's also a more attractive idea, as it would only need to be built (and installed) the once. Chrome would need two versions building every time.....

Leave it with me.


Mike.

[Mike Walsh]

Hi again, orrin.

Now, then. I've come up with a solution which should do what you want, so that the files are usable by the rest of the system.....and you don't get permissions failures.

I've put together a .pet package, which I've called Spot2Root.

It creates a directory in /root, called Spot2Root. You move downloaded material from spot/Downloads into Spot2Root. You run the application (either from the Menu->Utility entry, or by dragging the /usr/share/applications .desktop entry to the desktop, and clicking on it there).

Quite simply, all it does is to change ownership of your downloaded data back to root:root, instead of spot:spot.....which means it can then be used by the rest of the system without complaints of permission failure. You can then move it on to your sdc1 flash drive.

Do bear in mind that this has to be performed manually, although it doesn't matter how many different files/folders you may be transferring; it will change ownership of everything in that directory simultaneously.

You can find it here:-

https://www.datafilehost.com/d/bae1105d

I may be able to modify it so that when you run the application, it will automatically move the data straight to its destination after changing the ownership permissions. That'll have to be tomorrow, though; it's after 2 a.m here, and past my bedtime!

Catch ya later.


Mike.

[orrin]

For the time being.... I have gone back to the original version 56!

[Mike Walsh]

That's fair comment..!

You obviously want to continue downloading straight to /mnt/sdc1 using the Chrome download dialogue.....because that's what you're used to doing. It's hard to break long-standing habits, I know.....'been there, done that, bought the T-shirt', etc.

Been doing some research, and I now know how to move files from one directory to another, as well as changing ownership permissions along the way. But no matter how good I can make the script I've worked out, it still has to be triggered manually by the user.....Chrome, being partially proprietary, doesn't allow you to directly modify it (and I wouldn't have a clue where to find the specific code anyway, even if you could find a way to 'look inside' the binary itself). At the moment, I don't understand how doing one thing can automatically trigger another to occur; I'm not quite that far along in my Linux 'education' yet.....though looking back to when I started with Pup, I could never have dreamt I'd be doing half the stuff I'm now doing.

Still, it's all good practice; I shall use the Spot2Root .pet myself in modified format, since it works just fine for what I want it to do. Sorry I couldn't help any further! I guess this means I'm gonna have to build different versions of Chrome now.....

No rest for the wicked!

------------------------------------

Just as a FWIW, I found out earlier this evening that the Linux version of the Chrome 'sandbox' is much more powerful than its Windows counterpart. Seemingly, in the 8-9 years Chrome's been available for Linux, not one hacker has yet managed to 'break' it...

Food for thought.


Mike.

[orrin]

Thankyou Mike for all your efforts!

I have now re-installed version 55 with sandboxing and the other features that I like.

My whole reason for using Puppy in the first place was to have a browser that the the banks and investment companies liked. Everything else I do is done with the underlying OpenSuse 11.3 system. That's why it is necessary to be able to download things directly to a common place (the USB drive).

My hardware is very old (Asus A8V) and upgrading OpenSuse or any other KDE distribution was not an option. (I tried several live-DVD's) Also since the distribution is no longer supported, there are no browser updates.

It will probably be a while before the banks will determine that Chrome 55 is out of date, but I will monitor the BB to see if any future versions of Chrome will fit my needs.

[Mike Walsh]

Current release of Chrome now re-uploaded, incorporating a 'fix' by iguleder. Running as 'Spot' not now required

Afternoon, all.

The current version of Chrome has been re-uploaded. It's now utilising a 'fix' by iguleder, which essentially 'fools' Chrome into thinking you're running as a normal user.....although you are still, in fact, running as root.

All of which means that it still runs as the previous few versions did, with full sandboxing, and downloads being directed through the d/l dialogue as normal.

I don't anticipate any problems, but if you have any, you know where to find me.

Big 'Thanks' are due to 01Micko (for alerting me to the 'fix'), iguleder (for the 'fix' itself), and to peebee, for converting the libpuppygc.so library that's enabled all this to work into 64-bit format.


Enjoy!


Mike.

[Mike Walsh]

New, current version re-uploaded

Newest version, Chrome 56.0.2924.87, now uploaded. Same 'fix' in place.

Enjoy.


Mike.

[orrin]

New, current version re-uploaded
Newest version, Chrome 56.0.2924.87, now uploaded. Same 'fix' in place.
Enjoy.

The new version of 56 seems to work OK for me! Thanks for your efforts.

Now you have to re-edit the thread title to get rid of the "Now running as SPOT"