Google Chrome 64-bit packages - [CLOSED]

Browsers, email, chat, etc.
Message
Author
User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#256 Post by Mike Walsh »

@ mjmikulcik:-

I didn't rush an updated package of that 'point' release out, because I knew the new version (73) would be out any day now. Thanks for the 'heads-up', all the same. Appreciated. :)

The new version will be available for download later this evening. The mitigations for the referenced weakness should, of course, be in this new release.


Mike. :wink:
Last edited by Mike Walsh on Thu 14 Mar 2019, 22:17, edited 1 time in total.

User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#257 Post by Mike Walsh »

Evening, all.

The current stable version of Chrome - Google_Chrome-73.0.3683.75-amd64 - is now available for download, from the location referenced in post #1.

------------------------------------------------

Changes and updates in this release are as explained here, on the regular Chrome blog page.

60 security issues, including the recently-discovered 'critical' one (mentioned by mjmikulcik above) have been addressed since the previous release.

----------------------------------------------------

A small script, which has been placed in /usr/sbin & sym-linked into /root/Startup, now automatically runs the glib-compile-schemas compile command at boot time. Downloads/uploads, therefore, work as they should.

The 'Spot2Root' file permissions changer has also been updated. It now works with uploads as well as downloads.....as explained in an earlier post. Following an exchange of ideas & points raised via PM with mikeslr, I've added an extra line to the 'spot-to-root' module of the Permissions Changer which sits in the task-bar; when you select 'Spot-to-Root (for downloads)' in the GUI, ROX (or whatever your default file-manager happens to be) will now open on your 'Downloads' directory, ready to retrieve the newly-downloaded item.

------------------------------------------------------------------

Credits (as usual) :-

Battleshooter - for help with the self-contained NSS libs'n'stuff several releases back.
belham2 - for cobbling together the 'launch' script that is now employed.
And further back, 01Micko (the 'head honcho'), and iguleder - both of whom have indirectly helped keep this thread going for as long as it has, with references & links.

Thanks must also go to OscarTalks and peebee, for suggestions and assistance over the last couple of years.

---------------------------------

Any problems, boys & girls, you know where to find me.

Enjoy.


Mike. :wink:

User avatar
MrDuckGuy
Posts: 155
Joined: Thu 31 Jan 2019, 09:06
Location: Hermosa Beach, CA, USA

Re: Google Chrome 64-bit PET & SFS packages

#258 Post by MrDuckGuy »

Mike Walsh wrote:Evening, ... stable version of Chrome
... available for download ... location
referenced in post #1 ... problems, boys
& girls, you know where ...
I would like a question if possible to be
addressed, and here's the peshat of it:
can this application be run in a
"portable" folder as I am doing with the
FireFox program even now as I post this?

Thanks in advance, Kelikaku. B'H.
Attachments
monkeyeatingalemon-2.jpg
This is an image of a monkey
eating a lemon, for
no particular reason. B'H.
(28.25 KiB) Downloaded 595 times

User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#259 Post by Mike Walsh »

@ MrDuckGuy:-

Mm. Never really thought about it, TBH. In its current format, no (there's too many extra additions & bits'n'bobs in other directories to permit that). I could look into it, though it would be a perhaps 'stripped-down' version - some of the additional functionality (like the permissions changer for uploads/downloads, and the 'glib-schemas' compiler script) might have to be installed as separate .pets before you started using it.

When I started doing this a few years back I never envisaged running it that way. Consequently, it wasn't built with portability in mind.

I'll look into it, OK? Just don't expect to see it any time soon.....I have a lot on my plate most days (I'm a full-time carer, y'see). I'll put my considering cap on, and have a think about the best way to do this....


Mike. :wink:

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#260 Post by rufwoof »

Mike, as our resident Chrome expert, what are the limitations, if any, imposed by running google chrome with the --no-sandbox switch?

I'm not concerned about running as root with no sandboxing as I'm already containing chrome within a restricted environment anyway i.e. FatDog 8 with a Barry like containment (Xephyr, unshare, chroot with capsh (capabilities for sys_admin and chroot dropped)), so pretty much a heavily restricted 'root' - comparable to a low privilege/restricted userid that's isolated from the main FatDog X system. Providing you don't keep sensitive data/stuff within that container then that's impervious to even a zero day vulnerability. But I was wondering what limitations running with --no-sandbox might impose.

TIA.
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#261 Post by s243a »

rufwoof wrote:Mike, as our resident Chrome expert, what are the limitations, if any, imposed by running google chrome with the --no-sandbox switch?

I'm not concerned about running as root with no sandboxing as I'm already containing chrome within a restricted environment anyway i.e. FatDog 8 with a Barry like containment (Xephyr, unshare, chroot with capsh (capabilities for sys_admin and chroot dropped)), so pretty much a heavily restricted 'root' - comparable to a low privilege/restricted userid that's isolated from the main FatDog X system. Providing you don't keep sensitive data/stuff within that container then that's impervious to even a zero day vulnerability. But I was wondering what limitations running with --no-sandbox might impose.

TIA.
On could always do a "run as spot", script but it's still worth discussing. On my TazPup64, I'm thinking of adding an environmental variable that determines whether the --no-sandbox is used vs "run as some restricted user".

P.S. on another thread, I mentioned your restricted containers to someone.

User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#262 Post by Mike Walsh »

Morning, ruffers.

Hoo... Y'know, to be perfectly honest, I've never really looked into the security aspects of it. Not in anywhere near the same way that I know you yourself do, quite regularly. (And I definitely dispute the 'expert' tag. I'm a bumbler, really, although I managed to assemble all the various bits that many other folks helped with over the last few years.....without making too many mistakes. I mean, it runs..... :lol:)

I digress.

Y'see, this is where the differences between the various Chromium 'clones' begins to show through. Chromium itself, as released, will run without the sandbox, although it doesn't like it.

-----------------------------------------------

SRWare's Iron, although using the 'chrome' shared library/binary thingy (it's not a binary executable in the true sense of the word, though it's where the bulk of the program lies), will also run without the sandbox.

-----------------------------------------------

FlashPeak, with recent releases of SlimJet, have coded things so that you've got to run it as a restricted user. No arguments. Try using the --no-sandbox switch, it just won't run.

-----------------------------------------------

Google, with Chrome, have done much the same. In true Google style, though, they've enhanced the standard sandbox set-up even further so that the browser uses around 5 different sandboxes, all interacting with each other. Which in part accounts for the huge size these browsers are now ballooning into. It decidedly will not run without the sandboxing enabled, and, moreover, that sandboxing is linked into the use as a restricted user. If you don't get all the conditions just right, it simply doesn't want to know.

I don't think, for your purposes, it would make any difference that you're already running it inside a container. The 'sandboxing' is fully internal to the browser process, and if you enable the switch, it wouldn't start.

Hope that throws some light on things.....though it's far from a complete answer.


Mike. Image

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#263 Post by rufwoof »

Oooerrr! Confused now!

I'm running google chrome as root inside that container with the --no-sandbox and it runs seemingly OK. Just has a bar come up initially saying that sandbox is disabled and security/functionality is compromised.
Attachments
s.png
(38.51 KiB) Downloaded 452 times
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#264 Post by rufwoof »

s243a wrote:P.S. on another thread, I mentioned your restricted containers to someone.
I have much the same set up in FatDog 8 now. What I've done for that is to have the main systems tray at the top of screen, and the containers tray at the default bottom of screen location. I set the Xephyr window to be undecorated (no title bar) and size it to 32 less height and Y offset by 32 ... so it doesn't overlay the main systems tray. That way you can activate menu's or the tray items in either the main or container quickly/easily.

The main quirks are that sometimes the mouse gets locked inside the container and you have to ctrl-shift to release it again. And you have to be aware of which windows are in which environment as you can't for instance cut from a container window and paste into a main system window.

Not so confident about spot myself. I have found it easy to elevate to root from spot in a number of Puppy's to the extent I considered it pointless in most cases. Fatdog 8 is one of the exceptions.
Attachments
s.png
(89.08 KiB) Downloaded 453 times
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#265 Post by Mike Walsh »

rufwoof wrote:Oooerrr! Confused now!

I'm running google chrome as root inside that container with the --no-sandbox and it runs seemingly OK. Just has a bar come up initially saying that sandbox is disabled and security/functionality is compromised.
Hm. Well, that's news to me.....and something I've learnt. Under normal circumstances, it won't work for me; perhaps running inside the container has changed its ability to run without the sandbox enabled.

Can't say, mate.


Mike. :wink:

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#266 Post by rufwoof »

Whatever its going, with chrome just showing the puppy forum web page, all child processes spawned by chrome also have the --no-sandbox parameter. So yes does work.

Maybe because that container has cap_sys_admin and cap_sys_chroot capabilities dropped - chrome might perhaps be able to detect its not a full blown root. Running without the --no-sandbox however and it does complain/not run.
Attachments
s.png
(74.11 KiB) Downloaded 429 times
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#267 Post by rufwoof »

It would seem that running chrome with its sandbox requires root level chroot capabilities. Drop chroot capability and you have to use the --no-sandbox command line parameter. In a chroot container however you don't want chroot capabilities, otherwise you (or potential cracker) can just chroot out of the container.

So the choices would seem to be to either run as spot inside a container with chroot capabilities, but perhaps where spot doesn't have chroot potential, or run as root with no chroot capabilities at all.

Weighing things up, fundamentally do you put total faith in chrome's containment, and hope that spot can't elevate to root, or run chrome as root inside the Xephyr/unshare/chroot/capsh environment, with no-sandbox. Of the two the latter seems the better choice IMO, more so given recent chrome zero day bugs that potentially opened up the system. Also I have little faith in spot not being able to potentially elevate to root - potentially relatively easily, which further adds to the appeal of not permitting chroot capabilities.

In short I think Xephyr/unshare/chroot/capsh with chrome running as root with --no-sandbox is the better choice compared to trying to run chrome as spot within a container.

cd /pub
more beer
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#268 Post by s243a »

rufwoof wrote:Mike, as our resident Chrome expert, what are the limitations, if any, imposed by running google chrome with the --no-sandbox switch?

I'm not concerned about running as root with no sandboxing as I'm already containing chrome within a restricted environment anyway i.e. FatDog 8 with a Barry like containment (Xephyr, unshare, chroot with capsh (capabilities for sys_admin and chroot dropped)), so pretty much a heavily restricted 'root' - comparable to a low privilege/restricted userid that's isolated from the main FatDog X system. Providing you don't keep sensitive data/stuff within that container then that's impervious to even a zero day vulnerability. But I was wondering what limitations running with --no-sandbox might impose.

TIA.
I noticed something weird about Opera (and possibly other chrome clones), when running with the --no-sandbox tag. On my TazPup64 I'm working on I had opera running under jwm. I exited Xorg and started LXDE. I noticed Opera was running like it had never shut down when I exited XOrg. To me this behavior is undesirable because then cntrl-alt-backspace is less likely to unfreeze the system if for some reason the system freezes.

Perhaps I can add a command to specifically kill chrome (and it's clones) in whatever script ("presumably wmexit") is called when I press cntrl-alt-backspace.

Note that, I didn't yet check to see what Opera related process might continue to run when the Xserver shuts down.

User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#269 Post by Mike Walsh »

Evening, all.

The current stable version of Chrome - Google_Chrome-74.0.3729.108-amd64 - is now available for download, from the location referenced in post #1.

------------------------------------------------

Changes and updates in this release are as explained here, on the regular Chrome blog page.

39 security issues have been addressed since the previous release.

----------------------------------------------------

A small script, which has been placed in /usr/sbin & sym-linked into /root/Startup, now automatically runs the glib-compile-schemas compile command at boot time. Downloads/uploads, therefore, work as they should.

The 'Spot2Root' file permissions changer has also been updated. It now works with uploads as well as downloads.....as explained in an earlier post. Following an exchange of ideas & points raised via PM with mikeslr, I've added an extra line to the 'spot-to-root' module of the Permissions Changer which sits in the task-bar; when you select 'Spot-to-Root (for downloads)' in the GUI, ROX (or whatever your default file-manager happens to be) will now open on your 'Downloads' directory, ready to retrieve the newly-downloaded item.

It's also been re-written to remove the need for the intermediate 'Spot2Root' directory in /usr/share. Following some research using the Linux man pages, I've finally discovered how to move stuff from one directory to another and change permissions in the process, all in the one single line of code....

I'm steadily learning. :D

------------------------------------------------------------------

Credits (as usual) :-

Battleshooter - for help with the self-contained NSS libs'n'stuff several releases back.
belham2 - for cobbling together the 'launch' script that is now employed.
And further back, 01Micko (the 'head honcho'), and iguleder - both of whom have indirectly helped keep this thread going for as long as it has, with references & links.

Thanks must also go to OscarTalks and peebee, for suggestions and assistance over the last couple of years.

---------------------------------

Any issues, I'm usually kicking around somewhere on the Forums. You know how to get in touch.

Have fun!


Mike. :wink:
Last edited by Mike Walsh on Thu 02 May 2019, 14:50, edited 2 times in total.

albertox
Posts: 6
Joined: Wed 03 Apr 2019, 05:06
Location: Planet Earth , for now :)

Downloads Location

#270 Post by albertox »

@Mike Walsh

Thank you so much Mike for keeping Chrome up to date, it's my favorite browser too. We are very lucky to have great people like you and the others in the forum who devote their free time to provide us with various software.

I don't know if this has been answered already, but I couldn't find it in search. I'm running TahrPup64 and SFS version. Chrome crashes if I try to change the downloads location. It also crashes if I set Downloads to "ask where to save", when trying to download before the choose location menu comes up.

I'm not sure if I'm doing something wrong, as I'm a newcomer to GNU/Linux, and still struggling with the technical stuff.
.

User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#271 Post by Mike Walsh »

@ albertox:-

Umm. Mm-hm.

I always did have 'issues' with up-to-date Chrome in Tahrpup64. It's part of the reason why I switched to doing my development/packaging work in Xenialpup64.....it never gave me any problems.

Tahr64 was 666philb's very first 64-bit Puppy. Naturally, it was a learning curve, not only for him, but for the rest of us, too. By the time Xenial Xerus 16.04 LTS was released, Phil had learnt a lot of 'tricks' from his first 64-bit attempt, with the result that Xenialpup64 has just been that much smoother, and more stable, from the outset. We all learn from our mistakes.....it's how the human learning process works.

Not being funny, but I would definitely suggest upgrading to Xenialpup64. 'Trusty Tahr' went EOL on the 30th April (day before yesterday), so is now unsupported. (I mean, Puppies are in fact 'timeless', as we all know.....but even Puppies have to move on in order to be able to run newer software.)

I vaguely recall the problem in Tahr64 being something to do with the available version of GTK-3.0; newer versions wouldn't 'play nice' with the system libraries, etc (and too many things needed upgrading to make it worthwhile 'fixing').

------------------------

Try this. I assume you're trying to run the newest version I've just published, yes? If so, run

Code: Select all

/home/spot/chrome.sh
.....in the terminal, and let me have the output, please. (There'll be a lot of it; the Chromium 'clones' are incredibly 'verbose' and 'noisy' in the terminal; part of the reason is that this is where debug info comes from for the developers).


Mike. :wink:

albertox
Posts: 6
Joined: Wed 03 Apr 2019, 05:06
Location: Planet Earth , for now :)

#272 Post by albertox »

Thank you Mike for your reply.

Yes, I'm currently running your latest chrome V.74.0.3729.108, but I also had the same issue with the previous version. Please find attached a file containing the output, but please don't busy yourself a lot with this issue. It's not really that important.

You know, I have fallen in love with Puppy, and I think I probably have most of the popular Pups installed on USB sticks, TahrPup, Slacko, Xenialpup, Bionicpup, LxPup, Dpup Stretch-7.5 and Fatdog64. I have a bit of a convenience reason for using Tahrpup64. It's the highest Pup version which could fit on a 250MB SD card I pulled from a dead old camera. My favorite laptop HP EliteBook can boot from SD card, so this works great as having two drives, and I don't need to dual boot with Windows, or should I say Windoze as I have seen you call it in some posts :)
.
Attachments
chrome.zip
/home/spot/chrome.sh output
(934 Bytes) Downloaded 411 times

amn87
Posts: 32
Joined: Mon 28 Mar 2016, 16:14

Bionicpup compatibility.

#273 Post by amn87 »

Will it work in Bionicpup64 without having to mess around with missing dependencies etc? If yes which is better the .pet or .sfs from a RAM consumption POV?

User avatar
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

Re: Bionicpup compatibility.

#274 Post by Mike Walsh »

@ amn87:-
amn87 wrote:Will it work in Bionicpup64 without having to mess around with missing dependencies etc? If yes which is better the .pet or .sfs from a RAM consumption POV?
It should fire straight up. It's self-contained, as far as dependencies are concerned. And Bionicpup64 was the Puppy that prompted the relocation from /root/spot to /home/spot, bringing it more into line with Big Brother's "requirements".

The browser will use exactly the same amount of RAM in the un-packed, i.e., running condition. The .pet package or SFS are simply different ways of installation, though the SFS is recommended; these are big browsers, occupying something like 340 MB of RAM simply 'ticking-over'. By using the SFS, you can unload it when not required, thereby freeing-up RAM for other uses.

The .pet package will permanently occupy space in your save-file/folder. I built those for certain of Barry's experimental OSs, where they cannot apparently make use of SFSs, since they're installed in 'full' mode. For everybody else, the SFS is the method I recommend.


Mike. :wink:

RickGT351
Posts: 289
Joined: Tue 27 Sep 2011, 22:02
Location: Auckland, New Zealand

#275 Post by RickGT351 »

I have got Debian Dog on a flashdrive but it's as slow as a wet week
dancytron wrote:/offtopic

If you are looking for another good platform for Chrome, take a look at Debian Dog 64. Main advantage is that you can install it straight off the Chrome website and it automatically adds the repository so that you can keep it updated via apt-get like any other application. You can then run it as root with a simple script.

I did an explanation of how to do it, I'll add the link as soon as I find it.

edit:here it is

http://www.murga-linux.com/puppy/viewto ... 150d32909c

Post Reply