[MeeGo-community] Fwd: Re: [Meego-security-discussion] Chromium browser security, installing Firefox 4 on MeeGo, and request for packaging

Ryan Ware ware at linux.intel.com
Mon Apr 11 11:29:46 PDT 2011


Oops.  Forgot to add meego-community.  My response from 
meego-security-discussion below.

Ryan

-------- Original Message --------
Subject: 	Re: [Meego-security-discussion] Chromium browser security, 
installing Firefox 4 on MeeGo, and request for packaging
Date: 	Sun, 10 Apr 2011 17:23:42 -0700
From: 	Ryan Ware <ware at linux.intel.com>
To: 	meego-security-discussion at lists.meego.com



On 04/10/2011 02:14 PM, Niels Mayer wrote:
>  Firefox 4 was released recently (
>  http://www.mozilla.com/en-US/firefox/4.0/releasenotes/ ) and it really
>  is a nicer and potentially more secure browsing experience than
>  Chromium on MeeGo.
I think the "nicer" is more of a qualitative issue and not
quantitative.  I don't know that FF4 offers a greater amount of security
than Chromium, but it at least is starting to approach Chromium.
>  I got it running using MeeGo-Lem: http://wiki.meego.com/MeeGo-Lem-Firefox4
>  using the Fedora 14 RPMs as suggested by:
>  http://www.if-not-true-then-false.com/2010/install-firefox-4-on-fedora/
>
>  Works very nicely on a MeeGo 1.2 touchscreen netbook, especially after
>  installing http://grabanddrag.mozdev.org/index.html
>
>  Any chance Firefox 4 can be packaged and made available with MeeGo Netbooks?
I'd suggest either filing a feature request in the MeeGo Bugzilla for
this if you want it in MeeGo proper or try getting it packaged in the
Community OBS if you feel that's an option.
>  In addition to offering a different/better browsing experience,
>  Firefox4 may offer better sandboxing and security for Linux. In
>  contrast, it appears that chromium's sandboxing isn't necessarily
>  present on their Linux distributions, per
>  http://code.google.com/p/chromium/wiki/LinuxSandboxing and
>  http://code.google.com/p/chromium/wiki/LinuxSUIDSandbox ...
>
>  For Linux, it's possible that FF4 is actually more secure. Based on
>  https://wiki.mozilla.org/Electrolysis "already in use in Firefox to
>  isolate browser plugins like Flash, which fortunately means that users
>  are insulated from the instability of such plugins" (
>  http://arstechnica.com/open-source/reviews/2011/03/ars-reviews-firefox-4.ars
>  ).
Chromium also isolates plugins in separate processes.  On my current system:

     /opt/google/chrome/chrome --type=plugin
       --plugin-path=/var/lib/flashplugin-installer/npwrapper.libflashplayer.so
       --lang=en-US --plugin-data-dir=/blah/blah/blah
       --channel=2370.0x514bc00.718012511

>  For example, the latest "trunk" chromium for MeeGo is not secure
>  (after installing via:
>  "zypper in http://download.meego.com/live/devel:/base/Trunk/i586/chromium-11.0.678.0-8.17.i586.rpm
>  " ) "about:sandbox" reports:
>
>>  Sandbox Status
>>  SUID Sandbox	No
>>  Seccomp sandbox	No
>>  You are not adequately sandboxed!
This is...unfortunate.  Could you please take a moment Niels and file a
bug in the MeeGo Bugzilla under the security component for this?
>  Installing "google-chrome-beta" ("8.0.552.200 beta") from repo
>  http://dl.google.com/linux/rpm/stable/i386  gives a slightly more
>  secure, but still inadequate setup:
>
>>  Sandbox Status
>>
>>  SUID Sandbox	Yes
>>  Seccomp sandbox	No
>>  You are not adequately sandboxed!
>  (for some reason, google-chrome-stable ia32 chrome browsers are still
>  at version 7, the google-chrome-beta is at version 8 and
>  google-chrome-experimental is at version 11.)
>
>  Whereas on my Fedora desktop, google-chrome-stable x86_64
>  (10.0.648.204) "about:sandbox" reports a more secure configuration:
>
>>  Sandbox Status
>>  SUID Sandbox	Yes
>>    PID namespaces	Yes
>>    Network namespaces	Yes
>>  Seccomp sandbox	No
>>  You are adequately sandboxed.
>  Could MeeGo's chromium browsers be built with adequate sandboxing like
>  those distributed by Google for x86_64??
They *should* be more akin to this and I'm extremely disappointed to see
that it's not.  I will get this fixed, but please file a bug.  It will
give additional impetus to getting it fixed if people see it came from
external.

Ryan
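
An added example, not part of the original thread and not code from MeeGo or Chromium: a shell audit of the setuid helper that Chromium's SUID sandbox depends on, one thing to check when about:sandbox reports "SUID Sandbox No". The helper name chrome-sandbox and the root-owned, mode 4755 requirement are taken from Chromium's own SUID sandbox documentation rather than from this thread, and the path in the usage comment is an assumption based on the /opt/google/chrome install shown above.

```shell
#!/bin/sh
# Added example: audit the setuid helper used by Chromium's SUID sandbox.
# Assumption: the helper is a file named chrome-sandbox next to the browser
# binary and must be owned by root (uid 0) with mode 4755.

# helper_verdict MODE OWNER_UID
# MODE is the octal mode as printed by `stat -c %a` (e.g. 4755).
# Prints a one-word verdict; returns 0 only for the documented configuration.
helper_verdict() {
    mode=$1
    owner=$2
    if [ "$owner" != "0" ]; then
        echo "not-root-owned"
        return 1
    fi
    case "$mode" in
        4755)      echo "ok";         return 0 ;;
        [4567]???) echo "wrong-mode"; return 1 ;;  # setuid set, other bits differ
        *)         echo "not-setuid"; return 1 ;;  # helper cannot gain privileges
    esac
}

# check_sandbox_helper PATH
# Returns 0 if the helper is usable, 1 if misconfigured, 2 if missing.
check_sandbox_helper() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "$path: missing"
        return 2
    fi
    # %a = octal permission bits, %u = numeric owner uid
    verdict=$(helper_verdict "$(stat -c %a "$path")" "$(stat -c %u "$path")") \
        && rc=0 || rc=$?
    echo "$path: $verdict"
    return "$rc"
}

# Usage (path is an assumption): sh check.sh /opt/google/chrome/chrome-sandbox
for p in "$@"; do
    check_sandbox_helper "$p" || true
done
```

A passing check only shows the helper is installed as documented; about:sandbox remains the authoritative report of what the running browser actually enabled.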