[SOLVED] Iridium browser workaround: putting security at risk?

philotux
Posts: 280
Joined: Sun Apr 22, 2018 12:57 pm

#1 Post by philotux »

Some days ago, I did the following in order to make Iridium run on my MX:

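Code:

sudo touch /etc/sysctl.d/00-local-userns.conf
# Write through "sudo tee": with "sudo echo ... > file" the redirect runs as the unprivileged user and is denied
echo kernel.unprivileged_userns_clone=1 | sudo tee /etc/sysctl.d/00-local-userns.conf
# Re-apply the sysctl settings
sudo service procps restart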
This was originally posted and linked to here.

Now I just read:
Note: The user namespace configuration item CONFIG_USER_NS is currently enabled in linux (v4.14.5 or later), linux-lts (v4.14.15 or later) and linux-hardened. Lack of it may prevent certain sandboxing features from being made available to applications. Unprivileged usage is disabled by default unless the kernel.unprivileged_userns_clone sysctl is set to 1, since it greatly increases the attack surface for local privilege escalation.
on Arch Wiki Security/Sandboxing applications.

Admittedly, I am at a loss to determine whether I have, by implementing the workaround, introduced a "security hole" in my system. The bolded (by me) statement above does sound a bit worrying.

I'll be grateful for any and all explanations/comments on this.
Last edited by philotux on Fri Jun 07, 2019 6:33 am, edited 1 time in total.
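
Added example, not part of the original thread: a small audit of the setting discussed in the post above. It lists every file in a sysctl.d-style directory that assigns kernel.unprivileged_userns_clone, reports the last value assigned, and shows the value the running kernel uses. The function names are hypothetical, and the script assumes a single directory (precedence across several sysctl directories is not modelled).

```shell
#!/bin/sh
# Added example: audit one sysctl.d-style directory for the user-namespace sysctl.
KEY="kernel.unprivileged_userns_clone"

# userns_settings DIR
# Prints "file<TAB>value" for every assignment of $KEY in DIR/*.conf,
# in shell glob order (assumed here to match the order the files are applied).
userns_settings() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Skip comment lines (# or ;); accept a leading "-" and spaces around "=".
        awk -v key="$KEY" -v file="$f" '
            /^[ \t]*[#;]/ { next }
            {
                line = $0
                sub(/^[ \t]*-?[ \t]*/, "", line)
                n = index(line, "=")
                if (n == 0) next
                k = substr(line, 1, n - 1); v = substr(line, n + 1)
                gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == key) printf "%s\t%s\n", file, v
            }' "$f"
    done
}

# userns_configured DIR -> last value assigned in DIR, or "unset".
userns_configured() {
    v=$(userns_settings "$1" | tail -n 1 | cut -f 2)
    echo "${v:-unset}"
}

# userns_live -> value the running kernel uses, or "absent" when the kernel
# does not expose this sysctl at all.
userns_live() {
    p=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$p" ]; then cat "$p"; else echo absent; fi
}

# Stand-alone use: compare what is configured with what is live.
userns_settings /etc/sysctl.d
echo "configured: $(userns_configured /etc/sysctl.d)  live: $(userns_live)"
```

A configured value of "unset" together with a live value of 1 means the setting comes from somewhere other than the scanned directory.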

philotux
Posts: 280
Joined: Sun Apr 22, 2018 12:57 pm

Re: Iridium browser workaround: putting security at risk?

#2 Post by philotux »

Hi all,

I'm still a bit preoccupied by this issue. I have used Iridium since I got it installed but if it would mean a decrease in the security of the system for having enabled kernel.unprivileged_userns_clone then I think I would give up on Iridium and revert the changes.

I would really appreciate it if those with insight into this would shed some light on it.

Stevo
Developer
Posts: 12837
Joined: Fri Dec 15, 2006 8:07 pm

Re: Iridium browser workaround: putting security at risk?

#3 Post by Stevo »

I can run it with the Liquorix kernel without disabling the sandboxing. I think that's a common issue with Chromium-based browsers like Iridium and the Debian kernels.

philotux
Posts: 280
Joined: Sun Apr 22, 2018 12:57 pm

Re: Iridium browser workaround: putting security at risk?

#4 Post by philotux »

Stevo wrote: Mon Mar 11, 2019 9:43 pm I can run it with the Liquorix kernel without disabling the sandboxing. I think that's a common issue with Chromium-based browsers like Iridium and the Debian kernels.
Thank you so much Stevo for your kind advice and I do apologize for my late response. Since my OP I have had to redo my MX Linux installation from scratch and at the moment I don't have Iridium installed. I will keep your suggestion in mind in the case of future installation of Iridium browser.

Thanks once again and greetings,
philotux
