No , i didnt build it!..
I am alarmed because i read about security issues and i have the feeling that we are in a scam wave that is reinforced by the cryptofrenzie.
I am not feeling easy with a system that has as a base a stable debian bun on top of it i have 10-20 appimages or flatpacks , steam , gog installers , itch.io etc .. (not to mention that firefox scares me when once in a while it startsh eating my ram) ..and you got the point. In security terms i think that such a system has an attack surface getting larger and larger...
So i try to find a way to run off-repo apps in a more secure way. Sorry if i was misunderstood initially.
In that spirit i keep finding posts on internet that appimages that intergrate electron framework have the same issue in debian.
For example:
lossless-cut
where is suggested :
Quote:
cd LosslessCut-linux
sudo chown root:root chrome-sandbox
sudo chmod 4755 chrome-sandbox
|
a note taking appimage '
joplin'
a messanging appimage '
patchwork' ,
and a game appimage '
Thrive'
In that discussion is interesting that althouth chrome-sandbox comes with chrome the game in order to avoid dependencies and be self contained it offers its own chrome-sandbox , so we get to an interesting? situation of a game wanting root ?
Also here is the related
discussion in the electon github page.
Electron has chromium as a basic part of its package.
And regarding the option to run the appimage after configuring the kernel with
Quote:
$ sudo sysctl kernel.unprivileged_userns_clone=1
|
that worked!.. There are opinions that by doing that you soften the debian patched kernel but is seems preferable to gaving root permissions to chrome-sandbox. Althought i dont understand how can avoid that after having set a kernel parameter..
What does enabling kernel.unprivileged_userns_clone do?
And
another related discussion.
So what processes must be owned by root?
What if another app package asks the same for another
program? Is that an issue of a postinstallation script
forgetting to set a permission so we should report an issue to the
distro bugtracker or we have a certain jail tech that want tobe root but that practice is not necessarily endorsed by the distro policies?
Is this the program that some appimages need ?:
$ apt-file search chrome-sandbox
chromium-sandbox: /usr/lib/chromium/chrome-sandbox