Chromium sandbox and SUID root executable


Installed the Chromium browser (beta) yesterday to take a look and test a
web site.

Today, due to a security report, I noticed that the Chromium package
installed a SUID root executable, /usr/lib64/chromium-browser/chrome-sandbox

My question is, why would a browser need a SUID root executable? Why would
it need or want root access?

Restricting a process exposed to the internet is a good idea but would it
not be better to use the security infrastructure already present in Linux
instead of creating some custom sandbox that needs SUID root and is a
potential risk in itself?!

Security report:

Security Warning: change in Suid Root files found :
-   Added Suid Root files : /usr/lib64/chromium-browser/chrome-sandbox

Security Warning: change in SUID files MD5 checksum found :
-   Added SUID files MD5 checksum : 6c8503155cb994371b89782fcfa6d56e  

Security Warning: change in packages found :
-   Added packages : chromium-browser-
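
A baseline check of the kind that produced the security report above, as an added example that is not part of the original post or of the tool that generated the report: it records setuid files owned by a given UID and reports additions, removals and checksum changes. SHA-256 is used here in place of the MD5 shown in the report; the function names and the `owner_uid` parameter are assumptions for illustration.

```python
import hashlib
import os
import stat


def suid_snapshot(root, owner_uid=0):
    """Map path -> SHA-256 for regular setuid files under root owned by owner_uid."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # file vanished during the scan
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & stat.S_ISUID or st.st_uid != owner_uid:
                continue
            try:
                with open(path, "rb") as fh:
                    snap[path] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                snap[path] = "unreadable"  # still record that the file exists
    return snap


def diff_snapshots(baseline, current):
    """Return (added, removed, changed) path lists, like the report's sections."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def report(baseline, current):
    """Render the diff as report lines (wording is constructed, not the tool's)."""
    added, removed, changed = diff_snapshots(baseline, current)
    lines = [f"Added SUID file: {p} sha256={current[p]}" for p in added]
    lines += [f"Removed SUID file: {p}" for p in removed]
    lines += [f"Checksum changed: {p}" for p in changed]
    return lines
```

Store the first snapshot somewhere the scanned system cannot silently rewrite, then compare each later scan of the same tree against it.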


Re: Chromium sandbox and SUID root executable


On a theoretical level? suid is an adventure. A small suid tool that
does one small thing can be more secure than relying on someone else's
non-cross-platform suid infrastructure. I'd be curious to see the
source code and see what that utility does, and it should be available
for review at /.
