
Problems with Sandbox when installing Vivaldi in a non-standard directory

Hello!

Today we will look at the main problem with installing the Vivaldi browser in a non-standard directory (including standalone / USB installation) on Linux systems. In the second part of the article we will cover the installation itself in detail.

Brief description of the problem
The main problem that occurs when launching the Vivaldi browser from a non-standard directory on Linux systems is associated with the Chromium sandbox, a key element of security. The Chromium sandbox on Linux requires superuser privileges. This is achieved with SUID: the sandbox binary runs with administrator rights even when an ordinary user starts it.

Depending on the version of your Linux kernel and its configuration, the sandbox may not need administrator rights at all. Generally speaking, they are not required on Linux kernel version 3.17 and higher. But in some distributions (Arch, for example) the problem remains even with a more recent kernel. For this reason the solution offered below amounts to "unofficial" support for installing the browser in a non-standard directory, since it will not work for all users.

Why sandbox requires admin rights

The sandbox process has administrator rights so that it can control other processes and prevent them from doing something they should not do. It is not the only utility that works this way for security purposes. Many operating system components run as administrator, including the classic chroot utility.

I can reassure those who are worried about what happens in the sandbox: this code is part of Chromium and is available for viewing and auditing. You can even compile it yourself and use your build in place of the one shipped with the browser.

Since escalating the user's privileges in this way was deemed impractical, the sandbox code has recently been modified to use alternative methods supported by the Linux kernel. You can check for yourself whether your browser uses the SUID method for the sandbox by typing vivaldi://sandbox in the address bar. If "SUID Sandbox" is set to "No" and the comment says that "You are in the correct test environment", then this method is no longer used on your system.

How it complicates the installation in a non-standard directory

In a typical installation, which is performed with administrator rights (sometimes using sudo) into a public system directory (for example, /opt), the sandbox binary is always installed with the appropriate SUID access rights. The SUID sandbox method is then used whenever the more modern methods are not available.

Users who carry out a non-standard installation usually want to launch the browser from a directory whose access rights are limited to those of an ordinary user. This may be the case if the user is not an administrator on the system, or if the user wants to simply unpack the installation package and launch the browser directly instead of installing it. Both options are quite possible if the Linux kernel supports the alternative security methods required by the sandbox. If the kernel does not have this support, an error message will appear in the terminal when you try to start the browser, stating that the sandbox does not have sufficient permissions.

Some users who encountered this problem tried to disable the sandbox, but this is not a good idea, because it turns off the browser's main security system. The user can also try to change the permissions of the sandbox binary. This is possible only if the user has administrator privileges and the directory in which the browser is located is not mounted with the "nosuid" option (a very common situation for the user's home directory under /home on many distributions).

Is there a safe, affordable solution to this problem?

If the system already has a correctly installed sandbox from a previous version of the Vivaldi browser (or another Chromium-based browser), you can tell the browser installed in the non-standard directory to use that existing sandbox instead of the one that comes with the package being installed. To do this, delete the sandbox from the non-standard installation (or move it to another directory) and point the CHROME_DEVEL_SANDBOX variable at the already installed sandbox. For example, in "~/.bash_profile" (or in another suitable script) you can add the following statement:

export CHROME_DEVEL_SANDBOX=/opt/google/chrome/chrome-sandbox 


Note: The sandbox you point to should be a recent version (ideally the same version as the browser installed in the non-standard directory), otherwise you may encounter various problems, or the installed sandbox may lack the latest security updates.
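
Before exporting the variable it is worth confirming that the existing sandbox can actually work as a SUID helper. The script below is an added example, not part of the original article or of Vivaldi/Chromium; it assumes the usual requirement for the helper (owned by root, mode 4755), GNU stat and findmnt from util-linux, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: validate an installed chrome-sandbox before pointing
# CHROME_DEVEL_SANDBOX at it. Function names are hypothetical.

# True if owner uid ($1) and octal mode ($2) describe a root-owned SUID helper.
suid_root_ok() {
    [ "$1" = "0" ] && [ "$2" = "4755" ]
}

# True if the comma-separated mount option string in $1 contains "nosuid".
opts_have_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 only if the sandbox binary at $1 can run with its SUID bit honoured.
# 1 = missing, 2 = wrong owner/mode, 3 = nosuid mount, 4 = mount lookup failed.
check_sandbox() {
    sb_path=$1
    [ -f "$sb_path" ] || { echo "missing: $sb_path" >&2; return 1; }
    sb_uid=$(stat -c %u -- "$sb_path")
    sb_mode=$(stat -c %a -- "$sb_path")
    if ! suid_root_ok "$sb_uid" "$sb_mode"; then
        echo "need root owner and mode 4755, got uid=$sb_uid mode=$sb_mode" >&2
        return 2
    fi
    # Mount options of the filesystem that holds the binary.
    sb_opts=$(findmnt -n -o OPTIONS -T "$sb_path") || return 4
    if opts_have_nosuid "$sb_opts"; then
        echo "filesystem is mounted nosuid, the SUID bit is ignored" >&2
        return 3
    fi
    return 0
}

# Usage: sh check-sandbox.sh /opt/google/chrome/chrome-sandbox
# Prints the export line only when every check passes.
if [ "$#" -gt 0 ]; then
    if check_sandbox "$1"; then
        echo "export CHROME_DEVEL_SANDBOX=$1"
    fi
fi
```

The script does not compare sandbox and browser versions, so the note above about using a recent sandbox still applies.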

In the next article we will talk about the installation package of the Vivaldi browser and about the various installation options.

Source: https://habr.com/ru/post/275073/

