
README from https://ungoogled-software.github.io/ungoogled-chromium-binaries/releases/linux_portable/64bit/ instructs me, before I run ungoogled-chromium, to set up my system by using the user namespace sandbox so that the browser's sandboxing will work. How do I go about this?

My environment: Ubuntu Desktop 22.04 LTS. Let's say that the username of my admin-user is leo.

Raffa
  • 32,237
  • I cannot find sandbox (and/or namespace) here https://github.com/ungoogled-software/ungoogled-chromium-debian#readme, so, please explain. – Luuk Jul 02 '23 at 09:40
  • @Luuk I updated the URL in my question. The README file is in the archive. – John Smith Jul 02 '23 at 10:01

1 Answer


What is it?

That is a kernel feature that allows unprivileged users to create namespaces that can run isolated processes with elevated privileges on those contained/sandboxed namespaces, for example using unshare:

$ whoami
ubuntu
$
$ unshare --map-root-user
#
# whoami
root
#

where, as an example, your current effective user and group IDs get mapped to the superuser UID and GID in the newly created user namespace which makes it possible to conveniently gain capabilities needed to manage various aspects of the newly created namespaces (such as configuring interfaces in the network namespace or mounting filesystems in the mount namespace) even when run unprivileged.

Oftentimes, you don't need to set up such a user namespace yourself, but rather your application requiring that feature should do that automatically as needed.

How to use it?

It should be enabled by default on recent releases of Ubuntu ... Check it with:

sysctl kernel.unprivileged_userns_clone

and if it prints:

kernel.unprivileged_userns_clone = 1

as it should, then you are good to go and your application set to make use of that feature will just run fine ... And you can see this happening by listing the namespaces created/used after running the script ./chrome-wrapper from the extracted portable ungoogled-chromium archive you linked to in your question with e.g.:

lsns -o ns,pid,type,command | grep 'ungoogled-chromium'

If, however, it outputs:

kernel.unprivileged_userns_clone = 0

which means it's disabled ... Then, you can enable it until next reboot with:

sudo sysctl -w kernel.unprivileged_userns_clone=1

and you can make that change permanent by adding this line:

kernel.unprivileged_userns_clone=1

to the file /etc/sysctl.conf

Raffa
  • 32,237
  • Do you have any insight as to why this is enabled by default in Ubuntu? At a cursory glance it does seem like a possible vulnerability according to the answer to this (now old) post: https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do – stephematician Sep 06 '23 at 00:23
  • 1
    @stephematician Many apps offer/require sand-boxing of certain sub-processes that are both critical to their functionality and pose risks to other system processes ... For the app to do that in the past, it needed root privileges (i.e. trust the app developers or sacrifice either functionality or security), but now it can sand-box unprivileged so actually it's two layers of security ... This feature is actually enabled by default on most distributions using newer kernels ... The option to disable it is available on Ubuntu but not all other distros have it. – Raffa Sep 06 '23 at 11:42
  • 1
    @stephematician Another example is this situation I want /ts to reference ~/.local/ts without root/admin privileges? ... Where aside from it being not possible without root in the past, but doing it with user namespace is much safer than doing it with root privileges. – Raffa Sep 06 '23 at 11:56
  • @stephematician Bottom line, those vulnerabilities come from applications that are installed on the system and not from the kernel-space itself per se and the best way to avoid them is to not install those applications ... But, users need applications ... Which will be more secure running those applications as root or confined in an unprivileged user namespace? ... That's what I know and apologies if I fell short of fully answering your question. – Raffa Sep 06 '23 at 12:08
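The check the answer describes (read kernel.unprivileged_userns_clone, then confirm a user namespace can actually be created as the answer's unshare example does), written as a small POSIX sh script. This is an added example, not code from the answer or from the ungoogled-chromium project. The function names, the "absent" case and the advice strings are my own; the absent case covers the point raised in the comments that the toggle is an Ubuntu/Debian kernel addition that other distros may not carry, in which case mainline kernels only expose user.max_user_namespaces.

```shell
#!/bin/sh
# Added example: check whether unprivileged user namespaces are available
# before running chrome-wrapper. Paths, names and messages are assumptions.

# userns_status [path]: print enabled / disabled / absent / unknown for the
# sysctl file given (default: the live kernel setting on Ubuntu kernels).
userns_status() {
    _f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -r "$_f" ]; then
        # No such sysctl: this kernel has no Ubuntu/Debian toggle, so it
        # cannot be switched off here; user.max_user_namespaces governs instead.
        echo absent
        return 0
    fi
    read -r _v < "$_f" || _v=""
    case "$_v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# userns_advice <status>: map a status word to the remediation from the answer.
userns_advice() {
    case "$1" in
        enabled)  echo "nothing to do: the browser can build its own sandbox" ;;
        disabled) echo "run: sudo sysctl -w kernel.unprivileged_userns_clone=1 (add the line to /etc/sysctl.conf to persist)" ;;
        absent)   echo "no Ubuntu toggle on this kernel; check that user.max_user_namespaces is nonzero" ;;
        *)        echo "unexpected value; inspect the sysctl by hand" ;;
    esac
}

# userns_probe: functional test, non-interactive version of the answer's
# unshare demo. Prints the uid_map of a fresh user namespace (root mapped to
# the caller's uid) and returns 0, or returns 1 if creation was refused.
userns_probe() {
    if unshare --map-root-user cat /proc/self/uid_map 2>/dev/null; then
        return 0
    fi
    echo "could not create an unprivileged user namespace" >&2
    return 1
}

# Stand-alone run: report the live setting, give advice, and try the probe.
_s=$(userns_status)
echo "kernel.unprivileged_userns_clone: $_s"
userns_advice "$_s"
userns_probe || true
```

The probe is the part worth trusting: the sysctl can read 1 while a container runtime, seccomp profile or AppArmor policy still blocks user namespace creation, and it is the unshare call, not the sysctl value, that chrome-wrapper's sandbox setup will actually exercise.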