
I am experiencing a very weird and suspicious issue on Debian 12.

For context, I am using grsecurity + RBAC, which gives me the possibility to see what files each program wants to access. My issue is not caused by RBAC, but RBAC brought my attention to this issue.

So, I have upgraded the Chromium browser to: 138.0.7204.49

and suddenly, when Chromium starts, in addition to trying to access the usual files in my home, such as ~/.config/chromium or ~/.cache, it now tries to access sensitive folders on my system:

~/.ssh/ ~/.gnupg/ ~/.dbus/ /boot/ 

(while ~/.dbus is not as immediately alarming as the others, Chromium accessing this when it didn't before is still a change in behaviour that deserves scrutiny)

This never happened before. I am sure, because the RBAC rules that I am using would have alerted me.

This is highly suspicious and potentially a serious security issue!

This issue was originally reported on Chromium 138, fixed in the next version, and now it's back in version 140.0.7339.80.

I have reported this as a Debian bug, but nobody cares.

Is this normal behaviour? does it come from upstream, or did Debian add this "feature" ?

  • @MartinVegter no, but that isn't relevant or a comparable situation. The point is that reading some of those files is actually perfectly reasonable. It's entirely reasonable for a browser to use your public keys, so both the .ssh/ and .gnupg directories are something that a browser may have valid reasons to access. As for /boot and ~/.dbus/, there isn't really anything sensitive there, so I don't see an issue. Commented Sep 21 at 9:13
  • ~/.dbus makes much sense to me; you want your browser to interact with the rest of the system via dbus (e.g. for audio settings, notifications). The .ssh and .gpg accesses sound like you're using an authentication provider that checks for the presence of files, i.e., this might just be libraries inserted into the chromium process by your OS configuration, e.g. via PAM mechanisms, which happens when checking for NSS configuration. Checking /boot sounds a bit like there's an enumeration of mount points, which I've seen happen for WebUSB support. None of this sounds like big red flags to me. Commented Sep 21 at 11:24
  • "Nobody cares" is definitely incorrect; you've received a reply from someone who cares and have yet to give them the information they explicitly asked for! Commented Sep 21 at 11:25
  • @terdon IMO it is a comparable situation. Also IMO, it's not at all reasonable for a browser (or any other program, but especially for a program written by a corporation infamous for its surveillance habits & technology) to use my public keys without popping up a dialog box asking for permission; that's if it is the browser doing that, as Marcus suggested, it might be PAM or NSS. And while this situation may or may not be entirely benign, it's perfectly appropriate and reasonable to be suspicious of software doing things you don't expect it to do. Commented Sep 21 at 11:45
  • BTW, I've held the chromium packages on my systems at 130.0.6723.91-2 and have no intention of upgrading them ever again, as that's the last version I know of that uMatrix and uBlock Origin still work on. And if that version of chromium breaks in the future due to library incompatibility or something, I'll either stop using chromium or run it in a VM or container. I mostly use Firefox anyway, and only use chromium for a few sites. Commented Sep 21 at 11:49
