Should I run chromium-sandbox or plain chromium?
by max.b from LinuxQuestions.org on (#5R63R)
Debian 11 includes both chromium and chromium-sandbox.
It's my understanding that, while on the one hand, chromium-sandbox prevents some attacks, it also increases other risks by being setuid.
What's the net effect? Is there a consensus on this?
===
I also noticed, by running aa-status, that AppArmor is running, and it confines some apps, like evince and man, but it does nothing for firefox-esr and chromium. Isn't this odd, considering that browsers are probably the most dangerous things you run?
Chrome gets 200+ CVEs/year, and Firefox gets 100 CVEs/year (some say the latter number is only smaller because Firefox gets less attention).