Puppy Linux Discussion Forum

Vivaldi browser offers pretty cool features:

https://vivaldi.com/en/download/

I think we have a SFS-file in the FatDog repository for quick installation. However, in this way you can obviously not update the browser like Chrome and Firefox in the FatDog control panel.

Do you have any idea how to always get / update the latest Vivaldi version in FatDog in a convenient way?

Thanks for your ideas!

I'd recommend just snagging the most current appimage: https://github.com/ivan-hc/Vivaldi-appi ... continuous. To update you just download the newest one and overwrite your existing one.

Thanks @m1k3, appimages are indeed an interesting idea and concept:

https://appimage.org/

Although, using an unoffically created browser package that does not come directly from the Vivaldi developer team could be a bit of a concern...

Mis-posted in wrong area

Neo_78 wrote: ↑Fri Jan 26, 2024 10:08 pm

Although, using an unoffically created browser package that does not come directly from the Vivaldi developer team could be a bit of a concern...

True, although in this case you can review the shell script used to build the appimage and see what the source is.

Vivaldi has an installer script here --> https://help.vivaldi.com/desktop/instal ... m-distros/

I also have the same script here --> https://disk.yandex.com/d/fM2bMyJ731GzEg named Update-Vivaldi.sh with two other files that will come in handy if you want to install Vivaldi and also an updater for it.

• Get the three files from the Yandex.Disk link (alternatively, get the script from the Vivaldi link and rename it Update-Vivaldi.sh)

• Make a folder /root/Vivaldi and put Update-Vivaldi.sh and v-check.png in it

• Make sure Update-Vivaldi.sh is executable

• Put vivaldi-updater.desktop in /usr/local/share/applications

• Make sure vivaldi-updater.desktop is executable

• In Menu>Internet you'll now see Vivaldi-Updater

• Click it to install Vivaldi, and click it any time you want later to update Vivaldi.

• Now look in usr/local/share/applications, you will see vivaldi-stable.desktop. Open it as a text file

• Change line 108 from Exec="/usr/local/share/vivaldi/vivaldi" %U to Exec=/usr/local/share/vivaldi/vivaldi --no-sandbox

• Make sure vivaldi-stable.desktop is executable

• Now you have Menu>Internet>Vivaldi to launch your browser

I don't entirely understand the --no-sandbox thing, but I ran into the same thing trying to install Brave browser. It has something to do with root. Vivaldi will not launch in Fatdog64 on my machine without this edit. You may be able to use spot and not need the --no-sandbox, I don't know. I also realize it's important to some people that it is sandboxed who may not want to do it this way. I still wanted to share this way of installing, you wind up with the browser and updater in your menu on Fatdog64.

trawglodyte wrote:

.... ... Exec=/usr/local/share/vivaldi/vivaldi --no-sandbox

To run as spot : Exec=run-as-spot /usr/local/share/vivaldi/vivaldi
EDIT: Or perhaps better /usr/local/share/vivaldi/vivaldi-bin, not sure.

fredx181 wrote: ↑Sat Jan 27, 2024 9:14 pm

trawglodyte wrote:

.... ... Exec=/usr/local/share/vivaldi/vivaldi --no-sandbox

To run as spot : Exec=run-as-spot /usr/local/share/vivaldi/vivaldi

run-as-spot may be much better for people than --no-sandbox. Brave browser has given me some warnings since doing it with --no-sandbox. You all probably know more about running as spot than me. The immediate thing I noticed was I went to upload a file and it was, of course, in /root/Documents or some other folder in /root that I couldn't easily reach as spot. But that is easy to remedy, and has some advantages, including being sure your browser is operating as intended in this case.

One other note, if you use the install script from Vivaldi it will give you vivaldi-snapshot by default. but if you do

sh /path/to/vivaldiscript.sh --final

it will give you vivaldi-stable. This is written into vivaldi-updater.desktop above.

@m1k3 Do you know the location of the build script that is being used to create the mentioned Vivaldi appimage to review the source?

Does anyone know the exact names and locations of the scripts that are being used to install the default Chrome and Firefox browsers in Fatdog? Maybe those could be adjusted to add additional browser options for Fatdog...

I am als not sure why many Chrome-based browser cannot be executed with the sandbox feature. Is the sandbox disabled automatically for Chrome when you execute it in FatDog?

Do you use any container tools to execute your browser?

I am still looking for an unprivileged container tool that is easy to use, can be executed by a normal user and does not require a crazy amount of configuration. Maybe unshare?!?

https://www.man7.org/linux/man-pages/ma ... are.1.html

Neo_78 wrote:

I am als not sure why many Chrome-based browser cannot be executed with the sandbox feature. Is the sandbox disabled automatically for Chrome when you execute it in FatDog?

Running as root (as Fatdog does) means that any Chromium/Chrome based browser cannot be executed with the (edit: chrome, builtin) sandbox feature (only when running as unprivileged user).

@Neo_78

Neo_78 wrote: ↑Sun Jan 28, 2024 1:19 pm

Does anyone know the exact names and locations of the scripts that are being used to install the default Chrome and Firefox browsers in Fatdog? Maybe those could be adjusted to add additional browser options for Fatdog.

There is no "default Chrome and Firefox" really. Firefox is in the repository, chrome seems not to be. Clicking on the Firefox Browser option in Menu>Internet accesses /usr/share/applications/firefox.desktop, which calls /usr/bin/firefox-spot, which allows the user to choose to run /usr/sbin/update-firefox.sh. That script allows the user to install the latest firefox direct from Mozilla, and updates various system files to function accordingly. The Chrome versions do similarly.

Likely they could be modified without too much trouble. Whether the team wants to use their time to do so is another thing, but an enterprising person could probably figure it out (best on a separate instance of FD64 during experimentation). Whether or not that happens, it might be worth your while to examine some of the .desktop files to get an idea of how they function.

Dan

Neo_78 wrote: ↑Sun Jan 28, 2024 1:19 pm

@m1k3 Do you know the location of the build script that is being used to create the mentioned Vivaldi appimage to review the source?

It was right in that repo that I linked to.

https://github.com/ivan-hc/Vivaldi-appi ... builder.sh

It sources the latest Vivaldi snapshot (deb package) from Vivaldi's server.

@Neo_78, I updated Vivaldi stable to 6.5.3206. Get it from SFS manager. The other answers you got are all equally valid to update Vivaldi on your own. Each answer balances convenience and control differently and yields the desired outcome.

Neo_78 wrote: ↑Sun Jan 28, 2024 1:19 pm

I am als not sure why many Chrome-based browser cannot be executed with the sandbox feature. Is the sandbox disabled automatically for Chrome when you execute it in FatDog?

Here's the magic stuff that everybody whispers about not never dares to ask.

Let's start with a plain fact: everytime you launched chrome, it will run as root.

ALWAYS

Even when you're logged in as a regular user, chrome is always run as root, when you first launches it.

NO EXCEPTION.

Why? Because chrome is a suid (set-suid) application. It is always launched with the privilege as root. Check the file permission of chrome-sandbox in your chrome installation directory and you'll see what I mean.

So, what gives? After it is run as root, chrome will make certain Linux syscalls to limit itself (=put itself in a sandbox). Having put itself in a sandbox, chrome then relinquishes the root privilege and changes its identify back into the original logged-in user, with all the sandbox restrictions already in place.

But why does it need to run as root first? Simple. Because the syscalls to "limit itself" can only be called as root. These syscalls don't work as a regular user.

It's just like somebody who impersonates as a prison guard. As a prison guard, he gets the key to a jailroom. Once he gets the key, he goes inside the jail, and lock himself in. The he takes off his prison guard clothing, and then throw both the clothing and the keys out of the jail. Now, you can only do that if you're impersonating as a prison guard in the first place. You can't just go to a prison and ask for key.

Hence, chrome needs to (ironically) launch as root in order to provide you with more security.

Okay, so far so good. But why can't chrome run with sandbox while running as root? Because chrome developers think that as root, you can always get out of the jail, because, well, you're root and you're capable of everything. Hence, the sandbox is useless when being used for root.

So, in their wisdom to prevent you from having a false sense of security, they disable the sandbox feature if you're root; but they want you to be aware that fact, hence they force you to use the --no-sandbox flag, or chrome will refuse to run at all.

But is it really true that no sandboxing can be done if one is running as root? Of course not. You can do sandboxing even when running as root, as @fatdoguser has shown again and again in his numerous posts about dropping the capability and running as "restricted root".

But perception matters. It's the same thing like forcing everybody to use HTTPS, because it makes things "oh more secure" (hint: it doesn't). Rather than giving (perhaps slightly limited) sandbox protection when running as root, they disable the feature all together and claim that running as root is unsafe.

fatdoguser wrote: ↑Fri Jan 26, 2024 10:28 pm

With chrome if the menu fonts are too big/small, use the --force-device-scale-factor=1.5 switch
/opt/google/chrome/chrome --force-device-scale-factor=1.5

Interesting. In almost 16 years of using Chrome, that's one --switch I wasn't aware of......though, given just how many --switches there ARE, that's hardly surprising. Fixes my "viewing" issues with the most recent releases of Chromium itself; they must think we're all youngsters with perfect 20/20 vision!

In my case, 1.3 seems to be just about right. Thanks for the info. Cheers!

Mike.

Standard original Fatdog64 901 with Vivaldi 6.5.3206.57 installed via SFS Manager and run as spot.
Entering vivaldi://sandbox in address bar indicates:

Sandbox Status
Layer 1 Sandbox Namespace
PID namespaces Yes
Network namespaces Yes
Seccomp-BPF sandbox Yes
Seccomp-BPF sandbox supports TSYNC Yes
Ptrace Protection with Yama LSM (Broker) No
Ptrace Protection with Yama LSM (Non-broker) No
You are adequately sandboxed.

Same as @fatdoguser's Chrome.

I'll throw in my 10¢ to the discussion about Vivaldi...

EasyOS has it in the menu, Internet category, "Download latest Vivaldi". It downloads the official .deb
and it gets installed to run as user "vivaldi", with home path at /home/vivaldi
and write permission in /home/vivaldi and under /files

The user can choose "Download latest Vivaldi" at any time to update to latest version.

Thanks @BarryK. Do you mind sharing your installation script?

Neo_78 wrote: ↑Sat Feb 03, 2024 10:12 pm

Thanks @BarryK. Do you mind sharing your installation script?

It's a pet, vivaldi-skel-ask-20230317.pet, here:

https://distro.ibiblio.org/easyos/noarc ... es-noarch/

Support to run each app as its own user is a unique feature of EasyOS, but the pet could be modified to work with spot.

I just had a look at the script; it uses the 'popup' utility, that is unique to EasyOS, but you could replace with gxmessage or gtkdialog.

You can get 'popup', it is in the 'pup-tools' package, from here:
https://distro.ibiblio.org/easyos/amd64 ... kirkstone/

...but that is compiled with glibc 2.35. If you are running an older glibc, then there's 'popup' compiled with glibc 2.25 here:
https://distro.ibiblio.org/easyos/amd64 ... t/oe/pyro/

The source for 'pup-tools' is here:
https://distro.ibiblio.org/easyos/sourc ... betical/p/
...but, 'popup' is written in Bacon. (https://www.basic-converter.org/)

Thanks @BarryK