What kind of vulnerability does CROS test version have?

33 views
Skip to first unread message

Seongbin BAK

unread,
Nov 24, 2021, 5:51:38 AM11/24/21
to Chromium OS Development
1. fixed console pw test0000 (might be reset)
2. ssh connection without pw

anything else?

Seongbin BAK

unread,
Nov 25, 2021, 8:03:13 PM11/25/21
to Chromium OS Development, Seongbin BAK
3. cros deploy

Mike Frysinger

unread,
Nov 25, 2021, 8:40:51 PM11/25/21
to Seongbin BAK, Chromium OS Development
cros deploy just uses ssh
-mike

--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
https://groups.google.com/a/chromium.org/group/chromium-os-dev

ggg

unread,
Nov 27, 2021, 2:17:26 AM11/27/21
to Chromium OS Development, seon...@wayne-inc.com
Seong,
What is the point of your question?
What problem do you think needs solving with "CROS Test version"?

Sorry, your question makes no sense to me since CROS test images are not intended to be secure:  they can only run when the Chrome OS HW is in developer mode (ie not checking signature of boot kernel). But I'm likely just not clear what your goal is.

cheers,
grant

Seongbin BAK

unread,
Nov 27, 2021, 5:13:18 AM11/27/21
to Chromium OS Development, ggg, Seongbin BAK
Hi ggg.

I don't have any problem with it.
Just I am going over about replacing dev versions which is used in a factory to test versions, since the test version has many useful tools.
So for that, I need to make/care a list of MAJOR security issues.
If we know & care vurnerabilities well in CROS test version, it's more useful than dev in industry, I think.

Grant Grundler

unread,
Nov 28, 2021, 2:46:53 PM11/28/21
to Seongbin BAK, Chromium OS Development, ggg
On Sat, Nov 27, 2021 at 2:13 AM Seongbin BAK <seon...@wayne-inc.com> wrote:
Hi ggg.

I don't have any problem with it.
Just I am going over about replacing dev versions which is used in a factory to test versions, since the test version has many useful tools.

Ah ok. So in either case the chromium os device is in developer mode.
 
So for that, I need to make/care a list of MAJOR security issues.

Ok - "MAJOR" is pretty ambiguous. I guess you mean "easily exploitable" security issues? Issues not mitigated by limiting physical access and network access?

AFAIK, the utilities included in the test image builds don't offer any _new_ network access. But I could be wrong. Since test builds are not reviewed for security, it's possible the added utilities could allow someone to get network access and make use of python or other utilities that allow one to get root privilege. Keep in mind that python and other utilities aren't sandboxed like nearly all other binaries running in Chrome OS.

If we know & care vurnerabilities well in CROS test version, it's more useful than dev in industry, I think.

It's more useful if "in industry" they are running the same set of tests that Chrome OS and Chromium OS are regularly running and don't have security requirements (due to physical access constraints and network access constraints).  "Testing" (e.g. autotest or "tast") is the primary need for this image type, not security.

Anyone can modify Chromium OS dev image builds to include any other utilities that they want. In other words, restricting oneself to dev or test images misses the point of building a distribution that meets one's needs.

cheers,
grant
Reply all
Reply to author
Forward
0 new messages