riot-web installs a setuid root binary

[foresto]

Description

On linux, the riot-web package installs /opt/Riot/chrome-sandbox as suid root, granting it superuser privileges to my entire system. This is a security risk.

I realize that this is probably baggage from Electron, but I do not particularly trust Electron or Chromium with system level privileges, and frankly, nobody should be expected to do so just for a chat application. Especially one so focused on privacy and security.

Version information

• Platform: desktop
• OS: Xubuntu Linux
• Version: 1.5.7

[jryans]

Yes, you guessed correctly, it's required by the Chromium sandboxing approach that Electron inherits. element-hq/element-web#10509 (comment) provides a summary of the available options, both of which aren't very palatable.

I don't think Riot itself has much choice here unless Chromium makes a change or the desktop app is entirely rebuilt with [insert other tech stack here].