Skip to content

Linux Security Basics

If you choose to use Linux on your ChromeOS Device, you should understand some of the basics of managing a basic Linux system. ChromeOS does have several security measures built into the Linux environment to prevent it from being used as an attack vector.

In the ChromeOS security model, your Linux environment is considered untrusted at all times and measures are put in place to ensure that the Linux installation cannot access files on your device without the user explicitly granting access to the files. Linux's applications cannot access the contents of your screen or interact with other hardware unless access is granted by the user.

This section will provide a basic overview of security on Linux. However, you should refer to the dedicated chapter involving Linux for additional details.

Super User (sudo) Security

The Linux Environment on ChromeOS allows users to perform commands as the superuser or root user via the "sudo" command. When you set up your Linux environment, the user account that is created is added to the sudo group, which allows you to elevate commands. Any commands done with the sudo command apply globally to your entire Linux container, however, these changes cannot escape the Linux container and make changes to ChromeOS.

You should always be careful when running commands with sudo privileges, as you can cause your Linux container to be rendered unstable with certain commands. Be especially careful when following tutorials online that require running commands as root, to ensure you understand what the commands are doing and what changes are being made to your device.

You can read more about the sudo on the ChromeOS Guide Command Line Refrence.

Installing 3rd Party Packages

You should always be weary when installing third-party packages such as those distributed in binary form, via a tarball or via a Debian package to ensure that you understand what the package is installing and what the package is capable of doing. When possible, you should only install applications from the Debian repository (via apt-get install package-name) instead of standalone binaries downloaded from the internet, as these packages can be updated with a single command. If you install a package downloaded from the internet, you are responsible for downloading and installing updates.

Updating Packages

You should ensure that you periodically update all installed packages to ensure that you have installed the latest security patches. Please see the section in this book "Updating Your Linux Container and Packages" which is found in the chapter named "Linux Application Support" for instructions.

Running Scripts On The Internet

There are plenty of websites that contain useful scripts and command line applications that you can run to accomplish tasks. Most of these commands are innocent and will work as expected. However, there are a few websites that contain malicious scripts for a user to run. It is important to look at the contents of any script that you run to ensure there are no dangerous commands.