Bug 8526

Summary: Drakconf opens browser as superuser
Product: Mageia
Reporter: Konrad Bernlöhr <Konrad.Bernloehr>
Component: RPM Packages
Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: normal
Priority: Normal
CC: mageia, mageia, marja11, thierry.vignaud
Version: Cauldron
Target Milestone: ---
Hardware: x86_64
OS: Linux
Whiteboard: MGA4TOO
Source RPM: drakconf-12.33-1.mga3.src.rpm
CVE:
Status comment:
Bug Depends on: 11125
Bug Blocks:

Description Konrad Bernlöhr 2012-12-27 19:11:14 CET
When Help topics are selected in the Mageia Control Center, a web browser (typically firefox) is started as superuser. While we all may trust the Mageia web pages, the fact that firefox runs as root is not obvious and most likely soon forgotten. This puts the system under unnecessary security risks. The browser should instead be opened for the user who logged in.
Comment 1 Manuel Hiebel 2012-12-28 17:59:16 CET
Same with project URL of any package in rpmdrake?
Comment 2 Marja Van Waes 2015-04-16 22:31:30 CEST
Sorry, but this bug saw no action since over 2 yrs ago - no cauldron package has stayed the same - and is still assigned to Bug Squad.

Closing as OLD

Please reopen if this report is still valid for _current_ cauldron and/or fully
updated Mageia 4

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 3 Konrad Bernlöhr 2015-04-16 22:53:05 CEST
Nobody may have worked on it but it did not disappear by itself.

Just run rpmdrake, select a package, select 'Details:' and click on
the given URL. For me firefox opens and 'ps aux | grep firefox' says:

root      3571 35.4  3.6 1643792 296980 pts/27 Sl+  22:36   0:07 firefox http://p11-glue.freedesktop.org/p11-kit.html

That actually is the 'feature' pointed out by Manuel Hiebel.

Concerning the problem originally reported (and I am convinced both
are due to the same security problem): 
Run 'drakconf', Select 'Help' -> 'Release notes' and firefox opens up
(after having been closed before that) and 'ps' says:

root      4448 24.6  3.3 1357424 266704 pts/27 Sl+  22:46   0:03 /usr/bin/firefox http://wiki.mageia.org/en/Mageia_4_Release_Notes

Works the same way with any other help item in drakconf, either at
top-level or inside its sub-pages.

Status: RESOLVED => REOPENED
Resolution: OLD => (none)
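
The manual `ps aux | grep firefox` check from comment 3, written as a reusable filter that reports any web browser owned by root. This is an added example, not part of the original thread or of any Mageia tool; the browser name list and the function names are assumptions, and the sample input reuses the two `ps` lines quoted above plus two constructed lines.

```shell
# Assumed list of browser executable names; extend for the local system.
BROWSERS='firefox|chromium|chromium-browser|chrome|konqueror|epiphany|midori'

# Reads `ps aux`-style lines on stdin and prints "PID COMMAND..." for every
# process that is owned by root and whose executable is a known browser.
find_root_browsers() {
    awk -v pat="^(${BROWSERS})\$" '
        $1 == "root" {
            # Field 11 is the executable; drop any directory prefix so that
            # "firefox" and "/usr/bin/firefox" are treated the same.
            n = split($11, parts, "/")
            if (parts[n] ~ pat) {
                cmd = $11
                for (i = 12; i <= NF; i++) cmd = cmd " " $i
                print $2, cmd
            }
        }'
}

# Sample input: the two root-owned lines from comment 3, followed by two
# constructed lines (a user-owned browser and the grep process itself).
sample_ps() {
cat <<'EOF'
root      3571 35.4  3.6 1643792 296980 pts/27 Sl+  22:36   0:07 firefox http://p11-glue.freedesktop.org/p11-kit.html
root      4448 24.6  3.3 1357424 266704 pts/27 Sl+  22:46   0:03 /usr/bin/firefox http://wiki.mageia.org/en/Mageia_4_Release_Notes
user1     5120  2.1  3.0 1300000 250000 pts/3  Sl+  22:50   0:02 /usr/bin/firefox
root      5200  0.0  0.1   12000   2000 pts/27 S+   22:51   0:00 grep firefox
EOF
}

# On a live system: ps aux | find_root_browsers
sample_ps | find_root_browsers
```

Matching on the executable name rather than grepping the whole line keeps the `grep firefox` process and user-owned browsers out of the result.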

Sander Lepik 2015-04-18 09:24:31 CEST

CC: (none) => mageia, mageia, thierry.vignaud

Comment 4 Marja Van Waes 2015-04-18 16:32:53 CEST
Thanks Konrad.

I can confirm, for both MCC -> Help -> Release notes
and for
MCC -> <a package> -> Details -> URL

Firefox is indeed started as root again.

This was fixed before (see https://bugs.mageia.org/show_bug.cgi?id=287 )
Don't know what caused the regression.

CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud

Marja Van Waes 2015-04-18 16:33:14 CEST

Whiteboard: (none) => MGA4TOO

Comment 5 Thierry Vignaud 2016-06-03 16:18:03 CEST
I just guessed it's because of the switch to polkit.
I tag this one as a duplicate of the BR where this was identified

*** This bug has been marked as a duplicate of bug 18288 ***

Status: REOPENED => RESOLVED
Depends on: (none) => 11125
Resolution: (none) => DUPLICATE