Bug 21926 - Clicking a link in drakrpm or MageiaUpdate opens a browser as root - security implications
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: High major
Target Milestone: ---
Assignee: Mageia tools maintainers
 
Reported: 2017-10-24 14:28 CEST by claire robinson
Modified: 2020-09-19 18:09 CEST
Source RPM: rpmdrake

Description claire robinson 2017-10-24 14:28:04 CEST
Usually in the "Details" section about a package there is a link. When clicked, the link opens a browser as root user which, considering the filesystem level access, presents a possible security issue.

With firefox it also shows a message the first time about not having used firefox in a while and asks to "refresh" it for you.

e.g.
$ ps aux | grep firefox
root     25423 65.2  4.2 2281028 344632 ?      Sl   13:15   0:15 firefox http://sourceforge.net/projects/bwbasic


The obvious solution is to open the browser as the regular user who called polkit; how simple that is in practice I've no idea.
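
One way to do what the description suggests, as an added example that is not rpmdrake's code and not part of the original report: start the link opener with the uid, gid and groups of the user who invoked the tool, and with that user's environment instead of root's. It assumes the tool was started through pkexec (which sets PKEXEC_UID), Python 3.9+, and `xdg-open` as the opener; the function names are hypothetical.

```python
import os
import pwd
import subprocess

# Session variables the browser needs to reach the user's display; everything
# else from root's environment (HOME, LD_*, ...) is dropped.
PASS_THROUGH = ("DISPLAY", "WAYLAND_DISPLAY", "XAUTHORITY",
                "DBUS_SESSION_BUS_ADDRESS", "LANG")


def invoking_uid(environ):
    """Return the uid of the pkexec caller; refuse a missing, malformed or root value."""
    raw = environ.get("PKEXEC_UID", "")
    if not (raw.isascii() and raw.isdigit()):
        raise PermissionError("PKEXEC_UID missing or malformed; not launching a browser")
    uid = int(raw)
    if uid == 0:
        raise PermissionError("invoking user is root; not launching a browser")
    return uid


def user_environment(pw, environ):
    """Build a minimal environment that belongs to the target user, not to root."""
    env = {"HOME": pw.pw_dir, "USER": pw.pw_name, "LOGNAME": pw.pw_name,
           "PATH": "/usr/local/bin:/usr/bin:/bin",
           # Assumption: systemd-style per-user runtime directory.
           "XDG_RUNTIME_DIR": f"/run/user/{pw.pw_uid}"}
    env.update({k: environ[k] for k in PASS_THROUGH if k in environ})
    return env


def open_link_as_invoking_user(url, environ=os.environ, opener="xdg-open"):
    """Start the opener with the uid, gid and supplementary groups of the pkexec caller."""
    uid = invoking_uid(environ)
    pw = pwd.getpwuid(uid)
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)
    return subprocess.Popen(
        [opener, url],
        user=uid, group=pw.pw_gid, extra_groups=groups,  # privilege drop before exec
        env=user_environment(pw, environ), cwd=pw.pw_dir,
        stdin=subprocess.DEVNULL, start_new_session=True)
```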
Comment 1 claire robinson 2017-10-24 14:28:36 CEST
Would imagine Cauldron is the same.
Marja Van Waes 2017-10-25 09:51:02 CEST

CC: (none) => marja11
Assignee: bugsquad => mageiatools

Comment 2 Aurelien Oudelet 2020-08-05 16:33:15 CEST
Currently, such a link seems to open firefox, as I see a moving firefox icon next to the mouse cursor. But firefox never displays.

Assigning to Cauldron for further investigation.

Also, the link should not be opened in a root-owned window.
--
Mageia Bugsquad

CC: (none) => ouaurelien
Priority: Normal => High
Severity: normal => major
Version: 6 => Cauldron

Comment 3 Aurelien Oudelet 2020-09-19 18:09:01 CEST
Hi,
This is a High priority bug for a good reason.

Making Mageia even better than ever is the best direction.
In order to do the right thing, this bug should be examined and fixed as soon as possible.

Packagers, please set the status to Assigned when you are working on this.
Feel free to reassign the bug if it was badly triaged. Also, if the bug is old, please close it.

On October 1st 2020, we will drop priority to normal.
