Usually in the "Details" section about a package there is a link. When clicked, the link opens a browser as root user which, considering the filesystem level access, presents a possible security issue. With firefox it also shows a message first time about not having used firefox in a while and asks to "refresh" it for you. eg. $ ps aux | grep firefox root 25423 65.2 4.2 2281028 344632 ? Sl 13:15 0:15 firefox http://sourceforge.net/projects/bwbasic The obvious solution is to open the browser as the regular user who called polkit, how simple that is in practise I've no idea.
Would imagine Cauldron is the same.
CC: (none) => marja11Assignee: bugsquad => mageiatools
Currently, such link seems to open firefox as I see a moving firefox icon next to mouse cursor. But, firefox never displays. Assigning to Cauldron to further investigation. Also, link should not be open in a root owned window. -- Mageia Bugsquad
Priority: Normal => HighCC: (none) => ouaurelienSeverity: normal => majorVersion: 6 => Cauldron
Hi, This is High priority bug for a good reason. Making Mageia even better than ever is best direction. In order to do right thing, this bug should be examined and fixed as soon as possible. Packagers, please make the status to Assigned when you are working on this. Feel free to reassign the bug if bad-triaged. Also, if bug is old, please close it. On October 1st 2020, we will drop priority to normal.
Hello, @Aurelien: Currently, such link seems to open firefox as I see a moving firefox icon next to mouse cursor. But, firefox never displays. => In fact, i think that your root account is using Firefox as default web browser. Consequently, the link is tried to be launched using this browser. But launching Firefox ( or Konqueror ( for the test i made)) doesn't allow running it using root account when the the XAUTHORITY file is own by a regular user (here is what i get when trying to run drakrpm from konsole and open link in drakrpm, usertest is the user session used): "Running Firefox as root in a regular user's session is not supported. ($XAUTHORITY is /tmp/xauth-1002-_0 which is owned by usertest.)" For Konqueror i get an error message indicating that running chromium as root without --no-sandbox is not allowed. Not tested other browser to know if one is allowing to run as root ;-) After some search ( but maybe i'm wrong), it seems that rpmdrake is creating a gtklinkbutton (line 265 of /usr/share/perl5/vendor_perl/Rpmdrake/gui.pm) with link that is the package description. According to gtk reference manual (https://developer.gnome.org/gtk3//3.6/GtkLinkButton.html#gtk-link-button-new), the default action of a such button is to call gtk_show_uri() function. And that function first line of description is "This is a convenience function for launching the default application to show the uri.", so Firefox in our case. According the gtk reference page above, the default behaviour can be overriden, using the activate-link signal on the created gtklinkbutton, that should allow launch custom action.As Firefox is able to determine that the XAUHTORITY file is owned by a regular user, i suppose that it can be done in rpmdrake to launch the browser with rights of the xautorithy file owner (using su ?). But i'm not a gtk or Perl develloper...
CC: (none) => joe_c_moi
CC: joe_c_moi => (none)
Hello, Tested with ( with Mageia 7, i have not installed Cauldron): Falkon, otter-browser => same error as for Konqueror ( need --no-sandbox to run as root), so nothing seems to be launched Midori => browser is launched as root and webpage is opened ! [usertest@linux ~]$ ps -ajx | grep midori 1 16729 16678 16638 pts/0 16678 Sl+ 0 0:01 midori http://play0ad.com/ netsurf => netsurf browser is launched as root with a "little" bug on my vm : the page is not launched and it open a lot of browser windows of netsurf ( around 219 in my case (before i close drakrpm) !) ps -ajx | grep netsurf 1 18212 18159 18119 pts/0 18119 SLl 0 0:00 netsurf-gtk http://play0ad.com/ 1 18218 18159 18119 pts/0 18119 SLl 0 0:00 netsurf-gtk http://play0ad.com/ 1 18225 18159 18119 pts/0 18119 SLl 0 0:00 netsurf-gtk http://play0ad.com Also I was not able to open any webpage with Netsurf ( but it is another story ;-) )...