Bug 8526 - Drakconf opens browser as superuser
Summary: Drakconf opens browser as superuser
Status: RESOLVED DUPLICATE of bug 18288
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: x86_64 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact:
URL:
Whiteboard: MGA4TOO
Keywords:
Depends on: 11125
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-27 19:11 CET by Konrad Bernlöhr
Modified: 2016-06-03 16:18 CEST (History)
4 users (show)

See Also:
Source RPM: drakconf-12.33-1.mga3.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Konrad Bernlöhr 2012-12-27 19:11:14 CET 
When Help topics are selected in the Mageia Control Center, a web browser (typically firefox) is started as superuser. While we all may trust the Mageia web pages, the fact that firefox runs as root is not obvious and most likely soon forgotten. This puts the system under unnecessary security risks. The browser should instead be opened for the user who logged in.
Comment 1 Manuel Hiebel 2012-12-28 17:59:16 CET 
same with project url of any package in rpmdrake ?
Comment 2 Marja Van Waes 2015-04-16 22:31:30 CEST 
Sorry, but this bug saw no action since over 2 yrs ago - no cauldron package has stayed the same - and is still assigned to Bug Squad.

Closing as OLD

Please reopen if this report is still valid for _current_ cauldron and/or fully
updated Mageia 4

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 3 Konrad Bernlöhr 2015-04-16 22:53:05 CEST 
Noboby may have worked on it but it did not disappear by itself.

Just run rpmdrake, select a package, select 'Details:' and click on
the given URL. For me firefox opens and 'ps aux | grep firefox' says:

root      3571 35.4  3.6 1643792 296980 pts/27 Sl+  22:36   0:07 firefox http://p11-glue.freedesktop.org/p11-kit.html

That actually is the 'feature' pointed out by Manuel Hiebel.

Concerning the problem originally reported (and I am convinced both
are due to the same security problem): 
Run 'drakconf', Select 'Help' -> 'Release notes' and firefox opens up
(after having been closed before that) and 'ps' says:

root      4448 24.6  3.3 1357424 266704 pts/27 Sl+  22:46   0:03 /usr/bin/firefox http://wiki.mageia.org/en/Mageia_4_Release_Notes

Works the same way with any other help item in drakconf, either at
top-level or inside its sub-pages.

Status: RESOLVED => REOPENED
Resolution: OLD => (none)

Sander Lepik 2015-04-18 09:24:31 CEST

CC: (none) => mageia, mageia, thierry.vignaud

Comment 4 Marja Van Waes 2015-04-18 16:32:53 CEST 
Thanks Konrad.

I can confirm, for both MCC -> Help -> Release notes
and for
MCC -> <a package> -> Details -> URL

Firefox is indeed started as root again.

This was fixed before (see https://bugs.mageia.org/show_bug.cgi?id=287 )
Don't know what caused the regression.

CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud

Marja Van Waes 2015-04-18 16:33:14 CEST

Whiteboard: (none) => MGA4TOO

Comment 5 Thierry Vignaud 2016-06-03 16:18:03 CEST 
I just guessed it's because of the switch to polkit.
I tag this one as a duplicate of the BR where this was identified

*** This bug has been marked as a duplicate of bug 18288 ***

Status: REOPENED => RESOLVED
Depends on: (none) => 11125
Resolution: (none) => DUPLICATE
Note You need to log in before you can comment on or make changes to this bug.