[fixed 6.3.5] mintInstall 6.3.4: Runs browser as root


Postby eswald on Fri Jul 03, 2009 10:01 pm

While in mintInstall 6.3.4, the Visit button in each package's information panel opens the web browser (Firefox by default) with root privileges. In addition to the security risks involved, this replaces the user's bookmarks with the defaults.
eswald
Level 1
Posts: 1
Joined: Fri Jul 03, 2009 9:34 pm

Re: mintInstall 6.3.4: Runs browser as root

Postby DrHu on Fri Jul 03, 2009 10:56 pm

eswald wrote:While in mintInstall 6.3.4, the Visit button in each package's information panel opens the web browser (Firefox by default) with root privileges.

How do you know that?

Second..
Mintinstall as well as synaptic (Software manager) on the Mint menu, both run under the first user's authorization, it is not quite root, since the root account is disabled by default in the Linux mint 7 - gloria installation

Third
You don't have to visit any web page, there is usually enough information provided in the description or the short description title to decide whether or not to install that software
--if there wasn't (enough information being provided) you would be blindly installing any/all packages just to see what they were or how they worked..

And you need a certain level of access to install applications, unless you do it manually and perhaps direct an installation to a private directory, such as /home/usr/myapps
--and you could control the pseudo root access to when it was needed, if at all..

eswald wrote:In addition to the security risks involved, this replaces the user's bookmarks with the defaults

I just ran mintinstall, used the Visit button for an application, and nothing in my bookmarks was changed..
In addition to the security risks involved
I don't see the risk here!, my session would have to be intercepted by the web page I visit or otherwise..
--of course I usually have JavaScript turned off, and noscript running in firefox..
  • With JavaScript turned off, the Visit button still works in mintinstall
  • the ISP has a router firewall, which protects my connection
    --they (ISPs') do this as much for themselves as me, it also protects their network.
    One of the reasons you shouldn't buy into do you want our Internet security package deal, unless you want to help them out financially..
DrHu
Level 16
Posts: 6798
Joined: Wed Jun 17, 2009 8:20 pm

Re: mintInstall 6.3.4: Runs browser as root

Postby emorrp1 on Fri Jul 10, 2009 10:39 am

Thank you for the bug report eswald: I can confirm this bug with mintInstall 6.3.4 on a fresh install - steps to reproduce:
1) close all firefox instances
2) verify no firefox processes are running (e.g. system monitor/top)
3) "visit" an app's site from mintInstall
4) note the firefox process is running as user root

DrHu wrote:
eswald wrote:While in mintInstall 6.3.4, the Visit button in each package's information panel opens the web browser (Firefox by default) with root privileges.

How do you know that?

Go to System Monitor, enable the user field, then you'll see the firefox process running as root

DrHu wrote:Second..
Mintinstall as well as synaptic (Software manager) on the Mint menu, both run under the first user's authorization, it is not quite root, since the root account is disabled by default in the Linux mint 7 - gloria installation

While it is true that mintInstall uses gksu rather than root, the effect is the same, in that the firefox process is indeed run as root. Also the root account is not actually disabled at all in Gloria as it was in previous releases, instead it is created with the same password as the initial user on install.

DrHu wrote:Third
You don't have to visit any web page, there is usually enough information provided in the description or the short description title to decide whether or not to install that software
--if there wasn't (enough information being provided) you would be blindly installing any/all packages just to see what they were or how they worked..

And you need a certain level of access to install applications, unless you do it manually and perhaps direct an installation to a private directory, such as /home/usr/myapps
--and you could control the pseudo root access to when it was needed, if at all..

While all true, it's kind of irrelevant, since the visit functionality is there, and is not tied in to the installation process

DrHu wrote:
eswald wrote:In addition to the security risks involved, this replaces the user's bookmarks with the defaults

I just ran mintinstall, used the Visit button for an application, and nothing in my bookmarks was changed..
In addition to the security risks involved
I don't see the risk here!, my session would have to be intercepted by the web page I visit or otherwise..
--of course I usually have JavaScript turned off, and noscript running in firefox..
  • With JavaScript turned off, the Visit button still works in mintinstall
  • the ISP has a router firewall, which protects my connection
    --they (ISPs') do this as much for themselves as me, it also protects their network.
    One of the reasons you shouldn't buy into do you want our Internet security package deal, unless you want to help them out financially..

Nevertheless, there is a minor security risk, and there's no need to run the browser as root, so we may as well not.
If you have a question that has been answered and solved, then please edit your original post and put a [SOLVED] at the end of your subject header
Hint - use a google search including the search term site:forums.linuxmint.com
emorrp1
Level 8
Posts: 2322
Joined: Thu Feb 26, 2009 8:58 pm
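
The check described in the reproduction steps above (look for a firefox process owned by root), written as a script that also reports the parent process the browser inherited its identity from. This is an added example, not part of the original posts or of mintInstall; the browser name list, the function names and the sample process table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list browser processes owned by root
# and the parent process each one was started from.

# Browser command names to match; an assumed list, adjust for your system.
BROWSERS='firefox firefox-bin chromium chrome opera epiphany'

# Reads "USER PID PPID COMM" rows on stdin, as printed by
#   ps -eo user=,pid=,ppid=,comm=
# and prints "<pid> <comm> parent=<ppid>:<parent comm>" for every
# browser process whose owner is root.
find_root_browsers() {
    awk -v list="$BROWSERS" '
        BEGIN { n = split(list, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        NF >= 4 { owner[$2] = $1; parent[$2] = $3; comm[$2] = $4; order[++cnt] = $2 }
        END {
            for (i = 1; i <= cnt; i++) {
                pid = order[i]
                if (owner[pid] != "root" || !(comm[pid] in want)) continue
                pp = parent[pid]
                pname = (pp in comm) ? comm[pp] : "?"
                printf "%s %s parent=%s:%s\n", pid, comm[pid], pp, pname
            }
        }'
}

# Constructed sample process table (names and PIDs are illustrative):
# a package manager started through gksu launches a browser, next to a
# browser the desktop user started normally.
sample_scan() {
    find_root_browsers <<'EOF'
root   1    0    init
alice  2100 1    gnome-panel
root   2450 2100 gksu
root   2451 2450 mintinstall
root   2502 2451 firefox
alice  2610 2100 firefox
EOF
}

sample_scan
```

On a live system, feed it the real process table with `ps -eo user=,pid=,ppid=,comm= | find_root_browsers`; no output means no matching browser is running as root.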

Re: mintInstall 6.3.4: Runs browser as root

Postby Fred on Fri Jul 10, 2009 11:45 am

No browser should ever be allowed to run as root when it has access to the network. There are too many security issues this enables. If this isn't a major bug, it should be.

Fred
Insanity: Doing the same thing over and over and each time expecting a different result.

Democracy is 2 wolves and a lamb voting on the menu. Liberty is an armed lamb protesting the electoral outcome. A Republic negates the need for an armed protest.
Fred
Level 10
Posts: 3356
Joined: Fri Jan 04, 2008 11:59 am
Location: NC USA

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby Husse on Sat Jul 11, 2009 5:32 pm

I agree with Fred - this is because mintInstall now opens as root which you will notice as it demands your password to open
A child process (as Firefox here) runs as the user that starts it as far as I know
Think Clem needs to take a look at this asap
Don't fix it if it ain't broken, don't break it if you can't fix it
Husse
Level 21
Posts: 19703
Joined: Sun Feb 11, 2007 7:22 am
Location: Near Borås Sweden

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby midas on Sun Jul 12, 2009 6:14 am

Yeah, I think it is really a major security issue. For the time being it is better to download from the official repo (synaptic) only. I hope it will be solved as soon as possible...
Linux Mint 16 Cinnamon (64 bits)
midas
Level 4
Posts: 274
Joined: Sun Nov 25, 2007 3:47 am
Location: The Netherlands

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby Husse on Sun Jul 12, 2009 7:52 am

No no - mintInstall is not compromised - it's as safe as ever - it's only any Firefox that you open using the links in it that is compromised
Don't fix it if it ain't broken, don't break it if you can't fix it
Husse
Level 21
Posts: 19703
Joined: Sun Feb 11, 2007 7:22 am
Location: Near Borås Sweden

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby midas on Sun Jul 12, 2009 11:48 am

OK Husse...I do understand now. But that possibly means not using the software portal at www.linuxmint.com? Because for that Firefox is kept open during the install-procedure. Could you please clarify that a bit? Thanks!
Linux Mint 16 Cinnamon (64 bits)
midas
Level 4
Posts: 274
Joined: Sun Nov 25, 2007 3:47 am
Location: The Netherlands

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby clem on Sun Jul 12, 2009 11:54 am

Hi,

Thanks for reporting this bug. I'll release a fix for it asap.

Clem.
clem
Level 15
Posts: 5548
Joined: Wed Nov 15, 2006 8:34 am

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby emorrp1 on Sun Jul 12, 2009 12:23 pm

midas: the problem only arises if you click the "visit" link within mintInstall, all other ways of using it are as perfectly safe as they're meant to be.
If you have a question that has been answered and solved, then please edit your original post and put a [SOLVED] at the end of your subject header
Hint - use a google search including the search term site:forums.linuxmint.com
emorrp1
Level 8
Posts: 2322
Joined: Thu Feb 26, 2009 8:58 pm

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby clem on Sun Jul 12, 2009 1:12 pm

Well, there's also the link button in "More Info", and then a series of buttons in the Search dialog...

Anyway, I fixed all that and released mintInstall 6.3.5. Please upgrade and report any other problems.

Philip, can you test with the new version and mark this bug as fixed?

Thanks,
Clem.
clem
Level 15
Posts: 5548
Joined: Wed Nov 15, 2006 8:34 am

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Postby emorrp1 on Sun Jul 12, 2009 1:26 pm

Ahh, slight issue there clem, I have the community repo enabled, which means I'm already at v6.3.5 when merlwiz79 went through and enabled the text beside icons option in the toolbars. The update therefore won't show up in mintUpdate, nor can I force version in synaptic.
If you have a question that has been answered and solved, then please edit your original post and put a [SOLVED] at the end of your subject header
Hint - use a google search including the search term site:forums.linuxmint.com
emorrp1
Level 8
Posts: 2322
Joined: Thu Feb 26, 2009 8:58 pm

Re: [solved] mintInstall 6.3.4: Runs browser as root

Postby Husse on Sun Jul 12, 2009 3:26 pm

At least the visit button did not make FF run as root
Don't fix it if it ain't broken, don't break it if you can't fix it
Husse
Level 21
Posts: 19703
Joined: Sun Feb 11, 2007 7:22 am
Location: Near Borås Sweden

Re: [solved] mintInstall 6.3.4: Runs browser as root

Postby Fred on Sun Jul 12, 2009 3:33 pm

Husse,

I agree. That is a very important point.

+1 :-)

Fred
Insanity: Doing the same thing over and over and each time expecting a different result.

Democracy is 2 wolves and a lamb voting on the menu. Liberty is an armed lamb protesting the electoral outcome. A Republic negates the need for an armed protest.
Fred
Level 10
Posts: 3356
Joined: Fri Jan 04, 2008 11:59 am
Location: NC USA

Re: [fixed 6.3.5] mintInstall 6.3.4: Runs browser as root

Postby emorrp1 on Sun Jul 12, 2009 4:18 pm

confirmed fix in virtualbox for the "visit" button, and clicking on the url in "more info", couldn't find any other ways to launch firefox from mintInstall
If you have a question that has been answered and solved, then please edit your original post and put a [SOLVED] at the end of your subject header
Hint - use a google search including the search term site:forums.linuxmint.com
emorrp1
Level 8
Posts: 2322
Joined: Thu Feb 26, 2009 8:58 pm

Re: [fixed 6.3.5] mintInstall 6.3.4: Runs browser as root

Postby midas on Mon Jul 13, 2009 1:17 am

Thanks everyone for the very fast action and testing!

Midas
Linux Mint 16 Cinnamon (64 bits)
midas
Level 4
Posts: 274
Joined: Sun Nov 25, 2007 3:47 am
Location: The Netherlands
