
Re: mintInstall 6.3.4: Runs browser as root

Posted: Fri Jul 03, 2009 10:56 pm
by DrHu
eswald wrote: While in mintInstall 6.3.4, the Visit button in each package's information panel opens the web browser (Firefox by default) with root privileges.
How do you know that?

Second..
Mintinstall, as well as synaptic (Software manager) on the Mint menu, both run under the first user's authorization; it is not quite root, since the root account is disabled by default in the Linux Mint 7 Gloria installation.

Third
You don't have to visit any web page; there is usually enough information provided in the description or the short description title to decide whether or not to install that software
--if there wasn't (enough information being provided) you would be blindly installing any/all packages just to see what they were or how they worked..

And you need a certain level of access to install applications, unless you do it manually and perhaps direct an installation to a private directory, such as /home/usr/myapps
--and you could control the pseudo root access to when it was needed, if at all..
eswald wrote: In addition to the security risks involved, this replaces the user's bookmarks with the defaults
I just ran mintinstall, used the Visit button for an application, and nothing in my bookmarks was changed..
In addition to the security risks involved
I don't see the risk here! My session would have to be intercepted by the web page I visit or otherwise..
--of course I usually have JavaScript turned off, and noscript running in firefox..
  • With JavaScript turned off, the Visit button still works in mintinstall
  • the ISP has a router firewall, which protects my connection
    --they (ISPs) do this as much for themselves as me; it also protects their network.
    One of the reasons you shouldn't buy into the "do you want our Internet security package" deal, unless you want to help them out financially..

Re: mintInstall 6.3.4: Runs browser as root

Posted: Fri Jul 10, 2009 10:39 am
by emorrp1
Thank you for the bug report eswald: I can confirm this bug with mintInstall 6.3.4 on a fresh install - steps to reproduce:
1) close all firefox instances
2) verify no firefox processes are running (e.g. system monitor/top)
3) "visit" an app's site from mintInstall
4) note the firefox process is running as user root
DrHu wrote:
eswald wrote: While in mintInstall 6.3.4, the Visit button in each package's information panel opens the web browser (Firefox by default) with root privileges.
How do you know that?
Go to System Monitor, enable the user field, then you'll see the firefox process running as root
DrHu wrote: Second..
Mintinstall, as well as synaptic (Software manager) on the Mint menu, both run under the first user's authorization; it is not quite root, since the root account is disabled by default in the Linux Mint 7 Gloria installation.
While it is true that mintInstall uses gksu rather than root, the effect is the same, in that the firefox process is indeed run as root. Also the root account is not actually disabled at all in Gloria as it was in previous releases, instead it is created with the same password as the initial user on install.
DrHu wrote: Third
You don't have to visit any web page; there is usually enough information provided in the description or the short description title to decide whether or not to install that software
--if there wasn't (enough information being provided) you would be blindly installing any/all packages just to see what they were or how they worked..

And you need a certain level of access to install applications, unless you do it manually and perhaps direct an installation to a private directory, such as /home/usr/myapps
--and you could control the pseudo root access to when it was needed, if at all..
While all true, it's kind of irrelevant, since the visit functionality is there, and is not tied in to the installation process
DrHu wrote:
eswald wrote: In addition to the security risks involved, this replaces the user's bookmarks with the defaults
I just ran mintinstall, used the Visit button for an application, and nothing in my bookmarks was changed..
In addition to the security risks involved
I don't see the risk here! My session would have to be intercepted by the web page I visit or otherwise..
--of course I usually have JavaScript turned off, and noscript running in firefox..
  • With JavaScript turned off, the Visit button still works in mintinstall
  • the ISP has a router firewall, which protects my connection
    --they (ISPs) do this as much for themselves as me; it also protects their network.
    One of the reasons you shouldn't buy into the "do you want our Internet security package" deal, unless you want to help them out financially..
Nevertheless, there is a minor security risk, and there's no need to run the browser as root, so we may as well not.
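Steps 2 and 4 of the reproduction recipe above come down to one check: is there a browser process whose effective uid is 0? The script below is an added example (not part of this thread or of mintInstall) that performs that check by parsing `/proc/<pid>/status`, the same data System Monitor's user column is built from. The browser name list and the constructed sample statuses are assumptions; the sample models a firefox spawned by a root mintinstall next to an ordinary user-owned firefox.

```python
"""Added example (not mintInstall's own code): scan /proc for browser
processes whose effective uid is 0, i.e. the check behind steps 2 and 4."""
import os
from typing import Dict, Iterable, Iterator, List, Tuple

# Process names to flag. Firefox 3.x shows up as "firefox" (wrapper script)
# or "firefox-bin"; the rest of the list is an assumption, extend as needed.
BROWSER_NAMES = {"firefox", "firefox-bin", "chromium-browser", "epiphany", "opera"}


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def effective_uid(status: Dict[str, str]) -> int:
    """The Uid line lists real, effective, saved and filesystem uids; the
    effective uid (second column) is the one that decides what the process may do."""
    return int(status["Uid"].split()[1])


def root_browsers(statuses: Iterable[Tuple[int, str]]) -> List[Tuple[int, str, int]]:
    """Return (pid, name, ppid) for every browser process running with euid 0."""
    findings: List[Tuple[int, str, int]] = []
    for pid, text in statuses:
        status = parse_status(text)
        name = status.get("Name", "")
        if name in BROWSER_NAMES and effective_uid(status) == 0:
            findings.append((pid, name, int(status.get("PPid", "0"))))
    return findings


def iter_proc_statuses() -> Iterator[Tuple[int, str]]:
    """Yield (pid, status text) for every process visible in /proc (Linux only)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status", encoding="utf-8", errors="replace") as fh:
                yield int(entry), fh.read()
        except OSError:
            continue  # process exited or status not readable; skip it


# Constructed sample: a firefox (pid 4321) started by a root mintinstall
# (pid 4300), plus an ordinary firefox owned by uid 1000.
SAMPLE_STATUSES = [
    (4300, "Name:\tmintinstall\nPid:\t4300\nPPid:\t4100\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"),
    (4321, "Name:\tfirefox\nPid:\t4321\nPPid:\t4300\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"),
    (4400, "Name:\tfirefox\nPid:\t4400\nPPid:\t3000\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"),
]

if __name__ == "__main__":
    # Use the live /proc when it exists, otherwise fall back to the sample.
    source = iter_proc_statuses() if os.path.isdir("/proc") else SAMPLE_STATUSES
    hits = root_browsers(source)
    for pid, name, ppid in hits:
        print(f"{name} (pid {pid}, parent pid {ppid}) is running as root")
    if not hits:
        print("no browser process is running as root")
```

The parent pid in each finding is what ties the symptom back to its cause: in the constructed sample the root firefox's parent is the root mintinstall, which is exactly the inheritance this thread is about.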

Re: mintInstall 6.3.4: Runs browser as root

Posted: Fri Jul 10, 2009 11:45 am
by Fred
No browser should ever be allowed to run as root when it has access to the network. There are too many security issues this enables. If this isn't a major bug, it should be.

Fred

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sat Jul 11, 2009 5:32 pm
by Husse
I agree with Fred - this is because mintInstall now opens as root which you will notice as it demands your password to open
A child process (as Firefox here) runs as the user that starts it as far as I know
Think Clem needs to take a look at this asap
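Husse's point is the whole mechanism: a child keeps the uid of whoever forks it, so a launcher that gksu started as root has to demote the child itself before exec. The listing below is an added example of how a privileged Python launcher can do that; it is not mintInstall's code and not Clem's fix. It assumes the invoking user can be recovered from `SUDO_UID`/`SUDO_GID` (set by sudo and by gksu in sudo mode) or `PKEXEC_UID`, and that `xdg-open` is the browser entry point; both are assumptions. Giving the child the user's `HOME` also means it opens the user's own Firefox profile instead of root's, which would explain the "default bookmarks" observation earlier in the thread.

```python
"""Added example (not mintInstall's own fix): open a package's web page from
a process running as root, with the browser child demoted to the invoking user."""
import os
import pwd
import subprocess
from typing import Mapping, Optional, Tuple
from urllib.parse import urlparse


def invoking_uid(env: Mapping[str, str]) -> Optional[int]:
    """Recover the unprivileged user behind the privileged session.
    sudo and gksu (sudo mode) export SUDO_UID; pkexec exports PKEXEC_UID.
    Assumption: one of these is present. Root or garbage counts as unknown."""
    for var in ("SUDO_UID", "PKEXEC_UID"):
        value = env.get(var, "")
        if value.isdigit() and int(value) != 0:
            return int(value)
    return None


def target_ids(env: Mapping[str, str]) -> Optional[Tuple[int, int]]:
    """(uid, gid) to drop to, or None when we cannot tell who invoked us."""
    uid = invoking_uid(env)
    if uid is None:
        return None
    gid_text = env.get("SUDO_GID", "")
    if gid_text.isdigit():
        return uid, int(gid_text)
    try:
        return uid, pwd.getpwuid(uid).pw_gid
    except KeyError:
        return None  # uid unknown on this system; refuse rather than guess


def is_web_url(url: str) -> bool:
    """Package metadata is untrusted input: only hand http(s) URLs to the browser."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def open_url_unprivileged(url: str, env: Mapping[str, str] = os.environ) -> subprocess.Popen:
    """Launch the browser for `url`, never as root.

    Not root: launch as we are. Root with a known invoker: fork, drop to
    that user in the child, then exec. Root with no known invoker: refuse."""
    if not is_web_url(url):
        raise ValueError(f"refusing to open non-web URL: {url!r}")
    if os.geteuid() != 0:
        return subprocess.Popen(["xdg-open", url])
    ids = target_ids(env)
    if ids is None:
        raise RuntimeError("running as root and cannot identify the invoking user; "
                           "not starting a browser as root")
    uid, gid = ids
    account = pwd.getpwuid(uid)

    def demote() -> None:
        # Runs in the child between fork() and exec(). Order matters: drop the
        # supplementary groups and gid while still root, and the uid last.
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)

    # Build a minimal environment for the child instead of passing root's
    # through: the user's own HOME selects the user's browser profile.
    child_env = {
        "HOME": account.pw_dir,
        "USER": account.pw_name,
        "LOGNAME": account.pw_name,
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        "DISPLAY": env.get("DISPLAY", ""),
        "XAUTHORITY": env.get("XAUTHORITY", os.path.join(account.pw_dir, ".Xauthority")),
    }
    return subprocess.Popen(["xdg-open", url], preexec_fn=demote, env=child_env)
```

`target_ids` and `is_web_url` are pure functions so the decision logic can be exercised without root; the actual `setuid` path only runs when the launcher really is root, and it deliberately fails closed when it cannot work out whose desktop it is on.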

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 6:14 am
by midas
Yeah, I think it is really a major security issue. For the time being it is better to download from the official repo (synaptic) only. I hope it will be solved as soon as possible...

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 7:52 am
by Husse
No no - mintInstall is not compromised - it's as safe as ever - it's only any Firefox that you open using the links in it that is compromised

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 11:48 am
by midas
OK Husse... I do understand now. But that possibly means not using the software portal at www.linuxmint.com? Because for that Firefox is kept open during the install procedure. Could you please clarify that a bit? Thanks!

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 11:54 am
by clem
Hi,

Thanks for reporting this bug. I'll release a fix for it asap.

Clem.

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 12:23 pm
by emorrp1
midas: the problem only arises if you click the "visit" link within mintInstall, all other ways of using it are as perfectly safe as they're meant to be.

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 1:12 pm
by clem
Well, there's also the link button in "More Info", and then a series of buttons in the Search dialog...

Anyway, I fixed all that and released mintInstall 6.3.5. Please upgrade and report any other problems.

Philip, can you test with the new version and mark this bug as fixed?

Thanks,
Clem.

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 1:26 pm
by emorrp1
Ahh, slight issue there clem, I have the community repo enabled, which means I'm already at v6.3.5 from when merlwiz79 went through and enabled the text beside icons option in the toolbars. The update therefore won't show up in mintUpdate, nor can I force the version in synaptic.

Re: [solved] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 3:26 pm
by Husse
At least the visit button did not make FF run as root

Re: [solved] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 3:33 pm
by Fred
Husse,

I agree. That is a very important point.

+1 :-)

Fred

Re: [fixed 6.3.5] mintInstall 6.3.4: Runs browser as root

Posted: Sun Jul 12, 2009 4:18 pm
by emorrp1
Confirmed fix in VirtualBox for the "visit" button and clicking on the URL in "more info"; couldn't find any other ways to launch Firefox from mintInstall.

Re: [fixed 6.3.5] mintInstall 6.3.4: Runs browser as root

Posted: Mon Jul 13, 2009 1:17 am
by midas
Thanks everyone for the very fast action and testing!

Midas