[fixed 6.3.5] mintInstall 6.3.4: Runs browser as root

DrHu

Re: mintInstall 6.3.4: Runs browser as root

Post by DrHu »

eswald wrote:While in mintInstall 6.3.4, the Visit button in each package's information panel opens the web browser (Firefox by default) with root privileges.
How do you know that?

Second..
Mintinstall as well as synaptic (Software manager) on the Mint menu both run under the first user's authorization; it is not quite root, since the root account is disabled by default in the Linux Mint 7 - Gloria installation

Third
You don't have to visit any web page, there is usually enough information provided in the description or the short description title to decide whether or not to install that software
--if there wasn't (enough information being provided) you would be blindly installing any/all packages just to see what they were or how they worked..

And you need a certain level of access to install applications, unless you do it manually and perhaps direct an installation to a private directory, such as /home/usr/myapps
--and you could control the pseudo root access to when it was needed, if at all..
eswald wrote:In addition to the security risks involved, this replaces the user's bookmarks with the defaults
I just ran mintinstall, used the Visit button for an application, and nothing in my bookmarks was changed..
In addition to the security risks involved
I don't see the risk here!, my session would have to be intercepted by the web page I visit or otherwise..
--of course I usually have JavaScript turned off, and noscript running in firefox..
  • With JavaScript turned off, the Visit button still works in mintinstall
  • the ISP has a router firewall, which protects my connection
    --they (ISPs') do this as much for themselves as me, it also protects their network.
    One of the reasons you shouldn't buy into do you want our Internet security package deal, unless you want to help them out financially..
emorrp1

Re: mintInstall 6.3.4: Runs browser as root

Post by emorrp1 »

Thank you for the bug report eswald: I can confirm this bug with mintInstall 6.3.4 on a fresh install - steps to reproduce:
1) close all firefox instances
2) verify no firefox processes are running (e.g. system monitor/top)
3) "visit" an app's site from mintInstall
4) note the firefox process is running as user root
DrHu wrote:
eswald wrote:While in mintInstall 6.3.4, the Visit button in each package's information panel opens the web browser (Firefox by default) with root privileges.
How do you know that?
Go to System Monitor, enable the user field, then you'll see the firefox process running as root
DrHu wrote:Second..
Mintinstall as well as synaptic (Software manager) on the Mint menu both run under the first user's authorization; it is not quite root, since the root account is disabled by default in the Linux Mint 7 - Gloria installation
While it is true that mintInstall uses gksu rather than root, the effect is the same, in that the firefox process is indeed run as root. Also the root account is not actually disabled at all in Gloria as it was in previous releases, instead it is created with the same password as the initial user on install.
DrHu wrote:Third
You don't have to visit any web page, there is usually enough information provided in the description or the short description title to decide whether or not to install that software
--if there wasn't (enough information being provided) you would be blindly installing any/all packages just to see what they were or how they worked..

And you need a certain level of access to install applications, unless you do it manually and perhaps direct an installation to a private directory, such as /home/usr/myapps
--and you could control the pseudo root access to when it was needed, if at all..
While all true, it's kind of irrelevant, since the visit functionality is there, and is not tied in to the installation process
DrHu wrote:
eswald wrote:In addition to the security risks involved, this replaces the user's bookmarks with the defaults
I just ran mintinstall, used the Visit button for an application, and nothing in my bookmarks was changed..
In addition to the security risks involved
I don't see the risk here!, my session would have to be intercepted by the web page I visit or otherwise..
--of course I usually have JavaScript turned off, and noscript running in firefox..
  • With JavaScript turned off, the Visit button still works in mintinstall
  • the ISP has a router firewall, which protects my connection
    --they (ISPs') do this as much for themselves as me, it also protects their network.
    One of the reasons you shouldn't buy into do you want our Internet security package deal, unless you want to help them out financially..
Nevertheless, there is a minor security risk, and there's no need to run the browser as root, so we may as well not.
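The check in steps 2 and 4 of the post above can be scripted instead of read off System Monitor. This is an added example, not part of the original post or of mintInstall; the browser name list, the function names and the sample process listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag browser processes that are owned by root.
# Input format: one "USER PID COMMAND" line per process, as printed by
#   ps -eo user=,pid=,comm=

# Browser process names to look for (assumed list; adjust for your system).
BROWSERS="firefox firefox-bin firefox-esr chromium chrome epiphany"

# find_root_browsers: read ps-style lines on stdin and print "PID COMMAND"
# for every listed browser whose owner is root.
find_root_browsers() {
    awk -v names="$BROWSERS" '
        BEGIN {
            n = split(names, list, " ")
            for (i = 1; i <= n; i++) want[list[i]] = 1
        }
        $1 == "root" && ($3 in want) { print $2, $3 }
    '
}

# Constructed sample: a root-owned software manager that has spawned a
# browser, next to the same browser started normally by a desktop user.
sample_ps() {
    cat <<'EOF'
root 1 init
root 2114 gksu
root 2120 mintinstall
root 2188 firefox
alice 1950 gnome-panel
alice 2301 firefox
EOF
}

# check_live: run the same filter against the real process table.
# Returns 1 and reports on stderr if a root-owned browser is found.
check_live() {
    hits=$(ps -eo user=,pid=,comm= | find_root_browsers)
    [ -z "$hits" ] && return 0
    printf 'browser running as root:\n%s\n' "$hits" >&2
    return 1
}

# Demonstration on the constructed sample.
sample_ps | find_root_browsers
```

Calling `check_live` after clicking a link in the application under test gives a pass/fail result that can be repeated after an upgrade.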
Fred

Re: mintInstall 6.3.4: Runs browser as root

Post by Fred »

No browser should ever be allowed to run as root when it has access to the network. There are too many security issues this enables. If this isn't a major bug, it should be.

Fred
Husse

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by Husse »

I agree with Fred - this is because mintInstall now opens as root which you will notice as it demands your password to open
A child process (as Firefox here) runs as the user that starts it as far as I know
Think Clem needs to take a look at this asap
midas
Level 4
Posts: 278
Joined: Sun Nov 25, 2007 3:47 am
Location: The Netherlands

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by midas »

Yeah, I think it is really a major security issue. For the time being it is better to download from the official repo (synaptic) only. I hope it will be solved as soon as possible...
Linux Mint 17.3 Cinnamon (64 bits)
Husse

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by Husse »

No no - mintInstall is not compromised - it's as safe as ever - it's only any Firefox that you open using the links in it that is compromised
midas

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by midas »

OK Husse...I do understand now. But that possibly means not using the software portal at www.linuxmint.com? Because for that Firefox is kept open during the install-procedure. Could you please clarify that a bit? Thanks!
clem
Level 12
Posts: 4303
Joined: Wed Nov 15, 2006 8:34 am

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by clem »

Hi,

Thanks for reporting this bug. I'll release a fix for it asap.

Clem.
emorrp1

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by emorrp1 »

midas: the problem only arises if you click the "visit" link within mintInstall, all other ways of using it are as perfectly safe as they're meant to be.
clem

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by clem »

Well, there's also the link button in "More Info", and then a series of buttons in the Search dialog...

Anyway, I fixed all that and released mintInstall 6.3.5. Please upgrade and report any other problems.

Philip, can you test with the new version and mark this bug as fixed?

Thanks,
Clem.
emorrp1

Re: [confirmed] mintInstall 6.3.4: Runs browser as root

Post by emorrp1 »

Ahh, slight issue there clem, I have the community repo enabled, which means I'm already at v6.3.5 when merlwiz79 went through and enabled the text beside icons option in the toolbars. The update therefore won't show up in mintUpdate, nor can I force version in synaptic.
Husse

Re: [solved] mintInstall 6.3.4: Runs browser as root

Post by Husse »

At least the visit button did not make FF run as root
Fred

Re: [solved] mintInstall 6.3.4: Runs browser as root

Post by Fred »

Husse,

I agree. That is a very important point.

+1 :-)

Fred
emorrp1

Re: [fixed 6.3.5] mintInstall 6.3.4: Runs browser as root

Post by emorrp1 »

confirmed fix in virtualbox for the "visit" button, and clicking on the url in "more info", couldn't find any other ways to launch firefox from mintInstall
midas

Re: [fixed 6.3.5] mintInstall 6.3.4: Runs browser as root

Post by midas »

Thanks everyone for the very fast action and testing!

Midas