Firestarter Help runs Firefox as root

Bug #569 reported by Stuart Bishop on 2005-05-05
Affects: firestarter (Ubuntu)
Importance: High
Assigned to: MOTU Reviewers Team
Nominated for Feisty by JKFuhrmann
Nominated for Gutsy by JKFuhrmann

Bug Description

Choosing items from the Help menu fires off my preferred web browser to load the documentation. Unfortunately, as Firestarter is running as root, so too is the spawned web browser.

Changed in firestarter:
assignee: nobody → gnome
Changed in firestarter:
assignee: gnome → motu
sam tygier (samtygier) on 2006-04-23
Changed in firestarter:
status: Unconfirmed → Confirmed
towsonu2003 (towsonu2003) wrote :

To confirm and to add my thoughts:

In Dapper Beta2 LiveCD, Firefox will be launched with root privileges through Firestarter Help, risking the installation by:

1. opening up the system to Firefox bugs
2. user may continue browsing with Firefox, not knowing that s/he's browsing with ROOT privileges, opening up the system to Firefox vulnerabilities.

Can't we use yelp, or make Firestarter launch help with the sudo'ing user's privileges?

This patch fixes the problem for me. Please double-check it though, I may have done something stupid. Thanks.

Don't forget gnome_url_show in preferences.c

Vassilis Pandis (pandisv) wrote :

Attached is a debdiff to fix this issue:

firestarter (1.0.3-1.2ubuntu2) edgy; urgency=low

  * Add "GNOME" to .desktop Categories (closes Ubuntu #42452, #42501)
  * Don't run browser as root (closes Ubuntu #569)

 -- Vassilis Pandis <email address hidden> Sat, 12 Aug 2006 04:31:15 +0300

Changed in firestarter:
assignee: motu → motureviewers
Barry deFreese (bddebian) wrote :

Uploaded. Please keep an eye out and close as Fix Released if all goes well. Thanks Vassilis.

Changed in firestarter:
status: Confirmed → Fix Committed
Vassilis Pandis (pandisv) wrote :

It's released. Thanks for uploading :-)

Changed in firestarter:
status: Fix Committed → Fix Released
towsonu2003 (towsonu2003) wrote :

Why isn't this going to Dapper? This is a security update... and I don't see apt-get showing a firestarter update here.

Barry deFreese (bddebian) wrote :

You are right, this really should get updated in Dapper. I'll look into a security update for it. Thanks.

JKFuhrmann (bursar42) wrote :

This bug remains in Feisty. The Help menu continues to launch a web browser as root.
