synaptic opens web browser with root privileges and settings

Bug #110224 reported by Christian Wiethoff on 2007-04-26
Affects Status Importance Assigned to Milestone
synaptic (Ubuntu)
Jean-Baptiste Lallement

Bug Description

Binary package hint: synaptic

System: Ubuntu feisty, up to date

When opening the synaptic website, linked in the synaptic help window the browser (firefox) opens with administrative rights, and the settings of root.

ProblemType: Bug
Architecture: i386
Date: Thu Apr 26 08:47:59 2007
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/sbin/synaptic
Package: synaptic
PackageArchitecture: i386
ProcCmdline: /usr/sbin/synaptic
ProcCwd: /home/stmuser
SourcePackage: synaptic
Uname: Linux quantumsr 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686 GNU/Linux

Related branches

Michael Vogt (mvo) wrote :

Thanks for your bugreport.

Do you have a regular ubuntu system installed? It should launch the "yelp" help browser on a gnome system. Do you use kde or xubuntu?


Changed in synaptic:
status: Unconfirmed → Needs Info

I use a regular ubuntu feisty.
In YELP in "about synaptic ..." is a link to the synaptic website. When
i click on it, firefox opens as user root.


Michael Vogt schrieb:
> Thanks for your bugreport.
> Do you have a regular ubuntu system installed? It should launch the
> "yelp" help browser on a gnome system. Do you use kde or xubuntu?
> Thanks,
> Michael
> ** Changed in: synaptic (Ubuntu)
> Status: Unconfirmed => Needs Info

sam tygier (samtygier) wrote :

i can confirm that on gutsy, with a default setup (one user in admin group). if i run synaptic, go to help->contents then yelp is started as root. (yelp is currently broken bug 130019), so i am not sure if yelp will launch firefox as root.

make sure that firefox is not open to start with when you test this, otherwise the link might be passed to the currently running instance.

Changed in synaptic:
importance: Undecided → Medium
status: Incomplete → Confirmed
sam tygier (samtygier) wrote :

still true in hardy

Marc Deslauriers (mdeslaur) wrote :

I'm not sure how this can be fixed. Synaptic is running as root, and can't drop privileges before starting yelp...

So user could use the same instance of the browser to view random websites? This undermines all efforts to make the system secure.

Removing the menu entry for help could disable the broken feature.

Jean-Baptiste Lallement (jibel) wrote :

Marking as triaged. Read for an explanation.


Changed in synaptic (Ubuntu):
status: Confirmed → Triaged
Jean-Baptiste Lallement (jibel) wrote :

since synaptic is run as root, running yelp with gksu $SUDO_USER should do the trick.

Changed in synaptic (Ubuntu):
assignee: nobody → Jean-Baptiste Lallement (jibel)
status: Triaged → In Progress

Fix committed to my branch

Changed in synaptic (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package synaptic - 0.63.1ubuntu2

synaptic (0.63.1ubuntu2) lucid; urgency=low

  [ Michael Vogt ]
  * po/uk.po:
    - updated, thanks to Serhij Dubyk
  * build from the lp:~ubuntu-core-dev/synaptic/lucid branch

  [ Jean-Baptiste Lallement ]
  * Fix sorting issues of the package list
    - Fix sort by name and by section (LP: #518509)
    - Improve sort by column performance
  * sort 'installed files' list in alphabetical order (LP: #32550)
  * Set version labels selectable in package properties (LP: #76568)
  * disable 'Lock Version' and 'Automatically installed' menu entries for a
    normal user (LP: #309906)
  * common/
    - in RPackageLister::xapianSearch() catch xapian exception to
      prevent crash when xapian interprets search string as a syntax
    - fix sorting in xapian search mode (LP: #508220)
  * gtk/
    - Start with focus set on fast search entry (LP: #326155)
  * Select first subview on view change (LP: #403165)
  * Fix Gtk-CRITICAL when the fast search entry is cleared (LP: #385739)
  * Ignore DEL accelerator when fast search has focus (LP: #294178)
  * Do not start help viewer as root but as SUDO_USER (LP: #110224)
  * wrap lines in textarea of dialog_update_failed (LP: #237455)
  * set textarea read-only in generic error dialog (LP: #403100)
  * Change 'Icon Legend' dialog to fixed size (LP: #374376)
 -- Michael Vogt <email address hidden> Tue, 16 Feb 2010 11:13:45 +0100

Changed in synaptic (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers