On Thu, 04 Feb 2016 12:24:09 +0200 Nick T. wrote:

> Package: apt-listbugs
> Version: 0.1.17
> Severity: wishlist
> Tags: security

Hello Nick,
thanks for your bug report.

>
> apt-listbugs when asked to display bug information in browser it starts the
> browser as root.

Yes, it does so (when run as root).

> Needless to say this is not a good idea and in specific circumstances a
> security issue.

I am aware of the possible security implications, but the matter is not
easy.
There used to be a user-switching feature for the browser invocation,
but it had to be disabled: please see
https://bugs.debian.org/662865
for the details.

In addition to that,
https://bugs.debian.org/662983
https://bugs.debian.org/671728
may also be of interest...

> listbugs should drop the superuser privileges before doing so. My
> recommendation is to launch the browser as 'nobody' by default and add a
> config option to set a custom user.

Mmmmh, I have to think about this possible approach.
I'll let you know as soon as possible: please stay tuned.

--
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
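The privilege drop requested in the report, sketched as an added example in Ruby (the language apt-listbugs is written in); this is not code from apt-listbugs or from either correspondent, and it shows only the drop mechanics in a forked child. The function names, the environment allow-list and the fixed PATH are assumptions made for the illustration.

```ruby
require 'etc'

# Constructed allow-list of variables the browser may inherit (assumption).
SAFE_ENV_KEYS = %w[DISPLAY LANG LC_ALL TERM].freeze

# Build a minimal environment for the target user instead of passing root's.
def browser_env(pw, parent_env = ENV)
  env = { 'HOME' => pw.dir, 'USER' => pw.name, 'LOGNAME' => pw.name,
          'PATH' => '/usr/local/bin:/usr/bin:/bin' }
  SAFE_ENV_KEYS.each { |k| env[k] = parent_env[k] if parent_env[k] }
  env
end

# Permanently drop to pw's identity. Order matters: supplementary groups and
# gid must be changed while still root, the uid goes last.
def drop_privileges!(pw)
  raise ArgumentError, 'target user must not be uid 0' if pw.uid.zero?
  return unless Process.euid.zero? # not root: nothing to drop

  Process.initgroups(pw.name, pw.gid)
  Process::GID.change_privilege(pw.gid)
  Process::UID.change_privilege(pw.uid)
  begin
    Process::UID.change_privilege(0) # must fail if the drop was permanent
  rescue Errno::EPERM
    return
  end
  raise 'privilege drop failed: root could be regained'
end

# Fork, drop privileges in the child only, then exec argv without a shell.
# Returns the child's exit status; the parent keeps its privileges.
def spawn_browser_as(pw, argv)
  pid = fork do
    drop_privileges!(pw)
    Dir.chdir('/')
    exec(browser_env(pw), [argv[0], argv[0]], *argv[1..],
         unsetenv_others: true)
  end
  Process.wait2(pid)[1].exitstatus
end
```

A caller would pass an entry such as `Etc.getpwnam('nobody')` as `pw`; if any step of the drop fails, the child exits before `exec`, so the browser is never started with root privileges.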