Bug#494641: Clickable bug links open browser as 'root' if update-manager invoked by update-notifier

Sun, 10 Aug 2008 21:28:17 -0700 

Package: update-manager
Version: 0.68.debian-6
Severity: normal
Tags: patch

    When 'update-notifier' is clicked, 'update-manager' is invoked with 'gksu'. 
 If
a link to a closed bug report (in the 'Changes' window) is clicked, 
'ChangelogViewer.py'
checks if the uid is 0 (true) and if the 'SUDO_USER' environment key is set 
(false),
so the 'gnome-open' command is run as root and root's default browser is used.

    I think gksu remembers the invoking user in the environment key 'USERNAME',
so if 'SUDO_USER' is not set the gnome-open command can be run under the user
named in 'USERNAME'.  I will send a proposed patch to ChangelogViewer.py.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages update-manager depends on:
ii  gconf2                   2.22.0-1        GNOME configuration database syste
ii  libgnome2-perl           1.042-1+b1      Perl interface to the GNOME librar
ii  python                   2.5.2-1         An interactive high-level object-o
ii  python-dbus              0.82.4-2        simple interprocess messaging syst
ii  python-glade2            2.12.1-6        GTK+ bindings: Glade support
ii  python-gnome2            2.22.0-1        Python bindings for the GNOME desk
ii  python-support           0.8.4           automated rebuilding support for P
ii  python-vte               1:0.16.14-1     Python bindings for the VTE widget
ii  software-properties-gtk  0.60.debian-1.1 manage the repositories that you i
ii  synaptic                 0.62.1          Graphical package manager
ii  update-manager-core      0.68.debian-6   APT update manager core functional

update-manager recommends no packages.

Versions of packages update-manager suggests:
ii  update-notifier          0.70.7.debian-3 Daemon which notifies about packag

-- no debconf information

--- ChangelogViewer.py.save     2008-08-10 23:44:47.000000000 -0400
+++ ChangelogViewer.py  2008-08-10 23:49:46.000000000 -0400
@@ -162,7 +162,7 @@
         # call open_url if an URL is assigned to the iter
         tags = iter.get_tags()
         for tag in tags:
-            url = tag.get_data("url")
+            url = tag.get_data("url") 
             if url != None:
                 self.open_url(url)
                 break
@@ -176,8 +176,13 @@
             command = ['x-www-browser', url]
 
         # Avoid to run the browser as user root
-        if os.getuid() == 0 and os.environ.has_key('SUDO_USER'):
-            command = ['sudo', '-u', os.environ['SUDO_USER']] + command
+        if os.getuid() == 0: 
+           # Called by sudo or gksudo
+           if os.environ.has_key('SUDO_USER'):
+               command = ['sudo', '-u', os.environ['SUDO_USER']] + command
+           # Called by su or gksu
+           else:
+               command = ['sudo', '-u', os.environ['USERNAME']] + command
 
         subprocess.Popen(command)

Reply via email to