Closed Bug 576863 Opened 15 years ago Closed 7 years ago

Running firefox as root allows privilege hijacking by local users

Categories

(Core :: Security, defect)

x86
Linux
defect
Not set
major


RESOLVED WONTFIX

People

(Reporter: masala.wallah, Unassigned)


User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

I found a behaviour in Firefox which is actually disturbing: If any firefox (or seamonkey, and perhaps other products as well) process owned by root is currently running, will give the a window controlled by the root-owned process. Since firefox can be used as a kind of file browser, this basically means arbitrary file access for everyone.

Reproducible: Always

Steps to Reproduce:
1. As root, start firefox and leave it open.
2. As user, start firefox on the same machine, for example, in another virtual desktop.

Actual Results:
The new firefox window created in step 2, which is controlled by the invoking user, inherits root privileges. It can be used to read and overwrite pretty much any file on the system.

Expected Results:
The new firefox window should be run by a process which is owned by the invoking user.

I think the problem comes from firefox's attempt to avoid multiple browser instances. On startup, it tries to communicate with other firefox processes. If that works, any arguments are passed to the older firefox process, and the new one exits. Normally, this is likely to separate users as they can send messages only to processes owned by themselves. However, root can talk to everyone. Consequently, root and user are not separated.

I am running SuSE 11.2 with kernel 2.6.31
What do you mean by 'root can talk to everyone', in which you assume that other users can't? This is implemented using the X Display, which everyone can use as long as you have given access (using the "xhost +" command for instance). Root isn't anything special in that regard. You can even do this from a remote connection; there's no inter-process communication involved. Now, your real problem is that you're running a browser under root (aw!), AND you have opened your screen for remote access (double aw!). That's an extremely bad idea.
Yeah, the real problem here is the insecure X setup. Given the setup described, anyone can open windows that root would interact with without realizing they're opened by an attacker (and in particular, stealing root's credentials in this setup would be really easy).
Component: General → Security
Depends on: 1323302
If you have a root-owned Firefox on your display, another X client could also inject keyboard/pointer events (e.g., to use the Browser Console to run arbitrary commands), so this is just a bad idea in general if all X clients aren't equally trusted. In any case, running Firefox as root in a non-root session should now be much more difficult to do by accident; see bug 1323302.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
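
The setup the comments above describe (a root-owned browser on a display that other clients can connect to) can be checked for from saved `xhost` and `ps` output. The script below is an added example, not part of the bug thread or of Mozilla's code; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a display for the setup discussed in this bug.
# Both parsers read saved command output on stdin so they can run offline.

# Read `xhost` output; print who, besides root, may connect to the display.
xhost_findings() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) echo "OPEN any client" ;;
            SI:localuser:root) ;;                  # root itself is not a finding
            SI:localuser:*) echo "GRANT user ${line#SI:localuser:}" ;;
            INET:*|INET6:*|LOCAL:*) echo "GRANT $line" ;;
        esac
    done
}

# Read `ps -eo user=,pid=,comm=` output; print PIDs of root-owned browsers.
root_browsers() {
    awk '$1 == "root" && $3 ~ /^(firefox|seamonkey)/ { print $2 }'
}

# audit XHOST_OUTPUT PS_OUTPUT: print RISK lines and return 1 when a root-owned
# browser shares a display that principals other than root can connect to.
audit() {
    pids=$(printf '%s\n' "$2" | root_browsers)
    grants=$(printf '%s\n' "$1" | xhost_findings)
    if [ -z "$pids" ]; then echo "ok: no root-owned browser"; return 0; fi
    if [ -z "$grants" ]; then
        # Still worth reviewing: X clients sharing root's display are trusted.
        echo "warn: root-owned browser, pid(s): $(echo $pids)"; return 0
    fi
    printf '%s\n' "$grants" | while IFS= read -r g; do
        echo "RISK: root-owned browser (pid $(echo $pids)) on display with $g"
    done
    return 1
}

# Constructed sample input (not captured from a real system).
SAMPLE_XHOST='access control disabled, clients can connect from any host
SI:localuser:root'
SAMPLE_PS='root      2211 firefox
alice     2290 firefox
root       801 sshd'

audit "$SAMPLE_XHOST" "$SAMPLE_PS" || true
# Live use: audit "$(xhost)" "$(ps -eo user=,pid=,comm=)"
```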