When starting a sudo session, Firefox passes your credentials to the form, even though it shouldn't

RESOLVED INCOMPLETE

Toolkit
Startup and Profile System
6 years ago

(Reporter: sowji.k11, Unassigned)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19

Comment 1

6 years ago
Could you be more specific? If you are using "sudo -i" then we will use the home directory associated with the target user. If you aren't, then the environment doesn't change and we use the home directory associated with you. This is according to the design of `sudo`.

Arguably Firefox should probably refuse to run as root ever, since that's pretty much never a good idea, but that's a different bug.

Not something that needs to remain security-private.
Group: core-security
Component: Untriaged → Startup and Profile System
Product: Firefox → Toolkit
QA Contact: untriaged → startup
Whiteboard: closeme 1-jun-2012
Version: 6 Branch → unspecified
Comment 2

(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> Could you be more specific? If you are using "sudo -i" then we will use the
> home directory associated with the target user. If you aren't, then the
> environment doesn't change and we use the home directory associated with
> you. This is according to the design of `sudo`.

To add some verbosity, this means that:
- the sudo'ed firefox will use your profile, which means it will get all the credentials, history, etc. from it.
- it will overwrite some files from your profile with new files with root permission. Running Firefox again without sudo on this profile may remove these files because they aren't readable, and you may lose some data.
 
> Arguably Firefox should probably refuse to run as root ever, since that's
> pretty much never a good idea, but that's a different bug.

FWIW, in Iceweasel, I check the sudo environment variables and if they match sudo not being called with -i/-H, I change HOME as if sudo was called with -H. I was considering filing a bug to do that in firefox too.
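
One way to express the HOME check described in the comment above, as a shell function for a launcher wrapper (an added example, not Iceweasel's or Firefox's code). The function names and the `PASSWD_FILE` override are hypothetical; it assumes sudo exports `SUDO_UID` and treats a `HOME` that still equals the invoking user's home as the sign that sudo ran without -i/-H.

```shell
#!/bin/sh
# Added example, not Iceweasel's or Firefox's code.
# PASSWD_FILE is a hypothetical override so the lookup can be tested offline.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# home_of_uid UID: print the home directory recorded for that uid.
home_of_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $6; exit }' "$PASSWD_FILE"
}

# effective_home EUID SUDO_UID HOME: print the HOME the process should use.
effective_home() {
    euid=$1
    sudo_uid=$2
    cur_home=$3

    # Not started through sudo, or sudo to the same user: keep HOME as it is.
    if [ -z "$sudo_uid" ] || [ "$sudo_uid" = "$euid" ]; then
        printf '%s\n' "$cur_home"
        return
    fi

    invoker_home=$(home_of_uid "$sudo_uid")
    target_home=$(home_of_uid "$euid")

    # HOME still points at the invoking user's directory, so the profile
    # (credentials, history) would be opened and rewritten as the target user.
    # Switch to the target user's home, as sudo -H would have done.
    if [ -n "$target_home" ] && [ "$cur_home" = "$invoker_home" ]; then
        printf '%s\n' "$target_home"
    else
        # HOME was already changed (-i/-H) or set deliberately: leave it.
        printf '%s\n' "$cur_home"
    fi
}

# Use in a wrapper before exec'ing the browser:
#   HOME=$(effective_home "$(id -u)" "${SUDO_UID:-}" "$HOME"); export HOME
```
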

Comment 3

6 years ago
Resolved per whiteboard
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INCOMPLETE
Whiteboard: closeme 1-jun-2012