Installer leads to root-owned files in user's profile


Post by gonhidi » 30. September 2017 13:19

When XAMPP for Linux is installed it might create root-owned entries in the user's home directory (through the launch of the system's web browser) causing potential inconveniences for the user.

Steps to reproduce:

  1. Open Linux (up-to-date Ubuntu 16.04 x86-64 running as a VirtualBox guest, default installation plus guest additions) and start with a clean user profile. Do not launch the system's web browser (Firefox).
  2. Start the XAMPP (7.1.9) installation as per the FAQ: sudo <path to XAMPP installer>
  3. Let the installer launch the system's web browser (Firefox) by leaving the “Learn more about Bitnami for XAMPP” option checked (leaving the “Launch XAMPP” checkbox marked at the end of the installation will likely also work).
  4. Exit the web browser.
  5. Try to launch the web browser.

Expected results: The browser (Firefox) should open without a problem.

Actual results: The browser might not properly load. Given the listed examples, Firefox fails with a dialog reading “Your Firefox profile cannot be loaded. It may be missing or inaccessible” (on stdout/stderr: “Error. Access was denied while trying to open files in your profile directory”). This is due to the ~/.mozilla and ~/.cache/mozilla entries having been newly created as root-owned directories—with mode 700. Had Firefox been previously used the consequences might not be so obvious, but the conflict potential due to files that cannot be modified by the user is still there (e.g. new cache entries or perhaps modified profile files).

Observations: Comparing the user's home directory's contents ownership before and after the installer's execution, I have also seen the appearance of ~/.dbus, ~/.cache/ and an ~/.cache/event-sound-cache-* as root-owned entries, which might also cause trouble.
gonhidi
 
Posts: 3
Joined: 30. September 2017 12:09
XAMPP version: 7.1.9
Operating System: Ubuntu 16.04 x86-64 (VBox VM)
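
The ownership comparison described in the post above can be automated. The following is an added example, not part of the original post and not XAMPP or Bitnami code; the function name `foreign_owned` is an assumption made for illustration.

```python
import os
import stat


def foreign_owned(home, expected_uid):
    """Return sorted (path, owner_uid, mode) for entries not owned by expected_uid."""
    findings = []

    def check(path):
        try:
            st = os.lstat(path)  # lstat: report a symlink itself, never its target
        except OSError:
            return  # entry vanished while scanning
        if st.st_uid != expected_uid:
            findings.append((path, st.st_uid, stat.filemode(st.st_mode)))

    check(home)
    # os.walk silently skips directories it cannot read (for example a
    # root-owned ~/.mozilla with mode 700); the directory itself is still
    # reported because it is listed, and lstat'ed, from its readable parent.
    for root, dirs, files in os.walk(home, followlinks=False):
        for name in dirs + files:
            check(os.path.join(root, name))
    return sorted(findings)


if __name__ == "__main__":
    home = os.path.expanduser("~")
    for path, uid, mode in foreign_owned(home, os.getuid()):
        print(f"{mode} uid={uid} {path}")
```

Run it as the ordinary user rather than through sudo, so that the expected owner is the account whose profile is being checked.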

Re: Installer leads to root-owned files in user's profile

Post by Nobbie » 30. September 2017 15:40

That's not the installer, that's a known bug in Firefox. The installer simply starts Firefox. Nothing else.

I have known this Firefox bug for a long time; it sometimes crashes, and afterwards the profile etc. is corrupted for an unknown reason. I don't know if there is a bugfix for that behaviour, but it also happens when surfing "normally" on the internet. Actually I can install Bitnami's XAMPP without any hassle and it does not destroy the Firefox profile. It depends on whatever; it happens randomly and I don't know why.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: Installer leads to root-owned files in user's profile

Post by gonhidi » 01. October 2017 11:44

Insofar as I saw, the firefox process seemed to be running with root privileges, which is to be expected if launched from the root-privileges-executed installer without taking specific measures. It is however undesirable, both due to the circumstances I described above (which won't destroy the profile, but might corrupt it in both subtle and obvious ways) and because of the risks involved in browsing the Internet in such a privileged state (I thought it overkill to frame it as a security issue since that browser session is likely to last little or maybe even not be launched, but perhaps I should have mailed the security team instead of writing here?). If the installer were taking proper steps to launch Firefox with the user's privileges and yet it managed to run as root I would call that an OS bug, but perhaps I am missing some crucial detail on what is going on: do you happen to have a reference to the relevant report about that known Firefox bug in Mozilla's tracker so that I may have a look at it?
gonhidi
 
Posts: 3
Joined: 30. September 2017 12:09
XAMPP version: 7.1.9
Operating System: Ubuntu 16.04 x86-64 (VBox VM)
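
One way an installer started through sudo could take the "proper steps to launch Firefox with the user's privileges" mentioned in the post above. This is an added example, not part of the original post and not XAMPP or Bitnami code; the function names, the pass-through variable list and the placeholder URL are assumptions.

```python
import os
import pwd
import subprocess

PASS_THROUGH = ("DISPLAY", "XAUTHORITY", "LANG", "PATH")  # assumed minimal set


def invoking_user(environ):
    """passwd entry of the account that ran sudo, or None if there is none."""
    try:
        uid = int(environ.get("SUDO_UID", ""))
        return pwd.getpwuid(uid) if uid > 0 else None
    except (ValueError, KeyError):
        return None


def user_environment(pw, environ):
    """Child environment that points at the user's own home, not root's."""
    env = {k: environ[k] for k in PASS_THROUGH if k in environ}
    env.update(HOME=pw.pw_dir, USER=pw.pw_name, LOGNAME=pw.pw_name)
    return env


def launch_as_user(argv, environ=os.environ):
    """Start argv (for example a browser) without root privileges."""
    if os.geteuid() != 0:
        return subprocess.Popen(argv)  # not elevated: nothing to drop
    pw = invoking_user(environ)
    if pw is None:
        raise RuntimeError("no unprivileged invoking user; refusing to run as root")

    def drop_privileges():
        # Order matters: supplementary groups, then gid, then uid.
        # After setuid() the child cannot regain root.
        os.initgroups(pw.pw_name, pw.pw_gid)
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)

    return subprocess.Popen(argv, env=user_environment(pw, environ),
                            preexec_fn=drop_privileges)


if __name__ == "__main__":
    # Placeholder URL; a real installer would open its own page here.
    launch_as_user(["xdg-open", "https://example.invalid/"])
```

With the uid, gid and HOME all switched before exec, anything the browser creates under ~/.mozilla or ~/.cache is owned by the user rather than by root.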

Re: Installer leads to root-owned files in user's profile

Post by Nobbie » 01. October 2017 12:44

gonhidi wrote: but perhaps I should have mailed the security team instead of writing here?)

Definitely. This forum is only a "user helps user" forum; we have no influence on Bitnami's development.

gonhidi wrote: do you happen to have a reference to the relevant report about that known Firefox bug in Mozilla's tracker so that I may have a look at it?

Sorry, I don't. I changed to Chrome a couple of years ago (but of course Firefox is part of any fresh Linux installation). I simply remember that bug.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: Installer leads to root-owned files in user's profile

Post by gonhidi » 02. October 2017 16:18

Thanks for the info! :-)
gonhidi
 
Posts: 3
Joined: 30. September 2017 12:09
XAMPP version: 7.1.9
Operating System: Ubuntu 16.04 x86-64 (VBox VM)

