Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dont run browser as root #296

Merged
merged 3 commits into from
Oct 25, 2024
Merged

Dont run browser as root #296

merged 3 commits into from
Oct 25, 2024

Conversation

adamkankovsky
Copy link
Contributor

@adamkankovsky adamkankovsky commented Jun 4, 2024
edited
Loading

Separating WebUI stuff from PR:rhinstaller/anaconda#5058

  • LiveOS
  • BootISO

@KKoukiou KKoukiou marked this pull request as draft June 6, 2024 06:56
@adamkankovsky adamkankovsky force-pushed the dont-run-browser-as-root branch 2 times, most recently from 0a8d53d to 2cbc20f Compare October 9, 2024 12:54
@adamkankovsky adamkankovsky marked this pull request as ready for review October 9, 2024 13:16
@halfline @KKoukiou
webui: Handle XAUTHORITY and XDG_RUNTIME_DIR
d1ed075 
The titlebar with "Mozilla Firefox" has been fixed but there
are some more bits that can be cleaned up.

This commit achieves that by:

1. Make sure more of the environment is bubbled through anaconda to
   the webui launcher. In particular, we need XDG_CURRENT_DESKTOP, but
   this commit brings it all through, so firefox runs in an environment
   as close to getting run directly by the live user as possible.
2. Two exceptions are XAUTHORITY and XDG_RUNTIME_DIR which need to
   remain unset until we can run firefox as a normal user instead of root.
@halfline @KKoukiou
webui: Store browser in array
db1053d 
At the moment most of the firefox command line is getting placed
in a variable named $BROWSER and then getting run as

$BROWSER http://url

This only works if $BROWSER is at the very front of the line or if
it's run through eval.

Instead, make BROWSER into an array so it's positional arguments
get expanded positionally.
@halfline @KKoukiou
webui: Run browser as liveuser instead of root
f87161b 
It's not a good idea to run UI code as root if we can help it, and
since the webui separates front end from backend, we don't need to
run the front end code as root.

This commit changes webui-desktop to start firefox as the liveuser.

The entire script could probably be run unprivileged with a few
changes to the cockpit parts (different port, new polkit policy,
cockpit.spawn changes to run as superuser), but that's a change
for another time.
@KKoukiou
Copy link
Contributor

I rebased. It was quite tricky. Previous SHA pushed from @adamkankovsky was 2cbc20f for reference.

KKoukiou
KKoukiou approved these changes Oct 25, 2024
View reviewed changes
Copy link
Contributor

@KKoukiou KKoukiou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be released together with rhinstaller/anaconda#5689

Tested interactively the Workstation ISO and it worked as expected.

@KKoukiou KKoukiou merged commit c8c0686 into rhinstaller:main Oct 25, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KKoukiou KKoukiou KKoukiou approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adamkankovsky @KKoukiou @halfline