Noah Meyerhans wrote:

I don't think this is a bug.  I think this is what you get when you
allow other users to access your X server.  Mozilla-based browsers have
always communicated via the X server.  When you run root's browser and
give it access to your display, then try running another instance of the
browser, the second instance notices that there's already a browser
running on the X display and signals it to spawn a new window.  Thus,
there's really only one instance of the browser running.

What attack vector do you see here, anyway?  You're already root on the
machine, it's not like you're going to get elevated privileges.  And
it's not going to work across X displays, so you don't need to worry
about this problem being used maliciously against unsuspecting users.

I can agree that this is not a security bug, but this behaviour is pretty useless. Take jEdit [not in Debian archive[1], but open source and apt-gettable[2]] for example - it attaches to an existing instance, but keeps only one instance per user, so I can (and often do) have one jEdit for me and one jEdit to jEdit for root some config files at the same time. And this is done in Java, which has inherent problems with that :) I don't think I'd ever need two Firefoxes for two users, but this is much cleaner this way.

[1] It requires non-free Sun's Java as it uses some Swing magic
[2]
deb http://dl.sourceforge.net/sourceforge/jedit ./
deb-src http://dl.sourceforge.net/sourceforge/jedit ./
-KS
