Firejail/Flatpak applications display "as superuser" on window title

[slazur]

Applications launched under Firejail and Flatpak include "(as superuser)" in their window's title even though they're not actually being ran as root.

More information from Firejail's issues tracker: (as superuser) in title bar.

Debian stretch, marco 1.16.0, firejail 0.9.44.2, flatpak 0.6.14.

[monsta]

It's up to them to solve this, MATE apps know nothing about Firejail or Flatpak.

[smitsohu]

For the record: This is probably a result of PID namespaces, and the effect should be observable with many sandboxing tools (firejail, bubblewrap, flatpack, ...)

The PID from inside the sandbox, often a single digit number, is used to set _NET_WM_PID, and then probably the window manager checks outside the sandbox if this _NET_WM_PID belongs to the superuser (which it usually does).

[halfline]

I'd suggest you use the XResource extension to query the LOCAL_CLIENT_PID value for the window from the X server rather than trust _NET_WM_PID which may be faked or running inside a different pid namespace. @monsta don't know if you want to reopen given the last couple of comments ?

[davidedmundson]

(I got linked to here from a KDE bug report with a similar problem)

That's not a terrible idea, but blindly switching will break just as many places as it fixes.
Like smplayer which have mplayer and the GUI as separate processes, but deliberately have a NET_WM_PID which is "faked"

[halfline]

shouldnt matter unless one of the separate processes runs as root right?

[SivaMachina]

I wonder if this issue is related to why some of the flatpaks don't fit in with the DE I am using. Kinda like if I were actually running them as root.

[LorenzoAncora]

The bug is still present on Marco 1.20.3-1 [Debian GNU/Linux 10 (buster)].
End users don't care which team fixes it, @monsta.

[damianatorrpm]

I have tried LOCAL_CLIENT_PID
https://stackoverflow.com/questions/37283179/python-pid-to-x11-window-id-using-xresqueryclientids/37309217#37309217

This does not work either for sandboxed applications.

[hamishmb]

Still a problem for me on Mint 19.3 with Flatpak apps.

[AsciiWolf]

Same issue on Linux Mint 20 Mate with Flatpak applications.

[stavultras]

4 years have passed and the issue still exists. I just tried telegram with Mint Mate 20 and the taskbar title says "(as super user)" without "telegram" word at all. Will it be fixed one day?

[tidux]

This bug does not present on any other DE or Wayland compositor, so I think it is up to Marco to fix it.

[raveit65]

I can't reproduce this, Brackets and libreoffice installed via flatpak from flathub in fedora 32, installation can be done as normal user ;)

Same when i install libreoffice from snapd.

[mikhailmakarov]

Linux Mint MATE 20.1
Skype from flathub

[dpotter4]

I too am having this problem. In my case I have a flatpak version of KeePassXC which opens with superuser in the titlebar. I am concerned with this as KeePassXC has access to the internet. This only happens on the Mate desktop. It does not happen for example on XFCE.

[dtantsur]

Maybe the issue is app-dependent? I see it on Slack and Zoom. MATE 1.26.0, Gtk 3.24.31.

[raveit65]

I can confirm this weird behavior with com.jetbrains.IntelliJ-IDEA-Community.
But it seems to be a false positive because it runs as my normal user (rave).

ps aux | grep IntelliJ-IDEA-Community
rave       60707  9.8  2.5 10848068 825680 pts/4 Sl+  14:31   0:25 /app/idea-IC/jbr/bin/java -classpath /app/idea-IC/lib/util.jar:/app/idea-IC/lib/bootstrap.jar:/lib/tools.jar -Xms128m -Xmx750m -XX:ReservedCodeCacheSize=512m -XX:+IgnoreUnrecognizedVMOptions -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=50 -XX:CICompilerCount=2 -XX:+HeapDumpOnOutOfMemoryError -XX:-OmitStackTraceInFastThrow -ea -Dsun.io.useCanonCaches=false -Djdk.http.auth.tunneling.disabledSchemes="" -Djdk.attach.allowAttachSelf=true -Djdk.module.illegalAccess.silent=true -Dkotlinx.coroutines.debug=off -Dsun.tools.attach.tmp.only=true -Xmx2048m -XX:ErrorFile=/home/rave/java_error_in_idea_%p.log -XX:HeapDumpPath=/home/rave/java_error_in_idea_.hprof -Djb.vmOptionsFile=/home/rave/.var/app/com.jetbrains.IntelliJ-IDEA-Community/config/JetBrains/IdeaIC2021.3/idea64.vmoptions -Djava.system.class.loader=com.intellij.util.lang.PathClassLoader -Didea.vendor.name=JetBrains -Didea.paths.selector=IdeaIC2021.3 -Didea.platform.prefix=Idea -Didea.jre.check=true -Dsplash=true com.intellij.idea.Main

[raveit65]

Same with org.nmap.Zenmap

[rave@mother ~]$ ps aux | grep Zenmap
rave       62802  0.0  0.0 221416   852 pts/5    S+   14:43   0:00 grep --color=auto Zenmap

So it isn't nice but not really a security problem.

[raveit65]

Confirmed, the issue doesn't exists when using metacity WM in Mate session.
What the hell is different again comparing marco and metacity....... :/

[hamishmb]

Interesting...

[lambdanil]

btw if you are really bothered by this you can remove the "(as superuser)" altogether (even for root processes!) like so:
2e50276

[hamishmb]

The code section there makes it look like it might be simple to add a check for Firejail and/or Flatpak.

[lukefromdc]

Can you see if #742 (just merged) fixes this? If so it can be closed

[lambdanil]

Can you see if #742 (just merged) fixes this? If so it can be closed

It doesn't seem to fix the issue for flatpaks

[raveit65]

The fix is here (merged) #741
So this can be closed.

[raveit65]

Opps 741 needs to be merged. I will do that later.

[raveit65]

now it is merged :)

[LorenzoAncora]

@raveit65, @CuBeRJAN I've compiled Marco from source (commit 2540175e5a5b15e65aecaf94a29f208e6a3836c9) and launched org.kde.okteta, the issue appears to be solved. ✅
Thank you, I'll stay tuned for the next release on Debian. 👋🏻

[wakeUPslow]

Hello, Vorta Flatpak runs as "superuser". Any suggestion on what i should or shouldn't do would be appreciated. Or am i in wrong place? Our distro package Vorta version 0.8.3-1 is messed up too, reason i went to flatpak, should i find different backup software?

[krotow]

Still present in Linux Mint 21.3 MATE. Fresh system install with first time online updates. All Flatpak apps that are launched from user account, has "as superuser" in title. Problem persists also after built-in flatpak 1.12.7 replacing to 1.14.6 from Flatpak PPA.

[msz59]

Same (still present) on Ubuntu 24.04 with ubuntu-mate-desktop installed.
flatpak 1.14.6-1
marco 1.26.2-4build4

[saiballo]

Same on Ubuntu 22.04 with mate-desktop installed.

Microsoft dropped the support for skype deb package... so it's a shame that after many years the bug is still present.