Mailinglist Archive: opensuse (1108 mails)

Re: [opensuse] Firefox: is this a possible security problem?
On Sat, Aug 25, 2018 at 11:23 PM Basil Chupin <blchupin@xxxxxxxxxxxx> wrote:
However, it seems that everyone has missed or simply ignored the main
issue I was trying to raise and get an answer for and that is, as I
asked, "Is this ability [of updating itself] in Firefox, and
Thunderbird, acceptable behaviour or am I being paranoid?".

A little paranoid...

Now, to update anything in openSUSE/Linux one needs *root* access to be
able to use either YaST2 or zypper and in doing so some 'executable'
file in openSUSE then executes the installation/update of a file.

This is incorrect and only applies when using the package manager to
install packages; Firefox is not touching zypper or YaST. The updater
is writing files directly to the directory.

Firefox is only able to update itself because you installed it into a
directory where *your user* has full permissions. Firefox is
downloading the updated files to that directory using your account.
You do NOT need root to do this, it is not using elevated permissions
at all. If you want to completely prevent this, even without modifying
random settings within Firefox, you could change the permissions
and/or ownership of that directory so that you, and thus Firefox, are
unable to write to it.

Suppose someone in Mozilla goes "funny" and inserts malware, which
resets the root's password, into Firefox and someone like me comes
along, downloads that copy and "installs" (for want of a better word) it
and then when FF updates itself, as it did in my case, the root's
password file is wiped et al.

This would only happen if you were running Firefox as root, which is a
bad idea anyway. It could only affect things that your user account
has access to.

As it stands, it is "acceptable"; there is more or less nothing for
the distribution to do to prevent you and applications you run under
your user from reading and writing to your home directory (or one you
have granted permissions to).
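
The permission point made in the reply above can be checked directly. The script below is an added example, not part of the original message or of any openSUSE or Mozilla tooling: it lists what the invoking user may modify under an install directory, then shows the effect of removing write permission. It assumes GNU find, looks at mode bits only (no ACLs), and uses a constructed temporary directory in place of a real Firefox install.

```shell
#!/bin/sh
# Added example. Lists entries under DIR that the invoking user may modify
# according to the owner/group/other mode bits (the class the kernel applies).
# Root ignores these bits, so run it as the account that launches Firefox.
user_writable_entries() {
    dir=$1
    uid=$(id -u)
    gexpr=""                       # becomes: -gid G1 -o -gid G2 ...
    for g in $(id -G); do
        gexpr="${gexpr:+$gexpr -o }-gid $g"
    done
    # $gexpr is intentionally unquoted so it splits into find arguments.
    find "$dir" \( \
        \( -uid "$uid" -perm -0200 \) -o \
        \( ! -uid "$uid" \( $gexpr \) -perm -0020 \) -o \
        \( ! -uid "$uid" ! \( $gexpr \) -perm -0002 \) \
    \) -print
}

count_user_writable() { user_writable_entries "$1" | wc -l | tr -d ' '; }

# True when an in-place self-update could write somewhere under DIR.
self_update_possible() { [ "$(count_user_writable "$1")" -gt 0 ]; }

# Constructed stand-in for an unpacked Firefox tarball (not a real install).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/firefox"
    : > "$d/firefox/firefox"
    : > "$d/firefox/updater"
    echo "as unpacked:        $(count_user_writable "$d/firefox") writable entries"
    # Weak form: the owner can chmod the bits back. Handing ownership to root
    # (chown -R root:root as root) is the form a user process cannot undo.
    chmod -R a-w "$d/firefox"
    echo "after chmod -R a-w: $(count_user_writable "$d/firefox") writable entries"
    chmod -R u+w "$d/firefox" && rm -rf "$d"
}
demo
```
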
