On Sat, Aug 25, 2018 at 11:23 PM Basil Chupin
However, it seems that everyone has missed or simply ignored the main issue I was trying to raise and get an answer for and that is, as I asked, "Is this ability [of updating iteself] in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?".
A little paranoid...
Now, to update anything in openSUSE/Linux one needs *root* access to be able to use either YaST2 or zypper and in doing so some 'executable' file in openSUSE then executes the installation/update of a file.
This is incorrect and only applies when using the package manager to install packages, Firefox is not touching zypper or YaST. The updater is writing files directly to the directory. Firefox is only able to update itself because you installed it into a directory where *your user* has full permissions. Firefox is downloading the updated files to that directory using your account. You do NOT need root to do this, it is not using elevated permissions at all. If you want to completely prevent this, even without modifying random settings within Firefox, you could change the permissions and/or ownership of that directory so that you, and thus Firefox, are unable to write to it.
Suppose someone in mozilla goes "funny" and inserts malware, which resets the root's password, into Firefox and someone like me comes along, downloads that copy and "installs" (for want of a better word) it and then when FF updates itself, as it did in my case, the root's password file is wiped et al.
This would only happen if you were running Firefox as root, which is a bad idea anyway. It could only affect things that your user account has access to. As it stands, it is "acceptable"; there is more or less nothing for the distribution to do to prevent you and applications you run under your user from reading and writing to your home directory (or one you have granted permissions to). -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org