On 22/08/18 19:38, Hagen Buliwyf wrote:
On 15.08.2018 at 11:23, Basil Chupin wrote:
I am running Leap 15.0 but with 2 "non-standard" files:
#1 - kernel-4.18.0-1, which comes from repo. '.../stable/standard/'; and
#2 - Firefox v62.0b1x, which I download directly from Mozilla.
I have no problems re the kernel but I mention it here to show that there is at least this file which is not 'standard' in my installation of Leap 15.0.
However, I have just experienced something regarding the version of Firefox which I did not expect and something which didn't happen in the past (as in many moons ago when I last used a Nightly version of either Firefox or Thunderbird). And what happened raised in my mind whether this is a security problem for a Linux system (ie, openSUSE).
Let me explain.
Since 28 July I have been downloading and using Firefox downloaded from Mozilla site -- the file is a *.tar.bz2 file which I then unarchive (using the F2 option in Midnight Commander (mc)); I then copy the '/firefox' directory resulting from this un-archiving to my /home directory.
To use this [new] version of Firefox I then edit the Firefox entry in the Applications menu and edit the Command to read '~/firefox/firefox %u'.
When I began doing this I started with Firefox v61.0.1, but on 5 August I downloaded and started to use FF v62.0b14, followed by v62.0b15 on 10 August.
For all of the (3) preceding files I downloaded the files myself, unarchived them, deleted/renamed the '/firefox' directory in '/home', and copied across the new version of FF to my '/home'.
Until today.
What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.
Some useful information on this can be found here:
https://www.ghacks.net/2018/07/28/mozilla-makes-it-more-difficult-to-block-f...
As I did in the past to download the latest version of FF, I clicked on HELP and when the box-menu appeared there was the message, normally seen on a Windows installation, "Restart Firefox to <something>" and the version number showing was 62.0b17.
===
Now that I have written the above, I just now looked inside the '/firefox' directory in my '/home' and found to my surprise 2 files: 'updater' (156,296 bytes big), and 'updater.ini' (681 bytes big). The contents of '*.ini' is attached.
The only conclusion I can come to is that Firefox updated itself -- similarly to what it does in Windows! But how is this allowed in openSUSE/Linux?
I do understand that I manually installed Firefox in my /home directory and that it wasn't installed in the directory /usr/lib64/firefox accessed only by root but I certainly do not expect a program to self-update/upgrade without my manual intervention.
If openSUSE now allows the execution of the 'installer' in Firefox what is there to stop that 'installer' being modified to cause damage to the system?
(BTW, the same 'installer' is present in Thunderbird downloadable from Mozilla -- and I am using TB v60.0 [created 1 Aug].)
Is this ability in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?
BC
Thank you, Hagen, for the above reference, and I have read it -- interesting.

However, it seems that everyone has missed or simply ignored the main issue I was trying to raise and get an answer for and that is, as I asked, "Is this ability [of updating itself] in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?".

I wouldn't be asking this if I was using Windows but I am using a Linux system, openSUSE.

Now, to update anything in openSUSE/Linux one needs *root* access to be able to use either YaST2 or zypper and in doing so some 'executable' file in openSUSE then executes the installation/update of a file.

OK, in my case I unpacked a copy of Firefox and copied the created '/firefox' directory into my '/home' where I am a *user* and not *root* and yet FF sitting in '/home' is able to update itself.

We all know that it is possible to delete the file containing the root's password when one has forgotten what that password is and create a new one -- and this is done while sitting at the computer and cannot be done easily (as far as I know, but what do I know?) from the "outside", ie hacking.

Suppose someone in Mozilla goes "funny" and inserts malware, which resets the root's password, into Firefox and someone like me comes along, downloads that copy and "installs" (for want of a better word) it and then when FF updates itself, as it did in my case, the root's password file is wiped et al.

So, my question was: am I being paranoid about this with Leap 15 allowing FF to update itself and without Leap jumping in and saying, "WHOA! You can't do this without root privileges!".

BC

--
"Truth isn't truth."
Rudy Giuliani, Donald Trump's lawyer, 20 August 2018