[opensuse] Firefox: is this a possible security problem?
I am running Leap 15.0 but with 2 "non-standard" files:
#1 - kernel-4.18.0-1, which comes from repo. '.../stable/standard/'; and
#2 - Firefox v62.0b1x, which I download directly from Mozilla.
I have no problems re the kernel but I mention it here to show that there is at least this file which is not 'standard' in my installation of Leap 15.0.
However, I have just experienced something regarding the version of Firefox which I did not expect and something which didn't happen in the past (as in many moons ago when I last used a Nightly version of either Firefox or Thunderbird). And what happened raised in my mind whether this is a security problem for a Linux system (ie, openSUSE).
Let me explain.
Since 28 July I have been downloading and using Firefox downloaded from Mozilla site -- the file is a *.tar.bz2 file which I then unarchive (using the F2 option in Midnight Commander (mc)); I then copy the '/firefox' directory resulting from this un-archiving to my /home directory.
To use this [new] version of Firefox I then edit the Firefox entry in the Applications menu and edit the Command to read '~/firefox/firefox %u'.
When I began doing this I started with Firefox v61.0.1, but on 5 August I downloaded and started to use FF v62.0b14, followed by v62.0b15 on 10 August.
For all of the (3) preceding files I downloaded the files myself, unarchived them, deleted/renamed the '/firefox' directory in '/home', and copied across the new version of FF to my '/home'.
Until today.
What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.
As I did in the past to download the latest version of FF, I clicked on HELP and when the box-menu appeared there was the message, normally seen on a Windows installation, "Restart Firefox to <something>" and the version number showing was 62.0b17.
===
Now that I have written the above, I just now looked inside the '/firefox' directory in my '/home' and found to my surprise 2 files: 'updater' (156,296 bytes big), and 'updater.ini' (681 bytes big). The contents of 'updater.ini' is attached.
The only conclusion I can come to is that Firefox updated itself -- similarly to what it does in Windows! But how is this allowed in openSUSE/Linux?
I do understand that I manually installed Firefox in my /home directory and that it wasn't installed in the directory /usr/lib64/firefox accessed only by root but I certainly do not expect a program to self-update/upgrade without my manual intervention.
If openSUSE now allows the execution of the 'installer' in Firefox what is there to stop that 'installer' being modified to cause damage to the system?
(BTW, the same 'installer' is present in Thunderbird downloadable from Mozilla -- and I am using TB v60.0 [created 1 Aug].)
Is this ability in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?
BC
-- There comes a time in the affairs of a man when he has to take the bull by the tail and face the situation. W C Fields
On 2018-08-15 11:23, Basil Chupin wrote: ...
Until today.
What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.
As I did in the past to download the latest version of FF, I clicked on HELP and when the box-menu appeared there was the message, normally seen on a Windows installation, "Restart Firefox to <something>" and the version number showing was 62.0b17.
This can only happen if FF has write permission on the directory you installed it. For example, if you install it under your {HOME}, or a system directory and you run it as root. Or some other combination that gives it permission. Check the permissions. However, you may wish this behaviour. I would. This doesn't happen normally on openSUSE because the feature is disabled by the packager, I guess. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Basil Chupin composed on 2018-08-15 19:23 (UTC+1000):
#2 - Firefox v62.0b1x, which I download directly from Mozilla. ... What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17. ... Is this ability in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?
It is a default behavior you can turn off via the last page of preferences if you do not like it. Packages provided by Linux distro package management systems turn it off, because they work with dependencies that must be kept in version sync. Mozilla.org builds are static, not dependent in the same way, so like Windows & Mac versions they can be automatically updated without affecting the operating system on which installed.
-- "Wisdom is supreme; therefore get wisdom. Whatever else you get, get wisdom." Proverbs 4:7 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 08/15/2018 04:23 AM, Basil Chupin wrote:
What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.
This has pissed me off about mozilla for a while. So much so that I explicitly prevent the install of the update tool (which you can if you install with a "Custom" install the first time; if not, mozilla presumes you want it to automatically update itself). That is a software package out of control. I don't mind the package telling me that an update is available, but I do not want any software thinking it has the right to touch my system until I tell it to do so.
-- David C. Rankin, J.D.,P.E.
* David C. Rankin <drankinatty@suddenlinkmail.com> [08-15-18 20:23]:
I don't mind the package telling me that an update is available, but I do not want any software thinking it has the right to touch my system until I tell it to do so.
don't use mozilla's repos. simple solution.
-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
Patrick Shanahan composed on 2018-08-15 20:27 (UTC-0400):
* David C. Rankin [08-15-18 19:23]:
I don't mind the package telling me that an update is available, but I do not want any software thinking it has the right to touch my system until I tell it to do so.
don't use mozilla's repos. simple solution.
Too simple for any who cannot be content with a single installed version of one of its apps. For the rest, there are simple enough ways to avoid what David and others abhor:
1 - user.js: an optional preferences preset file that 'zilla apps never write to, and incorporate into prefs.js at every startup
2 - for those who can't manage #1, download the app, disconnect the network, install the app, change the default pref to ask first or never install, then reconnect network
3 - alternative to #2, make the directory tree containing the 'zilla app readonly
4 - block mozilla.org repos via hosts file
-- Felix Miata
Felix Miata wrote:
Patrick Shanahan composed on 2018-08-15 20:27 (UTC-0400):
1-user.js: an optional preferences preset file that 'zilla apps never write to, and incorporate into prefs.js at every startup
Doesn't it have and respect the options in "about:config", like: app.update.auto (boolean false is palemoon default) and app.update.enabled (defaults to true). Also values for extensions.update.enabled. Just search on 'update' for the pref names and read through to see if it looks like it is enabled or not. Also, 1st thing to check. See if this is set: browser.preferences.instantApply (boolean true). That makes any pref you apply happen immediately rather than needing a restart. This is for pale moon -- a ff derivative, so it's possible they took these things out in newer browsers, but that would surprise me.
L A Walsh composed on 2018-08-21 18:31 (UTC-0700):
Felix Miata wrote:
1-user.js: an optional preferences preset file that 'zilla apps never write to, and incorporate into prefs.js at every startup
Doesn't it have and respect the options in "about:config", like:
user.js is an optional file that exists only if a user creates it. Unless something has changed that I don't know about, anything in it that is (or was) valid is applied on startup of Firefox, TB and SeaMonkey.
-- Felix Miata
Felix Miata wrote:
L A Walsh composed on 2018-08-21 18:31 (UTC-0700):
Felix Miata wrote:
1-user.js: an optional preferences preset file that 'zilla apps never write to, and incorporate into prefs.js at every startup
Doesn't it have and respect the options in "about:config", like:
user.js is an optional file that exists only if a user creates it. Unless something has changed that I don't know about, anything in it that is (or was) valid is applied on startup of Firefox, TB and SeaMonkey.
Not disagreeing...how many ways can you find to do 'X'.... The problem with user.js, for me, is it is "empty" at the beginning, so you have to know all the names of the options you want to change before you can add them. Many of those options are listed out if you look at about:config so you can peruse and change ones you are sure of, or google ones that you aren't. But I need to know the names of the settings before I can add them to user.js and change them. Even then I may not be sure of the exact syntax I need to have so the browser understands what I meant in user.js. Whereas changing things in about:config -- click and new value. For me it's an ease of use thing.
On 22.08.2018 at 08:14, L A Walsh wrote:
But I need to know the names of the settings before I can add them to user.js and change them. Even then I may not be sure of the exact syntax I need to have so the browser understands what I meant in user.js.
This here https://github.com/ghacksuserjs/ghacks-user.js/releases helped me a lot to learn about the "important" about:config-options.
Whereas changing things in about:config -- click and new value. For me its an ease of use thing.
On 15.08.2018 at 11:23, Basil Chupin wrote:
Until today.
What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.
Some useful information on this can be found here: https://www.ghacks.net/2018/07/28/mozilla-makes-it-more-difficult-to-block-f...
On 22/08/18 19:38, Hagen Buliwyf wrote:
On 15.08.2018 at 11:23, Basil Chupin wrote:
What occurred today is something which I did not expect on a Linux system: Firefox *UPGRADED* *ITSELF* to version 62.0b17.
Some useful information on this can be found here:
https://www.ghacks.net/2018/07/28/mozilla-makes-it-more-difficult-to-block-f...
Thank you, Hagen, for the above reference, and I have read it -- interesting.
However, it seems that everyone has missed or simply ignored the main issue I was trying to raise and get an answer for and that is, as I asked, "Is this ability [of updating itself] in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?".
I wouldn't be asking this if I was using Windows but I am using a Linux system, openSUSE.
Now, to update anything in openSUSE/Linux one needs *root* access to be able to use either YaST2 or zypper and in doing so some 'executable' file in openSUSE then executes the installation/update of a file.
OK, in my case I unpacked a copy of Firefox and copied the created '/firefox' directory into my '/home' where I am a *user* and not *root* and yet FF sitting in '/home' is able to update itself.
We all know that it is possible to delete the file containing the root's password when one has forgotten what that password is and create a new one -- and this is done while sitting at the computer and cannot be done easily (as far as I know, but what do I know?) from the "outside", ie hacking.
Suppose someone in mozilla goes "funny" and inserts malware, which resets the root's password, into Firefox and someone like me comes along, downloads that copy and "installs" (for want of a better word) it and then when FF updates itself, as it did in my case, the root's password file is wiped et al.
So, my question was: am I being paranoid about this with Leap 15 allowing FF to update itself and without Leap jumping in and saying, "WHOA! You can't do this without root privileges!".
BC
-- "Truth isn't truth." Rudy Giuliani, Donald Trump's lawyer, 20 August 2018
On Sat, Aug 25, 2018 at 11:23 PM Basil Chupin <blchupin@iinet.net.au> wrote:
However, it seems that everyone has missed or simply ignored the main issue I was trying to raise and get an answer for and that is, as I asked, "Is this ability [of updating itself] in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?".
A little paranoid...
Now, to update anything in openSUSE/Linux one needs *root* access to be able to use either YaST2 or zypper and in doing so some 'executable' file in openSUSE then executes the installation/update of a file.
This is incorrect and only applies when using the package manager to install packages, Firefox is not touching zypper or YaST. The updater is writing files directly to the directory. Firefox is only able to update itself because you installed it into a directory where *your user* has full permissions. Firefox is downloading the updated files to that directory using your account. You do NOT need root to do this, it is not using elevated permissions at all. If you want to completely prevent this, even without modifying random settings within Firefox, you could change the permissions and/or ownership of that directory so that you, and thus Firefox, are unable to write to it.
Suppose someone in mozilla goes "funny" and inserts malware, which resets the root's password, into Firefox and someone like me comes along, downloads that copy and "installs" (for want of a better word) it and then when FF updates itself, as it did in my case, the root's password file is wiped et al.
This would only happen if you were running Firefox as root, which is a bad idea anyway. It could only affect things that your user account has access to. As it stands, it is "acceptable"; there is more or less nothing for the distribution to do to prevent you and applications you run under your user from reading and writing to your home directory (or one you have granted permissions to).
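As an added example (not code from anyone in the thread), here is the permission check Carlos and Steve describe plus two of the mitigations from Felix's list, in POSIX shell: report whether the user who launches Firefox can write the unpacked tree (the only thing the bundled updater needs), lock that tree read-only, and drop a user.js preset with the app.update.* prefs L A Walsh names. The ~/firefox and profile paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a hand-unpacked Firefox
# tree (like the original poster's ~/firefox) for self-update capability and
# applies two of Felix's mitigations. Paths are constructed for illustration.

# The bundled updater runs as the user who launched Firefox and simply
# replaces files in the install directory, so the only precondition is that
# this user can write there. Prints a verdict and returns 0 when self-update
# is possible, 1 when it is blocked, 2 when the directory is missing.
ff_update_possible() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    if [ -x "$dir/updater" ]; then
        upd="updater binary present"
    else
        upd="no updater binary"
    fi
    # For root (uid 0) -w is always true, which is exactly Steve's point
    # about running Firefox as root.
    if [ -w "$dir" ]; then
        echo "$dir: writable by $(id -un), $upd -> self-update possible"
        return 0
    fi
    echo "$dir: not writable by $(id -un), $upd -> self-update blocked"
    return 1
}

# Felix's option 3: make the whole tree read-only. The owner can chmod it
# back, so this guards against silent updates, not a malicious local user.
ff_lock() {
    chmod -R a-w "$1"
}

# Felix's option 1: append a user.js preset to a profile directory. Firefox
# re-applies user.js on every start and never writes to it, so these prefs
# survive whatever the update UI changes in prefs.js. Pref names are the
# ones L A Walsh lists; extensions.update.enabled covers add-on updates.
ff_write_userjs() {
    profile=$1
    [ -d "$profile" ] || return 2
    cat >>"$profile/user.js" <<'EOF'
// Constructed preset: turn off application and add-on self-updates.
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("extensions.update.enabled", false);
EOF
}

# Print the value user.js in profile $1 assigns to pref $2 (the last
# assignment wins, as Firefox evaluates the file top to bottom); prints
# nothing if the pref is not set there.
ff_pref_value() {
    grep -F "user_pref(\"$2\"," "$1/user.js" 2>/dev/null |
        tail -n 1 | sed 's/.*, *\(.*\));.*/\1/'
}

# Usage on the poster's layout (replace <profile> with your own profile dir):
#   ff_update_possible "$HOME/firefox" && ff_lock "$HOME/firefox"
#   ff_write_userjs "$HOME/.mozilla/firefox/<profile>"
```

Firefox releases after 62 dropped app.update.enabled, so on current builds the read-only tree or the DisableAppUpdate entry in distribution/policies.json is what actually stops the updater; the user.js still covers app.update.auto.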
On 28/08/18 07:24, Steve Susbauer wrote:
On Sat, Aug 25, 2018 at 11:23 PM Basil Chupin <blchupin@iinet.net.au> wrote:
However, it seems that everyone has missed or simply ignored the main issue I was trying to raise and get an answer for and that is, as I asked, "Is this ability [of updating itself] in Firefox, and Thunderbird, acceptable behaviour or am I being paranoid?".
A little paranoid...
Now, to update anything in openSUSE/Linux one needs *root* access to be able to use either YaST2 or zypper and in doing so some 'executable' file in openSUSE then executes the installation/update of a file.
This is incorrect and only applies when using the package manager to install packages, Firefox is not touching zypper or YaST. The updater is writing files directly to the directory.
Firefox is only able to update itself because you installed it into a directory where *your user* has full permissions. Firefox is downloading the updated files to that directory using your account. You do NOT need root to do this, it is not using elevated permissions at all. If you want to completely prevent this, even without modifying random settings within Firefox, you could change the permissions and/or ownership of that directory so that you, and thus Firefox, are unable to write to it.
Suppose someone in mozilla goes "funny" and inserts malware, which resets the root's password, into Firefox and someone like me comes along, downloads that copy and "installs" (for want of a better word) it and then when FF updates itself, as it did in my case, the root's password file is wiped et al.
This would only happen if you were running Firefox as root, which is a bad idea anyway. It could only affect things that your user account has access to.
As it stands, it is "acceptable"; there is more or less nothing for the distribution to do to prevent you and applications you run under your user from reading and writing to your home directory (or one you have granted permissions to).
Ooops, sorry, Steve, for not responding earlier than this -- other matters intervened and I forgot about your post :-(. Sorry. Thank you for your response -- explained to me "how it is" and now I feel less paranoid :-). I may re-install the latest Firefox from Mozilla but this time switch off the auto-update. Thanks again.
BC