[Fed-Talk] Confirmed: non-admin user updating Firefox
- Subject: [Fed-Talk] Confirmed: non-admin user updating Firefox
- From: Todd Heberlein <email@hidden>
- Date: Wed, 29 Aug 2012 18:04:31 -0700
I just re-ran experiments and found at least one condition where a non-admin user can update Firefox, and this has some (IMHO) potential security implications.
Takeaway: If a normal user tries to install Firefox (by dragging the app to the Applications folder), the system prompts for an admin password. Once the admin password is given, the application is installed but is owned by the *standard user* and *not the admin*.
Implication 1: This means Firefox can update itself when running as a non-admin user (even without notification or password prompt).
Implication 2: A non-admin user can maliciously modify/replace Firefox, and any vulnerable program running with the non-admin user's privileges can maliciously modify Firefox (bad news if you authenticate to a web site via Firefox).
For example, /Applications/Firefox.app/Contents/MacOS/firefox has the following ownership & permissions (walker is a non-admin user):
$ ls -l firefox
-rwxr-xr-x@ 1 walker admin 56672 Aug 29 17:39 firefox
I suspect any application installed this way (normal user dragging app to /Applications, then admin password is given) will have these "features". I don't like it.
Todd
Fed-talk mailing list (email@hidden)
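The check Todd ran by hand on one file can be turned into a small audit of a whole app bundle. The script below is an added example and is not part of the original post; the function names (audit_bundle, audit_count) are hypothetical. It walks every file and directory inside a bundle and flags any entry that is not owned by the expected owner (root by default) or that carries a group/other write bit, i.e. anything a non-admin account, or a compromised process running as that account, could overwrite. It assumes only that `ls -ld` prints mode, link count, owner, group in its first four columns, which holds for both the macOS/BSD and GNU ls.

```shell
#!/bin/sh
# Audit an application bundle for files a non-admin user could modify.
# Added example; not from the original post. Assumes `ls -ld` prints
# "<mode> <links> <owner> <group> ..." (true for BSD/macOS and GNU ls).

# audit_bundle BUNDLE [EXPECTED_OWNER]
# Prints one line per suspicious entry: "<reason> <owner> <mode> <path>".
# An entry is suspicious if its owner is not EXPECTED_OWNER (default root)
# or if its group or other write bit is set.
audit_bundle() {
    bundle=$1
    expected=${2:-root}
    find "$bundle" \( -type f -o -type d \) -print |
    while IFS= read -r p; do
        # Split the ls line into words; mode is $1 and owner is $3.
        # The path itself may contain spaces, but we never use it from here.
        set -- $(ls -ld "$p")
        mode=$1
        owner=$3
        reason=""
        # Ownership by anyone but the expected owner means that account can
        # replace the file without an admin prompt.
        if [ "$owner" != "$expected" ]; then
            reason="owner:$owner"
        fi
        # Position 6 is the group write bit, position 9 the other write bit
        # (position 1 is the type character, 2-4 are the owner bits).
        case $mode in
            ?????w*|????????w*)
                reason="${reason}${reason:+,}group-or-world-writable" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s %s\n' "$reason" "$owner" "$mode" "$p"
        fi
    done
}

# audit_count BUNDLE [EXPECTED_OWNER]
# Number of suspicious entries, for use in scripts and tests.
audit_count() {
    audit_bundle "$1" "${2:-root}" | wc -l | tr -d ' '
}

# Usage (macOS):
#   . ./audit_bundle.sh
#   audit_bundle /Applications/Firefox.app
# On a system where every app in /Applications was installed by an admin,
# the expected result is no output; the case described in the post would
# print "owner:walker walker -rwxr-xr-x@ .../Contents/MacOS/firefox".
```

Run it against /Applications/Firefox.app (or loop over /Applications/*.app) after an install performed the way the post describes, and compare with an app installed directly by an admin account. Ownership is the decisive signal here: the firefox binary in the post has mode 755, so a mode-only check would pass it, yet its owner can still rewrite it. Expect a few false positives for apps that are legitimately owned by the logged-in user (anything placed in ~/Applications, for instance), and treat the output as a list of things to look at rather than a verdict.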