• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: [Fed-Talk] Confirmed: non-admin user updating Firefox
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fed-Talk] Confirmed: non-admin user updating Firefox

  • Subject: Re: [Fed-Talk] Confirmed: non-admin user updating Firefox
  • From: "O'Donnell, Dan" <email@hidden>
  • Date: Thu, 30 Aug 2012 15:24:10 +0000
  • Thread-topic: [Fed-Talk] Confirmed: non-admin user updating Firefox
This then brings up the subject of code signing by developers, which is
apparently part of Apple's requirements for 10.8.
However, I don't know enough about the requirement to understand if there
truly are positive (or negative) implications with regards to applications
that act like this. (Or like Chrome.)

What might be the pros and cons, or other related implications?


From: Todd Heberlein <email@hidden>
Date: Wednesday, August 29, 2012 6:04 PM

>I just re-ran experiments and found at least one condition where a
>non-admin user can update Firefox, and this has some (IMHO) potential
>security implications.
>
>Take away: If a normal user tries to install Firefox (by dragging app to
>folder), the system prompts for an admin password. Once the admin
>password is given, the application is installed but is owned by the
>*standard user* and *not the admin*.
>
>Implication 1: This means Firefox can update itself when running as a
>non-admin user (even without notification or password prompt).
>
>Implication 2: non-admin user can maliciously modify/replace Firefox, and
>any vulnerable program running with non-admin user's privileges can
>maliciously modify Firefox (bad news if you authenticate to a web site
>via Firefox).
>
>
>For example, /Applications/Firefox.app/Contents/MacOS/firefox has the
>following ownership & permissions (walker is a non-admin user):
>
>$ ls -l firefox
>-rwxr-xr-x@ 1 walker  admin  56672 Aug 29 17:39 firefox
>
>
>I suspect any application installed this way (normal user dragging app to
>/Applications, then admin password is given) will have these "features".
>I don't like it.
>
>
>Todd


__________________________________________________________________________

This email message is for the sole use of the intended recipient(s) and
may contain confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all copies
of the original message.


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: [Fed-Talk] Confirmed: non-admin user updating Firefox
      • From: Todd Heberlein <email@hidden>
References: 
 >[Fed-Talk] Confirmed: non-admin user updating Firefox (From: Todd Heberlein <email@hidden>)

  • Prev by Date: Re: [Fed-Talk] FIPS question
  • Next by Date: [Fed-Talk] iCloud / me.com SMTP
  • Previous by thread: [Fed-Talk] Confirmed: non-admin user updating Firefox
  • Next by thread: Re: [Fed-Talk] Confirmed: non-admin user updating Firefox
  • Index(es):
    • Date
    • Thread