[tbb-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disabling privilege escalation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 2 11:18:42 UTC 2017
#21940: OSX updater: consider disabling privilege escalation
-------------------------------------------------+-------------------------
Reporter: mcs | Owner: tbb-
| team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-7.0-must, | Actual Points:
TorBrowserTeam201705 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:5 mcs]:
> Thanks Tim. One more scenario which I just tested: if a non-admin user
installs Tor Browser into /Applications they are prompted to authenticate
as an administrator. After they do that, TorBrowser.app is owned by the
non-admin user (which surprises me a little). But that does mean that the
non-admin user can update.
>
> Reading the first part of
https://bugzilla.mozilla.org/show_bug.cgi?id=394984 again, the scenario
mentioned there is that of Firefox being installed by an account that no
longer exists. So maybe the need for privilege escalation is very limited,
even if we fix #21779.
So, do we think the risk of privilege escalation support is worth it? If
not, how much work would it be to "back" this out?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21940#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list