[tor-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disabling privilege escalation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 13 19:44:24 UTC 2017
#21940: OSX updater: consider disabling privilege escalation
-------------------------------------+-------------------------------------
Reporter: mcs | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords: ff52-esr, tbb-7.0-must, TorBrowserTeam201704
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------------+-------------------------------------
In Firefox 52 (since 49), the Firefox updater will attempt to gain
elevated privileges on OSX if necessary to apply an update. See:
https://bugzilla.mozilla.org/show_bug.cgi?id=394984

So far I have not tested this with an ESR52-based Tor Browser, but we
should decide whether we want to leave this feature enabled or remove it
before the first stable release of Tor Browser 7.0.

On Windows, we disabled similar code because (1) most Windows users
probably do not install Tor Browser in a directory that requires admin
privileges and (2) we did not want to audit the code (e.g., we did not
want there to be a chance that someone could be tricked into granting more
privileges, perhaps due to malware that took advantage of another security
bug).

On OSX the situation is a little different because we do encourage people
to drop TorBrowser.app into /Applications, which does require admin
privileges. I personally use an account on OSX that has Admin privileges
at all times, so updates work fine for me with TB 6.x and earlier... but
that is not considered best security practice on OSX (actually, I usually
do not install TB in /Applications at all because I keep several versions
around to make it easier to triage bugs).

Cc: Tim and Linda who may also have some thoughts on this. To be sure,
there is a security vs. usability tradeoff here.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21940>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online