On 04/11/2017 03:47 AM, Jonathan Marquardt wrote:
Thanks. I may be missing something here. Anyone feel free to correct me where I'm wrong. I'm not "doing" anything with /home permissions - it's Linux defaults. AFAIK, once a user logs into their 'nix acct, anything that writes to (most) files in /home can do so - w/o any prompting.On Mon, Apr 10, 2017 at 07:11:48PM -0500, Joe Btfsplk wrote:What is the reason(s) the TBB instructions say do not install (extract) TBB to root? Is it so the TBB files will be in a location where the user has write permissions, so that TBB updates can automatically D/L and install?Yes, that's the biggest advantage, I think. We don’t want superold versions of TBB to be used, do we?Other than that, does installing TBB to a location where anyone / anything has full r/w/x permissions (like in /home), weaken the security of Linux, compared to packages installed via a distro's software manager?If "anyone / anything has full r/w/x permissions" in /home on your system, you're doing something very wrong. Only the individual users should have write permissions in their own home directories. On a multi-user system it is also a good idea to give "world" zero permissions in your user home directory so no other users can read your files.
For browsers - Firefox - that's full access to most things under .mozilla, but not Firefox program files - installed elsewhere. In /home, the user is the owner & has full r/w/x permissions for most files there - no PW required to change files there (once logged in). There're some exceptions to that, like .local/keyrings.
For TBB extracted to a folder in /home, on files I checked (tor, cached-certs, torrc, etc.) - the user is owner & has r/w/(x) permissions by default. No PW required - like any document in /home. So anything that makes it past basic defenses of the browser, NoScript, etc. - would generally have r/w/x permissions on most TBB files in /home - yes?
Conversely, Firefox installed to /usr & other protected directories that most installed apps use, by default the user or anything making it onto the computer don't have w/x permissions for those "program files." Yes? That's part of Linux overall security.
Maybe I'm missing something. Tor Project goes to great lengths to provide uncompromised TBB copies & ways to verify them, but at least in Linux - advises putting it in the least secure area, so it can update automatically with one click? (because TBB wasn't installed via a Linux software manager & therefore automatic updates wouldn't be allowed). Seems like that's in opposition to all the other TBB security efforts.
When Linux users choose to D/L the latest release from mozilla & install to /opt or /usr/local, it won't update automatically or w/ a click, AFAIK. Unless you change ownership / permissions of those directories - which I've read is a bad idea, security wise. (I'm not sure the D/L Linux Fx ver has "update now" available in about:firefox, anyway).
But, for Fx or Tbird in /opt you can install update files from Mozilla easily enough using sudo. It takes typing a few characters vs. one click.
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk