[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disabling privilege escalation

Subject: Re: [tor-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disabling privilege escalation
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 02 May 2017 11:18:42 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 02 May 2017 07:18:56 -0400
In-reply-to: <043.fc70bf70fa28f4a53c9c2fc1cc8cf284@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <043.fc70bf70fa28f4a53c9c2fc1cc8cf284@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#21940: OSX updater: consider disabling privilege escalation
-------------------------------------------------+-------------------------
 Reporter:  mcs                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201705                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:5 mcs]:
 > Thanks Tim. One more scenario which I just tested: if a non-admin user
 installs Tor Browser into /Applications they are prompted to authenticate
 as an administrator. After they do that, TorBrowser.app is owned by the
 non-admin user (which surprises me a little). But that does mean that the
 non-admin user can update.
 >
 > Reading the first part of
 https://bugzilla.mozilla.org/show_bug.cgi?id=394984 again, the scenario
 mentioned there is that of Firefox being installed by an account that no
 longer exists. So maybe the need for privilege escalation is very limited,
 even if we fix #21779.

 So, do we think the risk of privilege escalation support is worth it? If
 not, how much work would it be to "back" this out?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21940#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #22320 [Applications/Tor Browser]: Referrer not hidden when comming from a .onion address
Next by Author: Re: [tor-bugs] #22310 [Core Tor/Tor]: Tor 0.3.x clients won't use Guard-flagged relays as Guards if they don't have V2Dir, throwing off consensus position weights
Previous by thread: Re: [tor-bugs] #21973 [Applications/Tor Browser]: Fonts settings changed badly in 7.0a3 on Win 7
Next by thread: Re: [tor-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disabling privilege escalation
Index(es):
- Author
- Thread