#21940: OSX updater: consider disabling privilege escalation -------------------------------------------------+------------------------- Reporter: mcs | Owner: tbb- | team Type: defect | Status: new Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: ff52-esr, tbb-7.0-must, | Actual Points: TorBrowserTeam201705 | Parent ID: | Points: Reviewer: | Sponsor: -------------------------------------------------+-------------------------
Comment (by gk): Replying to [comment:5 mcs]: > Thanks Tim. One more scenario which I just tested: if a non-admin user installs Tor Browser into /Applications they are prompted to authenticate as an administrator. After they do that, TorBrowser.app is owned by the non-admin user (which surprises me a little). But that does mean that the non-admin user can update. > > Reading the first part of https://bugzilla.mozilla.org/show_bug.cgi?id=394984 again, the scenario mentioned there is that of Firefox being installed by an account that no longer exists. So maybe the need for privilege escalation is very limited, even if we fix #21779. So, do we think the risk of privilege escalation support is worth it? If not, how much work would it be to "back" this out? -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21940#comment:7> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs