[tbb-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disable privilege escalation

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 13 20:54:14 UTC 2017

#21940: OSX updater: consider disable privilege escalation
 Reporter:  mcs                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201704                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by cypherpunks):

 Replying to [ticket:21940 mcs]:
 > In Firefox 52 (since 49), the Firefox updater will attempt to gain
 elevated privileges on OSX if necessary to apply an update.
 If necessary. That's great.
 > On Windows, we disabled similar code
 Not good. (You even disabled updater's helper for staged updates.)
 > because (1) most Windows users probably do not install Tor Browser in a
 directory that requires admin privileges
 Most users do not install Tor Browser, because it is portable. But if they
 want to install it locally like on macOS, you've disabled that...
 > and (2) we did not want to audit the code (e.g., we did not want there
 to be a chance that someone could be tricked into granting more
 privileges, perhaps due to malware that took advantage of another security
 in updater or where?
 > On OSX the situation is a little different because we do encourage
 people to drop TorBrowser.app into /Applications, which does require admin
 Installed instead Portable. It is bad.
 > I personally use an account on OSX that has Admin privileges at all
 times, so updates work fine for me with TB 6.x and earlier... but that is
 not considered best security practice on OSX
 No comments.
 > (actually, I usually do not install TB in /Applications at all because I
 keep several versions around to make it easier to triage bugs).
 Portable. That's good. (Hint: TB is Thunderbird.)
 > Cc: Tim and Linda who may also have some thoughts on this. To be sure,
 there is a security vs. usability tradeoff here.
 Yawning's sandbox for security. Usability aspect here is that many users
 want to make TBB the default web browser, also to make it more secure to
 open web content from any app, and as a part of that, there is the need to
 install TBB as usual app, usually to the default location which usually
 needs admin privileges on any OS.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21940#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list