[tbb-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disabling privilege escalation

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 26 02:05:13 UTC 2017

#21940: OSX updater: consider disabling privilege escalation
 Reporter:  mcs                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201704                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by teor):

 Replying to [comment:2 gk]:
 > I wonder why nobody has reported problems about failing updates on macOS
 so far. I mean the issue is not new with the switch to ESR52.

 Not many people use multiple user accounts, and even if they do, Tor
 Browser can only be used from one account on the same machine, due to
 SOCKSPort conflicts. And in previous TBB releases, everything was stored
 in the app bundle, so multiple users meant sharing your bookmarks and
 everything else as well.

 And there are permissions issues:

 When an admin installs Tor Browser by dropping it in the Applications
 folder, they become the owner, with the group "admin" and mask 750.

 So a non-admin user can't use Tor Browser, because they can't even read
 the directory. See #21779.

 But another admin user can use Tor Browser, but can't update it.

 And if an admin changes the permissions on the Tor Browser folder, they
 probably know what to do when an update fails.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21940#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list