[tbb-bugs] #21940 [Applications/Tor Browser]: OSX updater: consider disabling privilege escalation

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 26 15:00:53 UTC 2017

#21940: OSX updater: consider disabling privilege escalation
 Reporter:  mcs                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201704                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by mcs):

 Thanks Tim. One more scenario which I just tested: if a non-admin user
 installs Tor Browser into /Applications they are prompted to authenticate
 as an administrator. After they do that, TorBrowser.app is owned by the
 non-admin user (which surprises me a little). But that does mean that the
 non-admin user can update.

 Reading the first part of
 https://bugzilla.mozilla.org/show_bug.cgi?id=394984 again, the scenario
 mentioned there is that of Firefox being installed by an account that no
 longer exists. So maybe the need for privilege escalation is very limited,
 even if we fix #21779.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21940#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list