[tor-bugs] #5900 [Tor bundles/installation]: TorBrowser on Mac OS requires write permission to application

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed May 16 13:32:23 UTC 2012


#5900: TorBrowser on Mac OS requires write permission to application
--------------------------------------+-------------------------------------
 Reporter:  rptb1                     |          Owner:  erinn        
     Type:  defect                    |         Status:  new          
 Priority:  normal                    |      Milestone:               
Component:  Tor bundles/installation  |        Version:  Tor: 0.2.2.35
 Keywords:                            |         Parent:               
   Points:                            |   Actualpoints:               
--------------------------------------+-------------------------------------
 The TorBrowser bundle will fail to launch if the current user does not
 have write permission to directories and files within the TorBrowser
 application bundle.

 This means that:
   - it is not possible to install TorBrowser securely in the system-wide
 Applications directory for use by multiple users.
   - TorBrowser is leaving traces of use in an unconventional location.

 In general, Mac OS X applications can't assume that they can write to
 their own bundles without first becoming root.

 TorBrowser appears to write to
   Contents/Resources/Data/Tor
   Library/Application Support/Firefox/Profiles/profile
   Library/Vidalia

 There may be others -- this is where I found modified files after a simple
 session.

 Reproduce:
   1. Unzip TorBrowser-2.2.35-11-osx-x86_64-en-US.zip
   2. Drag the bundle to /Applications
   3. Launch and test.
   4. Switch to another user account.
   5. Attempt to launch.  Observe permissions errors.
   6. find /Applications/TorBrowser_en-US.app -mtime -1d -ls

 Suggestions:

 Normally these kinds of things would be in the user's home directory.  Is
 there a good reason why they aren't?  Note that the permissions problem
 more or less forces the user to place the whole bundle in their home
 anyway, so traces are still left there, though trashing the bundle is
 quite reliable.

 Does TorBrowser want anything to persist between sessions?  I would have
 guessed not.  In which case, consider /tmp (with erase on exit) or a
 temporary RAM disk image using a method like
 <http://osxdaily.com/2007/03/23/create-a-ram-disk-in-mac-os-x/>.
 ("hdiutil attach -nobrowse" will prevent the image popping up in the
 Finder)

 I was not able to find a ticket on this issue. I hope this is a useful
 report.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5900>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list