Firefox Automatic Update - How does it bypass normal permissions?

How is Firefox able to update itself at will, without needing root access to do so?

Hmmmm … Is it able to update itself?

Lord_Emsworth stated it nicely.

You exhort a statement without even the tiniest bit of information, let alone proof.

Yes it is. I received this unpleasant surprise recently when I started Firefox and it informed me that it had been updated to Version 9. At no time did it ask for the password. I found the appropriate setting in about:config to disable it, but that is not a satisfactory answer. I would like to know how it can bypass the usual system protections,

Chances are that this update came in through the regular update process, i.e. from the Updates repository. If you check, you’ll find Firefox 9.0 is in there. For example the Updates repo for 11.4 x86_64:
Index of /update/11.4/rpm/x86_64

henk@boven:/usr/lib/firefox> ls -l $(which firefox)
lrwxrwxrwx 1 root root 25 24 dec 21:51 /usr/bin/firefox -> ../lib/firefox/firefox.sh
henk@boven:/usr/lib/firefox> ls -ld /usr/lib/firefox
drwxr-xr-x 11 root root 4096 21 dec 19:37 /usr/lib/firefox
henk@boven:/usr/lib/firefox> ls -l /usr/lib/firefox/firefox*
-rwxr-xr-x 1 root root 51096 21 dec 19:37 /usr/lib/firefox/firefox-bin
-rwxr-xr-x 1 root root  4270 21 dec 19:32 /usr/lib/firefox/firefox.sh
henk@boven:/usr/lib/firefox>

This is from my openSUSE 11.4 system.
It shows clearly that root:root is the owner:group of the directory the firefox binary is in. Same for the binary itself. Also there is no write permission for others than the owner for those two.

My conclusion: those files can only be changed by root. That is a Unix/Linux law that Firefox can not circumvent.

You can also check the date/time of those files to see if they have been changed/replaced on the time you think that update took place.

BTW when your system manager (same person as you, but with a different hat on?) updated Firefox some time ago and you now (as user, same person, other hat on) start it for the first time after that update, FF will tell you that. Even when the update was already done a year ago.

I don’t run auto updates. I only do manual online update through YAST. This happened without my doing that.

That then is a yes - no situation.

I won’t add any comment on that.

Unfortunately I reverted to the older version before checking the files, so the file dates reflect when I did that, and the ownership and permissions will also result from that change. At this time they are as they should be.
I have never intentionally updated Firefox past version 6, because I need an add-on that doesn’t work for higher versions.

On 2012-01-23 11:36, oakhillj wrote:
>
> Lord_Emsworth;2433196 Wrote:
>> Hmmmm … -Is- it able to update itself?

> Yes it is. I received this unpleasant surprise recently when I started
> Firefox and it informed me that it had been updated to Version 9. At no
> time did it ask for the password. I found the appropriate setting in
> about:config to disable it, but that is not a satisfactory answer. I
> would like to know how it can bypass the usual system protections,

Find the files. You will find that you did a local home install.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I’m sorry, but I don’t understand what you mean by a yes-no situation.

You say you did not (as root) update FF.

I say only root can update FF.

There is no need to create an eternal loop by both keeping to that. Thus without any real proof from you, I stop arguing.

(All this of course when we still speak about a normal FF installation from the openSUSE repos by root in the normal places. And not, as Carlos seems to suggest, some FF executable put in your home directory).

Get into Yast software manager. Check what version of firefox it thinks you have.

If Yast thinks you have version 9, then you updated. If Yast thinks you have an earlier version, then the change was done outside the normal update procedures.

I don’t think firefox even gives me a choice on automatic update. It can’t be done with the openSUSE installed version. I would have to separately install firefox (perhaps from mozilla repos) for that to be possible.

On 2012-01-23 15:26, hcvv wrote:
> (All this of course when we still speak about a normal FF installation
> from the openSUSE repos by -root- in the normal places. And not, as
> Carlos seems to suggest, some FF executable put in your home directory).

Not exactly. I mean that you can upgrade an existing system install by a
local install. It is not a replacement, of course, but in the run order the
local install is found first and it runs instead of the system install.

It is the only way FF can update itself.

I have never done that, but it is what happens with addons and similar.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
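The run-order point in the post above, combined with the ownership check hcvv showed earlier in the thread, as an added example (not code from any poster). The function name `path_candidates` is made up for this illustration; it lists every copy of a program on `PATH` in lookup order and reports whether the current user could replace it.

```shell
#!/bin/sh
# Added example, not from the thread. For a program name, list every match on
# PATH in lookup order and report whether the current user could replace it.
# The first line printed is the copy the shell actually runs.

path_candidates() {    # $1 = program name, e.g. firefox
    prog=$1
    old_ifs=$IFS
    IFS=:
    set -f                                  # no globbing while splitting PATH
    for dir in $PATH; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.              # empty PATH entry means current dir
        cand=$dir/$prog
        if [ -f "$cand" ] && [ -x "$cand" ]; then
            real=$(readlink -f "$cand")     # follow symlinks such as /usr/bin/firefox
            # Replaceable if the file is writable, or its directory is
            # (a writable directory allows rename/unlink of the file).
            if [ -w "$real" ] || [ -w "$(dirname "$real")" ]; then
                state=user-writable
            else
                state=not-writable
            fi
            printf '%s\t%s\t%s\n' "$cand" "$real" "$state"
        fi
    done
    set +f
    IFS=$old_ifs
}

path_candidates firefox
```

Run it as the desktop user rather than as root, since root's write test succeeds on every file. A `user-writable` entry listed ahead of the `/usr/bin` one is a per-user copy that can change without the root password.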

On 01/23/2012 02:36 PM, oakhillj wrote:
> I only do manual online update through YAST.
> This happened without my doing that.

here is what happened:

  1. firefox 9 was placed in the update repo for 12.1, 11.4 (and maybe
    other, i have not checked) in the third week of december

  2. sometime after that you (or someone using your machine and having the
    root password) ran “a manual online update through YAST” and didn’t
    notice that firefox 9 would be installed

  3. and, therefore someone (as root, using YaST) installed firefox 9

  4. sometime after that you started firefox and it informed you that it
    had been updated to Version 9.

alternatively, someone using your machine and not having the root
password manually installed firefox 9 to your home directory

if you look in the log /var/log/zypp/history
you will see something similar to


2011-12-23 05:47:20|install|MozillaFirefox|9.0-0.2.1|i586||Updates-for-openSUSE-11.4-11.4-0|25f48e6ddbb357ae0b8ff2f1f67f22b9f4c826c5

(yours will be different maybe for date of occurrence, architecture,
openSUSE level and checksum…but you can search on firefox and find
where 9.0 was installed)

then, you can run this command


grep -i 'Dec 23' /var/log/messages | grep root

note: you must change the “Dec 23” to match the date learned in the
history file (see, mine was 2011-12-23) and the output will look
something like (probably with other info lines with root in it on that day):


linux-os114:/var/log # grep -i 'Dec 23' messages | grep root
<lines deleted>
Dec 23 05:31:11 linux-os114 su: (to root) denverd on /dev/pts/4
<lines deleted>

and you will then see who was logged in at that time, and gave the root
password…


DD http://tinyurl.com/DD-Caveat
openSUSE®, the “German Engineered Automobiles” of operating systems!
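The two manual steps in the post above (find the install in the zypp history, then grep the system log for root activity on that day) combined into one script, as an added example that is not part of the original post. The function names and the `examplepkg` / `exampleuser` lines are constructed; the MozillaFirefox and `denverd` lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Correlates package installs recorded in
# a zypp history file with "su ... (to root)" lines logged on the same day.
# zypp history fields: date time|action|name|version|arch|user|repo|checksum

install_days() {    # $1 = history file, $2 = package name
    awk -F'|' -v pkg="$2" '
        /^#/ { next }                        # skip comment lines
        $2 == "install" && $3 == pkg {
            split($1, dt, /[- ]/)            # dt[1]=YYYY dt[2]=MM dt[3]=DD
            mon = substr("JanFebMarAprMayJunJulAugSepOctNovDec", dt[2] * 3 - 2, 3)
            # syslog pads single-digit days with a space: "Dec  3"
            printf "%s %2d|%s|%s\n", mon, dt[3], $4, $1
        }' "$1"
}

root_sessions() {   # $1 = history file, $2 = syslog file, $3 = package name
    install_days "$1" "$3" | while IFS='|' read -r day ver stamp; do
        printf 'INSTALL %s %s at %s\n' "$3" "$ver" "$stamp"
        # Classic syslog lines carry no year, so this matches month and day only.
        awk -v d="$day " 'index($0, d) == 1 && index($0, "(to root)")' "$2"
    done
}

demo() {            # constructed sample data, modelled on the lines in the post
    tmp=$(mktemp -d)
    cat > "$tmp/history" <<'EOF'
# constructed sample
2011-12-03 09:10:11|install|examplepkg|1.0-1.1|i586||Updates-for-openSUSE-11.4-11.4-0|0000
2011-12-23 05:47:20|install|MozillaFirefox|9.0-0.2.1|i586||Updates-for-openSUSE-11.4-11.4-0|25f48e6ddbb357ae0b8ff2f1f67f22b9f4c826c5
EOF
    cat > "$tmp/messages" <<'EOF'
Dec  3 09:01:00 linux-os114 su: (to root) exampleuser on /dev/pts/1
Dec 23 05:31:11 linux-os114 su: (to root) denverd on /dev/pts/4
Dec 23 06:00:00 linux-os114 cron[123]: (root) CMD (constructed line)
EOF
    root_sessions "$tmp/history" "$tmp/messages" MozillaFirefox
    rm -rf "$tmp"
}

demo
```

On a real system, call `root_sessions /var/log/zypp/history /var/log/messages MozillaFirefox` as root; because the log lines have no year, a rotated log from another year can produce same-day matches that are unrelated.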

Firefox installed through YaST gives you the option to apply the update or not. To enable YaST, you need to enter your root password. At least I do.

Firefox installed manually with a tarball, can update automatically without root permission, because the user is the owner.

There are settings in Firefox that can alter this behavior.

[http://img11.imageshack.us/img11/5026/updatesettings.th.png](http://imageshack.us/photo/my-images/11/updatesettings.png/)


Add-ons can also be updated automatically. There are 2 places to check if you have that enabled. In the Advanced Update tab shown above, and from the add-ons tab itself as shown below.

[http://img708.imageshack.us/img708/8290/addonsupdate.th.png](http://imageshack.us/photo/my-images/708/addonsupdate.png/)


In case anyone is interested, the theme is LavaFoxV1 - Purple with Firefox Beta installed manually…

The OP states that his system installation of FF is overwritten (updated) by a non-root process.
He does not have any evidence of it. And what he had, he destroyed before he started this thread. As long as he does not give more technical valid information, I at least will not start guessing in the wild.

BTW. The addons you mean are end-users features. This of course to avoid that other users on the systems are getting them when they do not want them. They are not FF itself and do not upgrade the version number in FF.

When the OP really has, as end-user, copied FF in his ~/bin (or likewise), then would he complain about a non-root user overwriting his non-root “install”? That would be rather silly IMHO.

On 2012-01-23 16:46, hcvv wrote:
>
> The OP states that his system installation of FF is overwritten
> (updated) by a non-root process.
> He does not have any evidence of it. And what he had, he destroyed
> before he started this thread.

True.

> As long as he does not give more
> technical valid information, I at least will not start guessing in the
> wild.

:slight_smile:

> BTW. The addons you mean are end-users features. This of course to
> avoid that other users on the systems are getting them when they do not
> want them. They are not FF itself and do not upgrade the version number
> in FF.

But I think that FF can do that. Just a guess.

> When the OP really has, as end-user, copied FF in his ~/bin (or
> likewise), then would he complain about a non-root user overwriting his
> non-root “install”? That would be rather silly IMHO.

But possible.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I made the mistake of assuming that what I experienced was usual for Firefox. It seems that it isn’t, so I will look for an explanation elsewhere.

As long as a process does not run “as root” it can not write to files owned by root and having no write permission for others.
There is no exception when that process has the name firefox.
Thus, running firefox (or any other program) as normal user, can not update firefox files inside /bin and the like.

Thus your question:

How is Firefox able to update itself at will, without needing root access to do so?

is like “Why is there no salt in the ocean?” It is simply not true. And without you telling more than half a line about what you experienced, saw, did or did not, we can not help you because we simply do not understand what you are talking about.

Even the version of openSUSE you use is not in your post.