[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firefox extension and themes install

Jonathan Kaye wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

En/La Freddy Freeloader ha escrit, a 14/05/05 16:30:
| Is anyone else running across the following problem?
|
| Ever since Firefox changed the install routine for themes and extensions 
| due to a vulnerability I've been unable to install any themes or
| extensions as a regular user.   I can install them if I su to root and
| start Firefox from the bash shell or if I run Firefox as root, but then
| any extensions or themes installed don't apply to my regular user
| profile.  I've tried playine around with copying the entire
| .mozilla/firefox directory from /root and changing owner and group
| permissions on it so my user account has access but that only creates a
| non-usable browser so I have to uninstall and reinstall again.
| What happens is that the install routines for extensions/themes begin as 
| normal but fail silently.  I can find no errors in any logs, and the
| extensions directory remains empty.  I'm assuming this is because
| something has changed in the Firefox is using file permissions since the 
| extensions are installed in /usr/lib/mozilla-firefox and a regular user
| doesn't have write permissions there.
| I went to the Firefox support forums and one of the moderators told me
| that this problem would be fixed in the 1.0.4 release so when the 1.0.4
| package was placed in unstable I installed it from there by downloading
| the package and using dpkg to install it.  (I am running Sarge.)
| I'm getting no response worth mentioning from the Firefox people so I
| thought I'd ask here if anyone else is seeing this too and what your
| workaround was.
|
Hi Freddy,
I'm running Sarge (2.6.8) and Firefox 1.0.4. I have the following
extensions: Launchy, DictionarySearch, Linky and Adblock.
AFAIK they all are installed in ~/.mozilla/firefox/default.mq3/extensions/ 
I always run Firefox as a normal user and never as root. I never touch
/usr/lib/mozilla-firefox and so permission issues don't arise.
Cheers,
Jonathan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD4DBQFChg+d64+f0AXUe+4RAhR/AJ0UgB3MgDOoXdmhpaQrwnjuZifNSwCYjlMc
nRFLyZVwKcuchg0Rs3+KKw==
=5aX1
-----END PGP SIGNATURE-----
I beg to differ with you that nothing is written in /usr/lib/mozilla-firefox during the install of extensions. I am pasting the output from ls below. 

Job:/usr/lib/mozilla-firefox# ls
chrome          icons            libsoftokn3.so                  res
components libmozjs.so libssl3.so run-mozilla.sh components.ini libnspr4.so libxpcom_compat.so searchplugins 
defaults        libnss3.so       libxpcom.so                     xpcshell
defaults.ini    libnssckbi.so    libxpistub.so                   xpicleanup
extensions      libplc4.so       mozilla-firefox-xremote-client  xpidl
firefox         libplds4.so      plugins                         xpt_dump
firefox-bin     libsmime3.so     regchrome                       xpt_link
greprefs        libsoftokn3.chk  regxpcom
Job:/usr/lib/mozilla-firefox# cd extensions
Job:/usr/lib/mozilla-firefox/extensions# ls
{972ce4c6-7e08-4474-a285-3208198ce6fd}  installed-extensions-processed.txt
Extensions.rdf
Job:/usr/lib/mozilla-firefox/extensions# cd {972ce4c6-7e08-4474-a285-3208198ce6fd} Job:/usr/lib/mozilla-firefox/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}# ls 
chrome  install.rdf  uninstall
Job:/usr/lib/mozilla-firefox/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}#
As you can plainly see there is data written to /usr/lib/mozilla-firefox/extensions when extensions/themes are installed. I'm guessing that you have had your extensions installed for a long time. I'd lay pretty good odds that you haven't tried installing any new extensions in the past few days either. I'm also guessing, since I have no idea how Firefox is now installing things, that the components for the extensions themselves are now being installed outside the /home directory so that a malicious site won't be able to compromise the computer through a standard user account. Changing the place where the executable files are installed to a directory where a standard user doesn't have write permissions is an easy security fix, but one that has some major consequences.
Reply to: