Freddy Freeloader wrote:
Jonathan Kaye wrote:I beg to differ with you that nothing is written in /usr/lib/mozilla-firefox during the install of extensions. I am pasting the output from ls below.-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 En/La Freddy Freeloader ha escrit, a 14/05/05 16:30: | Is anyone else running across the following problem? || Ever since Firefox changed the install routine for themes and extensions| due to a vulnerability I've been unable to install any themes or | extensions as a regular user. I can install them if I su to root and | start Firefox from the bash shell or if I run Firefox as root, but then | any extensions or themes installed don't apply to my regular user | profile. I've tried playine around with copying the entire | .mozilla/firefox directory from /root and changing owner and group | permissions on it so my user account has access but that only creates a | non-usable browser so I have to uninstall and reinstall again.| What happens is that the install routines for extensions/themes begin as| normal but fail silently. I can find no errors in any logs, and the | extensions directory remains empty. I'm assuming this is because| something has changed in the Firefox is using file permissions since the| extensions are installed in /usr/lib/mozilla-firefox and a regular user | doesn't have write permissions there. | I went to the Firefox support forums and one of the moderators told me | that this problem would be fixed in the 1.0.4 release so when the 1.0.4 | package was placed in unstable I installed it from there by downloading | the package and using dpkg to install it. (I am running Sarge.) | I'm getting no response worth mentioning from the Firefox people so I | thought I'd ask here if anyone else is seeing this too and what your | workaround was. | Hi Freddy, I'm running Sarge (2.6.8) and Firefox 1.0.4. I have the following extensions: Launchy, DictionarySearch, Linky and Adblock.AFAIK they all are installed in ~/.mozilla/firefox/default.mq3/extensions/I always run Firefox as a normal user and never as root. I never touch /usr/lib/mozilla-firefox and so permission issues don't arise. Cheers, Jonathan -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD4DBQFChg+d64+f0AXUe+4RAhR/AJ0UgB3MgDOoXdmhpaQrwnjuZifNSwCYjlMc nRFLyZVwKcuchg0Rs3+KKw== =5aX1 -----END PGP SIGNATURE-----
With each directory & file in /usr/lib/mozilla-firefox (including the symlinked ones) chmod'd go-w, how are normal users meant to be able to write to this directory?
Job:/usr/lib/mozilla-firefox# ls chrome icons libsoftokn3.so rescomponents libmozjs.so libssl3.so run-mozilla.sh components.ini libnspr4.so libxpcom_compat.so searchpluginsdefaults libnss3.so libxpcom.so xpcshell defaults.ini libnssckbi.so libxpistub.so xpicleanup extensions libplc4.so mozilla-firefox-xremote-client xpidl firefox libplds4.so plugins xpt_dump firefox-bin libsmime3.so regchrome xpt_link greprefs libsoftokn3.chk regxpcom Job:/usr/lib/mozilla-firefox# cd extensions Job:/usr/lib/mozilla-firefox/extensions# ls {972ce4c6-7e08-4474-a285-3208198ce6fd} installed-extensions-processed.txt Extensions.rdfJob:/usr/lib/mozilla-firefox/extensions# cd {972ce4c6-7e08-4474-a285-3208198ce6fd} Job:/usr/lib/mozilla-firefox/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}# lschrome install.rdf uninstallJob:/usr/lib/mozilla-firefox/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}#As you can plainly see there is data written to /usr/lib/mozilla-firefox/extensions when extensions/themes are installed.
I have these files as well (the exact same directory names!). Doing a dpkg -S on /usr/lib/mozilla-firefox/extensions/\{6c3a4023-ca27-4847-a410-2fe8a2401654\}/install.rdf returns that it belongs to mozilla-firefox-locale-en-gb
I'm guessing that you have had your extensions installed for a long time. I'd lay pretty good odds that you haven't tried installing any new extensions in the past few days either. I'm also guessing, since I have no idea how Firefox is now installing things, that the components for the extensions themselves are now being installed outside the /home directory so that a malicious site won't be able to compromise the computer through a standard user account. Changing the place where the executable files are installed to a directory where a standard user doesn't have write permissions is an easy security fix, but one that has some major consequences.
Sorry. Since /usr/lib/mozilla-firefox is NOT writable by normal users, extensions & themes have always been installed in /home. Where else are they meant to go?
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature