This splits out the elevation piece from bug 516362 to track this work and associated security review separately.

An email has been sent requesting a security review of this feature. Here are the associated documents:

Security Review Request
Security Review Document (includes Feature Summary, Architecture & Detailed Application Diagram (Flow Diagram), Data-flow Enumeration and Threat Analysis)

Now that the patch has been reviewed, the team has discussed the possibility of landing this patch prior to getting formal security review signoff. We wouldn't usually suggest to land code before it has been properly security reviewed, but the reasons for doing so in this instance are compelling:

There is a high degree of confidence that there are no further concerns that a security review will discover since we have removed all the "scary" code from a previously proposed patch and instead rely on previously security reviewed code that landed in bug 394984 over five years ago.

It was also determined that if the security review were to find any issues, it would most likely be in existing code from the elevated updater that landed in bug 394984. The code introduced here merely wraps the existing functionality introduced in bug 394984.

Lastly, landing the patch now would allow us to finally test this functionality end-to-end, since we were prevented from doing so due to an inability to test with officially signed builds. Try does not sign builds and Oak was unavailable for testing.

Having considered these points, we have decided to tentatively land this code on Nightly to unblock testing of this functionality.

Backed out for windows build bustages

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=d28a7b6edac6cd5407fd24c177d4984b7080de94&selectedTaskRun=fcKnPKZFRBSYK-FN6wWq9Q.0

Failure log: https://treeherder.mozilla.org/logviewer?job_id=350364884&repo=autoland&lineNumber=36563

Backout: https://hg.mozilla.org/integration/autoland/rev/708683349118cc869da8ac0bd3710e107e142df4

Backed out changeset b55cdb5c3841 (Bug 1728167) for causing xpcshell failures in bootstrapSvc.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/86aa829d709a12e9d8fb968ebd70eb2440e93e71
Push with failures, failure log.

https://hg.mozilla.org/mozilla-central/rev/edcb03977b8e

I just tried this by running the latest Nightly on a standard user account. I was prompted for elevation and the installation appeared to complete successfully. The .app bundle was properly moved to /Applications, permissions were set correctly and the app icon was pinned to the Dock. I have also confirmed that clicking the pinned Dock icon will properly launch Nightly from the /Applications directory.

This change breaks building with ac_add_options --disable-updater.

Error message:
/release/toolkit/xre/nsUpdateDriver.h:11:10: fatal error: 'nsIUpdateService.h' file not found

(In reply to matthias koplenig [:metasieben] from comment #11)

This change breaks building with ac_add_options --disable-updater.

Error message:
/release/toolkit/xre/nsUpdateDriver.h:11:10: fatal error: 'nsIUpdateService.h' file not found

Thanks for reporting! A fix for this just got queued for landing in bug 1733864.