Closed Bug 42184 Opened 24 years ago Closed 21 years ago

Mozilla-bin must not write to bin dir during installation

Categories

(Core :: XPCOM, defect, P3)

defect

Tracking

()

RESOLVED FIXED

People

(Reporter: BenB, Assigned: dveditz)

References

Details

(Keywords: arch, relnote, Whiteboard: [relnote-user] For tarballs, fixed by bug 90879.)

Split-off from bug 41057. The problem is security. You should not run a beast like Mozilla as root, you can't be sure that it has no security holes. I think, the install process (if needed at all) should run as separate binary.
The workaround is to run Mozilla as user and then change access rights. Not quite a good solution.
So if mozilla can't write to the bin directory during installation, then how does it get installed? Your description of the problem you're trying to solve is a bit muddled. What does running as root have to do with it? Mozilla just needs to be run by someone with permission to write in those directories. Anyway I'm passing this bug off to warren for lack of anyone better. It's not the install that's doing this writing, it's XPCOM autoreg, chrome registration, profile creation and other parts of mozilla.
Assignee: dveditz → warren
Component: Installer: XPInstall Engine → XPCOM
Keywords: arch
> So if mozilla can't write to the bin directory during installation, then how > does it get installed? I was speaking about mozilla-bin, the app suite. Running a small (!) command-line install tool is fine. > What does running as root have to do with it? Mozilla just needs to be run by > someone with permission to write in those directories. Yes, this is what I addressed with my comment at 2000-06-11 15:50. Yes, you can change the access rights of <mozbindir> and all parent folders (at least on Unix, if I'm right), install Mozilla and then change all of them back. I don't think, this is a good solution.
Mozilla should distinguish between the destination location and the installation location. The first is Mozilla's final resting place and the second is an intermediate directory. For the more trusting they would be the same; for the more paranoid they would not. For the really paranoid, a normal user could run Mozilla's installation script, including any configuration executables, and then root could look over what was done and change anything she thought was inappropriate, including permissions and ownership. The really paranoid root never runs an untrusted program. All she has to do is run system utilities. Note that the GNU autoconf system allows exactly that. For the typical source package, one can say: ./configure --prefix=/usr make make install prefix=/tmp/package-foo/usr and the right thing happens. Obviously, a binary package just does the last step. RPM .spec files often make use of this feature so Mozilla could also please binary packagers with no extra effort.
I don't see what the difference is between this and the other bug (bug 41057).
Essentially there are two stages install time run time I think bug 41057 is run time this is install time Admins want both types to not require root. But they are separate stages possibly [likely] to use different applications.
I'm sorry, but why can't you write to bin during install time? When else are you going to write this data?
Target Milestone: --- → M18
They are different in that you must *never* write to bin dir at run time. You can (and propably have to) write to it during installation, but it must not be mozilla-bin, the app suite. Running a small (!) command-line install tool is fine. It should be minimal, so that it is easy to make a security audit (i.e. check, if there are any possible explaits), as it is often run by root. Some (see timeless' comments) prefer to not even run that app as root.
Yes, and isn't that covered by the other bug? I think this bug is invalid.
warren, -- Comments From dveditz@netscape.com 2000-06-11 09:43 in bug 41057 -- > We need to split this into two cases, the install case and a regular run. > Mozilla cannot be just unpacked into a directory, it must be run once as part > of the installation process by a person with installation rights in those > directories. This bug is about creating a small programm, which does all necessary writes to the bin dir in order to allow mozilla-bin to run. The other bug is about removing all writes of mozilla-bin to the bin dir. Yes, there is propably some intersection. But you don't want hyatt (who you assigned the other bug to) to write command line install tools, do you?
Keywords: nsbeta3
Blocks: 41057
No longer blocks: 41057
Whiteboard: [nsbeta3+]
Seems like there is some progress: there are regxpcom, regchrome and regExport. But we need a user-friendly, non-GUI way to run them. And we need to make sure, that's all.
Looking at recent builds, if you unpack and chown mozilla as root without first running it to "install" the application then mail/news and themes do NOT work. This should be a relnote for M17.
If you want a non-gui way of creating all the necessary files you can currently run "mozilla -CreateProfile" which will do all the necessary registrations, create a default profile and exit.
Comment seen on x.themes.org: "re Netscape Install I tried to installed per the instructions, but what they dont tell you: I could not install it as root and run it as a user. I had to install it into my user directory and then it would work." We need to better document this.
Keywords: relnote, relnote2
*** Bug 45229 has been marked as a duplicate of this bug. ***
dveditz: (sorry to reply so late after your comment - I just found this bug) As Ben Bucksh says in the 8th comment on this bug, it is okay to write to the bin directory at install time, but it is *not* okay to require that mozilla itself be run. Even just with the CreateProfile flag. Mozilla is *way* too big to audit for security. From a later comment by Ben, it looks like this issue might be addressed by simply running regxpcom, regchrome and regExport from a shell script as part of the unix installation (does the tarball have an install script? I use the debian packages...) If the tarball doesn't have an install script, having a README.packaging file that documents that it is necessary to run these three programs in the "postinst" part of your packaging script would be good. If these three scripts really do do *all* the processing that ever needs to be done as root, then creating a README.packaging file or modifying the install script would probably be all that was necessary to mark this bug FIXED. Right?
*** Bug 48235 has been marked as a duplicate of this bug. ***
*** Bug 50528 has been marked as a duplicate of this bug. ***
Keywords: mostfreq
*** Bug 43091 has been marked as a duplicate of this bug. ***
I just tried to re-open 43091 but this is just as good. I can't even run moz as a user anymore - segfault. Could someone answer this question - doesn't Moz have to write into the component registry during normal operation? Like, I change the skin or something? If so, then I should have my own, user-owned copy of the registry, right?
Doug -- you should try to reopen that bug or some other child of bug 41057 which deals with Mozilla at run-time. You should NOT need access at run time in general, your private selections are written to files in your profile directory. *this* bug deals with the fact that Mozilla requires write permissions the first time in order to do the initial registrations. 41057 is a simple bug (ok, lots of bugs), this one is a tougher architectural problem since we assumed an "install" step.
Ok, *MY* copy of Mozilla is definitely writing into the install directory. Here's what I did today: -Downloaded the Daily Dump. -Untarred xzpf. -Ran mozilla as user: Segfault. -Against my better judgement, ran mozilla as root: no problem. -Ran as user again: Segfault. -Back to root and "chmod -R a+w ." -Back to user and run mozilla: no problem. To me this is a watertight case that it is writing in the install directory. I'll go and post this again on bug 43091 to try to focus some attention on this SEVERE PROBLEM.
Warren's away this week, can we get someone who is around to fix this? It is indeed a bad thing for a Unix app to try to write to system directories. Dan, can you help? /be
Depends on: 51677
Bug 51677 is a workaround (or alternate implementation, if you want), not dependency.
No longer depends on: 51677
*** Bug 53693 has been marked as a duplicate of this bug. ***
*** Bug 53918 has been marked as a duplicate of this bug. ***
Not holding PR3 for this; marking nsbeta3-.
Whiteboard: [nsbeta3+] → [nsbeta3-]
Keywords: rtm
Keywords: relnote3
*** Bug 53639 has been marked as a duplicate of this bug. ***
Keywords: mozilla1.0
Bug 55419 would regress this bug.
How can you regress a bug that isn't fixed?
Making it worse than it was before. Like ill (a cold) -> more ill (cancer).
At this point, I really don't see the difference between this bug and bug 41057. There is a complaint that you shouldn't run mozilla at install time because it's too big to do a security audit on, but we're not fixing that now. Marking dup. *** This bug has been marked as a duplicate of 41057 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
warren, please! "we're not fixing that now" is really no reason to close a bug. REOPENing.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
warren: yes, that's *exactly* why this bug was split off from bug 41057 -- because we knew that one needed fixing NOW and this one needs some thinking and redesign.
I don't know who nominated it for rtm though -- no way we'll get this rearchitected in that time frame. Giving [rtm-] relnoteRTM text: (something like) On systems where Mozilla (Netscape 6) is installed into a directory protected from writing by users, it must be run the first time by a privileged account to write out necessary system information files. This task is normally performed automatically by the installer.
Keywords: relnoteRTM
Whiteboard: [nsbeta3-] → [nsbeta3-][rtm-]
Then perhaps you should rename this "mozilla shouldn't be run during install". I really don't know why that's interesting though. As I said in bug 41057, there's only one remaining problem, and Hyatt thinks there's an easy fix. But I'll let you be the judge, Dan.
Assignee: warren → dveditz
Status: REOPENED → NEW
The summary warren suggested would be OK with me. warren, apps running as root should undergo a detailed security review. Doing that with mozilla-bin is practically impossible. E.g., IIRC, the GTK developers recommend not to run GTK as root.
I believe it's relatively easy to eliminate the need for running Mozilla at install time. If I run regxpcom and then regchrome the only thing running Mozilla does is to create package/chrome/user-*.rdf files. With a 1012 build, if userA has no ~/.mozilla, unpacks a tarball, and runs Mozilla from there then package/chrome/user* files are created. Any other user can then run mozilla quite happily. If userA switches themes, say, then she acquires a local user-skins.rdf file. Now let's say she want to install a newer tarball so she removes the old one and repeats her steps. Mozilla now notices that she has a local user-skins.rdf file and does *not* create a global one. All other users are now screwed because Mozilla can read neither a global file nor a local file but is trying to write a global file which fails. Mozilla hangs and just sits there looking stupid. Since Mozilla appears to be happy with just local user-* files, and they appear to really be per-user files, then I think Mozilla should write these files to the local location always. If you do that then everything falls into place. A non-privileged user can unpack a tarball and then run regxpcom and regchrome. A privileged user can then come along and change the ownership and permissions as desired and move the directory tree to its final home or even create a functional binary tarball. What's nice is that this could easily be a shell script. Best of all, the privileged user never has to run untrusted applications. There are some minor problems. Regxpcom is currently linked to the GTK and X11 libs. This appears to be unnecessary and is probably just a build bug. A somewhat bigger problem is that behaves poorly when it can't write to a file but that's not this bug.
regchrome should cause the user-*.rdf files to be written as well. If not, then the installed-chrome.txt is probably misordered such that a select command is happening prior to the install command of a package that the select command wants to operate on. Move the select commands to the very bottom of installed-chrome.txt and then run regchrome, and you shouldn't even see any user-*.rdf files generated.
Depends on: 56634
What does a select line look like? All lines in installed-chrome.txt are of the form *,install,* .
*** Bug 56444 has been marked as a duplicate of this bug. ***
*** Bug 56616 has been marked as a duplicate of this bug. ***
Once the user-*.rdf problem is solved, it becomes (almost) trivial to write a command-line install script although something like ./configure; make install would probably be more useful.
Here's something to try. As userA unpack a mozilla nightly. Then run this script: #!/bin/sh HERE=`pwd` THERE=$HERE/package export LD_LIBRARY_PATH=$THERE export MOZILLA_FIVE_HOME=$THERE (cd $THERE; ./regxpcom) (cd $THERE; ./regchrome) touch $THERE/chrome/user-skins.rdf touch $THERE/chrome/user-locales.rdf Do not run mozilla as userA. Instead try it as userB. It works for me with empty user-*.rdf files.
Keywords: patch, review
Is there a commandline xpi package installer in the works?
Ben: please elaborate -- isn't that what the Linux installer already is? It downloads and installs .xpi files. Are you just asking for an admin-friendly "silent" mode?
dveditz, the Linux installer is an X11 app, not?
Depends on: 57089
regxpcom also creates $HOME/.mozilla but does nothing with it. It seems superfluous and is not a confidence builder. Bug 57644 filed.
Keywords: relnote2, relnote3
Whiteboard: [nsbeta3-][rtm-] → [nsbeta3-][rtm-] relnote-user
Unsetting target milestone - M18 is long past. Side note: This bug has a patch posted in the comments. Gerv
Target Milestone: M18 → ---
Uhm, X11 installer is a _bad_ idea on Unix/Linux - some multiuser systems on big sites are running headless as servers and share their dirs with their client machines. An unix installer should have an option to run without X11 during installation (does someone remember these =x)(&//!! Oracle installer which can't run without X11 but does not use it... =:-)
Keywords: mozilla0.9.1
FYI: I tried to use regchrome and regxpcom (as the owning user) only, but Mozilla coredumped (when run as a different user). After I ran mozilla-bin (as the owning user), everything worked fine (also when run as a different user). I didn't track down the reason.
Filed bug 77365 to request a command-line xpinstall binary (as discussed in this bug). I wonder if this bug should be marked fixed? Most people seem to be having success with regxpcom+regchrome+touching those two skin files. Ben, did you try the full script suggested by tenthumbs above? One other question: Could we possibly run regxpcom and regchrome and create the skin files as part of "make install"? That would stop people who just run ./configure && make from running into this and complaining because they didn't read the docs. Thoughts?
if that script works, why don't we include the script also in .tar.gz binary packages, so that after unpacking, you only have to run the script and are able to run the program? I think this is also what an rpm installation (of some distributor) would need and would be able to do, right? Note Ben's comments about having problems running only regchrome and regxpcom - what about that? Does it mean the script will also fail? What can be done against that?
*** Bug 78487 has been marked as a duplicate of this bug. ***
That you need to run mozilla once with write permission to MOZILLA_FIVE_HOME, before Mozilla is installed, is one thing. But it's really annoying, that if you don't know about that (and I couldn't find that in the release notes), you won't easily find out, because neither regxpcom nor regchrome will tell you. They just exit without printing something like "no write permission to MOZILLA_FIVE_HOME".
I 've just installed mozilla0.9 on a LinuxBox for multi-user-access. Postinstall I did a ./mozilla as root but when I did start mozilla as normal user I got a SegFault!!! An "strace $prog ${1+"$@"} " in run-mozilla told me, an "open(... /mozilla/chrome/user-skins.rdf ...) " failed! During running mozilla first time as root this file wasn't created! After cp an old one from mozilla0.8.1 into "/mozilla/chrome/" everything is fine, and I can run mozilla as normal user! I hope this is the right place to post this error! Hajo
> During running mozilla first time as root this file wasn't created! I think I can answer this one. The RDF files such as user-skins will NOT be created in the install tree if they already exist in the user's profile tree. If you're running Mozilla from root with the intention of having it create the RDF files in the install tree, then root must have a clean profile tree.
It seems awfully silly to impose a restriction that the installer process not have a ~/.mozilla tree. In any event, touching $MOZILLA_FIVE_HOME/chrome/user-skins.rdf has always worked for me. The only thing left in this bug is why Mozilla is why mozilla fails so miserably if the global user-*.rdf files don't exist.
You can have a ~/.mozilla tree, you just can't have the RDF files in it. I'm not saying this is desired or even acceptable, I'm just saying that's the I've observed it working.
Depends on: 79520
Why shoudn't regchrome create the user-*.rdf files? They are for chrome. Also filed bug 79520.
*** Bug 78742 has been marked as a duplicate of this bug. ***
*** Bug 80205 has been marked as a duplicate of this bug. ***
*** Bug 79520 has been marked as a duplicate of this bug. ***
This problem resulted in my inability to run Mozilla after upgrading to 0.9.1 from 0.9. An entry in the README or installation instructions along with a descriptive error message when the RDF files are not found or can not be created would be greatly appreciated. Simply crashing when this is the case is highly misleading.
*** Bug 83282 has been marked as a duplicate of this bug. ***
See bug 90879. It describes a way to generate a tarball, which can just be extracted to a dir by root and be used by users. root never has to run any Mozilla binary.
Whiteboard: [nsbeta3-][rtm-] relnote-user → [relnote-user] For tarballs, fixed by bug 90879.
This one should be nominated as a MUSTFIX for Mozilla 1.0 (I see no entry for the target milestone)! Up to now three system administrators of larger institutes (> 100 employees) said to me they will not install Mozilla if it must be installed for every user (will take up too much space and too much worktime). So this one gets to be a major blocker for Mozilla's success on multiuser systems in larger companies. We here (124 employees) are anxious to install even the beta releases, as they are more stable now than Nav 4.x on Solaris, but we probably must wait forever if this is not fixed. By the way, that one is a really ugly design error, such bad things shouldn't happen in the future !
FWIW, I've been able to do a shared installation for several thousand users on both Solaris and Linux. The trick is to install it in the shared system directory, then run it once as the owner (i.e. the user with write access). After that all the other users can run it read-only. Kind of messy, and perhaps there are undiscovered problems with this approach, but so far it seems to work OK for us.
I agree, this is a MUSTFIX for 1.0. I, also, have had no problems with this procedure: as root: untar everything to /usr/local/mozilla as root: chown -R me.users /usr/local/mozilla as me: run-mozilla.sh and exit as root: chown -R root.root /usr/local/mozilla thereafter, it runs fine for everyone. The workaround is so simple, I can't believe it's that hard to just make it work like it should.
Depends on: 92898
*** Bug 94584 has been marked as a duplicate of this bug. ***
*** Bug 94771 has been marked as a duplicate of this bug. ***
*** Bug 99887 has been marked as a duplicate of this bug. ***
This bug requires a release notes entry. Can someone provide a one or two explanation of the problem along with any worksaround?
"Correct Mozilla installation requires initialization of component and chrome registries. If installing on a multi-user system, the initialization must be performed by a user (such as "root" on Unix systems) with sufficient privileges to create and modify files in the Mozilla installation area." Blizzard, can you provide a quick bulleted list of the steps required to initialize the databases? I'll love you forever.
I had written the doc how to add language pack to Mozilla that is installed in shared directory on UNIX platform. Does this help? http://www.mozilla.org/projects/l10n/mlp_distrib.html
Here's the shell script that's run after any component is installed. It contains all the bits that need to be done. [snip] #!/bin/sh umask 022 if [ -f /usr/lib/mozilla/regxpcom ]; then /bin/rm -rf /usr/lib/mozilla/chrome/overlayinfo /bin/rm -f /usr/lib/mozilla/chrome/*.rdf /bin/mkdir -p /usr/lib/mozilla/chrome/overlayinfo /bin/rm -f /usr/lib/mozilla/component.reg MOZILLA_FIVE_HOME=/usr/lib/mozilla \ /usr/lib/mozilla/regxpcom >/dev/null 2>/dev/null MOZILLA_FIVE_HOME=/usr/lib/mozilla \ /usr/lib/mozilla/regchrome >/dev/null 2>/dev/null fi exit 0
*** Bug 79520 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
how is this any different than bug 57089?
Bug #57089 is installer only, this one applies to tarball only installation as well. Note that #57089 is in the dependence list of this bug, so it fixes parts of this problem.
(In reply to comment #79) > Bug #57089 is installer only, this one applies to tarball only installation as no one is forcing anyone to run Mozilla to write to the installation dir after a tarball installation.
Indeed. But if you don't run the script shown in comment #76 (and mentioned explicitly in the release notes), you run exactly into the same problems as in bug #57089. So you ARE forced to run it if it should work for anyone else than yourself (aka 'root' in a multi-user installation).
you really just need to run regxpcom and regchrome. The stuff deleted in comment 76 does not exist on installation, and the directory is made automagically. Moreover, what is it preventing you from running the script? I don't understand what changes need to be implemented in the Mozilla source to fix this bug. I think the summary here is not helping me. > Mozilla-bin must not write to bin dir during installation 1. No one forces you to run mozilla during tarball installation. 2. If you do run mozilla and you haven't run regxpcom/regchrome, it *must* write to the installation dir, or it will crash and burn.
All what is left in this bug is that the script is not automagically fired up in a tarball installation. Yes, it must write to the bin directory (if calling Mozilla or the script here is irrelevant, one of them must be run to get the desired effect). I think that the alternative (that is, rewriting Mozilla so that it does not need the scripts) is not worth discussing any longer, since the script solution is adequate. From my point of view, this bug is of no practical relevance anymore, so it may should be closed now.
Hmmmm... maybe it should be said another way. The fact that the release notes even has a section named "Multi-User Linux Installations" is a bug. It is a work-around for a broken install. Multi-user is the norm on Unix and Linux. I might find it understandable to see special instruction for single-user installs but even that would be unusual. The install instructions should NOT tell the installer to "Run Mozilla with the ./mozilla run script". The installer is often root and this is a security concern for most system administrators. A posible fix is to elliminate the "Multi-User Linux Installations" work-arround section and the "Run Mozilla with the ./mozilla run script" step. Package the script mentioned in the "Multi-User Linux Installations" that runs regxpcom and regchrome, perhaps in a "smarter" form if necessary, and include it in the installation. Maybe call it "mozsetup" or something. Then add a step to the directions telling the installer to run this setup script.
bug 57089 is now fixed, so I don't know what issues remain here. David: if you think the website docs/README need updating, please file a new bug.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago21 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.