Closed Bug 1255590 Opened 8 years ago Closed 8 years ago

Allow unsigned addons in /usr/{lib,share}/mozilla/extensions

Categories

(Toolkit :: Add-ons Manager, defect)

defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla48
Tracking Status
firefox48 --- verified

People

(Reporter: glandium, Assigned: glandium)

References

Details

Attachments

(2 files)

On non-OSX unix, the addon manager picks addons from /usr/{lib,share}/mozilla/extensions. Those are behind the XRE_SYS_LOCAL_EXTENSION_PARENT_DIR and XRE_SYS_SHARE_EXTENSION_PARENT_DIR DirectoryService keys.

On typical non-OSX unix systems, these directories are handled by package managers, and on typical linux distros, package maintainers have created packages for popular addons.

This obviously all breaks with addon signature requirements.

But since those directories are only accessible to root, lifting the signature requirement poses no additional threat. If a malware has root, it installing Firefox addons is the least of the user's problems.

The attached patch is what I'm using on Debian to make those package-manager-installed addons not require a signature.

Note that on OSX, XRE_SYS_LOCAL_EXTENSION_PARENT_DIR does return something, and might not be desirable to use it because the permissions model on OSX may be allowing third party apps to copy files in there.

Not sure how to exclude OSX properly to make the last mile.
Flags: needinfo?(dtownsend)
I'm going to defer this to Kev as product manager to make the call here but this seems reasonable to me
Flags: needinfo?(dtownsend) → needinfo?(kev)
Approved. This has been discussed, and it's a reasonable approach for addons that a user/sysadmin wants to install explicitly. 

The expectation is that public distributions that include Firefox will not include addons in this directory by default.
Flags: needinfo?(kev)
Now that things are cleared, any idea about the last sentence in comment 0?
Flags: needinfo?(dtownsend)
(In reply to Mike Hommey [:glandium] from comment #3)
> Now that things are cleared, any idea about the last sentence in comment 0?

Checking nsIXULRuntime.OS I guess
Flags: needinfo?(dtownsend)
OS.Constants.Sys.Name maybe?
(In reply to Mike Hommey [:glandium] from comment #5)
> OS.Constants.Sys.Name maybe?

That's just an indirect way of getting nsIXULRuntime.OS: https://dxr.mozilla.org/mozilla-central/source/dom/system/OSFileConstants.cpp#899
(In reply to Dave Townsend [:mossop] from comment #6)
> (In reply to Mike Hommey [:glandium] from comment #5)
> > OS.Constants.Sys.Name maybe?
> 
> That's just an indirect way of getting nsIXULRuntime.OS:
> https://dxr.mozilla.org/mozilla-central/source/dom/system/OSFileConstants.
> cpp#899

I know, but that's less xpcom-boilerplate-y.
(In reply to Mike Hommey [:glandium] from comment #7)
> (In reply to Dave Townsend [:mossop] from comment #6)
> > (In reply to Mike Hommey [:glandium] from comment #5)
> > > OS.Constants.Sys.Name maybe?
> > 
> > That's just an indirect way of getting nsIXULRuntime.OS:
> > https://dxr.mozilla.org/mozilla-central/source/dom/system/OSFileConstants.
> > cpp#899
> 
> I know, but that's less xpcom-boilerplate-y.

Services.appInfo.OS!
Comment on attachment 8735371 [details]
MozReview Request: Bug 1255590 - Allow unsigned addons in /usr/{lib,share}/mozilla/extensions. r?mossop

https://reviewboard.mozilla.org/r/42753/#review39495

These tests are getting messy :(
Attachment #8735371 - Flags: review?(dtownsend) → review+
https://hg.mozilla.org/mozilla-central/rev/cdb91f4483be
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Depends on: 1294483
Assignee: nobody → mh+mozilla
I was unable to verify this issue on Firefox 51.0a1 (2016-08-18) under Ubuntu 14.04 32-bit. I’ve tried to install several add-ons in /usr/lib/mozilla/extensions running the following steps http://askubuntu.com/questions/73474/how-to-install-firefox-addon-from-command-line-in-scripts  but the add-ons are not displayed in Add-ons Manager.

The only add-on that appears in Firefox is the default ubuntu add-on http://i.imgur.com/mRuvFoZ.png which can be enabled without the META-INF folder.


Dave, could you please provide some reliable steps in order to verify this bug?
Flags: needinfo?(dtownsend)
(In reply to Vasilica Mihasca, QA [:vasilica_mihasca] from comment #13)
> I was unable to verify this issue on Firefox 51.0a1 (2016-08-18) under
> Ubuntu 14.04 32-bit. I’ve tried to install several add-ons in
> /usr/lib/mozilla/extensions running the following steps
> http://askubuntu.com/questions/73474/how-to-install-firefox-addon-from-
> command-line-in-scripts  but the add-ons are not displayed in Add-ons
> Manager.

These steps are extremely outdated, please ignore them. You need to follow the instructions here: https://developer.mozilla.org/en-US/Add-ons/Installing_extensions and put the extension in /usr/lib/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/<extension id>.xpi (substitute lib for lib64 on 64-bit builds).
Flags: needinfo?(dtownsend)
(In reply to Dave Townsend [:mossop] from comment #14)

> These steps are extremely outdated, please ignore them. You need to follow
> the instructions here:
> https://developer.mozilla.org/en-US/Add-ons/Installing_extensions and put
> the extension in
> /usr/lib/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/
> <extension id>.xpi (substitute lib for lib64 on 64-bit builds).

Thanks Dave for the additional information!

I was able to reproduce the initial issue on Firefox 45 (20160303134406) under Ubuntu 14.04 32-bit.

Verified fixed on Firefox 51.0a1 (2016-08-24), Firefox 50.0a2 (2016-08-24), Firefox 49 beta 6 (20160822111414) and Firefox 48.0.1 (20160817112116) under Ubuntu 14.04 32-bit. The unsigned add-ons/webextensions installed via /usr/lib/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/<extension id>.xpi are successfully enabled in Addons Manager.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.