Ticking "Launch Firefox now" in the installer when installing from a limited user account shouldn't launch Firefox using admin privileges

RESOLVED FIXED

Status

()

Toolkit
NSIS Installer
RESOLVED FIXED
11 months ago
11 months ago

People

(Reporter: mydeardiary, Unassigned)

Tracking

52 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

11 months ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023

Steps to reproduce:

1. Set up a Windows PC or VM with at least one limited user account, with UAC enabled.
2. Log into Windows with the limited user account.
3. Install Firefox standalone from Firefox all download page on a limited user account.
4. Firefox installer will prompt for administrator user account credential. Fill the credential to allow the installer to continue.
5. Follow necessary steps until installer finish dialog appeared. Leave the checkbox for "Launch Firefox now" checked.
6. Notice that Firefox process will be launched with administrator privilege, inherited from administrator user account used during installation.

Please note that this problem also occurs on Thunderbird and SeaMonkey, since they use the same installer component.



Actual results:

Firefox will be launched with administrator user account, which has very high privilege inherited from administrator privilege during installation process.


Expected results:

Firefox doesn't have "Launch Firefox now" checkbox, so that users can safely launch Firefox after installation without Administrator privilege.

Comment 1

11 months ago
I would have sworn this was on file already but I can't find the duplicate. Robert?
Component: Untriaged → Application Update
Flags: needinfo?(robert.strong.bugs)
Product: Firefox → Toolkit
Summary: Remove "Launch Firefox now" checkbox on installer finish dialog → Ticking "Launch Firefox now" in the installer when installing from a limited user account shouldn't launch Firefox using admin privileges

Comment 2

11 months ago
Thanks for the report. Could you please try this with a nightly build [https://www.mozilla.org/en-US/firefox/channel/desktop/#nightly] and let us know if you can reproduce it then; I don't seem to be able to, possibly thanks to fixing bug 1350974.
Component: Application Update → NSIS Installer
Flags: needinfo?(robert.strong.bugs) → needinfo?(mydeardiary)
(Reporter)

Comment 3

11 months ago
The problem doesn't occur on developer edition (54.0a2 20170412004024). Good job.
Flags: needinfo?(mydeardiary)

Comment 4

11 months ago
Great, thanks for checking.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → FIXED

Comment 5

11 months ago
Does this need to stay hidden? (I don't think so, but...)
Flags: needinfo?(mhowell)

Comment 6

11 months ago
I don't think so either; don't have the permissions to unhide things myself though.
Flags: needinfo?(mhowell)

Updated

11 months ago
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.