Closed Bug 1514451 Opened 5 years ago Closed 4 years ago

Re-remove prefs for sandbox AutoConfig from release builds

Categories

(Core :: AutoConfig (Mission Control Desktop), enhancement)

Product:
Core
Component:
AutoConfig (Mission Control Desktop)
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: emk, Assigned: mkaply)

References

Details

Attachments

(1 obsolete file) 

Since Talos dropped dependency on AutoConfig, we can now force sandboxing in release.
This won't be done until Firefox 68.

Forcing the AutoConfig sandbox on release builds prevents us from disabling extension signing on our own devices, and forces us to abandon the release version of Firefox, when the installation of private extensions is needed.

If I understand well, AutoConfig is used by editing files in the Firefox installation folder, and that effectively requires root access on the device.

It would be extremely important to allow us to continue customizing Firefox this way, as it does not present a security issue if the creation of config files is guarded by administrative access rights.

https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig

We allow the installation of unsigned extensions in the ESR, nightly and dev edition, so those are the places to use private extensions.

The fact that you can disable signing in a release version of Firefox using autoconfig is one of the primary reasons we are forcing autoconfig to be sandboxed.

And it is a security issue. Users grant administrative rights all the time to adware/malware which does this. Requiring admin access to change files is not enough protection.

The threat model behind this decision is not clear. Can't malware just replace the Firefox executable? What is the security benefit of disallowing unsigned extensions without offering an option to disable it as an admin user?

We are too using Firefox and require unsandboxed AutoConfig. Our machines are running Fedora, who do not package ESR. (meaning, moving to ESR would require us to package Firefox ourselves or stop using the package manager -- both aren't feasable for us)

Since the threat model appears to be adware/malware: can this change please be limited to Windows only (or put another way: exclude Linux from this change)? MSWin is the main (if not only OS) that seems to have these problems.

Thanks!

(In reply to Mike Kaply [:mkaply] from comment #5)

And it is a security issue. Users grant administrative rights all the time to adware/malware which does this. Requiring admin access to change files is not enough protection.

You know, malware with administrative rights can just replace Firefox binary with your "protections" disabled.

Just noticed that I forgot to mention our use case: Fixing CSP-merging using this autoconfig script. See also Bug 1421725 and Bug 1267027.

Thunderbird will need this as well so LDAP works.

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:mkaply, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mozilla)

dessant: what platform are you on?

We do not want to make it easy for people to disable signing. I understand you have this requirement. We have provided two ways to officially disable signing - use the ESR or use unbranded builds (https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded_Builds)

The fact that you can disable signing via autoconfig is one of the primary reasons we are doing this.

tobias: this won't apply for most Linux distros since they use a release channel of default.

Flags: needinfo?(mozilla)

I'm on Linux. It seems that leaving this possibility for customization open on Linux would have minimal risk, because the kind of adware this targets hasn't really been an issue on this platform. At the same time businesses that rely on patching Firefox would be able to continue using the release version of Firefox for testing on their servers.

(In reply to Mike Kaply [:mkaply] from comment #12)

most Linux distros since they use a release channel of default.

I'm not sure if that's true (please correct me if I'm wrong):

  • Fedora's mozconfig specifies --enable-release and --update-channel=release
  • Ubuntu uses the release channel too, here.
  • Arch Linux' Pkgbuild specifies --enable-release and --enable-update-channel=release

Interesting. Historically we've seen most Linux distros using "default" as their channel which has caused us problems in the past.

Status: NEW → ASSIGNED
Attachment #9103386 - Attachment is obsolete: true

WONTFIXing for now until we have more evidence this is an issue.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: