Closed Bug 229621 Opened 22 years ago Closed 22 years ago

Mozilla is able to overwrite bookmarks.html / prefs.js / etc. of different owner

Categories

(Core :: Security, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED INVALID

People

(Reporter: relf, Assigned: security-bugs)

Details

(Keywords: dataloss)

Linux build 2003122707

To reproduce:
1. Change permissions of bookmarks.html in user's profile directory to -rw------- 1 root root
2. Run Mozilla with normal user permissions
3. Exit Mozilla
4. Observe that Mozilla has overwritten bookmarks.html with the default one, disregarding file permissions.

This bug seems quite artificial but potentially may lead to some malicious Mozilla use, e.g. for removing some other user's bookmarks.html etc. Mozilla definitely must obey file permissions!
Moz is not disregarding file perms (in fact, there is no way to bypass file system perms.) The filesystem allows you to delete the file, since the directory is still owned by the original user (you can't read it, however.) You can do this on the command line also. The user's profile directory stuff is meant to be overwritten, so this is working as designed. This bug should be closed, unless the OR wants to change this to an enhancement request to not remove bookmarks that are owned by other users...
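The filesystem behaviour described in the comment above, as an added example that is not part of the original bug report and is not Mozilla code. The function names, the throwaway directory and the temp-file-plus-rename replacement are assumptions; the page does not say how Mozilla rewrites the file.

```shell
#!/bin/sh
# Added example; paths are constructed, nothing here is Mozilla code.
# POSIX rule: unlink()/rename() need write+search permission on the
# containing DIRECTORY; the mode and owner of the file itself are not
# checked (except in sticky directories, handled below).

# replace_readonly DIR
# Create DIR/bookmarks.html with mode 0400, then replace it by writing a
# temp file and renaming it over the target (assumed save strategy).
# Prints the resulting content.
replace_readonly() {
    dir=$1
    printf 'original\n' > "$dir/bookmarks.html"
    chmod 0400 "$dir/bookmarks.html"
    printf 'default\n' > "$dir/bookmarks.tmp"
    mv -f "$dir/bookmarks.tmp" "$dir/bookmarks.html" || return 1
    cat "$dir/bookmarks.html"
}

# can_replace FILE
# Exit 0 if the current (unprivileged) user can unlink or rename over FILE.
can_replace() {
    file=$1
    dir=$(dirname -- "$file")
    [ -w "$dir" ] && [ -x "$dir" ] || return 1
    # Sticky bit (as on /tmp): only the file's or directory's owner may do it.
    if [ -k "$dir" ]; then
        [ -O "$file" ] || [ -O "$dir" ] || return 1
    fi
    return 0
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
replace_readonly "$demo_dir"
can_replace "$demo_dir/bookmarks.html" && echo "replaceable via directory"
rm -rf "$demo_dir"
```

To keep a file in a directory from being replaced, the directory's own permissions have to deny write access; tightening the file's mode or owner alone does not.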
Oh, you're right. Marking as INVALID. Request to not remove bookmarks that are owned by other users looks quite artificial. I mostly care about bug 229619 that causes change of bookmarks.html owner.
No longer blocks: 229619
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID