Last Comment Bug 318855 - App update should provide method to update when the user doesn't have privileges
: App update should provide method to update when the user doesn't have privileges
Status: RESOLVED WORKSFORME
[sg:want P2][parity-opera][parity-saf...
: sec-want
Product: Toolkit
Classification: Components
Component: Application Update (show other bugs)
: unspecified
: All All
: P3 major with 81 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
: Robert Strong [:rstrong] (use needinfo to contact me)
Mentors:
: 325646 332161 335541 336494 342500 343329 384619 405003 416644 445360 453188 479741 496728 558727 573495 575085 784502 (view as bug list)
Depends on: 394984 407875 437349
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-02 17:57 PST by crawdad
Modified: 2016-05-26 13:04 PDT (History)
107 users (show)
mbeltzner: blocking1.9.2-
mconnor: blocking1.9.1-
mconnor: blocking1.9-
mconnor: wanted1.9+
mconnor: blocking‑firefox2-
dveditz: wanted1.8.1.x+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-
wanted


Attachments
screenshot (40.38 KB, image/png)
2008-12-31 12:57 PST, Robert Strong [:rstrong] (use needinfo to contact me)
mbeltzner: ui‑review-
Details
Updated screenshot to comments (24.69 KB, image/png)
2008-12-31 14:11 PST, Robert Strong [:rstrong] (use needinfo to contact me)
mbeltzner: ui‑review+
Details
Updated screenshot to comments (30.28 KB, image/png)
2008-12-31 14:14 PST, Robert Strong [:rstrong] (use needinfo to contact me)
no flags Details
strings (1.81 KB, patch)
2008-12-31 14:48 PST, Robert Strong [:rstrong] (use needinfo to contact me)
no flags Details | Diff | Splinter Review
strings rev2 (checked in) (1.82 KB, patch)
2008-12-31 15:21 PST, Robert Strong [:rstrong] (use needinfo to contact me)
mbeltzner: review+
mbeltzner: approval1.9.1+
dveditz: approval1.9.0.9-
Details | Diff | Splinter Review
its good (789 bytes, text/plain)
2011-08-19 21:33 PDT, nanoamirarsalan
no flags Details

Description crawdad 2005-12-02 17:57:09 PST
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Menu item "Help/Check for Updates" is greyed out, not clickable.


Reproducible: Always

Steps to Reproduce:
1.Click Tools
2.Note that "Check for Updates" is greyed out.


Actual Results:  
Unable to check for updates.

Expected Results:  
Able to check for updates.
Comment 1 Frederic Bezies 2005-12-02 23:12:09 PST
Are you using any 3rd party theme ?
Comment 2 crawdad 2005-12-03 00:35:05 PST
No 3rd-party themes installed.
Only 3rd-party stuff are a few extensions.
Extension list reads: Talkback, DOM inspector, Tidy HTML Validator, Adblock, BugMeNot, and WebDeveloper.
Comment 3 Nick Thomas [:nthomas] 2005-12-03 02:28:16 PST
Do you have write access to the Firefox install directory ? Software Update is disabled if that is not true.
Comment 4 crawdad 2005-12-03 04:37:17 PST
No, I don't. And - doesn't that seem a dangerous requirement?
I would strongly recommend that:
1 - the check be performed, then 
2 - prompt for the root passwd and use su / sudo to perform the actual update itself.
Comment 5 Nick Thomas [:nthomas] 2005-12-06 07:25:15 PST
Still performing the check could be a good idea, but only in limited cases. 

For Linux, Software Update (SU) is only appropriate for Firefox (or Thunderbird) downloaded from mozilla.com and installed manually by the user. Any distribution compiled version won't work with mozilla.com's binary/incremental patches, and will fall back to the full update. The file locations may differ so that the full update may also fail. I suspect most distro's would prefer to disable the update check and keep updates in-house by providing their own patches or packages. 

Similarly for corporate situations on Windows, the System Admins probably don't want the users being nagged about updates. 

In both cases, SU is currently disabled for a user without write access to the Firefox install dir. The preference app.update.enabled can be set to false to disable SU, but that requires an active change by anyone in those situations now that 1.5 has been released.

The only case I can think of where you'd want to prompt for a password, is where a mozilla.com binary has been installed systemwide, and the user has root/Administrator access but usually runs with limited rights. The former is going to be uncommon on Linux, and the latter is (sadly) uncommon on Windows.

Where abouts do you fit into this scheme ? Comments ?
Comment 6 crawdad 2005-12-06 17:07:49 PST
>The only case I can think of where you'd want to prompt for a 
>password, is where a mozilla.com binary has been installed systemwide, 
>and the user has root/Administrator access but usually runs with 
>limited rights. The former is going to be uncommon on Linux, 
>and the latter is (sadly) uncommon on Windows.

>Where abouts do you fit into this scheme ? Comments ?

You have described my situation exactly!
I run Suse Linux.
I have a single install of a mozilla.com binary to serve my various accounts and multiple users.
I do NOT RUN AS ROOT!! but when prompted for the root PW by Moz updater, would be able to supply it.
I think that this is NOT an uncommon situation among Linux users.

Practically speaking, if using "su" or "sudo" is awkward, simply checking for the update would let me know that I should log into the root account long enough to perform the update...
Comment 7 Daniel Dorau 2006-01-06 03:12:26 PST
Yes, please allow checking for updates at least.
It is not necessary to do the actual install, as the required action may be dependant on whether the FF package was installed from mozilla.com or delivered by the Linux distribution.
But please allow for activating the check for a new version so that one at least know that there may be a critical update and that one has to take some action, whatever this may be.
Comment 8 Nick Thomas [:nthomas] 2006-02-03 02:03:56 PST
*** Bug 325646 has been marked as a duplicate of this bug. ***
Comment 9 Darin Fisher 2006-02-03 07:37:10 PST
You guys might find this document helpful for administrating Linux systems with shared copies of FF:

http://wiki.mozilla.org/Software_Update:Manually_Installing_a_MAR_file

I agree that it would be nice to still provide a means for users to check for available updates.  That could probably be written as an extension to FF 1.5 fairly easily FWIW.
Comment 10 Mike Beltzner [:beltzner, not reading bugmail] 2006-03-09 16:15:41 PST
Two notes:

1. We should also prompt for root on OSX
2. We should show users on w32 a dialog that says

   "An update for Firefox is available. Please contact your system administrator
   to have this update installed."

(I seem to recall that there already was a bug for 2? am I misremembering? nominating this one for blocking just in case, as I don't want to lose track of it)
Comment 11 Mike Connor [:mconnor] 2006-03-13 08:50:04 PST
This is really more of a nice-to-have than a blocker.
Comment 12 Jesse Ruderman 2006-03-16 01:06:59 PST
I'm marking this bug as [sg:want P2] because

* on many multi-user systems, and on some single-user systems where the user has chosen not to use a root account, this often means Firefox just won't get updated.

* making users choose between two security measures (automatic browser updates and using a non-root account) isn't too hot.
Comment 13 Darin Fisher 2006-03-16 07:04:48 PST
The big challenge in trying to enable "update via root" is figuring out how to fail gracefully when FF is being used by another user.
Comment 14 Daniel Dorau 2006-03-16 09:29:31 PST
(In reply to comment #11)
> This is really more of a nice-to-have than a blocker.
> 

For me, the "and, on Linux, prompt for root password" part would not be a blocker as well. I'm not sure if I would even ask for that. 

But the ""Help/Check for Updates" should not be disabled, but should perform check anyway" part is far more than just a nice-to-have thing.

I'm running FF as normal user, and by that don't even get notified of any updates!

I would very much apreciate if at least that notifying part for non-root users would be a blocker for 2.0.
In my eyes it would be ridiculous if FF 2.0 still would not be able to at least _notify_ non-root users of (critical) updates but ask them to follow the press to get aware of new FF versions.

Once I know of a new update it would be ok for me to change to root user for the upgrade itself.
Comment 15 Darin Fisher 2006-03-16 10:08:13 PST
Yes, that sounds like a good first step to me as well.  As for Mac OSX, I doubt many users run a readonly copy of FF.  Of course, I'm just guessing there.
Comment 16 Jesse Ruderman 2006-04-01 01:45:42 PST
*** Bug 332161 has been marked as a duplicate of this bug. ***
Comment 17 Jesse Ruderman 2006-04-26 13:38:38 PDT
*** Bug 335541 has been marked as a duplicate of this bug. ***
Comment 18 Sebastian Lisken 2006-04-26 13:59:16 PDT
Just an addition from my bug 335541, which was rightly marked as a duplicate:

I confirm that Help > Check for Updates is disabled, and it should be noted that paradoxically, Tools > Options > Advanced > Update > "Automatically check for updates to" > Firefox is disabled but checked. Unchecked would be closer to the actual behaviour.

In bug 317703 there are comments saying that guest users should not be bothered
with anything even remotely connected to administration. While I want to stay
out of the argument whether update management should be a system-wide setting
rather than account-wide or even profile-wide, I think that a dialog with just a
confirmation button and a suggestion to let an administrator run Firefox should
be OK. And users should be able to use Help > Check for updates if they want to.
Comment 19 Jesse Ruderman 2006-05-03 13:38:44 PDT
*** Bug 336494 has been marked as a duplicate of this bug. ***
Comment 20 Doug L 2006-05-14 14:59:11 PDT
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.3)
Gecko/20060426 Firefox/1.5.0.3

I would argue that the severity of this bug should be elivated back to normal.
Security minded users do run in non-admin accounts for their normal daily and
web surfing activity.  If you follow the approach other OSX applications
employ, then the user would be prompted for the administrator UID/PW when
installation is required.  Users should be able to control this by their
preferences.

A related symptom, if a non-admin user unchecks check for updates for "Firefox"
the check box becomes grayed out and cannot be rechecked.  This inconsistent
behavior leads to confusion for the user.
Comment 21 Philip Withnall (unavailable) 2006-06-23 09:32:26 PDT
*** Bug 342500 has been marked as a duplicate of this bug. ***
Comment 22 Daniel Veditz [:dveditz] 2006-09-15 11:23:40 PDT
There really is no reason to prevent people from checking for updates, even if we can't do the install. If they want to click that menu item then they are in effect asking "Am I Safe?" -- we owe them a yes or no answer to the best of our knowledge, even if we can't offer to do the install.

Some users might even interpret the disabled item as meaning they are fully up to date and assume themselves into a dangerously vulnerable state.

(I also think we should continue to do the auto-update check and actively inform people they need an update, but I guess that's a different bug)
Comment 23 Tracy Walker [:tracy] 2006-09-19 05:52:15 PDT
*** Bug 343329 has been marked as a duplicate of this bug. ***
Comment 24 Ian Macfarlane 2006-12-15 02:02:14 PST
I think you'll be able to prompt for a more privileged account on Windows Vista, where UAC will be the default.
Comment 25 Chris Ruvolo 2006-12-30 09:35:57 PST
Is there a way to force an unattended update (and then exit) from the command line?  Ideally a scheduled task (cron, etc.) could be run with Admin/root privs that runs "firefox -update" or something.  This would allow admins to schedule updates as needed without having the unpriviledged users be attentive to it.
Comment 26 comperr 2007-01-15 09:06:24 PST
(In reply to comment #24)
> I think you'll be able to prompt for a more privileged account on Windows
> Vista, where UAC will be the default.
> 

You can do this in winXP as well.
I just say....let them do the check - but not the update (maybe the "update" button can be grayed)
Comment 27 Tomer Cohen :tomer 2007-01-15 12:04:02 PST
If Firefox will get that feature, it would be able to trigger "runas /user:administrator "firefox.exe --installupdates". I guess there is better way by using Windows API rather than runas.exe which will be able to prompt to administrative local user or domain administrative user, but runas.exe is a good start.

As for Linux, I would like that the update will trigger "sudo firefox --installupdates". 
Comment 28 Bob Vickers 2007-03-26 03:10:04 PDT
As I see it there are 4 different cases to consider when you run Firefox:
(1) You are the administrator and you are running with administrative privilege
(2) You are the administrator but you are running under an unprivileged account
(3) You are using a distro version of Firefox, so Redhat or SuSE or
someone is responsible for providing updates
(4) You are an unprivileged user, do not know the root password and
rely on someone else to install updates (perhaps someone you know or
perhaps someone in a far-off computer department).

Case 1 ought to be rare, but sadly is very common. The current
auto-update scheme works fine for it. 

In case 3 you probably don't want any messages, so you want the distributor to
be able to disable the auto-update scheme. 

Prompting for the root password would be a reasonable option for case
2, but would be a bad idea for case 4. We should focus on case 4,
because these guys are exactly the people we don't want to confuse
with unhelpful messages. 

The simplest solution would be to generate a message saying something
like "A newer version of Firefox is available but you do not have
write access to the installation directory. Contact your system
administrator." 

A more sophisticated solution could include a button marked "I am the
system administrator".

The current situation is definitely bad because it allows critical
security updates to pass unnoticed.
Comment 29 Richard Trout 2007-04-26 17:12:12 PDT
The change to checking for updates, even if the user does not have administrative privileges, is a BACKWARDS STEP FOR WINDOWS USERS IN AN ENTERPRISE ENVIRONMENT.

Please either return this to previous (no notification, users can't check for updates), or make the dialog that the check returns aware that it can't perform an update (and that download and update is not the prompted option as it is currently) and provides information like in comment #10. Perhaps the prefs UI needs to include an option to 'notify only' in addition to ask and download+update.

I recognise that Linux/MacOSX/Vista may all have the ability to sudo/UAC for privileges, but this is unlikely in an Enterprise Windows environment - maybe there could be a pref app.update.escalatePrivileges to be true to allow a sudo-type option.

Note: this applies to Thunderbird 2 as well.
Comment 30 Neil Harris 2007-04-27 02:16:42 PDT
Perhaps the pref should have three settings:

* notify, and prompt the user to escalate their privileges
* notify, and prompt the user to contact their sysadmin
* do nothing

The first should be the default for users who control their own systems (which is presumably most individual Firefox users), and enterprise users, who will probably want one of the two other options, depending on their level of in-house control-freakery.

Perhaps a compromise option might be to allow a fourth option:

* notify, and prompt the user to contact their sysadmin, but don't do this until X days have elapsed after the initial warning

to allow company IT departments a grace period for testing, while still providing end-users a safety net if their IT department drops the ball.

Comment 31 Meik Kuhlmann 2007-07-21 04:32:14 PDT
I think there is a major annoyance connected with this bug. I was able to observe this behavior in Windows (XP Pro SP2).

Scenario:
You are logged in as a normal user with restricted rights and Firefox detects an update and downloads it. The user clicks on install but the installation fails because of missing rights. The user calls for the admin or logs in as admin (if he has the rights). The admin installs the updates successfully. The user logs in again, starts Firefox but Firefox does not recognize that updates have been installed already and tries to download / install again. Error dialogbox appears (some files could not be updated because of missing rights ...) every time the user starts Firefox. Only option in the menu is to install the updates (previous versions still also offered check for updates and this solved the problem, but this option is no more available). This is the point where the users become annoyed and change their browser to something else ...

I think the problem is, that the update mechanism is profile dependent but the installation is system wide. Probably Firefox should check the installed version before it tries to update anything.
Comment 32 Christian Hernmarck 2007-07-21 04:57:10 PDT
I can confim this behaviour (#31). 
But if firefox first checks if the rights are sufficient to make an update and otherwise only shows an information about an available update - then this problem should be solved too.
Comment 33 benc 2007-07-31 22:19:22 PDT
Before this goes too long, it sounds like there should several breakout bugs.

The menu disabled issue is completely different than the prompt for password discussion. 

My concern about the greyed menu item is that it doesn't telll you why it is greyed. I assumed i had some kind of connectivity failure, because the disabled action was checking for updates.

On a related note, if an when this bug is broken up, I suggest that you the login-for-upgrade bugs per-platform. Mac OS X is similar to Linux, but the rules for application permissions are different. 
Comment 34 Bob Vickers 2007-08-01 02:41:11 PDT
I agree. But even the menu disabled issue is missing the fundamental point which is that users are not informed when updates are available...a user should not be expected to check for updates nor subscribe to Bugtraq, they should be *told* that updates are available. This is a security bug and should be regarded as serious. 

Fortunately it should be much easier to fix than making the update mechanism easier for them. Probably the hardest thing is drafting the help text to cater for the various situations without alarming unsophisticated users.

Comment 35 Stephen Lee 2007-08-01 09:49:20 PDT
Switched first 2 clauses of Summary so that the thing people are likely to search for is in the first 64 characters - after much searching I only found this bug to explain why the "check for updates" option was disabled via its duplicate.

Now I just need to figure out exactly which part of my installation is no longer writeable and why, as all previous updates worked just fine...

To add to the debate, I would agree that ordinary users need to be informed that an update is available, even if they are incapable of installing it themselves. The alert could possibly include a "Don't tell me again for this version" option or similar, and users that REALLY don't want to know about new versions could turn the option to check for them off.

I'm also a little confused, as this "feature" should have prevented a problem I saw on another machine... but that's a different bug - I'll see if I can find that already now!
Comment 36 John Comeau 2007-08-02 08:04:21 PDT
(In reply to comment #31)
> I think there is a major annoyance connected with this bug. I was able to
> observe this behavior in Windows (XP Pro SP2).
> 
> Scenario:
> You are logged in as a normal user with restricted rights and Firefox detects
> an update and downloads it. The user clicks on install but the installation
> fails because of missing rights. The user calls for the admin or logs in as
> admin (if he has the rights). The admin installs the updates successfully. The
> user logs in again, starts Firefox but Firefox does not recognize that updates
> have been installed already and tries to download / install again. Error
> dialogbox appears (some files could not be updated because of missing rights
> ...) every time the user starts Firefox. Only option in the menu is to install
> the updates (previous versions still also offered check for updates and this
> solved the problem, but this option is no more available). This is the point
> where the users become annoyed and change their browser to something else ...
> 
> I think the problem is, that the update mechanism is profile dependent but the
> installation is system wide. Probably Firefox should check the installed
> version before it tries to update anything.
> 

This is precisely the problem which I just logged in to report. This isn't a bug, just an "annoyance"? I don't have write access to "\Program Files\Mozilla Firefox", so why does it download and attempt to install updates, by default? This is the first time that installing the updates as Administrator didn't solve the problem for me though.

I don't mind an alertbox or something letting me know an update is available, but it shouldn't be downloading it, let alone attempting to install, without first checking if I have write access.

I guess this isn't the correct venue to ask for a workaround, but if someone wants to save me the effort of searching by posting one here, it would be much appreciated.

I know I could just use cacls to give myself write access, but every time I do something like that I'm defeating the purpose of running as a limited user.
Comment 37 Meik Kuhlmann 2007-08-02 10:25:55 PDT
(In reply to comment #36)
> (In reply to comment #31)
> > I think there is a major annoyance connected with this bug. I was able to
> > observe this behavior in Windows (XP Pro SP2).
> > 
> > Scenario:

[...]

> This is precisely the problem which I just logged in to report. This isn't a
> bug, just an "annoyance"? I don't have write access to "\Program Files\Mozilla
> Firefox", so why does it download and attempt to install updates, by default?
> This is the first time that installing the updates as Administrator didn't
> solve the problem for me though.

[...]

Probably I was not precise enough. I meant this is a bug which implies a major annoyance. The update was installed successfully by admin. Now there is only this nasty box which needs to be clicked away always.

With previous versions, I was able to select check for update. This check corrected the problem -> Update installed, nasty box away. Now this check option is no more available and firefox does not recognize, that the new version is installed already.
Comment 38 Erik Remmelzwaal 2007-08-09 04:29:26 PDT
This is not only true for Firefox, but also for Thunderbird (maybe the hole mozilla suite).

One way to solve this on Windows XP for normal users is to empty the directory:
%HOMEPATH%\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox or the counter part for Thunderbird and than disable the check for updates.
Comment 39 Sylvain Pasche 2007-11-23 13:15:58 PST
*** Bug 405003 has been marked as a duplicate of this bug. ***
Comment 40 Joachim Kluge 2007-12-10 03:50:20 PST
Please make it happen that a non privilidged user gets notifications. Otherwise there will be very old Firefox installations which can be exploited. This won't lead to bug #1 fixed (ok Firefox is not Ubuntu: Bug #1 does not exist.)
Comment 41 Lynn Deman 2007-12-10 04:35:15 PST
I was originally watching this bug as I had FF installed on my OSX systems in a shared applications folder and only the administrator who installed was able to check or get update notifications.

Even other admins on the same computer could not check for updates or receive update notifications.

WORK-AROUND:  My work around for this problem was to uninstall FF from the shared application folder.....and install it in EACH users own home folder....yes this means duplicate files/applications...but at least EACH ADMIN gets update notifications and can update FF...:)

Comment 42 Daniel Dorau 2007-12-10 10:19:48 PST
(In reply to comment #40)
> Please make it happen that a non privilidged user gets notifications. Otherwise
> there will be very old Firefox installations which can be exploited. This won't
> lead to bug #1 fixed (ok Firefox is not Ubuntu: Bug #1 does not exist.)

Yes, _please_.
I'm using it on a single user Linux box and find it _very_ annoying that I cannot configure FF to notify me of updates - and honestly I do not understand the reasoning here, if any.
I have no problems to login as root to do the actual update, but please allow me to get those bloody notifications.

Thanks


Comment 43 Kevin Brosnan 2007-12-11 02:29:06 PST
*** Bug 407875 has been marked as a duplicate of this bug. ***
Comment 44 Bob Vickers 2007-12-11 04:20:04 PST
I disagree about bug 407875 being a duplicate. This bug is an enhancement request, whereas bug 407875 is a major security bug.

Anyway I don't want to get into an argument, I just thought submitting the new bug might help solve the problem.  
Comment 45 Thomas L Jones 2007-12-22 11:21:43 PST
(In reply to comment #25)
> Is there a way to force an unattended update (and then exit) from the command
> line?  Ideally a scheduled task (cron, etc.) could be run with Admin/root privs
> that runs "firefox -update" or something.  This would allow admins to schedule
> updates as needed without having the unpriviledged users be attentive to it.
> 

No, I do not think that this is a good idea. Just ALERT the unprivileged user. Then there will be two cases:
Case I is when the unprivileged user is allowed to turn on the Administrator privilege (in Windows XP), and I include myself. I can then install the update in the usual way.
Case II occurs in certain enterprise installations (and others). For security reasons, the ordinary user is not allowed to turn on the Administrator privilege. It is then appropriate to alert the user and say, "A new version of Firefox is available and needs to be installed by an administrator." and repeat this every two or three days. What is the alternative? Keeping the update SECRET?

And no, the new version cannot be installed in Windows XP with the Administrator privilege turned off. (The terminology is different in Linux.)

Thomas L. Jones, PhD, Computer Science
DrJones at alum dot MIT dot edu

Comment 46 cwsulliv 2007-12-23 16:16:25 PST
> Case II occurs in certain enterprise installations (and others). For security
> reasons, the ordinary user is not allowed to turn on the Administrator
> privilege. It is then appropriate to alert the user and say, "A new version of
> Firefox is available and needs to be installed by an administrator." and repeat
> this every two or three days. What is the alternative? Keeping the update
> SECRET?

Administrators at a large organization would probably not appreciate receiving tens or hundreds of support tickets requesting the Firefox update, within only a few minutes of the time they themselves are alerted to the update.

Comment 47 Daniel Veditz [:dveditz] 2007-12-24 11:00:32 PST
If that's a problem they can get roughly a week's notice by watching the mozilla.announce.prerelease newsgroup or signing up for release-candidate updates.
Comment 48 cwsulliv 2007-12-24 13:41:05 PST
(In reply to comment #47)
> If that's a problem they can get roughly a week's notice by watching the
> mozilla.announce.prerelease newsgroup or signing up for release-candidate
> updates.

Do you then sit there 24/7 around the projected release date watching for the actual release, or do you risk globally installing a release-candidate which may in fact require revision prior to release due to last minute bugs or security issues which come to light?

A solution I think would be satisfactory is for there to be two configuration options.  The first, if enabled, would in effect indicate "Although running as an ordinary user I am able to gain administrator privileges".  Then only users with this option set (or users actually running with administrator privileges) have the update notice automatically displayed.  The second option would come into play only if the first option were not enabled.  It would either disable (gray out) the "Check for updates" menu item, or enable it and provide a message like "An update is available which your administrator will install shortly".

The individual who administers his/her own workstation would set the first option.  The administrator of a small number of workstations could disable the first and enable the second option.  The administrators of a large number of workstations would probably choose to disable both options.

Comment 49 Thomas L Jones 2007-12-27 05:12:55 PST
Much of the problem is due to defective default settings. If a Firefox user wants to click Help > Check for updates, that is a good starting point. If the organization's policy is that prudent users [1] are not to check for updates, let the IT department handle it. Circulate a memo. Criticize users who violate the policy. The IT department will install the updates when it gets time. Here is the BAD idea: Electronically block the process of checking for updates by prudent users, perhaps by graying out the relevant check boxes.

[1] The phrase "prudent users" is here defined as users who run with limited privileges for day-to-day surfing.

Tom Jones
Comment 50 Thomas L Jones 2007-12-27 15:06:02 PST
There is a workaround, although it is a clunky one. The users should get into the habit of launching the following hyperlink:

http://www.mozilla.com/en-US/ (for English-speaking residents of the U.S.)

The hyperlink may be launched with the aid of a bookmark.

This will display the latest version of Firefox. As of today, December 27, 2007, it is version 2.0.0.11 

Thomas Jones
Comment 51 cwsulliv 2007-12-27 17:58:08 PST
(In reply to comment #49)
> Much of the problem is due to defective default settings. If a Firefox user
> wants to click Help > Check for updates, that is a good starting point. If the
> organization's policy is that prudent users [1] are not to check for updates,
> let the IT department handle it. Circulate a memo. Criticize users who violate
> the policy. The IT department will install the updates when it gets time. Here
> is the BAD idea: Electronically block the process of checking for updates by
> prudent users, perhaps by graying out the relevant check boxes.
> 
> [1] The phrase "prudent users" is here defined as users who run with limited
> privileges for day-to-day surfing.
> 
> Tom Jones
> 

I don't disagree with you.  However I suspect input from others who do disagree is what led to the grayed-out menu item in the first place, and that including   the grayed-out menu item as one option could persuade these others to not oppose the other options I suggested in Comment #48.
Comment 52 Thomas L Jones 2007-12-29 23:17:13 PST
(Bug number 318855)

I think we should focus on meeting the needs of users who usually run unprivileged for security reasons, but have access to privileges as needed to fetch Firefox updates, etc. Assume that these users do their own updates, as distinguished from installations where there is an IT department which makes the updates. Especially, it is important that these users be able to check for the appearance of updates.

The issues with 2.0.0.11 can be stated like this: The privilege switched-on vs. switched-off distinction is being used as a rough and ready way of predicting whether or not a user makes his or her own updates.

Also see replies number 48 and 51.

Tom Jones
 
Comment 53 Thomas L Jones 2007-12-30 00:00:11 PST
(In reply to comment #12)
> I'm marking this bug as [sg:want P2] because
> 
> * on many multi-user systems, and on some single-user systems where the user
> has chosen not to use a root account, this often means Firefox just won't get
> updated.
> 
> * making users choose between two security measures (automatic browser updates
> and using a non-root account) isn't too hot.
> 
Suppose a Windows user is running unprivileged for security reasons. Then automatic browser updates are not doable. Instead, what are doable are automatic alerts about the release of updates. Sometimes the better is the enemy of the good. However, you are of course right about not making users choose between two security measure.
Comment 54 Mike Connor [:mconnor] 2008-01-03 10:31:45 PST
Not going to block on this, but it is wanted.  We'll look at getting this early in the next release cycle.
Comment 55 Nick Thomas [:nthomas] 2008-02-10 03:49:01 PST
*** Bug 416644 has been marked as a duplicate of this bug. ***
Comment 56 Thomas L Jones 2008-02-10 16:38:36 PST
This highly damaging bug seems hardly worth commenting on. It was first reported more than two years ago (December 2, 2005). It is still considered an enhancement and is assigned to nobody. It has a simple fix, but the Firefox people aren't interested.

Tom
Thomas L. Jones, PhD, Computer Science
Comment 57 Thomas L Jones 2008-02-10 16:42:43 PST
This highly damaging bug seems hardly worth commenting on. It was first reported more than two years ago (December 2, 2005). It is still considered an enhancement and is assigned to nobody. It has a simple fix, but the Firefox people aren't interested.

Tom
Thomas L. Jones, PhD, Computer Science
Comment 58 Mike Connor [:mconnor] 2008-02-16 17:34:07 PST
And yet, you commented twice!

If you have a simple fix, feel free to attach a patch.  Otherwise you are just making stuff up.
Comment 59 Thomas L Jones 2008-02-16 21:53:07 PST
If you feel that this is not the proper venue for submitting this comment, please preface your remarks by describing what you feel is the proper venue. I am definitely not making stuff up. I have already submitted an English-language description of the fix. As far as creating a patch is concerned, it is unclear that I would have the necessary skills to do this. I might well need a collabarator. Anyway, I will meet you halfway.

To start the ball rolling, you spoke of a "patch." Question: Would this patch be coded in a computer language like C or C++? Question 2: Would I need to learn CVS? I did look at a writeup about creating a patch.

Thomas Jones
Comment 60 Thomas L Jones 2008-02-24 00:38:38 PST
(In reply to comment #31)
> You are logged in as a normal user with restricted rights and Firefox detects
> an update and downloads it. The user clicks on install but the installation
> fails because of missing rights.

From Tom Jones:

There is a defective default setting involved. Upon visiting the update page [1], one sees a radio button with two settings. (1) Ask me what to do; and (2) Automatically download and  install the program. (2) is the default setting. If the user is running in a LUA, it creates problems, since the user has not been given a chance to first switch to an administrative account.

Instead, "Ask me what to do" should be the default.
Comment 61 [:Cww] 2008-03-02 09:55:38 PST
(In reply to comment #59)> 
> To start the ball rolling, you spoke of a "patch." Question: Would this patch
> be coded in a computer language like C or C++? Question 2: Would I need to
> learn CVS? I did look at a writeup about creating a patch.
> 
> Thomas Jones
> 

Well I can at least answer these questions: 1) Yes. 2) Yes (but it's relatively easy compared to learning a "computer language").

Comment 62 Glen A. 2008-06-20 10:04:37 PDT
Suggested solution:

- Re-enable 'Check for Updates...' (see Bug 407875)

- Set 'When updates to Firefox are found' to 'Ask me what I want to do' by default (see Comment #60; separate bug should be opened)
  (There are other reasons why this default should change, but I won't go into that now.)

- Administrators of networks can disable automatic update checks to prevent large numbers of users emailing them about available updates.

- It should be possible distinguish between critical and non-critical updates, with preferences. By default, non-privileged users should only be notified of critical/security-related updates.

- If the user is able to write to the appropriate files in the install directory(s), the options in the notification window should be as follows:

[1] Download Update | [2] Download and Install Update | [3] Ignore this Update

1. User is prompted for download directory, defaults to somewhere under his/her profile directory. Should be one file, not multiple (for easy backup).

2. Same as [1], after which the file is executed, and setup occurs.

3. User is able to ignore certain updates, but ignoring critical updates is strongly discouraged.

- If the user is *unable* to write to the appropriate files in the install directory(s), the prompt should inform the user that in order to install the updates, he/she requires administrative privileges, and if the 'Download and Install Update' option is selected, he/she will be prompted for the appropriate credentials at the time of installation. The same three options will be available.

- Option 2 for unprivileged users could be handled with an OS-specific privilege elevation or user-switching mechanism (runas on XP, su/sudo on Linux, etc.)

- Some users (myself included), use software such as MakeMeAdmin or RunAsAdmin to temporarily elevate their privileges (i.e. they obtain administrative permissions temporarily and switching to an administrator account is unnecessary). In these cases, the option to download the update could be selected, and they could run the update file manually with these elevated privileges. Alternatively, the 'Download and Install Update' option could use similar techniques, and the update process could be automatic.

Thoughts?
Comment 63 James Nord 2008-07-06 09:09:52 PDT
The menu was not disabled in Vista x64 SP1 (32bit FF2) - hence this is a regression in FF3 over FF2 behaviour.

Prehaps there needs to be a serparate bug for the regression as the original bug is pre FF3 yet the check for updates was checking for updates in FF2 on vista in a non privelidged account.
Comment 64 Robert Strong [:rstrong] (use needinfo to contact me) 2008-07-06 16:44:14 PDT
James, if it wasn't disabled in FF2 then it should have been and that would be a different bug... this bug is not a regression as it was designed to behave this way.
Comment 65 Robert Strong [:rstrong] (use needinfo to contact me) 2008-07-15 12:00:33 PDT
*** Bug 445360 has been marked as a duplicate of this bug. ***
Comment 66 julien.t43+mozilla 2008-08-06 10:40:39 PDT
any advance for this ?

i have not read the whole thread but i have the same problem on macosx 10.5 with firefox 3 as non-admin user.
i don't have the option to check (not present in menu or preferences) and the automatic check never say anything to me, no message or something else.

i think at leas this point (not the elevation of privilege) is really important for anyone who cares about security ...

i agree with Glenn proposal.

thanks
Comment 67 comperr 2008-08-06 12:33:22 PDT
agreed with glen with one change:

perhaps it would be possible for an unprivileged user to download some kind of wrapper/alternate executable to their ~ directory which will be run instead.  That way the unprivileged user can work with an updated firefox even when the admins don't want to update.

<< 
this would also be very useful when the admins used to allow installation of programs but changed over to a lock-down system. 
Comment 68 Robert Strong [:rstrong] (use needinfo to contact me) 2008-08-24 14:01:20 PDT
For Windows this depends on bug 437349
Comment 69 Thomas L Jones 2008-12-17 12:42:03 PST
From Tom:

I don't pretend to know when Firefox has access to itself or the consequences of having such access or not having it. In my own computer, Help/Check for updates will work in my administrative account, but not in the hardened Limited User Account, which has the administrator privilege switched off for security reasons.

Here is what I would like to see done: If a new version of FF appears:

Case I: The user is running under an administrative account: The user would be alerted in the usual way.

Case IIa: The user is running under a Limited User Account. He or she would be alerted as usual.

Case IIb: This applies to a public library or an enterprise installation. The IT department would be able to broadcast a message inhibiting the alerts to the users. That way we would not have a zillion public library patrons complaining to the IT department.

Tom
Comment 70 Hemant Mohan 2008-12-18 03:03:39 PST
As a non-root Linux desktop user with a mozilla.com build for Firefox installed system wide,  it makes no sense for me to run Firefox as root simply to check if any updates are available.  Firefox should be able to atleast check and inform the user if any updates are available. 

Also it makes more sense to even download the update as a non-root user instead of accessing the internet with root privileges.

It makes more sense from security perspective too for Firefox to:
1) Let the non-root user check if any updates are available.
2) Prompt the non-root user if he/she wants to download the update.
3) If the non-root user confirms, download the update as non-root user.
4) Prompt for root password after the download is complete to install the update.
5) If the root password is correct, install the update as root user and then
   prompt to restart Firefox.
6) Restart Firefox as non-root user.

- Hemant
Comment 71 Hemant Mohan 2008-12-18 03:05:14 PST
As a non-root Linux desktop user with a mozilla.com build for Firefox installed system wide,  it makes no sense for me to run Firefox as root simply to check if any updates are available.  Firefox should be able to atleast check and inform the user if any updates are available. 

Also it makes more sense to even download the update as a non-root user instead of accessing the internet with root privileges.

It makes more sense from security perspective too for Firefox to:
1) Let the non-root user check if any updates are available.
2) Prompt the non-root user if he/she wants to download the update.
3) If the non-root user confirms, download the update as non-root user.
4) Prompt for root password after the download is complete to install the update.
5) If the root password is correct, install the update as root user and then
   prompt to restart Firefox.
6) Restart Firefox as non-root user.

- Hemant
Comment 72 Eddy Nigg (StartCom) 2008-12-18 04:21:07 PST
(In reply to comment #71)

Yes, this is the correct approach for Linux.
Comment 73 Tony Mechelynck [:tonymec] 2008-12-20 19:24:05 PST
In reply to comment #69, case IIb: I suppose "broadcast a message" should be "set a preference" (maybe a hidden one) at install time, to inhibit update-available messages to non-admins. Since new (library etc.) users can be signed in at any time, IIUC the non-Mozilla-default preference should be in some system-wise "default profile" or similar.
Comment 74 Tony Mechelynck [:tonymec] 2008-12-20 19:45:56 PST
On second thought, I guess the preference already exists: Don't auto-check for updates.

If a non-admin user checks manually for updates, he might even get a "true" answer, but of course, unless (on Linux or Vista?) he can escalate his preferences, he wouldn't be able to apply the upgrade.
Comment 75 Tony Mechelynck [:tonymec] 2008-12-20 19:46:54 PST
s/preferences/privileges/
Comment 76 Robert Strong [:rstrong] (use needinfo to contact me) 2008-12-31 12:57:42 PST
Created attachment 354978 [details]
screenshot

I almost forgot about the strings needed for this bug...
Comment 77 Mike Beltzner [:beltzner, not reading bugmail] 2008-12-31 13:51:07 PST
Comment on attachment 354978 [details]
screenshot

Since this dialog will be used for a variety of potential permissions problems, I think we need to go pretty general with the message. We also need to put the actual URL out there, as they're going to have to download and install it from another account. Finally, if this is something a user with a sysadmin sees, it needs to be easy enough for them to communicate the relevant information.

I think the following works - it does assume that if someone logs in using another account and runs Firefox, they will also be able to check for updates again and have the update try a second time - hopefully that's right.

title = Unable to Update

message = A recommended security and stability update is available, but you do not have the system permissions required to install it. Please contact your system administrator, or try again from an account that has permission to install software on this computer.

You can always get the latest version of Firefox at http://www.getfirefox.com
Comment 78 Robert Strong [:rstrong] (use needinfo to contact me) 2008-12-31 14:11:05 PST
Created attachment 354985 [details]
Updated screenshot to comments

It would be slightly simpler to do the following where http://www.getfirefox.com is on the next line... would you be ok with it?

You can always get the latest version of Firefox at:
http://www.getfirefox.com
Comment 79 Robert Strong [:rstrong] (use needinfo to contact me) 2008-12-31 14:14:16 PST
Created attachment 354986 [details]
Updated screenshot to comments 

This has the exact changes asked for... leaving both up for review in case the previous one is acceptable
Comment 80 Reed Loden [:reed] (use needinfo?) 2008-12-31 14:16:38 PST
Why are we using getfirefox.com in the product? We use http://www.mozilla.com/firefox/ everywhere else...
Comment 81 Robert Strong [:rstrong] (use needinfo to contact me) 2008-12-31 14:18:41 PST
Not in reference to comment #80 but I am planning on using a pref to store the url since it needs to be app specific.
Comment 82 Mike Beltzner [:beltzner, not reading bugmail] 2008-12-31 14:23:39 PST
(In reply to comment #80)
> Why are we using getfirefox.com in the product? We use
> http://www.mozilla.com/firefox/ everywhere else...

Because it's easier to remember, IMO, after logging out, logging in somewhere else, etc. Do you have a significant objection to using it?
Comment 83 Mike Beltzner [:beltzner, not reading bugmail] 2008-12-31 14:25:37 PST
Comment on attachment 354985 [details]
Updated screenshot to comments

it's fine on a separate line, yeah
Comment 84 Robert Strong [:rstrong] (use needinfo to contact me) 2008-12-31 14:48:24 PST
Created attachment 354989 [details] [diff] [review]
strings

Mike, can I get your approvals on the strings to land on 1.9.1? Thanks
Comment 85 Robert Strong [:rstrong] (use needinfo to contact me) 2008-12-31 15:21:30 PST
Created attachment 354990 [details] [diff] [review]
strings rev2 (checked in)

Forgot to switch out Firefox for &brandShortName;
Comment 86 Robert Strong [:rstrong] (use needinfo to contact me) 2008-12-31 15:37:03 PST
We'll use the app.update.url.manual pref (I'll change it when this is further along) since it is already used for manual updating when all else has failed.
Comment 87 Mike Beltzner [:beltzner, not reading bugmail] 2009-01-01 10:48:37 PST
Comment on attachment 354990 [details] [diff] [review]
strings rev2 (checked in)

r+a191=beltzner
Comment 88 Robert Strong [:rstrong] (use needinfo to contact me) 2009-01-01 14:31:59 PST
Comment on attachment 354990 [details] [diff] [review]
strings rev2 (checked in)

Strings pushed to mozilla-central
http://hg.mozilla.org/mozilla-central/rev/dce664edeace818dbf47c8a9b69a1fcd43217bc0

strings pushed to mozilla-1.9.1
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/10fbbb50ce31
Comment 89 Vlado Valastiak [:wladow] @ Mozilla.sk 2009-01-02 01:47:06 PST
(In reply to comment #88)
> (From update of attachment 354990 [details] [diff] [review])
> Strings pushed to mozilla-central
> http://hg.mozilla.org/mozilla-central/rev/dce664edeace818dbf47c8a9b69a1fcd43217bc0
...with 'Firefox' hardcoded
Comment 90 Robert Strong [:rstrong] (use needinfo to contact me) 2009-01-02 01:56:52 PST
(In reply to comment #89)
> (In reply to comment #88)
> > (From update of attachment 354990 [details] [diff] [review] [details])
> > Strings pushed to mozilla-central
> > http://hg.mozilla.org/mozilla-central/rev/dce664edeace818dbf47c8a9b69a1fcd43217bc0
> ...with 'Firefox' hardcoded
Thanks for catching my screwup on the mozilla-central patch / push. I pushed the fix to mozilla-central and if we want to change the name on mozilla-central I'll do so when I implement the rest to fix this bug.
Comment 91 Francesco Lodolo [:flod] (mostly out of office until Dec 19) 2009-01-17 03:40:42 PST
I still think that's a bad idea to change the content of a string without changing its name, even after really few hours: I translated this string in the lapse of time between the two commits, and I've caught this change by chance. 

BTW, I took a look at mxr.mozilla.org and it seems I'm the only one with this problem.
Comment 92 Robert Strong [:rstrong] (use needinfo to contact me) 2009-01-18 12:06:05 PST
I agree and it will change on trunk when the bug is fixed on trunk
Comment 93 Robert Strong [:rstrong] (use needinfo to contact me) 2009-03-16 16:02:56 PDT
*** Bug 479741 has been marked as a duplicate of this bug. ***
Comment 94 Mike Beltzner [:beltzner, not reading bugmail] 2009-03-19 07:44:45 PDT
Are the strings actually in and translated here? Are we actually going to get this for 1.9.1?
Comment 95 Dão Gottwald [:dao] 2009-03-19 07:53:20 PDT
(In reply to comment #94)
> Are the strings actually in and translated here?

Per comment 88, yes.

I guess this bug isn't late-l10n anymore after two months passed and beta 3 shipped.
Comment 96 timeless 2009-03-29 02:04:49 PDT
Comment on attachment 354990 [details] [diff] [review]
strings rev2 (checked in)

If we've gotten localizers to localize this for 1.9.1, then we should be able to pull that string along and push this (localized!) into 1.9.

I'm running:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.7) Gecko/2009021906 Firefox/3.0.7

And wasn't told about the update because of one these bugs, and I think this was among the bugs I'd have hit.
Comment 97 Axel Hecht [:Pike] 2009-03-29 03:56:09 PDT
We should have a much stronger argument chain than that to take an l10n change on 1.9.0.x. This does break langpack compat, at least, which the install.rdf's of that won't indicate.

On top of backporting strings just being a huge hassle.
Comment 98 Daniel Veditz [:dveditz] 2009-03-30 14:20:29 PDT
Comment on attachment 354990 [details] [diff] [review]
strings rev2 (checked in)

The 1.9.0 branch isn't going to take just a string change -- that's all the pain with none of the gain. If we get an actual _fix_ for the bug on the trunk _then_ we can evaluate whether it's appropriate or not, and at that time more of the strings will have been translated.
Comment 99 Randy Hall 2009-05-26 08:33:38 PDT
I run Firefox on Windows as an unprivileged user.  If I have Firefox configured
to automatically check for updates, it should check and offer to download the
update when one is available (even though it cannot be automatically applied).

I cannot even manually check for updates from the Help menu.

In the VERY least, the Help menu option should link to the web page
with the latest version so I don't have to go hunting for it myself.
Comment 100 Chris Rankin 2009-05-31 05:44:26 PDT
I would like to request this feature for the Windows build. Several months ago, I installed Firefox 3.0.1 onto a WinXP machine as "Administrator" so that all users could share the common installation. The users are all unprivileged, of course. However, I have recently checked this machine and found that it was *still* running Firefox 3.0.1 because no-one had known that Firefox needed updating!

It would have been a *big help* if Firefox had alerted one of the users that there was a newer version of Firefox available.
Comment 101 Robert Strong [:rstrong] (use needinfo to contact me) 2009-06-09 11:32:13 PDT
*** Bug 496728 has been marked as a duplicate of this bug. ***
Comment 102 Gert-Jan Vons 2009-06-11 05:05:42 PDT
I don't know what the exact status is of the proposed fix, but certainly hope this does not get postponed only for a translation issue since this really is a very annoying problem.
I don't mind running firefox or thunderbird as an admin in order to download/deploy an update.
However, being obliged to regularly run firefox/thunderbird as an admin only to check for updates is a major annoyance, and causes security-related problems as illustrated by comment #100 for example (I would expect this to have a higher priority than P3 because of that).
Comment 103 Henrik Skupin (:whimboo) 2009-06-22 04:17:32 PDT
*** Bug 453188 has been marked as a duplicate of this bug. ***
Comment 104 Roger Hågensen 2009-06-30 06:31:16 PDT
Isn't it time this was handled? It's been years now. And now 3.5 is rolling out.

Is it really so hard to do the following?

1. Automatic check for update, if new version is available notify the user.
2. If the user is a limited user then inform them to either restart the browser as administrator or to notify their administrator.

As it is now when I've missed several security updates since the automatic update check fail to notify me.
It isn't until I read it on a news site (or check the mozilla site) that I'll know.

If Firefox is smart enough to disable/grey out the button it should be smart enough to simply state: "A update is available, please notify your administrator or restart Firefox under an administrator account!"

Even the dimmest user should understand what is going on, after all they probably installed it in th first place, if not, well they'll notify the person that did right? (dad/mom/network admin)

I use Vista, and with Windows 7 around the corner XP and older will quickly fade away. UAC stuff like this will become even more prominent and expected behavior.

The way it works now (3.5 RC3/Final?) is not a good design choice.
Even if the user can't do the update, they should still be informed there is one. It's the task of whomever is admin to actually do the update. And most good admins usually have a limited privileges user that is their "normal" user.

Heck, I don't even use the Admin/Normal combo user on Vista, I actually have a fully separate Normal user I use, so any system changes always require password controlled elevation.

Would be nice if this could be changed and implemented in the next 3.5.x maintenance update.
Comment 105 Dirk Schoettler 2009-07-13 10:39:32 PDT
See Thunderbird, too:
https://bugzilla.mozilla.org/show_bug.cgi?id=384619
Comment 106 john 2009-08-14 01:07:31 PDT
I'm running firefox without admin privileges (windows not linux) and I'm not notified when (security) updates for firefox are available.
This is an annoying! 
This bug is reported years ago for ff 1.5!!!
Comment 107 bugzilla 2009-09-04 03:43:16 PDT
There is a uglily workaround, at least for Linux:

touch /path/to/firefox/update.test
mkdir -p /path/to/firefox/updates/0
touch /path/to/firefox/updates/0/update.test

I think this has to be redone, after every update.

Now, the update check works also under an unprivileged account.
Comment 108 Wayne Mery (:wsmwk, NI for questions) 2009-09-11 08:23:16 PDT
*** Bug 384619 has been marked as a duplicate of this bug. ***
Comment 109 Axel 2009-10-13 10:31:17 PDT
Is there an add-on available, which checks for Firefox updates? Perhaps this would be a possible workaround until Mozilla provides a fix for this bug!
Comment 110 Mike Beltzner [:beltzner, not reading bugmail] 2009-10-19 08:58:09 PDT
Can't in good conscience block on this for Firefox 3.6 without Rob being the one to nominate it, but definitely want to see a fix.
Comment 111 Glen A. 2009-10-20 07:20:12 PDT
I just updated Opera using a limited user account on Windows XP, and it worked perfectly. I was notified of the update, I clicked "Download and Install" (you can click "Remind Me Later" as well), it downloaded, asked me to restart to complete the installation, and when restarting, prompted for administrator credentials in order to perform the update, after which it started the new version of Opera (with limited privileges).

That's how it should be done.
Comment 112 WulfTheSaxon [:Wulf] 2009-11-12 07:58:48 PST
When the Apple Software Updater finds a Safari update in a standard user account in Windows 7, it simply presents an install button with a UAC shield (indicating elevation will be required if you click it).

I really don't see the need for a window explaining that updating isn't possible, when in most cases it would be with an over-the-shoulder elevation prompt. If an enterprise admin doesn't want users to see update dialogs, there's app.update.enabled...
Comment 113 Philip Pawley 2009-11-12 08:12:11 PST
This bug constitutes a serious security risk. You guys have been making laughing stocks of yourselves by not making sure it was resolved ASAP. This bug was reported nearly four crazy years ago. What's up with you? Does security mean nothing to you? Are you asleep?
Comment 114 Thomas Ludwig 2009-11-12 08:36:10 PST
Fully ACK with comment #113. Not fixing such a serious bug over such a long time is ridiculous and embarrassing and renders the claim implausible that security has priority for Mozilla. There seem to be too many people with Mozilla who are permanently logged on as admin on their Windows systems and hence regard this bug as a minor issue. Shame on you!
Comment 115 u88484 2009-11-12 09:45:45 PST
Comment 111, comment 112, comment 113 and comment 114...read comment 110.  Mike Beltzner clearly states that a fix is wanted for this.  Someone needs to attach a patch that fixes this.  Until then this bug will still be open.  No further useless comments are needed and they will NOT help speed things along here.  Take it to the forums or the newsgroups if you want to try an advocate for a fix here.  You can even put up a bounty and someone not tied to Mozilla might be more willing to spend thier time to fix this.
Comment 116 Philip Pawley 2009-11-12 10:03:16 PST
So I read comment #110. 

Why can't Mike Beltzner "in good conscience block on this for Firefox 3.6 without Rob being the one to nominate it"? 

It's no good telling users to go here, do this. We've got our own lives to lead. I'm already giving up my time commenting here, more I cannot, in good conscience. I accept the Mozilla head honchos also have their lives to lead. However, if they can't fulfil their roles in Mozilla, then, sooner or later, Mozilla will fail. I think that's a simple enough statement of fact.
Comment 117 u88484 2009-11-12 10:10:57 PST
(In reply to comment #116)
> So I read comment #110. 
> Why can't Mike Beltzner "in good conscience block on this for Firefox 3.6
> without Rob being the one to nominate it"?
I can't answer for Mike but I can bet it is because Rob Strong is the toolkit sub-module owner of the application update code.
http://www.mozilla.org/projects/toolkit/review.html

In other words, Rob is in charge of that code.  Now don't take that as he is supposed to be the sole person that works on this code and is responsible for fixing every application update bug.
Comment 118 WulfTheSaxon [:Wulf] 2009-11-12 10:15:22 PST
Forgive me, but I don't think comment 111 and mine were "useless". Isn't the fix wanted in comment 110 the one shown in attachment 354985 [details]? Or is the window in the screenshot only to be shown when a pref is toggled, and otherwise it will ask for elevation?

Comments 111 and 112 were supporting Firefox just elevating rather than displaying a failure message unnecessarily. They should also help in tagging this bug parity-opera and parity-safari.
Comment 119 Thomas 2009-11-12 10:27:34 PST
Why was my comment deleted?!It says nearly the same as #113 but was written days BEFORE ... so why?!
Comment 120 u88484 2009-11-12 10:32:08 PST
(In reply to comment #118)
> Forgive me, but I don't think comment 111 and mine were "useless". 
Useless as in everybody that is CC'ed here know what the bug is about, what not fixing this bug means, and that a fix is still needed.

> Isn't the fix wanted in comment 110 the one shown in attachment 354985 [details]
> [details]? Or is the window in the screenshot only to be shown when a 
> pref is toggled, and otherwise it will ask for elevation?
Yes, it is (for now at least).  Just the strings were checked in because those are needed for localization.  Someone still needs to create a patch that detects this setup and then adds that screen with those strings used.

Added the parity-opera and safari to the whiteboard.  Just do that then, don't spam the bug with comments.  79 people are on the CC list and today alone have received eight emails from this bug alone.  People don't have to see dozens of emails of "me toos" and "fix this asap".  Plus, like I just had to do...devs have to read every single message and this takes time out of their day to read this whole bug and figure out exactly what is wanted and what needs to be done here.
Comment 121 Puhbacke 2009-11-12 13:05:46 PST
> 79 people are on the CC list and today alone have
> received eight emails from this bug alone.  People don't have to see dozens of
> emails of "me toos" and "fix this asap".  Plus, like I just had to do...devs
> have to read every single message and this takes time out of their day to read
> this whole bug and figure out exactly what is wanted and what needs to be done
> here.

Don't forget: This Bug has its 5. bithday in a few days, it is essential for peoble who want work responsible and careful with Firefox and Windows. Nothing happend because it seems like nobody is interestet on this bug (because the responsible people work with linux?) i don't know.

But maybe the people simply think they have to do something and awake them now? What else can the users do after 5 jears of waiting?
Comment 122 Robert Strong [:rstrong] (use needinfo to contact me) 2009-11-12 13:18:34 PST
I am very interested in fixing this. I am also very busy and fixing this bug is not as easy as you seem to think it is. I am also very annoyed by useless comments that take me away from the other work I am trying to accomplish.

btw: I am not the only person that can fix this so by all means please take this bug on with the caveat that I will not respond to questions regarding how to fix this bug that don't show the person has at least made an effort to understand the different scenarios this needs to cover as well as the code since the people that ask questions without doing so have always in my experience not tried to actually fix the bug and it takes time away from the other work I am doing so it ends up being a total loss of time / effort.
Comment 123 Justin Dolske [:Dolske] 2009-11-12 13:21:58 PST
I'd like to remind people to read https://bugzilla.mozilla.org/page.cgi?id=etiquette.html before commenting further.

The best way to ensure a bug is ignored is to to be uncivil and add useless comments.
Comment 124 Robert Strong [:rstrong] (use needinfo to contact me) 2009-11-18 22:31:20 PST
Bug 407875 made it so Help -> Check for Updates is not disabled and we will notify of available updates and provide an url to get the update.

Changing summary to be about the remaining issue. Each platform has its own convention for accomplishing this and I will file bugs for Linux, Mac, and Windows that block this bug for the remaining work in this bug.
Comment 125 Henrik Skupin (:whimboo) 2009-11-25 08:08:49 PST
Looks like it has been regressed at least bug 530286 for the French locale.
Comment 126 Henrik Skupin (:whimboo) 2009-11-25 08:09:33 PST
Sorry, wrong bug.
Comment 127 Sierk Bornemann 2010-01-06 10:07:32 PST
Concerning Firefox on MacOSX:

Why not simply use the popular Sparkle framework from http://sparkle.andymatuschak.org/ for updating Firefox on the MacOSX platform even from a non-privileged user account (elevating permissions via system's prompt for an admin password when writing into /Applications), like many other applications on MacOSX incl. Camino Browser already do?

Or, alternatively to the Sparkle framework, using Google's Update engine framework from http://code.google.com/p/update-engine/ ?
Comment 128 Nathan Tuggy (:tuggyne) 2010-04-11 23:11:07 PDT
*** Bug 558727 has been marked as a duplicate of this bug. ***
Comment 129 Thomas L Jones 2010-04-13 20:11:36 PDT
This one has already been fixed, hasn't it? The other night, I was surfing away in my unprivileged account, following the familiar advice that one shouldn't do day-to-day surfing in administrative account. A little window came up and said that there was an update available for Firefox. I had no difficulty switching to the administrative account, then downloading and installing the update. Win XP.

A good job. Thanks to all who worked on it.

Tom Jones
Comment 130 Robert Strong [:rstrong] (use needinfo to contact me) 2010-04-13 20:17:06 PDT
No, what you are referring to is notification of an available update which is fixed and is bug 407875. This bug is tracking platform specific bugs for providing the ability to update when the user doesn't have privileges. Your welcome and thanks!
Comment 131 Thomas L Jones 2010-06-16 17:18:32 PDT
If a user does not have privileges and cannot get privileges, he or she will need to alert someone who does. An example is patrons in a public library, assuming that the IT department hasn't already been alerted. In any case, the update will be installed into an Administrative account or not at all. For a library patron or other similar person to download and install the update: Nope. Won't work. Forget it.

Tom

Windows XP
Comment 132 Robert Strong [:rstrong] (use needinfo to contact me) 2010-06-16 18:55:25 PDT
For Windows either a Windows service or MSI patches can provide the ability to update for a user without privileges so no, we won't forget it. ;) The library scenario you outlined would of course be able to prevent updates but that doesn't mean we shouldn't provide the ability to update for a user without privileges.
Comment 133 Sierk Bornemann 2010-06-17 02:37:32 PDT
(In reply to comment #131)
> If a user does not have privileges and cannot get privileges, he or she will
> need to alert someone who does. An example is patrons in a public library,
> assuming that the IT department hasn't already been alerted. In any case, the
> update will be installed into an Administrative account or not at all. For a
> library patron or other similar person to download and install the update:
> Nope. Won't work. Forget it.

In many many cases (maybe in most cases), your patron and the user with lower privileges are one and the same person. One person with two roles at the same time: he is standard user with reduced privileges for day-to-day use, and at the same time he is admin of his own computer with full admin privileges for system maintenance. And for this scenario, it would be a huge win, if this person would be able to update Firefox from his standard account environment (based on reduced privileges) WITHOUT changing his whole environment and logging himself into the Admins account and desktop to be able to update Firefox. For this scenario, it would be very helpful, if Firefox would be able to use the system's mechanism to elevate his rights at the right moment. Meaning: download the new Firefox into a local Temp-Directory and install it with privileged rights (Admin rights) into the correct and systemwide location after being asked from the system for the Admin's password and so granted the correct rights to do so.

That does function.
On MacOSX it is very common.
See also comment 127. Please integrate the Sparkle Framework into Firefox. Look at Camino (Camino uses the Sparkle Framework to solve this), look at other Applications (at least on the Mac) how they deal with this. It saves you a lot of work and helps to solve this issue (at least on the Mac).
Comment 134 Gerd 2010-06-17 07:37:13 PDT
Elevation of user rights is a good point. Just see http://kay-bruns.de/wp/software/surun/ for a reference.

Kind regards.
Comment 135 [:Aureliano Buendía] 2010-06-21 12:09:58 PDT
*** Bug 573495 has been marked as a duplicate of this bug. ***
Comment 136 Jo Hermans 2010-06-27 10:30:38 PDT
*** Bug 575085 has been marked as a duplicate of this bug. ***
Comment 137 Sierk Bornemann 2010-10-20 02:32:44 PDT
Access privileged functionality (for instance: application update) from a non-privileged application on Mac OS X:

Apple Developer Mac OS X Reference Library: BetterAuthorizationSample from http://developer.apple.com/library/mac/#samplecode/BetterAuthorizationSample/Introduction/Intro.html

Or use Sparkle from http://sparkle.andymatuschak.org/ (also used by Camino and many, many other third party applications on the Mac to allow a privileged application update from the role of a non-privileged user).
Comment 138 dan pritts 2010-12-01 14:19:39 PST
I'm really shocked that this is still sitting since 2006 with no fix or workaround.

IMNSHO the *very next release* of firefox should allow everyone to check for updates.  If the user does not have privileges, they should be told that the update is available but they do not have privileges to install it.  The auto-update check should work in the same fashion.

In lieu of a fix for this issue I'm looking to create my own notifier for updates, if anyone can help me decode the variables in the updateURL please contact danpritts at yahoo.
Comment 139 Robert Strong [:rstrong] (use needinfo to contact me) 2010-12-01 14:25:29 PST
The current system as of 3.6 already allows users to check and be notified about an update when using an account that isn't able to apply updates. What we need to do in this bug's dependent bugs (each platform has significantly different methods for elevation) is provide a sane way to ask the user to elevate and if they are unable to (e.g. they don't have credentials or know of credentials that can apply an update) don't repeatedly ask the user to elevate and fallback to the current method of only letting them know there is an update available.
Comment 140 nanoamirarsalan 2011-08-19 21:33:57 PDT
Created attachment 554611 [details]
its good
Comment 141 Charles 2012-03-20 04:32:58 PDT
(In reply to Bob Vickers from comment #28)
> As I see it there are 4 different cases to consider when you run Firefox:
> (1) You are the admin running with admin privs
> (2) You are the admin running under an unprivileged account
> (3) You are using a distro version of Firefox, so Redhat or SuSE or
>     someone is responsible for providing updates
> (4) You are an unprivileged user, do not know the root password and
>     rely on someone else to install updates (perhaps someone you know
>     or perhaps someone in a far-off computer department).

Actually there are twice as many cases, because each of those cases should also be a different case based on whether the automatic check for updates pref was enabled or not.

I'll only address the Windows 7 scenario (with UADC enabled), since that is my main focus.

The way I have historically handled updates in my office when we were all on XP where all users run as 'Power User', which does allow them to be able to apply updates to Firefox and thunderbird (I'm a lone IT guy, anywhere from 40-60 users) is simple... I disable auto-updates on all computers but mine, when a new update becomes available, I wait until all of the extensions we use are updated (or I might just version bump them myself), then I update mine and test for a day or two... if all is well, I start walking around the office, ask the user for a minute, click Help > About Firefox (or Thunderbird), click 'Check for Updates', then apply the update. I can get everyone updated in a day or two with little hassle (just my time - and yes I'd love it if the boss would spring for some of the commercial auto-update tools).

I can no longer do this in Windows 7. Now I have to log the user off, perform the update, then let them log back in. This increases the amount of time and inconvenience for both of us *dramatically*.

For Windows 7 (and Vista I guess, although I'll never use it), this is what makes the most sense to me:

1. Auto-update enabled, logged on user has required privileges to successfully apply the update - do what you do now - notify the user that an update is available and prompt them to download and install it, when it comes time to perform the install, initiate the UAC prompt (just OK or Cancel and doesn't require a password since the user is already logged on with an admin account).

2. Auto-update enabled, logged on user does *not* have required privileges to successfully apply the update, have 2 prefs to define what happens:

   a) notify the user that an update is available, but they do not
      have the required privileges to install it and that they
      should contact their Administrator

   b) notify the user that an update is available, but they will need
      to provide Admin Credentials with the required privileges to
      apply it, and show an 'Apply Update' button that when clicked,
      prompts for Admin Credentials (if Admin Credentials are not
      provided, there is no attempt to apply the update)

3. Auto-update is *disabled*, logged on user has required privileges to successfully apply the update - do what you do now - do not notify the user that an update is available unless/until they manually check for it, and if/when they do, if one is available, prompt them to download and install it, again inserting the UAC prompt prior to the actual installation.

4. Auto-update is *disabled*, logged on user does *not* have required privileges to successfully apply the update - do not notify the user that an update is available unless/until they manually check for it, and if/when they do (and an update is available), the same 2 prefs would apply:

   a) inform the user that they do not have the required privileges
      to install it and that they should contact their Administrator

   b) inform the user that they will need to provide Admin Credentials
      with the required privileges to apply it, and show an 'Apply Update'
      button that when clicked, prompts for Admin Credentials (if Admin
      Credentials are not provided, there is no attempt to apply the update)

I think OSX could work the same/similar way as Windows, but for Linux, it should depend on how the current app was installed - if it was installed by the distro package manager, then updates should be managed/provided by the package manager, if it was downloaded/installed manually by the user, then I imagine things could work as I described above.

Regardless, this really needs to be fixed so that Firefox and Thunderbird can be updated manually on Windows 7 under a Standard user account with UAC enabled through proper privilege escalation with UAC.

I've also just learned about how to create your own private update service using .mar files, so it would be a huge bonus to also have a pref that allowed you to somehow provide an encrypted form of Admin Credentials to the update service, so that it could silently install updates, but only from your approved source.
Comment 142 Robert Strong [:rstrong] (use needinfo to contact me) 2014-11-13 23:02:44 PST
*** Bug 784502 has been marked as a duplicate of this bug. ***
Comment 143 Stephen A Pohl [:spohl] 2016-05-26 10:33:59 PDT Comment hidden (obsolete, wrong-bug)
Comment 144 Stephen A Pohl [:spohl] 2016-05-26 11:42:50 PDT Comment hidden (obsolete, wrong-bug)
Comment 145 Robert Strong [:rstrong] (use needinfo to contact me) 2016-05-26 13:02:18 PDT Comment hidden (obsolete)
Comment 146 Robert Strong [:rstrong] (use needinfo to contact me) 2016-05-26 13:04:15 PDT
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #145)
> With only bug 529746 (Linux elevation) and bug 529748 (Windows UAC elevation
> for non admin users) I'm closing this bug which became a tracking bug. Since
> it was originally filed for Linux anyone wanting to track the Linux
> implementation should follow bug 529746.
Bah, I got the bug numbers reversed.
bug 529746 (Windows UAC elevation for non admin users) and bug 529748 (Linux elevation).
Since it was originally filed for Linux anyone wanting to track the Linux implementation should follow bug 529748.

Note You need to log in before you can comment on or make changes to this bug.