Use MozillaMaintenance service for limited user accounts to allow anybody initializing an upgrade




Application Update
6 years ago
6 years ago


(Reporter: Rainer Meier, Unassigned)


11 Branch

Firefox Tracking Flags

(Not tracked)




6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Build ID: 20120312181643

Steps to reproduce:

I have installed Firefox 12/13 as an administrator on Windows 7 and Windows XP. I am used to run normal users with "limited account" permissions. After installation as administrator I switch to a limited user account and check for updates.

Actual results:

Firefox then only displays a link where updates can be found instead of providing possibility to apply updates using the service (service was installed and configured properly).

Expected results:

Maybe this was removed on purposed. But in home environments it provides good level of added security to work with limited accounts. I have also tested to provide write access to the Firefox installation folder for limited users. Then the updates can be applied by users but the service seems not to be used (also the uninstall entry is added to the local limited account uninstall entry list). Moreover opening write access to the Firefox install folder is a security hole which allows viruses to infect Firefox and therefore allows spreading to other accounts (if Firefox is run by multiple users on the same system).

If Firefox would use the update service even when initiated as limited user then this would not allow malware to modify Firefox (including file modification or dropping malicious add-ons) but only allow updating from trusted Mozilla-source.

Maybe this is related to <> but I thought it's not exactly the same.

Of course people might argue that limited users shall not be able to update Firefox installed by administrators. But in such environments the administrator will anyway disable the update service entirely which easily prevents limited accounts from preforming system-wide updates then.

I have read <> and also the test plan. But all of them seem to refer to the possibility for limited user accounts to perform upgrades. Which currently seems not to be possible as limited accounts are not using the service to perform upgrades.
And no, I don't want my limited users to install Firefox in their user context instead because then any user on the system would use its own personal Firefox installation effectively ending up in multiple different Firefox versions installed on each account. I would rather prefer that there is one global Firefox (stable) installed and any user is allowed to trigger a global update so all users always profit from getting the latest version automatically.
Component: General → Application Update
QA Contact: general → application.update
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 711475
You need to log in before you can comment on or make changes to this bug.