Closed
Bug 969728
Opened 10 years ago
Closed 10 years ago
Standard users cannot update Firefox if Mandatory Profile is used
Categories
(Toolkit :: Application Update, defect)
Tracking
()
VERIFIED
FIXED
mozilla30
People
(Reporter: emk, Assigned: emk)
Details
Attachments
(2 files)
13.74 KB,
patch
|
Details | Diff | Splinter Review | |
1.25 KB,
patch
|
bbondy
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
See bug 711475 comment #115 and following comments.
Assignee | ||
Comment 1•10 years ago
|
||
@Markus: 1. What version of Windows are you using? (Vista, 7, 8, or 8.1?) 2. Could you tell me "EnableLUA", "ConsentPromptBehaviorAdmin", and "PromptOnSecureDesktop" values under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" key using Regitry Editor?
Flags: needinfo?(wehr)
Comment 2•10 years ago
|
||
Thanks. it must be a configuration issue. I found the updater working on a freshly installed pc. (clean user Profile more exactly) The UAC GPOs (machine specific) are not involved in the issue. we use a mandatory Profile. Also Folder redirection. I believe i need to correct an issue with the mandatory Profile to fix this. (perhaps some Folder redirection stuff - "user Shell Folders" values or "Shell Folders") Do you know exactly what check Firefox does to decide wheather or not to use maintenance Service? In my case the update button Triggers UAC Prompt when it shouldnt. many thanks Markus
Flags: needinfo?(wehr) → needinfo?
Assignee | ||
Comment 3•10 years ago
|
||
(In reply to Markus Wehr from comment #2) > I believe i need to correct an issue with the mandatory Profile to fix this. Oh, you are right. Firefox will not use the maintenance service if the update folder is created under the UNC path. https://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/common/updatehelper.cpp?rev=73ac7e81f316#644 https://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/updater/updater.cpp?rev=c4177c7f6f8b#2648 > In my case the update button Triggers UAC Prompt when it shouldnt. If Firefox decided not to use the maintenance service, it will try to trigger the UAC prompt for standard users. but if the UAC GPO settings are configured to Automatically deny elevation requests, the attempt will fail.
Flags: needinfo?
Comment 4•10 years ago
|
||
Firefox 26 will not use Maintenance Service if Mandatory Profile is used: - Install plain vanilla Win 7 - Copy Default Profile to c:\temp\cp.V2 (permissions=everone) - rename ntuser.dat to ntuser.man - Create testuser with Profile Path= c:\temp\cp Firefox will not use maintenance Service. rename ntuser.man -> ntuser.dat Firefox will use maintenance Service. rename ntuser.dat -> ntuser.man again Firefox will not use maintenance Service.
Assignee | ||
Updated•10 years ago
|
Summary: Standard users cannot update Firefox if GPO configured to Automatically deny elevation requests for Standard users → Standard users cannot update Firefox if Mandatory Profile is used
Comment 5•10 years ago
|
||
Only "Standard users cannot update Firefox if Mandatory Profile is used" Update works for standard users with "HKLM...\Policies\System\ConsentPromptBehaviorUser"=0 (automatically deny elevation request) It seems this value isnt used to calculate "isUnpromptedElevation" anyway. In my case isUnpromptedElevation should return false.
Assignee | ||
Comment 6•10 years ago
|
||
You said update did *not* work with "automatically deny elevation request" in bug 711475. Which is correct?
Comment 7•10 years ago
|
||
It updates with "automatically deny elevation request". Courrent description is accurate. Its only the Profile Type Mandatory what prevents update. (The Info was misleading. After all UAC has nothing to do with the issue. Without the GPO the behavior is exactly the same as reported from Jason.)
Comment 8•10 years ago
|
||
Profile Types that also prevent update: TEMP Profile GUEST User Profile It seems that Firefox checks the Profile Type - wheather changes will persist.
Assignee | ||
Comment 9•10 years ago
|
||
The cause of the failure was that CryptAcquireContext always failed with the temporary profile. http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2003-12/0349.html https://mxr.mozilla.org/mozilla-release/source/toolkit/mozapps/update/common/pathhash.cpp?rev=73ac7e81f316&mark=45-45,51-51#39 (In reply to Markus Wehr from comment #8) > It seems that Firefox checks the Profile Type - wheather changes will > persist. We don't intentionally check the profile type, but it failed on temporary profiles as a result.
Assignee | ||
Comment 10•10 years ago
|
||
So we need to calculate MD5 without relying on Win32 Crypto to support Guest account or roaming profile.
Comment 11•10 years ago
|
||
it is possible to spoof the Profile type: http://www.ivandemes.com/?p=305 i will see if it is possible in my environment without negative side effects.
Assignee | ||
Comment 12•10 years ago
|
||
As the page explains spoofing the profile will leave the to-be-removed profile data. Moreover an app shouldn't tamper the system status.
Assignee | ||
Comment 13•10 years ago
|
||
It was nearly impossible to debug with the current useless log output. Also, end users will just report "update.log is empty" without this change. - Added a message for every exit reason. - Added a message for each reason why the service was disabled. - Don't wipe out the log if the update status is pending on restart.
Assignee | ||
Comment 14•10 years ago
|
||
CRYPT_VERIFYCONTEXT did the trick.
Attachment #8373971 -
Flags: review?(netzen)
Updated•10 years ago
|
Attachment #8373971 -
Flags: review?(netzen) → review+
Comment 15•10 years ago
|
||
Comment on attachment 8373970 [details] [diff] [review] Print more messages to update.log Review of attachment 8373970 [details] [diff] [review]: ----------------------------------------------------------------- Robert could you take a look at this? I'm unsure about the log overwriting stuff.
Attachment #8373970 -
Flags: review?(netzen) → review?(robert.strong.bugs)
Comment 16•10 years ago
|
||
Comment on attachment 8373970 [details] [diff] [review] Print more messages to update.log emk, there are cases where these changes will cause writes to the update.log from both the elevated and unelevated updater. There are also tests that verify the contents of the update.log so has this been through try? I am leaning toward having at least some of these additional log messages written to a separate log so they don't get garbled when the elevated and unelevated updater write to the log. If you are in agreement let's do this in a new bug.
Comment 17•10 years ago
|
||
Comment on attachment 8373970 [details] [diff] [review] Print more messages to update.log Cancelling review until answers are received for comment #16
Attachment #8373970 -
Flags: review?(robert.strong.bugs)
Assignee | ||
Comment 18•10 years ago
|
||
OK, indeed this patch doesn't depend on the log stuff. I'll do it in another bug. https://hg.mozilla.org/integration/mozilla-inbound/rev/9201e3e02330
Assignee | ||
Comment 19•10 years ago
|
||
Filed bug 971224 for the log stuff.
Comment 20•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9201e3e02330
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Assignee | ||
Comment 21•10 years ago
|
||
Verified with the Guest account. Fails: 2014-02-12 https://hg.mozilla.org/mozilla-central/rev/802d87c77e76 Works: 2014-02-13 https://hg.mozilla.org/mozilla-central/rev/a62bde1d6efe
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 22•10 years ago
|
||
Comment on attachment 8373971 [details] [diff] [review] Make users using temporary profile possible to update using the maintenance service [Approval Request Comment] Bug caused by (feature/regressing bug #): N/A User impact if declined: Some users can't update the browser. Testing completed (on m-c, etc.): Verified locally. Risk to taking this patch (and alternatives if risky): Very low. String or IDL/UUID changes made by this patch: None.
Attachment #8373971 -
Flags: approval-mozilla-beta?
Attachment #8373971 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
Attachment #8373971 -
Flags: approval-mozilla-beta?
Attachment #8373971 -
Flags: approval-mozilla-beta+
Attachment #8373971 -
Flags: approval-mozilla-aurora?
Attachment #8373971 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 23•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/8b17003640d4 https://hg.mozilla.org/releases/mozilla-beta/rev/b61023119a21
status-firefox27:
--- → wontfix
status-firefox28:
--- → fixed
status-firefox29:
--- → fixed
status-firefox30:
--- → fixed
Updated•10 years ago
|
status-b2g-v1.3:
--- → fixed
Assignee | ||
Comment 25•10 years ago
|
||
Markus, could you verify this using yesterday's Nightly? https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-02-18-03-02-02-mozilla-central/firefox-30.0a1.en-US.win32.installer.exe
Assignee | ||
Updated•10 years ago
|
Flags: needinfo?(wehr)
Comment 26•10 years ago
|
||
yes it updates with standard user account and mandatory Profile. (from 30.0a1 2014-02-18 to 30.0a1 2014-02-19) So Firefox 28 will be the last Version i have push out manually?!
Flags: needinfo?(wehr)
Assignee | ||
Comment 27•10 years ago
|
||
(In reply to Markus Wehr from comment #26) > So Firefox 28 will be the last Version i have push out manually?! Yes. Sorry for the inconvenience.
Comment 28•10 years ago
|
||
Thank you for the fix :)
Comment 29•10 years ago
|
||
I tried to setup my machines here in order to reproduce and verify this issue but with little success. Markus can you please verify that the issue is fixed on Firefox 28 beta 8 and latest Aurora? For Beta 8 you can download an old Beta 7 build (eg: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/27.0b9-candidates/ ) For Aurora you can download an old Aurora build as well (eg: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014/02/2014-02-01-00-40-03-mozilla-aurora/ )
Flags: needinfo?(wehr)
Keywords: verifyme
Assignee | ||
Comment 30•10 years ago
|
||
(In reply to Bogdan Maris, QA [:bogdan_maris] from comment #29) > I tried to setup my machines here in order to reproduce and verify this > issue but with little success. What does it mean? Will Firefox beta 28 not update on the Guest account? If so, it should be reported as a bug itself.
Comment 31•10 years ago
|
||
Bogdan, please read Messages from Masatoshi Kimura above: >> CRYPT_VERIFYCONTEXT did the trick. https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-02-18-03-02-02-mozilla-central/firefox-30.0a1.en-US.win32.installer.exe will update. Oder Versions not using CRYPT_VERIFYCONTEXT flag will not use maintenance Service for Guest, Temp, Mandatory Windows Profiles. regards Markus
Flags: needinfo?(wehr)
Comment 32•10 years ago
|
||
this worked: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014/02/2014-02-28-00-40-00-mozilla-aurora/firefox-29.0a2.en-US.win32.installer.exe
You need to log in
before you can comment on or make changes to this bug.
Description
•