Fwd: Insecure file permissions in the Firefox browser for Linux >= v0.9

Jakub Bogusz qboosh at pld-linux.org
Wed Sep 15 18:45:54 CEST 2004


So what do you call "correct permissions" needed to run/initialize
Firefox from non-root account?
/ [pl] what are the "correct permissions" for running/initializing
Firefox with uid>0?
(Cc to pl, because it was brought up here that others supposedly have correct
permissions and Firefox works for them not only as root)

----- Forwarded message from Max <spamhole at gmx.at> -----

From: Max <spamhole at gmx.at>
Organization: unorganized
To: bugtraq at securityfocus.com
Subject: Insecure file permissions in the Firefox browser for Linux >= v0.9
Date: Mon, 13 Sep 2004 21:12:16 +0200
User-Agent: KMail/1.6.2


after installing firefox many of the permissions are set to 777, allowing 
anyone on the system to change the contents of the (executable) files.

this first occurred in the 0.9 release (in the tar.gz release as well as in the 
installer). the problem (or is it called a feature now?) still exists in the 
latest release v0.9.3.

the problem was reported on bugzilla long long time ago by myself and others.

lunanova:/tmp# tar xzf firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.gz
lunanova:/tmp# cd firefox-installer/
lunanova:/tmp/firefox-installer# ./firefox-installer
# ... installing to /tmp/firefox-0.9.3
lunanova:/tmp/firefox-installer# exit
max@lunanova:~$ cd /tmp/firefox-0.9.3
max@lunanova:/tmp/firefox-0.9.3$ echo 'echo "oops"' > run-mozilla.sh
max@lunanova:/tmp/firefox-0.9.3$ ./firefox
oops
max@lunanova:/tmp/firefox-0.9.3$ ls -l
total 12676
drwxr-xr-x  4 root root    4096 Sep 13 21:02 chrome
drwxr-xr-x  3 root root    4096 Sep 13 21:02 components
drwxr-xr-x  5 root root    4096 Sep 13 21:02 defaults
drwxr-xr-x  2 root root    4096 Sep 13 21:02 extensions
-rwxr-xr-x  1 root root    4775 Aug  3 14:14 firefox
-rwxr-xr-x  1 root root 9758932 Aug  3 14:14 firefox-bin
drwxr-xr-x  2 root root    4096 Sep 13 21:02 greprefs
-rw-r--r--  1 root root   29364 Sep 13 21:02 install.log
-rwxrwxrwx  1 root root  441204 Aug  3 14:14 libmozjs.so
-rwxrwxrwx  1 root root  177164 Aug  3 14:14 libnspr4.so
-rwxrwxrwx  1 root root  405372 Aug  3 14:14 libnss3.so
-rwxrwxrwx  1 root root  170068 Aug  3 14:14 libnssckbi.so
-rwxrwxrwx  1 root root   15272 Aug  3 14:14 libplc4.so
-rwxrwxrwx  1 root root    8240 Aug  3 14:14 libplds4.so
-rwxrwxrwx  1 root root  134188 Aug  3 14:14 libsmime3.so
-rw-rw-rw-  1 root root     476 Aug  3 14:14 libsoftokn3.chk
-rwxrwxrwx  1 root root  419824 Aug  3 14:14 libsoftokn3.so
-rwxrwxrwx  1 root root  125376 Aug  3 14:14 libssl3.so
-rwxrwxrwx  1 root root  661232 Aug  3 14:14 libxpcom.so
-rwxrwxrwx  1 root root   94888 Aug  3 14:14 libxpcom_compat.so
-rwxrwxrwx  1 root root    7736 Aug  3 14:14 libxpistub.so
-rwxrwxrwx  1 root root  236615 Aug  3 14:14 mozilla-xremote-client
drwxr-xr-x  2 root root    4096 Sep 13 21:02 plugins
-rw-r--r--  1 root root     335 Sep 13 21:02 registry
drwxr-xr-x  7 root root    4096 Sep 13 21:02 res
-rwxrwxrwx  1 root root      12 Sep 13 21:03 run-mozilla.sh
drwxr-xr-x  2 root root    4096 Sep 13 21:02 searchplugins
-rwxrwxrwx  1 root root  147500 Aug  3 14:14 xpicleanup
.. subdirs don't look much better.

----- End forwarded message -----

-- 
Jakub Bogusz    http://cyber.cs.net.pl/~qboosh/
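
Added example, not part of the original messages or of the Firefox installer: a shell audit for the condition shown in the listing above (files in an install tree that users other than the owner can modify), plus a function that clears the extra write bits. The function names, the temporary sample tree and the file chrome/sample.jar are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit an application install tree for files and directories that
# users other than the owner can modify (mode bits o+w or g+w).

# Print one line per finding under $1, tagged with the class of exposure.
# Symlinks are skipped: their own mode bits are not what gets enforced.
# Paths containing newlines are not handled.
audit_tree() {
    root=$1
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/world-writable /'
    find "$root" \( -type f -o -type d \) ! -perm -0002 -perm -0020 -print |
        sed 's/^/group-writable /'
}

# Clear group and other write bits on everything audit_tree would report.
# Read and execute bits are left alone, so programs stay runnable.
# This does not undo a modification that was already made: a tree that
# was exposed should be reinstalled or compared with known-good copies.
harden_tree() {
    root=$1
    find "$root" \( -type f -o -type d \) \
        \( -perm -0002 -o -perm -0020 \) -exec chmod go-w {} +
}

# Constructed sample tree using a few names and modes from the listing,
# plus one hypothetical group-writable file (chrome/sample.jar).
# Prints the path of the temporary directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/chrome" && chmod 755 "$d/chrome"
    : > "$d/firefox";           chmod 755 "$d/firefox"
    : > "$d/libnspr4.so";       chmod 777 "$d/libnspr4.so"
    : > "$d/libsoftokn3.chk";   chmod 666 "$d/libsoftokn3.chk"
    : > "$d/run-mozilla.sh";    chmod 777 "$d/run-mozilla.sh"
    : > "$d/chrome/sample.jar"; chmod 664 "$d/chrome/sample.jar"
    printf '%s\n' "$d"
}
```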



