Linux_Firefox vs Tor Browser installed in root directories

Discuss various technical topics not related to Mozilla.
Posts: 837
Joined: January 25th, 2007, 2:49 pm
Location: So. U.S.A.

Post Posted September 14th, 2018, 3:00 pm

What determines whether any Linux app - installed to a root owned directory (e.g., /opt) actually runs under a standard user account, when it's launched?

Every app I've had to (or did) install to /opt - including Mozilla version of Firefox, or some packages install themselves to /usr/local, all show the main process is running under my user account when launched (as expected). But if you look at permissions of the executable files in /opt, they all show as root owned. But they don't RUN in root mode.

Except Tor Browser. It warns, "Don't extract or run TBB in root mode." Fine - but no explanation for the different behavior vs. every other app installed / extracted to a root directory. No reason given - even for questions directly to Tor Project.

It's obvious from the "start Tor Browser" file, they've coded it to give a warning about don't run it as root, then exiting.
You can get around that if you really want, by modifying the "start-tor-browser" script, but that's not my question.

Why do Tor Project devs choose not to make it behave like every other app, where even though apps are installed in root owned directories & every file shows root owned, but after they're launched, the running process runs under a standard user account?

Tor Browser is the only one I've seen that doesn't behave like every other app.
I'm assuming that Linux thinks it's a good idea to install most apps in root owned directories, where they're protected by password & other safeguards, or else they'd have changed that practice long ago.

Other than when Linux TBB isn't installed from a deb file (Debian based distros), there's a problem automatically updating it, what security is gained by installing it to much less secure user home directory? Surely, they could host their own repository & keep it as safe as their download server is now.

The flip side would be, if Tor Project figured out a much safer way to run browsers, why haven't any others followed?
I'm guessing it's because there is no increased security by installing to the Linux user's home directory.

Return to MozillaZine Tech

Who is online

Users browsing this forum: No registered users and 0 guests