Security/Reviews/CleanUpUserProfile

From MozillaWiki

Item Reviewed

Clean Up User Profile
Target https://wiki.mozilla.org/Support/Firefox_Features/Clean_up_user_profile


Introduce the Feature

Goal of the feature: what is it trying to achieve (problem solved, use cases, etc.)?

What solutions/approaches were considered other than the proposed solution?

  • Reset user profile
    • Rather than creating a new profile, clean up or delete data in the existing profile
    • Import/export of data rather than file copies
    • Push data to new profile (implemented as pull using existing browser migrator infra.)
  • Detecting when a reset is helpful - startup crash detection
    • Uses the filesystem timestamp of existing profile locks and prefs to track successful startups
    • Write to or touch a file in the profile to indicate a safe previous startup
    • Write to or touch a file in the profile to indicate startup was attempted, delete on success

Why was this solution chosen?

  • Reset user profile
  • The ability for a user to return to their problem profile after the reset avoids the data loss that cleaning up an existing profile in place would cause.
  • Only bookmarks already supported import/export and since we don't have data on the specific problems the feature should fix, the benefits of import/export were hard to measure but the development time would have been significantly higher. When specific problems are found with file copies, follow-up bugs can be filed to do import/export on the specific data.
  • The pull model is better for the use case of initiating the process from the installer, since the installer doesn't want to know anything about profiles.
  • Detecting when a reset is helpful - startup crash detection
    • The solutions above led to slower startup times on some operating systems due to the additional file I/O
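
The timestamp-based detection the review settled on, as an added illustration in Python. This is not Firefox's own startup crash detection code; the lock file name, the JSON state file standing in for prefs, and the crash threshold are assumptions made for the example. The model: every launch creates or touches a lock file in the profile; once the browser is fully up it records that time as the last successful startup; at the next launch, a lock file whose mtime is newer than the last recorded success means the previous run never reached the success point.

```python
"""Startup-crash detection from filesystem timestamps (added illustration).

Assumed model for this example: every launch creates or touches a lock file
in the profile; once the browser has fully started it records that time as
"last successful startup".  At the next launch, a lock file whose mtime is
newer than the last recorded success means the previous run never reached
the success point, i.e. it crashed during startup.  A crash that happens
later (while browsing) also leaves the lock behind, but its mtime is older
than last_success, so it is not counted.  Nothing beyond what startup touches
anyway is written on the hot path.
"""
import json
import os
import tempfile

LOCK_NAME = "parent.lock"           # assumption: per-launch lock file name
STATE_NAME = "startup-state.json"   # assumption: stand-in for the real prefs store
CRASH_THRESHOLD = 2                 # assumption: offer a reset after this many in a row


def _load_state(profile):
    path = os.path.join(profile, STATE_NAME)
    if not os.path.exists(path):
        return {"last_success": 0.0, "recent_crashes": 0}
    with open(path) as f:
        return json.load(f)


def _save_state(profile, state):
    with open(os.path.join(profile, STATE_NAME), "w") as f:
        json.dump(state, f)


def begin_startup(profile, now):
    """First thing at launch. Returns (previous_run_crashed_at_startup,
    consecutive_startup_crashes, offer_reset)."""
    lock = os.path.join(profile, LOCK_NAME)
    state = _load_state(profile)
    crashed = os.path.exists(lock) and os.path.getmtime(lock) > state["last_success"]
    if crashed:
        state["recent_crashes"] += 1
    # create/touch the lock for this run and stamp it with the launch time
    with open(lock, "a"):
        pass
    os.utime(lock, (now, now))
    _save_state(profile, state)
    return crashed, state["recent_crashes"], state["recent_crashes"] >= CRASH_THRESHOLD


def mark_startup_success(profile, now):
    """Called once the UI is up: this run counts as a good startup."""
    state = _load_state(profile)
    state["last_success"] = now
    state["recent_crashes"] = 0
    _save_state(profile, state)


def clean_shutdown(profile):
    """Orderly exit removes the lock; a crash at any point leaves it behind."""
    lock = os.path.join(profile, LOCK_NAME)
    if os.path.exists(lock):
        os.remove(lock)


def simulate():
    """Constructed scenario in a temporary profile: two startup crashes, a
    good run that later crashes while browsing, then a clean exit."""
    profile = tempfile.mkdtemp(prefix="reset-demo-")
    log = []
    log.append(begin_startup(profile, 1000.0))  # run 1: fresh profile
    # run 1 dies during startup: no mark_startup_success, no clean_shutdown
    log.append(begin_startup(profile, 2000.0))  # run 2: run 1 counted as a crash
    # run 2 dies during startup too
    log.append(begin_startup(profile, 3000.0))  # run 3: second crash, threshold hit
    mark_startup_success(profile, 3005.0)       # run 3 starts fine
    # run 3 crashes while browsing: lock left behind, but older than last_success
    log.append(begin_startup(profile, 4000.0))  # run 4: not a startup crash
    mark_startup_success(profile, 4005.0)
    clean_shutdown(profile)
    log.append(begin_startup(profile, 5000.0))  # run 5: no stale lock at all
    return log


if __name__ == "__main__":
    for i, entry in enumerate(simulate(), 1):
        print("run %d: crashed_last=%s count=%d offer_reset=%s" % ((i,) + entry))
```

Because the whole signal lives in files that anyone with write access to the profile can alter, this is a reliability heuristic rather than a security boundary, which is the same point the threats section makes about prefs.js.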

Any security threats already considered in the design and why?

  • Reset user profile
    • Privacy: creates a new profile and leaves the existing one on disk without an easy way to use or delete it; the user can use the profile manager if they are aware of it.
    • Could potentially be used to migrate malicious data into a user's profile – this threat is mitigated by the fact that the code only migrates from an existing profile set as the default in profiles.ini. It doesn't support
  • Detecting when a reset is helpful - startup crash detection
    • An attacker could manipulate a user's prefs and cause them to start in safe mode, thus disabling add-ons which may provide some security benefit, e.g. NoScript.
      • Attacker can do much worse with filesystem access to prefs.js such as delete such extensions from disk
      • The user will see the safe-mode dialog before entering safe mode. They can simply click exit instead and the next launch would be back in normal mode.
    • There may be other core security features that are disabled or don't work properly in safe mode – none known.

Threat Brainstorming

  • What privilege is needed to access this code path (can it be accessed by content)?
    • Uses existing migrators; chrome privileges are needed.
  • What happens to old profile files?
    • by default they are kept
      • can go back using profile manager
    • We need to inform the user that the data still exists on their system in their old profile.
    • Can we just inform them during the process?
      • We will have to write the text carefully, since it's complicated (the user doesn't know what profiles are).
    • They might message the user saying, "did this fix your problem?". Yes, delete my old instance. Yes, but don't delete my old instance. No, migrate me back.
  • Could not copying important files result in a security issue?
    • Plugins: system default
    • Extensions: disabled or not migrated
    • Appearance: switch to default
    • Not copying an unauthorised cert isn't an issue.
    • Maybe there are other important SSL/security settings?
    • What about user profile security preferences?
    • DNT preferences: is the DNT pref being migrated? We recommend that it is migrated.
    • Use Master Password pref: migrating this?
    • Is the allow / don't allow third-party cookies checkbox imported? We can't do that because it causes some websites not to work.
    • Also consider migrating the cookie expiration preferences (keep until they expire, until I close Firefox, etc.).
    • Not migrating permissions.sqlite, which includes site-specific permissions (whether to load images, block cookies, etc.). This could be the reason the user wants to migrate to a new profile, so copying this file over won't help the user. It would be helpful (from a security standpoint) to keep the user's preferences, but it could cause the user pain if it's the root of the problem with their profile. So we're okay with not migrating this.
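
The two mitigations discussed above, pulling only from the profile marked default in profiles.ini and copying only an explicit allowlist of data files while leaving cert8.db, permissions.sqlite, prefs.js and extensions behind, as an added example in Python. This is not the Firefox browser-migrator code; the allowlist of file names, the realpath containment check on relative Path entries, and the constructed profiles.ini layout are assumptions made for illustration.

```python
"""Pull-style profile reset (added illustration, not the Firefox migrator).

Two decisions from the review are enforced here: the source profile is only
ever the one flagged Default=1 in profiles.ini, and only an explicit allowlist
of data files is copied into the fresh profile.  Certificates (cert8.db),
site permissions (permissions.sqlite), prefs.js and the extensions directory
are deliberately left behind in the old profile.
"""
import configparser
import os
import shutil
import tempfile

# assumption: data files the reset carries over; everything else stays behind
MIGRATE_FILES = frozenset({
    "places.sqlite",      # bookmarks and history
    "cookies.sqlite",
    "formhistory.sqlite",
    "key3.db",            # master-password-protected key store
    "signons.sqlite",     # saved passwords (encrypted with key3.db)
})


def find_default_profile(ini_path):
    """Resolve the Default=1 profile from profiles.ini to an absolute directory.
    Returns None when there is no default or when a relative Path escapes the
    directory holding profiles.ini (added containment check, an assumption)."""
    cp = configparser.ConfigParser()
    cp.read(ini_path)
    base = os.path.realpath(os.path.dirname(os.path.abspath(ini_path)))
    for section in cp.sections():
        if not section.startswith("Profile"):
            continue
        if cp.get(section, "Default", fallback="0") != "1":
            continue
        path = cp.get(section, "Path", fallback=None)
        if path is None:
            return None
        if cp.get(section, "IsRelative", fallback="1") == "1":
            resolved = os.path.realpath(os.path.join(base, path))
            if not resolved.startswith(base + os.sep):
                return None
            return resolved
        return os.path.realpath(path)
    return None


def reset_profile(ini_path, new_profile):
    """Create new_profile and pull allowlisted files from the default profile.
    Returns (copied, left_behind) as sorted file/directory names."""
    src = find_default_profile(ini_path)
    if src is None or not os.path.isdir(src):
        raise RuntimeError("no usable default profile in profiles.ini; refusing to migrate")
    os.makedirs(new_profile, exist_ok=True)
    copied, left_behind = [], []
    for name in sorted(os.listdir(src)):
        full = os.path.join(src, name)
        if name in MIGRATE_FILES and os.path.isfile(full):
            shutil.copy2(full, os.path.join(new_profile, name))
            copied.append(name)
        else:
            left_behind.append(name)
    return copied, left_behind


def _write_ini(root, body):
    ini = os.path.join(root, "profiles.ini")
    with open(ini, "w") as f:
        f.write(body)
    return ini


def demo():
    """Constructed layout: one default profile, plus a non-default entry whose
    Path points outside the profiles directory and is never consulted."""
    root = tempfile.mkdtemp(prefix="reset-demo-")
    old = os.path.join(root, "abcd1234.default")
    os.makedirs(os.path.join(old, "extensions"))
    for name in ("places.sqlite", "key3.db", "signons.sqlite",
                 "cert8.db", "permissions.sqlite", "prefs.js"):
        open(os.path.join(old, name), "w").close()
    ini = _write_ini(root,
        "[General]\nStartWithLastProfile=1\n\n"
        "[Profile0]\nName=default\nIsRelative=1\nPath=abcd1234.default\nDefault=1\n\n"
        "[Profile1]\nName=other\nIsRelative=1\nPath=../elsewhere\n")
    new = os.path.join(root, "efgh5678.default-1")
    return reset_profile(ini, new)


def demo_escape_rejected():
    """A Default=1 entry whose relative Path climbs out of the profiles
    directory is refused rather than used as a migration source."""
    root = tempfile.mkdtemp(prefix="reset-demo-")
    ini = _write_ini(root, "[Profile0]\nIsRelative=1\nPath=../elsewhere\nDefault=1\n")
    return find_default_profile(ini) is None


if __name__ == "__main__":
    print(demo())
    print(demo_escape_rejected())
```

The allowlist is the whole policy: anything not named in it, including the files the review chose not to carry over, simply stays in the old profile, so adding a file to the migration is a deliberate, reviewable change rather than the default.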

Action Items

Action Item Status: Complete
Release Target: Firefox 13

Action items (who / action / by when / completed date):

  • mnoorenberghe: Follow up on what's in cert8.db. We won't be migrating those. It does include certificate additions and revocation of trust, so it's safer IMO not to migrate, since that is closest to our fresh install.
    • By when: before code migrates to Aurora
    • Completed: [DONE] 2012.03.05
  • mnoorenberghe: Check on migration of the DNT pref and master password. We're not going to migrate any prefs. Master password is migrated properly: the pref UI is not tied to a pref.
    • By when: before code migrates to Aurora
    • Completed: [DONE] 2012.03.05

For the other non-action items: Sync is being tracked in bug 725904. Bug 731047 tracks cleaning up the old profile.

Not sure what the plan is for add-ons (plugins, extensions, themes). They would be disabled, but we might not migrate them. Also questions on how that would work with Sync. Is there any way to get to the profile manager for someone who has no idea how to use the command line? How do other browsers handle this? Do they delete the old profile?

  • IE does not support profiles; if you reinstall, it overwrites. They do support an irreversible reset in IE 9, though.