Windows Service Silent Update

444 bytes removed, 03:01, 1 September 2012
== Overview ==
Before this feature, when a user installs into the default Program Files directory, updates cannot be applied without us first prompting the user for elevated permissions with a User Account Control (UAC) dialog.
[[Image:UAC.png|screenshot]]
Now that this feature is implemented, Firefox uses a service to execute updates so that UAC prompts are not displayed. The service is run "on demand" and will remain stopped until it is needed. When the service is needed, it will be started again for the period of the update. If there are any problems updating through the service, it will fall back to updating the old way via the UAC prompt.
The bugzilla task related to creating a service and not prompting the user for UAC is in [https://bugzilla.mozilla.org/show_bug.cgi?id=481815 bug 481815].
The feature page is located at: [https://wiki.mozilla.org/Silent_Update_OS_Dialogs this feature page].
The security related bugs that were needed for 481815 to land include:
[https://bugzilla.mozilla.org/show_bug.cgi?id=708688 bug 708688], [https://bugzilla.mozilla.org/show_bug.cgi?id=708697 bug 708697], [https://bugzilla.mozilla.org/show_bug.cgi?id=708690 bug 708690], [https://bugzilla.mozilla.org/show_bug.cgi?id=708778 bug 708778], [https://bugzilla.mozilla.org/show_bug.cgi?id=708854 bug 708854], [https://bugzilla.mozilla.org/show_bug.cgi?id=699700 bug 699700], [https://bugzilla.mozilla.org/show_bug.cgi?id=704285 bug 704285], [https://bugzilla.mozilla.org/show_bug.cgi?id=709173 bug 709173], [https://bugzilla.mozilla.org/show_bug.cgi?id=709183 bug 709183], and [https://bugzilla.mozilla.org/show_bug.cgi?id=709158 bug 709158].
Since the service is only started when needed, we pass the information to the service via command line on service start.
The service security is modified with a special [http://msdn.microsoft.com/en-us/library/aa379298.aspx ACE] which allows non-elevated processes to start and stop it. Setting these permissions on the service is needed because by default services can only be started and stopped by elevated processes. This is possible via the Win32 API [http://msdn.microsoft.com/en-us/library/windows/desktop/aa379589%28v=vs.85%29.aspx SetServiceObjectSecurity].
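A way to audit that kind of grant, as an added example that is not Mozilla's code: the Python below parses a service security descriptor in SDDL form (the format printed by <code>sc sdshow</code>) and checks that a non-elevated trustee was given start and stop and nothing that would let it reconfigure the service. The sample descriptors and the helper names <code>parse_dacl</code>, <code>can_start_stop</code> and <code>audit</code> are constructed for illustration.

```python
import re

# (SDDL code, access-mask bit, meaning on a service object)
RIGHTS = [
    ("CC", 0x1, "QUERY_CONFIG"), ("DC", 0x2, "CHANGE_CONFIG"),
    ("LC", 0x4, "QUERY_STATUS"), ("SW", 0x8, "ENUMERATE_DEPENDENTS"),
    ("RP", 0x10, "START"), ("WP", 0x20, "STOP"),
    ("DT", 0x40, "PAUSE_CONTINUE"), ("LO", 0x80, "INTERROGATE"),
    ("CR", 0x100, "USER_DEFINED_CONTROL"), ("SD", 0x10000, "DELETE"),
    ("RC", 0x20000, "READ_CONTROL"), ("WD", 0x40000, "WRITE_DAC"),
    ("WO", 0x80000, "WRITE_OWNER"), ("GA", 0x10000000, "GENERIC_ALL"),
    ("GW", 0x40000000, "GENERIC_WRITE"),
]
# Rights that let the holder reconfigure or take over the service.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE",
             "GENERIC_ALL", "GENERIC_WRITE"}
PRIVILEGED = {"SY", "BA"}  # LocalSystem, BUILTIN\Administrators

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for every ACE in the D: part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        if rights.startswith("0x"):            # numeric access mask
            mask = int(rights, 16)
            names = {n for _, bit, n in RIGHTS if mask & bit}
        else:                                   # two-letter aliases
            codes = set(re.findall("..", rights))
            names = {n for code, _, n in RIGHTS if code in codes}
        aces.append((ace_type, trustee, names))
    return aces

def can_start_stop(sddl, trustee):
    """True if an allow ACE gives `trustee` both START and STOP."""
    return any(t == "A" and who == trustee and {"START", "STOP"} <= r
               for t, who, r in parse_dacl(sddl))

def audit(sddl):
    """List (trustee, rights) where a non-admin is allowed a dangerous right."""
    return [(who, sorted(r & DANGEROUS)) for t, who, r in parse_dacl(sddl)
            if t == "A" and who not in PRIVILEGED and r & DANGEROUS]

# Constructed sample descriptors; BU is BUILTIN\Users.
ADMINS = "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
START_STOP_ONLY = "D:" + ADMINS + "(A;;RPWP;;;BU)"
OVER_GRANTED = "D:" + ADMINS + "(A;;DCRPWP;;;BU)"
```

An empty result from <code>audit</code> together with a true <code>can_start_stop</code> is the intended state for an on-demand service; deny ACEs and unrecognized right codes are ignored by this sketch.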
The service logs all operations of the last update, as well as taking a backup of the last 10 update operations before it. The install process and update processes will also be logged separately. The logs will live in %programdata%\Mozilla\logs.
Since the service executes an update via updater.exe in session 0, no UI is displayed. A UI could be displayed by running updater.exe with a user token instead, but to avoid permission problems on files, and inconsistencies in different OS versions and user types, the update will always be run as session 0.
== A single service and service versioning ==
The service was first built for Firefox, but has since been ported to Thunderbird. Only one service exists per computer across all channels. Other Mozilla products use the same service as well.
If a service is already installed, the service will be replaced on updates and installs only if it is newer than what is installed. This means that if a user has Nightly installed, the Nightly service will be used to update all channels.
* The name of the service command to run. Currently only the "software-update" command is allowed.
* All service-command specific command line arguments.
 
Other commands being considered include clearing prefetch for faster startup, defragmenting user profile data, and other actions not yet discussed.
The "software-update" command specific command line arguments are as follows:
* The service verifies the updater.exe file (See section Signing builds below)
* The service will execute the update with updater.exe under the context of its own session (session 0) using CreateProcess.
* The path of updater.exe will be a copy of the updater.exe which exists inside the service directory. (A copy in case the original gets overwritten during the update).
* The post update process (helper.exe) currently does i) system level stuff, and ii) user level stuff. This component will be executed twice. The system level stuff will also be executed under session 0 using CreateProcess. The user level stuff will be executed by the unelevated updater.exe with its own session ID.
* The service stops itself when it is done with the operation.
* The service was previously installed and manually uninstalled. (registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService and value Attempted=1 means it will never be attempted on update again).
If the service is not installed, there will be a checkbox in the installer for whether or not to install the service component.  
The service will be able to be uninstalled separately; it will show up as a new item under add/remove programs.
 
When the last product that uses the service gets uninstalled, so does the service.
== Signing builds ==
== Applying updates faster ==
Another bug which is not part of this feature moves updates away from on startup, and performs them to an alternate directory in the background. This work was implemented in [https://bugzilla.mozilla.org/show_bug.cgi?id=307181 Bug 307181].
== Preferences ==
* There is a new about:config option for whether or not to use the service. It is also exposed in update preferences.
* The new setting is a boolean setting called app.update.service.enabled.
* This setting is defaulted to False if it does not exist, but we will set this to True for Firefox in new profiles. So for other products it will be defaulted to False, but for Firefox it will be defaulted to True.
* Other products that want to use the service in the future should mark the setting as True.
* There is a new about:config option for keeping track of the number of service errors called app.update.service.errors.
* There is a new about:config option for keeping track of the max number of service errors to occur before disabling the service via app.update.service.enabled.
* When app.update.service.errors reaches app.update.service.maxerrors, or 10 if maxerrors does not exist, the service will be disabled and app.update.service.errors will be reset to 0.
== Test cases ==
Below I describe some important things that come to mind that should be tested. All of the usual update tests and more were also tested.
*Test that using a limited user account does not install the service, nor prompt to install the service.