Confirmed users
394
edits
Windows Service Silent Update: Difference between revisions
Jump to navigation
Jump to search
Windows Service Silent Update (view source)
Revision as of 03:01, 1 September 2012
, 1 September 2012no edit summary
(→Signing builds: All builds are signed (bugs 509158).) |
No edit summary |
||
| Line 1: | Line 1: | ||
== Overview == | == Overview == | ||
Before this | Before this feature, when a user installs into the default Program Files directory, updates cannot be applied without us first prompting the user for elevated permissions with a User Account Control (UAC) dialog. | ||
[[Image:UAC.png|screenshot]] | [[Image:UAC.png|screenshot]] | ||
Now that this feature is implemented, Firefox uses a service to execute updates so that UAC prompts are not displayed. The service is run "on demand" and will remain stopped until it is needed. When the service is needed, it will be started again for the period of the update. If there are any problems updating through the service, it will fall back to updating the old way via the UAC prompt. | |||
The task related to creating a service and not prompting the user for UAC is in [https://bugzilla.mozilla.org/show_bug.cgi?id=481815 bug 481815]. | The bugzilla task related to creating a service and not prompting the user for UAC is in [https://bugzilla.mozilla.org/show_bug.cgi?id=481815 bug 481815]. | ||
The feature page is located at: [https://wiki.mozilla.org/Silent_Update_OS_Dialogs this feature page]. | The feature page is located at: [https://wiki.mozilla.org/Silent_Update_OS_Dialogs this feature page]. | ||
The security related bugs needed for 481815 to land | The security related bugs that were needed for 481815 to land include: | ||
[https://bugzilla.mozilla.org/show_bug.cgi?id=708688 bug 708688], [https://bugzilla.mozilla.org/show_bug.cgi?id=708697 bug 708697], [https://bugzilla.mozilla.org/show_bug.cgi?id=708690 bug 708690], [https://bugzilla.mozilla.org/show_bug.cgi?id=708778 bug 708778], [https://bugzilla.mozilla.org/show_bug.cgi?id=708854 bug 708854], [https://bugzilla.mozilla.org/show_bug.cgi?id=699700 bug 699700], [https://bugzilla.mozilla.org/show_bug.cgi?id=704285 bug 704285], [https://bugzilla.mozilla.org/show_bug.cgi?id=709173 bug 709173], [https://bugzilla.mozilla.org/show_bug.cgi?id=709183 bug 709183], and [https://bugzilla.mozilla.org/show_bug.cgi?id=709158 bug 709158]. | [https://bugzilla.mozilla.org/show_bug.cgi?id=708688 bug 708688], [https://bugzilla.mozilla.org/show_bug.cgi?id=708697 bug 708697], [https://bugzilla.mozilla.org/show_bug.cgi?id=708690 bug 708690], [https://bugzilla.mozilla.org/show_bug.cgi?id=708778 bug 708778], [https://bugzilla.mozilla.org/show_bug.cgi?id=708854 bug 708854], [https://bugzilla.mozilla.org/show_bug.cgi?id=699700 bug 699700], [https://bugzilla.mozilla.org/show_bug.cgi?id=704285 bug 704285], [https://bugzilla.mozilla.org/show_bug.cgi?id=709173 bug 709173], [https://bugzilla.mozilla.org/show_bug.cgi?id=709183 bug 709183], and [https://bugzilla.mozilla.org/show_bug.cgi?id=709158 bug 709158]. | ||
| Line 44: | Line 44: | ||
Since the service is only started when needed, we pass the information to the service via command line on service start. | Since the service is only started when needed, we pass the information to the service via command line on service start. | ||
The service security | The service security is modified with a special [http://msdn.microsoft.com/en-us/library/aa379298.aspx ACE] which allows non elevated processes to start and stop it. Setting these permissions on the service is needed because by default services can only be started and stopped by elevated processes. This is possible via the Win32 API [http://msdn.microsoft.com/en-us/library/windows/desktop/aa379589%28v=vs.85%29.aspx SetServiceObjectSecurity]. | ||
The service | The service logs all operations of the last update, as well as taking a backup of the last 10 update operations | ||
before it. The install process and update processes will also be logged separately. The logs live in %programdata%\Mozilla\logs. | |||
Since the service executes an update via updater.exe in session 0, no UI | Since the service executes an update via updater.exe in session 0, no UI is displayed. A UI could be displayed by running updater.exe with a user token instead, but to avoid permission problems on files, and inconsistencies in different OS versions and user types, the update will always be run as session 0. | ||
== A single service and service versioning == | == A single service and service versioning == | ||
The service | The service was firs built for Firefox, but has since been ported to Thunderbird. Only one service exists per computer across all channels. Other Mozilla products use the same service as well. | ||
If a service is already installed, the service will be replaced on updates and installs only if it is newer than what is installed. This means that if a user has Nightly installed, the Nightly service will be used to update all channels. | If a service is already installed, the service will be replaced on updates and installs only if it is newer than what is installed. This means that if a user has Nightly installed, the Nightly service will be used to update all channels. | ||
| Line 69: | Line 70: | ||
* The name of the service command to run. Currently only the "software-update" command is allowed. | * The name of the service command to run. Currently only the "software-update" command is allowed. | ||
* All service-command specific command line arguments. | * All service-command specific command line arguments. | ||
The "software-update" command specific command line arguments are as follows: | The "software-update" command specific command line arguments are as follows: | ||
| Line 103: | Line 102: | ||
* The service verifies the updater.exe file (See section Signing builds below) | * The service verifies the updater.exe file (See section Signing builds below) | ||
* The service will execute the update with updater.exe under the context of its own session (session 0) using CreateProcess. | * The service will execute the update with updater.exe under the context of its own session (session 0) using CreateProcess. | ||
* The path of updater.exe will be a copy of the updater.exe | * The path of updater.exe will be a copy of the updater.exe | ||
* The post update process (helper.exe) currently does i) system level stuff, and ii) user level stuff. This component will be executed twice. The system level stuff will also be executed under session 0 using CreateProcess. The user level stuff will be executed by the unelevated updater.exe with its own session ID. | * The post update process (helper.exe) currently does i) system level stuff, and ii) user level stuff. This component will be executed twice. The system level stuff will also be executed under session 0 using CreateProcess. The user level stuff will be executed by the unelevated updater.exe with its own session ID. | ||
* The service stops itself when it is done the operation. | * The service stops itself when it is done the operation. | ||
| Line 129: | Line 128: | ||
* The service was previously installed and manually uninstalled. (registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService and value Attempted=1 means it will never be attempted on update again). | * The service was previously installed and manually uninstalled. (registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService and value Attempted=1 means it will never be attempted on update again). | ||
If the service is installed, there will be a checkbox in the installer for whether or not to install the service component. | If the service is not installed, there will be a checkbox in the installer for whether or not to install the service component. | ||
The service will be able to be uninstalled separately; it will show up as a new item under add/remove programs. | The service will be able to be uninstalled separately; it will show up as a new item under add/remove programs. | ||
When the last product that uses the service gets uninstalled, so does the service. | |||
== Signing builds == | == Signing builds == | ||
| Line 138: | Line 140: | ||
== Applying updates faster == | == Applying updates faster == | ||
Another bug which is not part of this | Another bug which is not part of this feature moves updates away from on startup, and performs them to an alternate directory in the background. This work was implemented in [https://bugzilla.mozilla.org/show_bug.cgi?id=307181 Bug 307181]. | ||
== Preferences == | == Preferences == | ||
* There | * There is a new about:config option for whether or not to use the service. It is exposed in update preferences. | ||
* The new setting | * The new setting is a boolean setting called app.update.service.enabled. | ||
* This | * This setting is defaulted to False if it does not exist, but we set this to True for Firefox profiles. | ||
* There is a new about:config option for keeping track of the number of service errors called app.update.service.errors. | |||
* There | * There is a new about:config option for keeping track of the max number of service errors to occur before disabling the service called app.update.service.enabled. | ||
* There | |||
* When app.update.service.errors reaches app.update.service.maxerrors, or 10 if maxerrors does not exist, the service will be disabled and app.update.service.errors will be reset to 0. | * When app.update.service.errors reaches app.update.service.maxerrors, or 10 if maxerrors does not exist, the service will be disabled and app.update.service.errors will be reset to 0. | ||
== Test cases == | == Test cases == | ||
Below I describe some important things | Below I describe some important things that we tested. All of the usual update tests and more were also tested. | ||
*Test that using a limited user account does not install the service, nor prompt to install the service. | *Test that using a limited user account does not install the service, nor prompt to install the service. | ||