Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stopping ChatZilla Installs on FireFox Systems?

Posted by Cliff on from the limiting-user-abuse dept.

TonalSpeller asks: "I'm in charge of a language learning computer lab in an Asian university. We have Windows XP on all machines, but I convinced my superior that I needed to hide Internet Explorer on all student machines (can't remove it entirely because some proprietary software might need access to it). I'm counting on security through obscurity -- I know that a minority of savvy people can still access IE via the command line. I am running the latest version of Opera and Firefox 1.0 PR on all machines, but now I am faced with a dilemma -- extending Firefox is so easy that sooner or later, someone will try to install Chatzilla. Is there any easy way to block Javascript while keeping Firefox's superb usability? I will be running TrustNoExe, but that won't catch Mozilla extensions. Any ideas or suggestions?" "I have also removed all chat clients, games and Outlook Express so that people can concentrate on language learning (I don't want people using all this expensive hardware to goof off). I work hard to create interesting lessons, but I won't get a chance to teach anything if students are immersed in irrelevant conversations."

20 of 81 comments (clear)

  1. Software Firewall by Itsik · · Score: 3, Interesting

    How about a software firewall like zonealarm that would block chatzilla from accessing the Internet

    1. Re:Software Firewall by Spoing · · Score: 3, Insightful
      1. How about a software firewall like zonealarm that would block chatzilla from accessing the Internet.

      If he has control over the local systems, it's better to lock them down instead of tweaking firewall settings. One reason (of many): By allowing the program to be installed, the users may be motivated to 'get it to work', possibly breaking other security settings in the process.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:Software Firewall by The+Madpostal+Worker · · Score: 3, Informative

      DeepFreeze by Farconics Software

      --

      /*
      *Not a Sermon, Just a Thought
      */
  2. A version without the extension feture menu item by tmacc · · Score: 5, Interesting

    you should try to build / get someone to build you a version without Tools - Extensions menu item.

  3. Firewall the chat services? by Jepler · · Score: 2, Insightful

    Why not firewall the chat services, if that is seen as a problem?

    Second option, make whatever directories firefox installs extensions into non-writable.

    Third option, refresh that directory from a fresh copy each time firefox is installed (don't all extensions require a restart?)

  4. Ask Slashdot? by vasqzr · · Score: 3, Insightful


    Why not ask here, or here??

  5. File Permission? by RealityMogul · · Score: 4, Interesting

    Haven't tried this myself, but couldn't you just setup file permissions so the user accounts don't have permission to write to the config file and change the settings?

  6. Really Necessary? by GeckoX · · Score: 2, Insightful

    Do you really need to stop ChatZilla physically?

    Think of it this way, how do you handle passing of notes in class? By disallowing paper and pens to enter the room? Didn't think so.

    I would think that your life might be easier if you weren't so worried about unnecessarily micromanaging every little detail about these workstations.

    Another reason to consider this option: If you've got hackers in there, they are more likely to try to hack something that's been locked down, than something that is installed as expected.

    --
    No Comment.
  7. Re:File system permissions by OmniVector · · Score: 2, Informative

    Note: I could be talking out my ass if Firefox stores extensions in the user profile directory on Windows.

    and they are

    --
    - tristan
  8. firewall off destination 666x by dan_bethe · · Score: 2, Interesting

    If you can't control the software installations, set your firewall to block destination ports of 6660-6669 so no irc clients can connect from those systems. You should do that anyway. :)

  9. about:config by for(;;); · · Score: 4, Informative

    Won't setting xpinstall.enabled to false do the trick? (Type about:config in the url-box-location-bar-whatever-it's-called.) Then lock down the configuration.

    --

    "Whatever happened to fair use?"
    -- Duff-Man
  10. answering another thing in the article... by rogabean · · Score: 2, Interesting

    "I know that a minority of savvy people can still access IE via the command line"

    Why are you leaving the command line open as an option to them? Why not kill that [cmd, run] from being accessed as well?

    --
    "why don't you just slip into something more comfortable...like a coma!"
  11. Permissions -- learn about them, use them... by Spoing · · Score: 2, Informative
    (From memory...please take this for what it's worth! I'll guess that the user accounts are 'limited' and not admin. If not, try that first!)

    If you know how permissions work, you can lock down any resource.

    Walkthrough:

    1. Use an account with the same privilidges as a normal user.
    2. Grab two sample systems that have Firefox installed but not the extention.
    3. On the first one, backup the user and program directories.
    4. Install the extention.
    5. Take note of every resource (file and directory) that has changed.
    6. On the second system, login as admin and turn off the execute and write permissions on those resources.
    7. Change the ownership on the resources to another account. Note that you may have to make the resource readable by the user account(s).
    8. Logout from the admin account and try to install the extention on the second system. It should not install.
    9. Consider putting these changes in as part of a login script till you roll out a new system image.

    These are general guidelines only. Keep in mind that you will probably have to change some settings to get everything to work properly -- such as making some of the resources readable by normal user accounts.

    When done, clean up; make sure to remove the local test user account files and Firefox after you have something that works. Chances are, the test systems will have some crud left behind that you think isn't important -- but may prompt another support call.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  12. Whitelist by sab39 · · Score: 4, Informative

    Firefox supports a whitelist of sites that you can xpinstall from. This was added in the Preview Release, I believe. If you look in the release notes of that version, there should be more information on the whitelist and how to change its contents. Emptying the whitelist will effectively disable installing extensions.

    1. Re:Whitelist by ChowyChow · · Score: 3, Informative

      actually..you can bypass the whitelist by just downloading the xpi to the hard drive and then drag n'drop to Firefox...

  13. Re:A version without the extension feture menu ite by chocobot · · Score: 2, Informative

    I think that is pretty easy, I worked through the XUL tutorial on the xulplanet site, and they show you how to manipulate the XML files that are used to generate the menus. So no rebuilding/compiling is necessary, just h4x0r some text files to remove the install entry from the tools menu. http://www.xulplanet.com/tutorials/xulapp/ Although that doesn't take care of the click-to-install tool. But I am sure you can disable that in some config file

  14. I think that's useless by wsapplegate · · Score: 2, Insightful

    Why is it useless ? Well, because regardless of whether people can install ChatZilla or not (BTW, I don't think there are that much people that know about Mozilla XPIs), they'll most probably settle for an easier solution : use a Web gateway to IRC or some other messaging system. Faster and easier. Of course, you can block that, too. IIRC, most of those gateways will use Java so you can just remove the Java plug-in (if you don't use it for something else), firewall everything, and just to be sure, use a transparent proxy with some filter like SquidGuard on it...

    As for my opinion, since we're talking about an university setting (hence adult people), I suggest that those guys are mature enough to know not to chat during important lessons. And if they do, well, they'll fail their exams, and that's their problem. They're adults, remember ? No need to go out of your way "protecting" them from themselves. IMHO, of course.

    --
    Xenu brings order!
  15. Don't waste your time by kagaku · · Score: 3, Insightful

    Don't waste your time by going out of your way to block access to IRC. The people who want to chat on IRC during class will find a way, either by Chatzilla, a java client, or a php/perl html client somewhere. These people aren't children, they're adults. If they want to sit on IRC during class, that's their loss. They're paying for the classes.

    This is basically the stance my college takes on computer usage. You can do almost anything you want on the college computers (providing you don't screw 'em up), because if you don't pay attention during class it's your loss.

    --
    everyday is another shooter.
  16. Re:Mandatory configuration by hattmoward · · Score: 4, Informative

    Sorry, that's 'xpinstall.enabled' = false

  17. confused by joe094287523459087 · · Score: 2, Insightful

    i don't mean to troll but your post left me confused.

    you want to hide IE to only the few people too dumb to type iexplore in the start > run dialog...

    but you are worried about blocking a potential install of a specific obscure chat program?

    so you have 2 unexplained goals, with totally different solutions (easy vs. so hard you need /. advice). i am confused