Stopping ChatZilla Installs on FireFox Systems?

TonalSpeller asks: "I'm in charge of a language learning computer lab in an Asian university. We have Windows XP on all machines, but I convinced my superior that I needed to hide Internet Explorer on all student machines (can't remove it entirely because some proprietary software might need access to it). I'm counting on security through obscurity -- I know that a minority of savvy people can still access IE via the command line. I am running the latest version of Opera and Firefox 1.0 PR on all machines, but now I am faced with a dilemma -- extending Firefox is so easy that sooner or later, someone will try to install Chatzilla. Is there any easy way to block Javascript while keeping Firefox's superb usability? I will be running TrustNoExe, but that won't catch Mozilla extensions. Any ideas or suggestions?"
"I have also removed all chat clients, games and Outlook Express so that people can concentrate on language learning (I don't want people using all this expensive hardware to goof off). I work hard to create interesting lessons, but I won't get a chance to teach anything if students are immersed in irrelevant conversations."
This discussion has been archived. No new comments can be posted.

  • Software Firewall (Score:4, Interesting)

    by Itsik ( 191227 ) <demiguru-at-me.com> on Friday October 01, 2004 @04:22PM (#10408278) Homepage
    How about a software firewall like zonealarm that would block chatzilla from accessing the Internet
  • by tmacc ( 817603 ) * <trismac1@umbc.edu> on Friday October 01, 2004 @04:23PM (#10408290)
    you should try to build / get someone to build you a version without Tools - Extensions menu item.
  • Why not firewall the chat services, if that is seen as a problem?

    Second option, make whatever directories firefox installs extensions into non-writable.

    Third option, refresh that directory from a fresh copy each time firefox is installed (don't all extensions require a restart?)
  • Ask Slashdot? (Score:3, Insightful)

    by vasqzr ( 619165 ) <vasqzr@noSpaM.netscape.net> on Friday October 01, 2004 @04:25PM (#10408299)

    Why not ask here [gunnars.net], or here [mozillazine.org]??
  • by gl4ss ( 559668 )
    ...if you don't want them to use it?

    why not just firewall the classroom to hell and back, do they _need_ to get on the internet?

    and why not set it up so that they can only run the apps they need and nothing else?
      1. why not just firewall the classroom to hell and back, do they _need_ to get on the internet?

      If they don't need to get to the internet, the router only needs to be configured to not route packets outside the local lan. A firewall is the wrong tool. (I doubt that internet access is something that they want to block, though.)

  • File Permission? (Score:5, Interesting)

    by RealityMogul ( 663835 ) on Friday October 01, 2004 @04:25PM (#10408305)
    Haven't tried this myself, but couldn't you just set up file permissions so the user accounts don't have permission to write to the config file and change the settings?
  • A regular user account will not have write permissions to the "Program Files" directory by default. Assuming extensions are written to "Program Files\Mozilla FireFox\blah" I don't see how anyone other than a power user or administrator could install an extension.

    Note: I could be talking out my ass if Firefox stores extensions in the user profile directory on Windows.
    • Note: I could be talking out my ass if Firefox stores extensions in the user profile directory on Windows.

      and they are
    • which I suspect as well.. can't check right now. But Firefox has issues with checking security permissions on windows clients anyway.

      Here in this network, users are not allowed to install apps and most things are blocked. The installers that are not blocked properly can't get write access onto the drive based on user permissions. Mozilla/Firefox however appears to ignore all of this and write to the local drive and install just fine. Now I am not 100% sure if this is Mozilla or Windows causing this behavio
      • Mozilla/Firefox however appears to ignore all of this and write to the local drive and install just fine. Now I am not 100% sure if this is Mozilla or Windows causing this behavior to occur as I have not tested it enough, but it happens.

        It's Windows. If any program could just go ahead and write to areas of the hard disk it is not allowed to by NTFS permissions, Windows would be so shockingly insecure it isn't even funny.

        What you might be finding is that Firefox can be installed a bit differently; if y

    • A regular user account will not have write permissions to the "Program Files" directory by default. Assuming extensions are written to "Program Files\Mozilla FireFox\blah" I don't see how anyone other than a power user or administrator could install an extension.

      Note: I could be talking out my ass if Firefox stores extensions in the user profile directory on Windows.

      It does. However, your idea is still interesting. After the installation of Firefox and proper configuration for the unprivileged user, t

  • Really Necessary? (Score:2, Insightful)

    by GeckoX ( 259575 )
    Do you really need to stop ChatZilla physically?

    Think of it this way, how do you handle passing of notes in class? By disallowing paper and pens to enter the room? Didn't think so.

    I would think that your life might be easier if you weren't so worried about unnecessarily micromanaging every little detail about these workstations.

    Another reason to consider this option: If you've got hackers in there, they are more likely to try to hack something that's been locked down, than something that is installed as
  • How about turning off the ability to install XPIs? Or some of the many other ways to lockdown your browser. You searched first, right? Did you try the forums? Or IRC? Or Google?
  • You could try adding the address of the plugin download to your hosts file so they literally can't download it. Of course they could still bring it in on cd or something, but most people won't think of that, and you're counting on security through obscurity anyways. By the way, why are you blocking chatzilla?
  • This goes beyond what you're asking for, but certainly will do the trick. Every time the computer is rebooted, it's set to a known configuration with everything that was done previously erased. This option is more powerful than stopping installation of ChatZilla as it prevents installation of any non-approved software after a reboot. Note that I have never used it personally, just have read a lot of good reviews about it.

    Deep Freeze home page [faronics.com]
    • Deep Freeze is nice and all, but it is limited in that it can't stop any app from being installed and used for that boot session. Windows system policies (locking down the desktop) should be the thing to use to stop anyone from installing any apps. Personally I think this guy is trying way too hard on locking down the systems. The whole idea of the procedure is to make it as difficult as possible to do anything. It's IMPOSSIBLE to stop a determined person.
  • by dan_bethe ( 134253 ) <slashdot@@@smuckola...org> on Friday October 01, 2004 @04:50PM (#10408589)
    If you can't control the software installations, set your firewall to block destination ports of 6660-6669 so no irc clients can connect from those systems. You should do that anyway. :)
    • Agreed. I've previously gotten round restrictions on downloading or installing software by using Java clients for IRC or FTP. Additionally, make sure you block the ports for common IM protocols, as *at least* ICQ and AIM have Java clients on their websites.

      Then you'll just have to make sure (rare) websites like http://www2ftp.de are blocked. (I use that site regularly from school, partly because it's a Jewish school and people begin to think I know German).
    • 6667 isn't enough. Freenode, for instance, lets stuff through on port 7000. On the other hand, the 6660 series will certainly discourage casual chatters.
  • about:config (Score:5, Informative)

    by for(;;); ( 21766 ) on Friday October 01, 2004 @04:56PM (#10408648)
    Won't setting xpinstall.enabled to false do the trick? (Type about:config in the url-box-location-bar-whatever-it's-called.) Then lock down the configuration.
  • "I know that a minority of savvy people can still access IE via the command line"

    Why are you leaving the command line open as an option to them? Why not kill that [cmd, run] from being accessed as well?
  • by Spoing ( 152917 ) on Friday October 01, 2004 @05:02PM (#10408716) Homepage
    (From memory...please take this for what it's worth! I'll guess that the user accounts are 'limited' and not admin. If not, try that first!)

    If you know how permissions work, you can lock down any resource.

    Walkthrough:

    1. Use an account with the same privilidges as a normal user.
    2. Grab two sample systems that have Firefox installed but not the extension.
    3. On the first one, backup the user and program directories.
    4. Install the extension.
    5. Take note of every resource (file and directory) that has changed.
    6. On the second system, login as admin and turn off the execute and write permissions on those resources.
    7. Change the ownership on the resources to another account. Note that you may have to make the resource readable by the user account(s).
    8. Logout from the admin account and try to install the extension on the second system. It should not install.
    9. Consider putting these changes in as part of a login script till you roll out a new system image.

    These are general guidelines only. Keep in mind that you will probably have to change some settings to get everything to work properly -- such as making some of the resources readable by normal user accounts.

    When done, clean up; make sure to remove the local test user account files and Firefox after you have something that works. Chances are, the test systems will have some crud left behind that you think isn't important -- but may prompt another support call.
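
Steps 3 to 5 of the walkthrough above (back up, install, note every changed resource) can be scripted. The following is an added example, not part of the original comment: it snapshots a directory tree before and after a change and lists what was added, changed or removed, plus the directories whose permissions step 6 would tighten. The directory layout and file names used in `demo()` are constructed stand-ins, not real Firefox profile data.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to (size, SHA-256 digest)."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                # Locked or unreadable files are recorded, not skipped,
                # so they still show up if they appear or disappear.
                state[rel] = (None, None)
                continue
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Return the resources a change touched, grouped by kind of change."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    # Directories that gained or changed a file are the candidates for
    # tighter write permissions.
    dirs = sorted({os.path.dirname(p) or "." for p in added + changed})
    return {"added": added, "removed": removed, "changed": changed, "dirs": dirs}


def demo():
    """Constructed stand-in for a profile directory; not real Firefox data."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "chrome"))
        os.makedirs(os.path.join(root, "extensions"))
        with open(os.path.join(root, "prefs.js"), "w") as fh:
            fh.write("// constructed sample\n")
        with open(os.path.join(root, "chrome", "chrome.rdf"), "w") as fh:
            fh.write("<RDF/>\n")
        before = snapshot(root)

        # Simulate what an extension install might write (assumed file names).
        ext_dir = os.path.join(root, "extensions", "sample-ext")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "install.rdf"), "w") as fh:
            fh.write("<RDF/>\n")
        with open(os.path.join(root, "chrome", "chrome.rdf"), "a") as fh:
            fh.write("<!-- registered -->\n")
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real test machine, call `snapshot()` on the user profile and program directories before and after the install, then pass both results to `diff_snapshots()`.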

    • It is amazing to me, that someone with enough general knowledge to give such a walkthrough, can misspell privileges.

      Privilege: private law.
    • Er, in number 6, you mention 'execute' permissions, which Windows does not have. In 7, you suggest changing ownership to another account, but in Windows ownership can only be taken, not given. Even the Administrator account can't just force a file to have a specific owner (other than Administrator).

      SysInternals FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) will let one see which files get modified, although it's probably overkill.

      Okay, nitpicking done.
      • Er, in number 6, you mention 'execute' permissions, which Windows does not have.

        NTFS does have an "execute" permission.

        In 7, you suggest changing ownership to another account, but in Windows ownership can only be taken, not given. Even the Administrator account can't just force a file to have a specific owner (other than Administrator).

        I don't have a machine handy running anything other than Windows 2003, but certainly in that the administrator can assign object ownership to an arbitrary user.

  • Whitelist (Score:5, Informative)

    by sab39 ( 10510 ) on Friday October 01, 2004 @05:11PM (#10408787) Homepage
    Firefox supports a whitelist of sites that you can xpinstall from. This was added in the Preview Release, I believe. If you look in the release notes of that version, there should be more information on the whitelist and how to change its contents. Emptying the whitelist will effectively disable installing extensions.
  • Block outgoing connections to ports 6667-7000. This will stop all but the most net-savvy IRC'ers who have BNCs or something.
  • by wsapplegate ( 210233 ) <wsapplegate@est.un.goret.info> on Friday October 01, 2004 @05:31PM (#10408962) Homepage

    Why is it useless ? Well, because regardless of whether people can install ChatZilla or not (BTW, I don't think there are that many people that know about Mozilla XPIs), they'll most probably settle for an easier solution : use a Web gateway to IRC or some other messaging system. Faster and easier. Of course, you can block that, too. IIRC, most of those gateways will use Java so you can just remove the Java plug-in (if you don't use it for something else), firewall everything, and just to be sure, use a transparent proxy with some filter like SquidGuard on it...

    As for my opinion, since we're talking about a university setting (hence adult people), I suggest that those guys are mature enough to know not to chat during important lessons. And if they do, well, they'll fail their exams, and that's their problem. They're adults, remember ? No need to go out of your way "protecting" them from themselves. IMHO, of course.

    • True, but chat networks (mostly IRC) are known for their virus/spyware sending hordes similar to P2P networks.

      I can think of many ways viruses could affect more than the student who violated the no-chat rule.
  • by kagaku ( 774787 ) on Friday October 01, 2004 @05:41PM (#10409057)
    Don't waste your time by going out of your way to block access to IRC. The people who want to chat on IRC during class will find a way, either by Chatzilla, a java client, or a php/perl html client somewhere. These people aren't children, they're adults. If they want to sit on IRC during class, that's their loss. They're paying for the classes.

    This is basically the stance my college takes on computer usage. You can do almost anything you want on the college computers (providing you don't screw 'em up), because if you don't pay attention during class it's your loss.
    • Amen. There's nothing worse than going to uni and having a teacher treating you like a little kid. It's best to be open with people. As long as they're not disrupting your class what they do with time they paid for is their own business if you ask me.
  • What's to stop people from just going to web based chat interfaces? AIM Express etc.

    Maybe your best bet is to block site access to chat servers.
  • Opera's got a kiosk mode that effectively locks-down access to various components. The design for this is built right into the software: it's not some kludge. I think if you were to do a little bit of RTFM, you'd probably find it has what you need moreso than FireFox.
  • Use it to set 'xpi.install' = false and force that on everyone.

    More info here [slashdot.org] In fact, that whole thread may be useful to you.
  • Would making the Mozilla program folder read-only work?
  • You want people to concentrate on your language lessons instead of using language to communicate with each other?

    How ironic.

    How about you install chatzilla for them and require they only use whatever language they are supposed to be learning.

    Of course, I'm assuming by language you mean a spoken language - you didn't say.
  • confused (Score:3, Insightful)

    by joe094287523459087 ( 564414 ) <joe@jo e . to> on Friday October 01, 2004 @09:26PM (#10410519) Homepage
    i don't mean to troll but your post left me confused.

    you want to hide IE to only the few people too dumb to type iexplore in the start > run dialog...

    but you are worried about blocking a potential install of a specific obscure chat program?

    so you have 2 unexplained goals, with totally different solutions (easy vs. so hard you need /. advice). i am confused
    • Well I think this is because those users who are intelligent enough to know how to use Start>Run iexplore.exe to launch IE are also intelligent enough not to use IE period. And those who are too dumb to figure this out are forced to use Firefox. If it's really an issue why not install Chatzilla on all the computers and then change the XUL so that it doesn't work? LOL Or your best bet would be just to block the ports at firewall level. Of course I don't care what you do to try to block me from getting o
  • There is (almost) always a way around something and if you have a very skilled user then you are in for some trouble, so why not take a different approach entirely. Observe the users. Set up some kind of real time remote access/observe utility and use that to watch what the students are doing and when someone is off task you simply put them on task (I trust you can find a proper way to do this). If real time monitoring is not an option then you could also save screen shots at regular intervals and review
  • Does anyone know of any tools that allow administration of Firefox via the Active Directory (ideally, using GPOs) ? Having to configure each user profile manually for things like proxy server settings is a PITA. Even getting the damn thing to use the registry (so a given configuration followed the user around) would be tolerable.
  • Under Windows by default the profiles are stored in C:\Documents and Settings\<Windows Profile>\Application Data\Mozilla\Firefox\Profiles\<FF Profile>.FOO\extensions\ (where FOO is 3 random characters). Just set the entire FireFox profile directory to be archived/read-only, and extensions, cache, bookmarks, history, etc will all be unmodifiable.

    Preferential [mozdev.org] contains documentation of most of the Mozilla and FF preferences, but it's almost a year out of date. And you'd of course want to block
  • I work hard to create interesting lessons, but I won't get a chance to teach anything if students are immersed in irrelevant conversation

    Uh, irrelevant conversation? Isn't that one of the main ways of learning a foreign language?

    Perhaps you should institute a ban (as our teachers did, way back when I was learning French) on English in the class room, rather than a ban on chat apps. That way, some smart kid will work out they can chat in whatever language you're learning, and actually be practicing their
  • I would do what I'm doing now at work, SSH'ing home, and proxying VNC/mozilla/irc/games through the SSH tunnel. Unless you lock down any external device reading, and downloading so I can't get to any ssh client or vnc client. Or I could just take the easy route and boot to knoppix if your network uses an open dhcp server.

    If all else fails I could use my laptop to connect via ppp to the internet via my Treo600 phone, thus flipping your lab the bird because it's likely so useless after all that locking d
  • Superglue [subvertise.org] + Ethernet port [erau.edu] = No shit happens [deskflags.com]

    But to be completely honest, I am a student myself, and I get completely pissed off by all the security measures at my school. Sure, it stopped/made it harder to do things such as what you're trying to stop, but ultimately if you try hard enough, anything's possible. Ever heard of Mandrake Move [mandrakesoft.com]?

    At my school they disabled right clicking. It seriously impairs one of my classes (digital design), which slows down the class because the teacher has to explain how to c
  • probably by write protecting chrome/installed-chrome.txt and chrome/chrome.rdf nobody will be able to install extensions. although the files are downloaded and probably installed the extensions will not get registered and therefore are not accessible from within moz/FF.

    there is one problem, the user might choose to install an extension into his/her personal (home) chrome directory which will not be protected.
