by shmerl 4567 days ago
Is there any way to update Firefox on Linux without resorting to ugly methods like running it as root and using update UI, or downloading the mar file manually and running the updater CLI tool with that file (as sudo / root)?

The issue is that I use stock Mozilla build (I prefer it to Iceweasel on Debian), so I just placed it in /opt, but I don't want to give write permissions to the firefox directory to my primary user (it's kind of bad security wise). Because of no write permissions, updating UI can't update the browser naturally, unless I run it as root. And manual mar + updater method isn't nice either.

Potentially there can be some better ways for updating:

1. Firefox can work with policykit and request authorization for updating (if user has it - it can ask for password). That's much better than running as root.

2. updater CLI tool can detect all the settings, channels sources and etc. from Firefox local DBs, and instead of forcing the user to manually grab some mar file, it can go and perform all that automatically. updater can be run with sudo still, but avoid all the manual steps.

Both these methods would be much neater than what I usually do now.

6 comments

Honestly, when I've used official Firefox builds, I've just downloaded the tarball and extracted it to my home directory. Any malicious code that could corrupt your Firefox install can trash your entire home directory anyway, so there's not much gained by making it non-writable.

Also, running a browser (or anything as complex as a GUI app, but especially anything as wildly complex as a browser) as root is probably a bad idea security-wise anyway.

> Also, running a browser (or anything as complex as a GUI app, but especially anything as wildly complex as a browser) as root is probably a bad idea security-wise anyway.

Yes, that's why using mar + updater is probably the only "right" option, but it's way too manual. I even thought about writing some script which would extract http sources for mar file based on the current update channel but didn't figure out yet where it's configured.

Since you're on Debian and are already putting it in /opt, try the Debian Alternatives tool [1], it's great for managing multiple versions of software you don't install from Deb repos.

It lets you put multiple versions of the same program in /opt or anywhere else (say, /opt/firefox/25, /opt/firefox/26, etc) and config one of them to be the system version (soft links all the bins and man into /usr/bin, /usr/local/bin, /usr/share/man, etc), then swap between versions, rollback if there's a problem, etc as necessary with a single command: `update-alternatives --config firefox`.

It works very similarly to those Ruby version managers, RVM and RBENV, by holding multiple versions somewhere out of the way and soft-linking the chosen one into the system folders. So similar in fact, that the Debian repo RBENV package has been rewritten to use Debian Alternatives instead of its home-brewed linker code.

Takes some upfront setup but that's scriptable and reusable for all subsequent versions [2], and is well worth it, especially for programs where you don't want to use the Debian repo version, don't want to install a 3rd party .deb, and don't want to compile directly to your system folders.

[1]: https://wiki.debian.org/DebianAlternatives

[2]: https://github.com/byrongibson/scripts/tree/master/install/h..., https://github.com/byrongibson/scripts/tree/master/install/j..., https://github.com/byrongibson/scripts/tree/master/install/s...
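
The upfront setup mentioned in the comment above could look like the sketch below. It is an added example, not part of the thread and not taken from the linked scripts; the `/opt/firefox/<version>/firefox` layout follows the comment, while the function name `register_cmds` and the `/usr/local/bin/firefox` link are assumptions.

```shell
#!/bin/sh
# Added example: register side-by-side Firefox trees with update-alternatives.
# Assumed layout: /opt/firefox/<major version>/firefox, paths without spaces.

# register_cmds BASE [LINK]
# Prints one `update-alternatives --install` command for each numeric
# version directory under BASE that holds an executable `firefox`.
# The directory name doubles as the priority, so in automatic mode the
# highest version is selected. Nothing is executed here: review the
# output first, then feed it to a root shell.
register_cmds() {
    base=$1
    link=${2:-/usr/local/bin/firefox}   # hypothetical link location
    for d in "$base"/*/; do
        ver=$(basename "$d")
        case $ver in
            ''|*[!0-9]*) continue ;;    # priority must be an integer
        esac
        [ -x "${d%/}/firefox" ] || continue   # skip incomplete unpacks
        printf 'update-alternatives --install %s firefox %s %s\n' \
            "$link" "${d%/}/firefox" "$ver"
    done
}

# When called with an argument, print the commands for that base directory.
if [ "$#" -ge 1 ]; then
    register_cmds "$@"
fi
```

After reviewing the output of `sh register.sh /opt/firefox`, pipe it to `sudo sh`; switching or rolling back is then the `update-alternatives --config firefox` command from the comment.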

That can be useful but it doesn't solve my problem of more automatic updating really. What I need is something close to native package updating - i.e. replace old files with new ones when update is available with minimal hassle.

http://mozilla.debian.net/ is probably what you're after.

Debian uses the 'ESR' versions (long-term support, for enterprises etc) of firefox as its stock browser, as it's impractical to review the latest and greatest every few weeks for security. The above link gives you the appropriate lines to add to your apt sources.list to get whichever version you like for whichever flavour you're running.

This gives you Iceweasel though, not Firefox, however the only difference is the branding.

Yes, I know about that. I'm using Debian testing, so for me that page redirects to unstable and experimental anyway, and I don't really want to mix with those. In the past the difference was more than branding, so I'm already used to sticking to stock Mozilla builds.

On Ubuntu, you can use the Official Mozilla Daily PPA[1] to get the latest versions of Firefox. They have PPAs for each channel and you can then use the normal package manager to update your Firefox.

1: https://launchpad.net/~ubuntu-mozilla-daily/+archive/ppa

Using Ubuntu PPA is not a good idea for Debian in general. I tried a similar method with LMDE though which is much closer to Debian testing, but managing those repositories was somewhat messy, so I stopped doing it.

If you have the files dropped in /opt just chown them to your primary user. I have been running like that for some time now and there shouldn't be any issues.

I can chown them, but isn't that bad in general? If something breaks out from the browser, it can overwrite the binary with malicious code or whatever. Is it a real concern? Regular Linux packages aren't accessible for writing for the ordinary user, offering some security barrier.

If something breaks out and can run as your user you're done for. For example it could put an alias in .bashrc for ssh to evilssh and you would never know it (until it's too late).

Running firefox not as root is a good idea, but keep in mind that if a user runs an evil application, that user is utterly compromised.

Such code could also install a separate malware binary, overwriting the Firefox binary is only one possibility. If you really want to prevent malicious writes, use SELinux (or AppArmor, I guess).
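
Whether an install tree such as `/opt/firefox` still provides the barrier discussed in this sub-thread can be checked directly. The script below is an added example, not part of any comment; the function names are made up for illustration, and the owner defaults to root as for regular packages.

```shell
#!/bin/sh
# Added example: find entries in an install tree that someone other than
# the intended owner could modify.

# audit_tree DIR OWNER
# Prints every entry under DIR (DIR itself included) that is not owned by
# OWNER (user name or numeric uid) or that is writable by group or other.
# Symlinks are skipped: their mode bits are rwxrwxrwx on Linux and do not
# control access to the target.
audit_tree() {
    find "$1" ! -type l \
        \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# count_findings DIR OWNER
# Prints the number of offending entries (0 means the tree is clean).
count_findings() {
    audit_tree "$1" "$2" | wc -l | tr -d ' '
}

# When called with a directory, audit it against root (or a given owner)
# and exit non-zero if anything is found, so it can run from cron or CI.
if [ "$#" -ge 1 ]; then
    audit_tree "$1" "${2:-root}"
    [ "$(count_findings "$1" "${2:-root}")" = "0" ]
fi
```

Run as `sh audit.sh /opt/firefox`: after a `chown -R` to the desktop user, every file and directory in the tree is listed. The check covers only the tree itself, so the parent directories need the same ownership and mode.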
Add the Debian repos from Linux Mint Debian Edition (something like deb http://packages.linuxmint.com/ debian main import backport upstream). Use Google for the exact source and how to import the keys for this server. Then install standard Firefox.

On Debian and Ubuntu, you can try using ubuntuzilla's firefox builds http://sourceforge.net/apps/mediawiki/ubuntuzilla/index.php?...