ExtensionInstallForcelist managed policy fails if extension was previously externally installed and removed
Reported by ykonoto...@gmail.com, Sep 28 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce the problem:
1. Put the "gphhapmejobijbbhgpjhcjognlahblep.json" file into "/usr/share/chromium/extensions".
2. Open Chromium with a clean profile.
3. The GNOME Shell integration extension will be auto-installed from the Chrome Store.
4. Remove the GNOME Shell integration extension and close Chromium.
5. Remove the "/usr/share/chromium/extensions/gphhapmejobijbbhgpjhcjognlahblep.json" file.
6. Put "chrome-gnome-shell.json" into "/etc/chromium/policies/managed".
7. Open Chromium.

What is the expected behavior?
1. The GNOME Shell integration extension should be installed by enterprise policy.
2. The user should not be able to remove the extension.

What went wrong?
1. The GNOME Shell integration extension is not installed.
2. An attempt to install it from the Chrome Store fails with the message "GNOME Shell integration (extension ID "gphhapmejobijbbhgpjhcjognlahblep") is blocked by the administrator."

Did this work before? N/A

Chrome version: 53.0.2785.116 Channel: stable
OS Version: Gentoo stable
Flash Version: Shockwave Flash 23.0 r0

This issue was reported for the GNOME Shell integration extension: https://github.com/nE0sIghT/chrome-gnome-shell-mirror/issues/11.

According to the "ExtensionInstallForcelist" policy documentation [1]: "This policy takes precedence over a potentially conflicting ExtensionsInstallBlacklist policy" - this statement is not working.

[1] https://www.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist
Sep 30 2016
1. Do you have other policies like ExtensionsInstallBlacklist configured too?
Because the message that you mentioned ("Extension... is blocked by the administrator") is usually displayed because of such policies. Also you refer to the sentence in the documentation that speaks about the ExtensionsInstallBlacklist policy.
2. After you put the chrome-gnome-shell.json file and run Chromium, are there any errors displayed on the chrome://extensions page?
3. It would be very helpful if you would attach two dumps of data displayed on the chrome://policy page: first before you put the JSON file with the policy, and second - after that.
4. Regarding blocking the extension by hacking a file in the Chrome profile. This is not very surprising, and not sure whether this can be considered as a security issue. Not only the profile files, but also the browser itself is running with the user's privileges, which means that administrator privileges are not required at all for tampering with the browser.
We should, however, investigate whether it would be possible to suppress such tampering in this exact case, given that the admin policy should always take higher precedence.
Sep 30 2016
> 1. Do you have other policies like ExtensionsInstallBlacklist configured too?
> 2. After you put the chrome-gnome-shell.json file and run Chromium, are there any errors displayed on the chrome://extensions page?
No
> 3. It would be very helpful if you would attach two dumps of data displayed on the chrome://policy page
Attached:
> first before you put the JSON file with the policy
with-external-before-managed.png
> and second - after that
without-external-with-managed.png
Sep 30 2016
> the admin policy should always take higher precedence.
As I think, that is how it should work. But currently, extension state=2 (externally installed extension blacklisted by user uninstall action?) is taking precedence over the ExtensionInstallForcelist managed policy.
Oct 10 2016
Currently testing a CL with a possible fix.
Oct 10 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6699afb688a0c3b9d6eb85915bc475a3a3b46716

commit 6699afb688a0c3b9d6eb85915bc475a3a3b46716
Author: emaxx <emaxx@chromium.org>
Date: Mon Oct 10 21:22:13 2016

Fix force policy installation of the removed pref-installed extension

This fixes the issue with the extension not being force-installed through the admin policy when it was previously installed by the external preference and then manually removed by the user.

BUG= 651197
TEST=Unit test

Review-Url: https://codereview.chromium.org/2409743002
Cr-Commit-Position: refs/heads/master@{#424245}

[modify] https://crrev.com/6699afb688a0c3b9d6eb85915bc475a3a3b46716/chrome/browser/extensions/extension_service_unittest.cc
[modify] https://crrev.com/6699afb688a0c3b9d6eb85915bc475a3a3b46716/chrome/browser/extensions/pending_extension_manager.cc
Oct 11 2016
Thanks for fast fix! Which stable version of Chromium will get this issue fixed?
Oct 11 2016
The commit went into 56, which will be stable only in several months. But, after the fix in 56.* version gets tested, it will be decided which older branches should receive it too.
Oct 14 2016
Can we check whether this is fixed on the recent builds?
Oct 28 2016
Would it be possible to perform the test soon, so that the fix has a chance to go into 55?
Oct 28 2016
Geetha, please have the Chrome on Linux team verify this in R56.
Jan 26 2017
Is it included in 56 release?
Jan 26 2017
And I hope you guys backport it to Chromium 55 too. Debian Stretch is shipping with version 55 and we'd like to see Chromium and GNOME Shell Extension work out of the box.
Jan 27 2017
Yes, the change went into 56 (>=56.0.2888.0) and into the following branches. However, it was not backported into 55 and earlier releases. And most likely won't be now, given that this is not a security issue or any kind of complete breakage for the product users.
Comment 1 by ykonoto...@gmail.com, Sep 28 2016

Because of this bug any user without administration privileges may disable ExtensionInstallForcelist policy for any extension.

Steps:
1. Locate Preferences file in Chromium profile
2. Find key with extension id under "extensions" key.
3. Change "state" key to "2".

Example for GNOME Shell integration:

    "extensions": {
        "gphhapmejobijbbhgpjhcjognlahblep": {
            ...
            "state": 2,
        },
        ...
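
An administrator-side check for the condition this thread describes, added here as an example and not part of the original thread or of Chromium's code: it compares a managed policy's ExtensionInstallForcelist against a profile's Preferences data and reports force-listed extensions whose profile entry carries the "state" value 2 quoted above. The sample policy and Preferences contents, the second extension ID, and the "settings" nesting level are constructed assumptions.

```python
import json

# "state" value the thread reports for an externally installed extension
# that the user removed.
EXTERNAL_UNINSTALLED_STATE = 2

# Constructed sample of a managed policy file. ExtensionInstallForcelist
# entries have the form "<extension id>;<update URL>".
SAMPLE_POLICY = json.loads("""
{"ExtensionInstallForcelist": [
  "gphhapmejobijbbhgpjhcjognlahblep;https://clients2.google.com/service/update2/crx",
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://example.com/updates.xml"]}
""")

# Constructed sample of a profile Preferences file. The "settings" level is
# an assumption about the layout; the search below does not rely on it.
SAMPLE_PREFS = json.loads("""
{"extensions": {"settings": {
  "gphhapmejobijbbhgpjhcjognlahblep": {"state": 2},
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"state": 1}}}}
""")


def forced_ids(policy):
    """Return the extension IDs named in ExtensionInstallForcelist."""
    entries = policy.get("ExtensionInstallForcelist", [])
    return {e.split(";", 1)[0].strip() for e in entries if isinstance(e, str)}


def find_entries(node, ext_id):
    """Yield every dict stored under the key ext_id anywhere below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == ext_id and isinstance(value, dict):
                yield value
            yield from find_entries(value, ext_id)


def overridden_force_installs(policy, prefs):
    """Force-listed IDs whose profile entry carries the uninstalled state."""
    extensions = prefs.get("extensions", {})
    return sorted(
        ext_id for ext_id in forced_ids(policy)
        if any(entry.get("state") == EXTERNAL_UNINSTALLED_STATE
               for entry in find_entries(extensions, ext_id)))


if __name__ == "__main__":
    for ext_id in overridden_force_installs(SAMPLE_POLICY, SAMPLE_PREFS):
        print("force-listed but marked state 2 in profile:", ext_id)
```

To run it against a real system, load a policy file from "/etc/chromium/policies/managed" and the Preferences file of the profile under review with json.load and pass both to overridden_force_installs.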