OSX updater: consider disabling privilege escalation
In Firefox 52 (since 49), the Firefox updater will attempt to gain elevated privileges on OSX if necessary to apply an update. See: https://bugzilla.mozilla.org/show_bug.cgi?id=394984
So far I have not tested this with an ESR52-based Tor Browser, but we should decide whether we want to leave this feature enabled or remove it before the first stable release of Tor Browser 7.0.
On Windows, we disabled similar code because (1) most Windows users probably do not install Tor Browser in a directory that requires admin privileges and (2) we did not want to audit the code (e.g., we did not want there to be a chance that someone could be tricked into granting more privileges, perhaps due to malware that took advantage of another security bug).
On OSX the situation is a little different because we do encourage people to drop TorBrowser.app into /Applications, which does require admin privileges. I personally use an account on OSX that has Admin privileges at all times, so updates work fine for me with TB 6.x and earlier... but that is not considered best security practice on OSX (actually, I usually do not install TB in /Applications at all because I keep several versions around to make it easier to triage bugs).
Cc: Tim and Linda who may also have some thoughts on this. To be sure, there is a security vs. usability tradeoff here.