For some reason, my Gnome 3 shell process has forked off an 'acroread' process which I did not start!
It appears to be attempting to install itself or do something in the background. This is completely unacceptable, nothing should ever attempt to download and run some unauthenticated script and should never attempt to install anything without my explicit knowledge and permission!
I consider this to be a security breach and failure of the Fedora security policies to permit this. In fact there should be a separate SELinux context for this commercial app just so it can't do anything to my system without my knowledge.
UID PID PPID C STIME TTY TIME CMD XXX 2509 2483 0 Jul10 ? 00:00:01 gnome-session XXX 2615 2509 1 Jul10 ? 00:12:04 /usr/bin/gnome-shell XXX 16717 2615 0 13:46 ? 00:00:08 acroread XXX 16769 16717 20 13:46 ? 00:29:25 /bin/sh /tmp/acrobat.n9vv0T/AdobeReader/INSTALL --lzma=/home/XXX XXX 7662 16769 0 15:40 ? 00:00:00 [INSTALL] <defunct>
Does the Gnome shell have some sort of auto-start or auto-update capability in it, that perhaps Adobe has surreptitiously hooked itself into. And how do I get it back out?
(The only reason I even have Adobe reader is because Evince can not fully handle the US IRS tax forms.)
On Mon, Jul 11, 2011 at 04:19:31PM -0400, Deron Meranda wrote:
For some reason, my Gnome 3 shell process has forked off an 'acroread' process which I did not start!
It appears to be attempting to install itself or do something in the background. This is completely unacceptable, nothing should ever attempt to download and run some unauthenticated script and should never attempt to install anything without my explicit knowledge and permission!
I consider this to be a security breach and failure of the Fedora security policies to permit this. In fact there should be a separate SELinux context for this commercial app just so it can't do anything to my system without my knowledge.
UID PID PPID C STIME TTY TIME CMD XXX 2509 2483 0 Jul10 ? 00:00:01 gnome-session XXX 2615 2509 1 Jul10 ? 00:12:04 /usr/bin/gnome-shell XXX 16717 2615 0 13:46 ? 00:00:08 acroread XXX 16769 16717 20 13:46 ? 00:29:25 /bin/sh /tmp/acrobat.n9vv0T/AdobeReader/INSTALL --lzma=/home/XXX XXX 7662 16769 0 15:40 ? 00:00:00 [INSTALL] <defunct>
Does the Gnome shell have some sort of auto-start or auto-update capability in it, that perhaps Adobe has surreptitiously hooked itself into. And how do I get it back out?
Yes, it does. Run gnome-session-properties and look at the list of applications that will automatically load at session start.
(The only reason I even have Adobe reader is because Evince can not fully handle the US IRS tax forms.)
What I'm failing to see is how this is a failing of Fedora. You installed a non-Fedora package on your system (AdobeReader is not a part of Fedora) and it is that non-Fedora package that appears to be doing things in the background on your system. You can blame the distro for compromising your system when you were the one who circumvented the trusted packages list and installed something else.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/11/2011 04:19 PM, Deron Meranda wrote:
For some reason, my Gnome 3 shell process has forked off an 'acroread' process which I did not start!
It appears to be attempting to install itself or do something in the background. This is completely unacceptable, nothing should ever attempt to download and run some unauthenticated script and should never attempt to install anything without my explicit knowledge and permission!
I consider this to be a security breach and failure of the Fedora security policies to permit this. In fact there should be a separate SELinux context for this commercial app just so it can't do anything to my system without my knowledge.
UID PID PPID C STIME TTY TIME CMD XXX 2509 2483 0 Jul10 ? 00:00:01 gnome-session XXX 2615 2509 1 Jul10 ? 00:12:04 /usr/bin/gnome-shell XXX 16717 2615 0 13:46 ? 00:00:08 acroread XXX 16769 16717 20 13:46 ? 00:29:25 /bin/sh /tmp/acrobat.n9vv0T/AdobeReader/INSTALL --lzma=/home/XXX XXX 7662 16769 0 15:40 ? 00:00:00 [INSTALL] <defunct>
Does the Gnome shell have some sort of auto-start or auto-update capability in it, that perhaps Adobe has surreptitiously hooked itself into. And how do I get it back out?
(The only reason I even have Adobe reader is because Evince can not fully handle the US IRS tax forms.)
Look in /etc/xdg/autostart
or in ~/.config/autostart
On Mon, Jul 11, 2011 at 04:56:56PM -0400, Darryl L. Pierce wrote:
What I'm failing to see is how this is a failing of Fedora. You installed a non-Fedora package on your system (AdobeReader is not a part of Fedora) and it is that non-Fedora package that appears to be doing things in the background on your system. You can blame the distro for
s/can/can't/
Doh!
compromising your system when you were the one who circumvented the trusted packages list and installed something else.
What I'm failing to see is how this is a failing of Fedora. You installed a non-Fedora package on your system (AdobeReader is not a part of Fedora) and it is that non-Fedora package that appears to be doing things in the background on your system. You can blame the distro for compromising your system when you were the one who circumvented the trusted packages list and installed something else.
Thanks for the info about xdg. I was unable to find that on my previous searches, and it doesn't show up in the graphical Gnome preferences.
Sorry, I didn't mean to blame the distro; you're right, this was a third party package problem. ... Except that the Gnome 3 shell doesn't provide any feedback or information that it will run things in the background, nor is there any apparent method of listing those things (from the default install anyway).
I do blame Adobe though. Yes, I contemplated very long very before installing acroread because I do try to keep my system extremely pure .. but alas, the needs to fill out tax forms nudged me over. But Adobe to their failing did not notify me that their software would periodically attempt to download and install software on my system without my knowledge. Bad on them.
Concerning Fedora. This could perhaps be partially guarded against if there were an SELinux context into which I could label the "foreign" software -- that would prohibit it from accessing the network, or running scripts out of /tmp. Is there such a type label that I could chcon /usr/local/bin/acroread ??
Thanks
On Mon, Jul 11, 2011 at 05:13:27PM -0400, Deron Meranda wrote:
What I'm failing to see is how this is a failing of Fedora. You installed a non-Fedora package on your system (AdobeReader is not a part of Fedora) and it is that non-Fedora package that appears to be doing things in the background on your system. You can blame the distro for compromising your system when you were the one who circumvented the trusted packages list and installed something else.
Thanks for the info about xdg. I was unable to find that on my previous searches, and it doesn't show up in the graphical Gnome preferences.
Sorry, I didn't mean to blame the distro; you're right, this was a third party package problem. ... Except that the Gnome 3 shell doesn't provide any feedback or information that it will run things in the background, nor is there any apparent method of listing those things (from the default install anyway).
Look at it from a usability point of view. See that list of apps in the gnome-session-properties app? How distracting/obnoxious/cluttering would it be for Gnome to tell us about every single one of them starting? I can't think of a way for it to notify the user about each of them without being a PITA.
I do blame Adobe though. Yes, I contemplated very long very before installing acroread because I do try to keep my system extremely pure .. but alas, the needs to fill out tax forms nudged me over. But Adobe to their failing did not notify me that their software would periodically attempt to download and install software on my system without my knowledge. Bad on them.
Yeah, but it's SOP. The Windows version does a (just about every day) download of updates for Adobe. Really, you'd think by now they could get it stabilized, right? :)
Concerning Fedora. This could perhaps be partially guarded against if there were an SELinux context into which I could label the "foreign" software -- that would prohibit it from accessing the network, or running scripts out of /tmp. Is there such a type label that I could chcon /usr/local/bin/acroread ??
That I don't know.
On Mon, Jul 11, 2011 at 17:13:27 -0400, Deron Meranda deron.meranda@gmail.com wrote:
I do blame Adobe though. Yes, I contemplated very long very before installing acroread because I do try to keep my system extremely pure .. but alas, the needs to fill out tax forms nudged me over. But Adobe to their failing did not notify me that their software would periodically attempt to download and install software on my system without my knowledge. Bad on them.
If you just needed fill out forms, evince might have worked for you.
Concerning Fedora. This could perhaps be partially guarded against if there were an SELinux context into which I could label the "foreign" software -- that would prohibit it from accessing the network, or running scripts out of /tmp. Is there such a type label that I could chcon /usr/local/bin/acroread ??
You can run programs in a sandbox which will limit what they can do. You can use 'man sandbox' to see how to use it.
If you just needed fill out forms, evince might have worked for you.
I tried Evince first, but there was some form it was having difficulty with. And given there is a deadline for tax things, I didn't have a lot of time to try to figure it out and was kind of forced to try acroread. What I should have done in retrospect was create a brand new Unix user account, did my "dirty" things there, and then deleted it all.
I was just surprised to find that it was somehow auto-installing things when I didn't ask it to, and when I didn't start the application myself. I don't like surprises like that.
You can run programs in a sandbox which will limit what they can do. You can use 'man sandbox' to see how to use it.
Thanks for that. It sounds useful.
On 07/12/2011 04:19 AM, Deron Meranda wrote:
For some reason, my Gnome 3 shell process has forked off an 'acroread' process which I did not start!
It appears to be attempting to install itself or do something in the background. This is completely unacceptable, nothing should ever attempt to download and run some unauthenticated script and should never attempt to install anything without my explicit knowledge and permission!
I consider this to be a security breach and failure of the Fedora security policies to permit this. In fact there should be a separate SELinux context for this commercial app just so it can't do anything to my system without my knowledge.
UID PID PPID C STIME TTY TIME CMD XXX 2509 2483 0 Jul10 ? 00:00:01 gnome-session XXX 2615 2509 1 Jul10 ? 00:12:04 /usr/bin/gnome-shell XXX 16717 2615 0 13:46 ? 00:00:08 acroread XXX 16769 16717 20 13:46 ? 00:29:25 /bin/sh /tmp/acrobat.n9vv0T/AdobeReader/INSTALL --lzma=/home/XXX XXX 7662 16769 0 15:40 ? 00:00:00 [INSTALL] <defunct>
Does the Gnome shell have some sort of auto-start or auto-update capability in it, that perhaps Adobe has surreptitiously hooked itself into. And how do I get it back out?
(The only reason I even have Adobe reader is because Evince can not fully handle the US IRS tax forms.)
FWIW, I installed acroread via the yum repo of adobe. There are no processes being started in GNOME or KDE at login.
On Mon, Jul 11, 2011 at 4:39 PM, Deron Meranda deron.meranda@gmail.com wrote:
If you just needed fill out forms, evince might have worked for you.
I tried Evince first, but there was some form it was having difficulty with. And given there is a deadline for tax things, I didn't have a lot of time to try to figure it out and was kind of forced to try acroread. What I should have done in retrospect was create a brand new Unix user account, did my "dirty" things there, and then deleted it all.
We'll, it's not trivial (depending on your definition of trivial) but you can (mis)-use mock to create a chroot environment which is easily nuked when you're done with it. You have to use Xnest to create an X session that you can export to your X session but it does work.
I've used this for testing packages I'm troubleshooting on other releases of Fedora than what I'm running.
Thanks, Richard