Gentoo Forums
Disabling Adobe Acrobat 7 Spyware "Feature"

je_fro (Retired Dev)
Posted: Mon Jun 06, 2005 7:55 am    Post subject: Disabling Adobe Acrobat 7 Spyware "Feature"

Disabling Adobe Acrobat 7 Spyware "Feature"

I really like the new and improved acroread 7, but don't approve of their spyware feature discussed here:

http://lwn.net/Articles/129729/

So here's what I did...
Add a new group that I intend to give no privileges:
Code:

groupadd nopriv

...which resulted in this entry in /etc/group:
Code:

nopriv:x:440:

Then I changed ownership of (on my system) /opt/Acrobat7/acroread, and setgid on the executable.
Code:

chgrp nopriv /opt/Acrobat7/acroread
chmod 2755 /opt/Acrobat7/acroread

...which resulted in this:
Code:

# ls -l /opt/Acrobat7/
total 12
drwxr-xr-x 11 root root 80 Jun 6 01:10 Reader
drwxr-xr-x 7 root root 40 Jun 6 01:10 Resource
-rwxr-sr-x 1 root nopriv 6010 Jun 6 01:10 acroread

Finally I had to go to the kernel and enable the ipt_owner module:
Code:

<M> Owner match support

Now I'm set to run a new iptables rule whenever I boot:
Code:

$IPTABLES -A OUTPUT -m owner --gid-owner nopriv -j LOG --log-prefix=GROUP_NOPRIV:
$IPTABLES -A OUTPUT -m owner --gid-owner nopriv -j DROP

Now all I need is a "remoteapproach" pdf to open and test....hmm...they are pretty hard to find when you need one so I'll test it another way:
Code:

cd /usr/bin
chgrp nopriv lynx
chmod 2755 lynx
lynx www.google.com

And sure enough, there it is:
Code:

Jun 6 02:42:29 speedy GROUP_NOPRIV:IN= OUT=eth0 SRC=192.168.2.2 DST=24.93.40.71 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=20837 DF PROTO=UDP SPT=33010 DPT=53 LEN=59
Jun 6 02:42:29 speedy GROUP_NOPRIV:IN= OUT=eth0 SRC=192.168.2.2 DST=24.93.40.72 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=20837 DF PROTO=UDP SPT=33010 DPT=53 LEN=59


So it looks like this method will work to prevent acrobat7 from phoning home. I'm currently scouring the web for one of these "poisoned pdf's", if you find one, let me know so I can test this out.
I know there are 100 ways to do this, but this is the best one I could think of. If you can think of anything else, improvements, etc...feel free to add to this thread!

je_fro

<edit>
I had to use --gid-owner instead of --cmd-owner because I have an SMP kernel and --cmd-owner is broken for me.
Code:

Jun  6 02:00:07 speedy ipt_owner: pid, sid and command matching is broken on SMP.

_________________
Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect.
--Linus Torvalds

My site with some gentoo config files:
http://je-fro.net/page.html
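
Added example (not from the original post): a shell function that summarizes what the setgid-`nopriv` program tried to reach, read from kernel log lines carrying the `GROUP_NOPRIV:` prefix set by the LOG rule above. The sample lines are constructed in the format of the post's log output using documentation addresses, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Log prefix configured by the LOG rule in the post.
PREFIX='GROUP_NOPRIV:'

# Constructed sample input: three packets hit the nopriv rule, one line
# belongs to an unrelated rule (OTHER_RULE is hypothetical) and must be ignored.
sample_log() {
cat <<'EOF'
Jun  6 02:42:29 host GROUP_NOPRIV:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=20837 DF PROTO=UDP SPT=33010 DPT=53 LEN=59
Jun  6 02:42:30 host GROUP_NOPRIV:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=20838 DF PROTO=UDP SPT=33010 DPT=53 LEN=59
Jun  6 02:42:31 host GROUP_NOPRIV:IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20839 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  6 02:42:32 host OTHER_RULE:IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40113 DPT=443 SYN
EOF
}

# Read syslog lines on stdin; print "<count> <proto> <dst>:<dport>" for every
# destination the nopriv group tried to contact, most frequent first.
summarize_nopriv() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) == 0 { next }      # not logged by our rule
        {
            dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)  # empty for ICMP
            }
            if (dst != "") count[proto " " dst ":" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Demo run on the constructed sample; on a real system, feed the kernel log instead.
sample_log | summarize_nopriv
```

DNS lookups show up in the summary too, as in the post's own log: the DROP rule applies to every packet sent with the `nopriv` group, name resolution included.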

kernelsensei (Bodhisattva)
Posted: Mon Jun 06, 2005 8:02 am

ehh, didn't know that .. thanks for the info :wink:
_________________
$ ruby -e'puts " .:@BFegiklnorst".unpack("x4ax7aaX6ax5aX15ax4aax6aaX7ax2aX5aX8 \
axaX3ax8aX4ax6aX3aX6ax3ax3aX9ax4ax2aX9axaX6ax3aX2ax4ax3aX4aXaX12ax10aaX7a").join'

irondog (l33t)
Posted: Tue Jun 07, 2005 6:55 am

Why does acroread support this feature without notifying the user it's sending information across the internet?

And is Remote Approach exploiting a bug, or is this spyware "feature" something that will keep returning in future versions?
_________________
Alle dingen moeten onzin zijn.

ruben (Guru)
Posted: Tue Jun 07, 2005 7:17 am

How about just disabling JavaScript, so a pdf cannot "phone home"?

je_fro (Retired Dev)
Posted: Tue Jun 07, 2005 9:36 am    Post subject: hmm...

disabling javascript turns it into nagware.
_________________
Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect.
--Linus Torvalds

My site with some gentoo config files:
http://je-fro.net/page.html

matthies (n00b)
Posted: Thu Jul 07, 2005 7:00 pm

i tried the following, as mentioned in one of the comments at lwn.net:
Quote:

Go to $HOME/.adobe/Acrobat/7.0/JavaScripts and remove "glob.settings.js". Create a symbolic link with that name to "/dev/null". That should stop the dialog box.

worked for me :D
(although your solution is very useful for other applications that one might want to block)

AxisDigital (n00b)
Posted: Fri Jul 08, 2005 3:17 am

Does that disable the dialogue, or the phoning home as well?
I'm definitely trying this.

pinr (Apprentice)
Posted: Fri Jul 08, 2005 4:01 am

Why not just block
http://www.remoteapproach.com/remoteapproach/logging.asp
in iptables?

matthies (n00b)
Posted: Fri Jul 08, 2005 7:06 am

sorry, i was a bit short there on the information :D

1. disable javascript in the acroread preferences
this will turn off 'phoning home' capabilities done with javascript (and everything else done with javascript as well - so some pdf's using fancy input forms might need this turned on again)

2. disable the nagging dialogue box (that pops up after closing acroread that reminds you that javascript has been turned off) by deleting ~/.adobe/Acrobat/7.0/JavaScripts/glob.settings.js and creating a symlink to /dev/null with that name
Code:

cd ~/.adobe/Acrobat/7.0/JavaScripts/
mv glob.settings.js glob.settings.js.backup
ln -s /dev/null glob.settings.js


this solution isn't perfect, you might want to turn javascript back on with pdf forms that really need it (and i haven't checked if these will work without recreating the original glob.settings.js).

blocking access to http://www.remoteapproach.com/remoteapproach/logging.asp via iptables or /etc/hosts will only prevent pdf's tagged by remoteapproach, others might be performing these 'phoning home' solutions as well, though i don't know of any.

pinr (Apprentice)
Posted: Fri Jul 08, 2005 11:51 am

matthies wrote:

blocking access to http://www.remoteapproach.com/remoteapproach/logging.asp via iptables or /etc/hosts will only prevent pdf's tagged by remoteapproach, others might be performing these 'phoning home' solutions as well, though i don't know of any.


Well ok, but what about blocking Acroread with:
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP

matthies (n00b)
Posted: Fri Jul 08, 2005 12:04 pm

pinr wrote:

Well ok, but what about blocking Acroread with:
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP


there's nothing wrong with that approach, it's just that i haven't really used iptables yet :wink: . that's why i presented the approach with deleting glob.settings.js (as found at lwn.net) here, so that people who don't know their way around iptables can fix this quickly as well. and your approach certainly is the more appropriate way (and the only way you can really be sure, there always might be other spyware features in acroread).

GNUtoo (Veteran)
Posted: Fri Jul 08, 2005 11:50 pm

now i must be frightened about running not open source software under linux
lol
is there any mention of that in the license?

je_fro (Retired Dev)
Posted: Mon Jul 11, 2005 1:38 am

pinr wrote:
matthies wrote:

blocking access to http://www.remoteapproach.com/remoteapproach/logging.asp via iptables or /etc/hosts will only prevent pdf's tagged by remoteapproach, others might be performing these 'phoning home' solutions as well, though i don't know of any.


Well ok, but what about blocking Acroread with:
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP


That would be nice, but --cmd-owner is currently broken for SMP kernels.
_________________
Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect.
--Linus Torvalds

My site with some gentoo config files:
http://je-fro.net/page.html

SeeksTheMoon (Apprentice)
Posted: Mon Jul 25, 2005 10:42 am

owner match on SMP will be broken forever:
"The core team does not see a way to fix it...if you want to use owner match,
you'll have to use UP."
"Indeed, numerous kernel developers of all fields have concluded that this
problem is impossible to fix."