LinuxQuestions.org
Old 11-23-2013, 07:19 PM   #1
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Rep: Reputation: 33
[Security] Firefox asks for the system keyring password


Hi,

I've a question related to the overall security of my system.

I'm running Slackware -current with Alien BoB's flash plugin package.

A few days ago, I was browsing a website that had a flash video embedded.

After a while, Firefox prompted me for the system keyring password.

It is not normal behavior for a web browser to ask for privilege elevation.

I did cancel the prompt but I've forgotten to track down the resource that Firefox (or the flash plugin, I don't know) wanted to access.

How can I check if my system is compromised by some sort of exploit?
 
Old 11-23-2013, 07:32 PM   #2
hitest
Senior Member
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 4,141

Rep: Reputation: 523
You could try running rkhunter. It will scan your system for known rootkits and exploits.

http://slackbuilds.org/repository/14.0/system/rkhunter/

After you install it, you run it on the CLI as root. Navigate to /usr/bin


# rkhunter --update
# rkhunter --checkall
 
1 members found this post helpful.
Old 11-24-2013, 12:47 PM   #3
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Original Poster
Rep: Reputation: 33
Thank you, I will give this a go.
 
Old 11-24-2013, 05:31 PM   #4
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Original Poster
Rep: Reputation: 33
I just finished running the test.

Apparently, there's not much to worry about.

Only 3 files were reported as "suspicious":

Code:
/usr/sbin/adduser
/usr/bin/ldd
/usr/bin/whatis
I think they were detected as false positives since Pat made a few changes to them.

Please tell me if my "analysis" is correct.

While typing this message, the keyring prompt popped up again!

I've saved the ps -ax output.

Please tell me what application tried to access some part of the system.

Here's the link to the output:

http://sebsauvage.net/paste/?513a944...CjfcBNzghJybc=

This is really driving me nuts.
 
Old 11-24-2013, 05:49 PM   #5
jon lee
Member
 
Registered: Jul 2013
Posts: 81

Rep: Reputation: Disabled
That's a highly modified system to be Slackware. I take it you installed Dropline GNOME?
You have a lot of GNOME-centric processes to be running Xfce with compton.

I would try to capture the WM logs: startx &> log.txt. If that fails to produce anything, run firefox in a terminal to see if it logs anything. If worse comes to worst, you could strace firefox to see where it's coming from.
 
Old 11-24-2013, 06:03 PM   #6
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Original Poster
Rep: Reputation: 33
Hi,

No, I've NOT installed Dropline Gnome.

I'm just using a vanilla Xfce.

Compton only needed libconfig as an external dependency.

I wouldn't use Slackware if I wanted the Gnome stuff.

I will log my WM as you advised.

I will let you know if I have to strace Firefox.

If I don't find it in a few weeks, I will just restore my Clonezilla backup.

I think something HAS been changed without my approval since this keyring prompt never showed up before I browsed this f%$!ing dubious website.

Thanks for your tips
 
Old 11-24-2013, 06:29 PM   #7
jon lee
Member
 
Registered: Jul 2013
Posts: 81

Rep: Reputation: Disabled
Just to give something to compare your process list with, here is my process list of xfce with compton.
http://pastebin.com/cdYTB9Hq

That should give an idea of some of the things you could eliminate.
 
Old 11-24-2013, 06:57 PM   #8
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by jon lee View Post
Just to give something to compare your process list with, here is my process list of xfce with compton.
http://pastebin.com/cdYTB9Hq

That should give an idea of some of the things you could eliminate.

Mhh, from a first quick look, you don't have any kind of "gnome" process running.

I think that you have done a Slackware installation with the "menu" or "expert" mode, just like me.

I've done nothing fancy, just got rid of the whole /KDE/ and /KDEI/ plus some other "server" stuff that I don't need on a laptop.

I'm curious to see what packages you just skipped.

You seem to have skipped everything related to gnome.

I'm a bit busy this week and I can't analyze this right now but I will compare your ps output with mine next weekend.

I will try to do a diff comparison between your output and mine.

Of course, I will let you know.

Thank you
 
Old 11-24-2013, 07:35 PM   #9
hitest
Senior Member
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 4,141

Rep: Reputation: 523
Quote:
Originally Posted by Nh3xus View Post
I just finished running the test.

Apparently, there's not much to worry about.

Only 3 files were reported as "suspicious":

Code:
/usr/sbin/adduser
/usr/bin/ldd
/usr/bin/whatis
Yeah, I get those as well. If rkhunter shows zero rootkits I think you're likely okay. Do you have any other evidence that makes you think you've been compromised?
 
Old 11-24-2013, 08:21 PM   #10
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by hitest View Post
Yeah, I get those as well. If rkhunter shows zero rootkits I think you're likely okay. Do you have any other evidence that makes you think you've been compromised?
Glad to see that these are false positives

I've not that much information at the moment.

I've managed to capture the process that is related to this password prompt :

Code:
 16784 ? SLl 0:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
It's annoying to be interrupted by this prompt every now and then so I will troubleshoot this during this weekend.

I've thought about such rare cases so I think my Clonezilla backup will come in pretty handy for that

But it's still interesting to see if _somehow_ something managed to gain access to restricted resources.
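
Added example, not part of any post in this thread: one way to see which client is asking the `--components=secrets` daemon for access is to watch Secret Service calls on the session D-Bus and resolve each sender to a PID. The function names and the sample monitor text are constructed for illustration; `org.freedesktop.secrets` is the bus name the gnome-keyring secrets component serves.

```sh
#!/bin/sh
# Added example (not from the thread): attribute Secret Service requests,
# the ones that can make gnome-keyring prompt, to the client that sent them.

# Read dbus-monitor text on stdin; print "sender member" for each method call
# addressed to org.freedesktop.secrets ("dest=" and "destination=" both accepted).
secret_callers() {
  awk '/^method call/ && /(dest|destination)=org\.freedesktop\.secrets / {
    sender = ""; member = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^sender=/) sender = substr($i, 8)
      if ($i ~ /^member=/) member = substr($i, 8)
    }
    sub(/;$/, "", member)
    if (sender != "") { print sender, member; fflush() }
  }'
}

# Live step (assumes dbus-send is installed): ask the bus daemon which PID
# owns a unique connection name such as ":1.42".
bus_name_to_pid() {
  dbus-send --session --print-reply --dest=org.freedesktop.DBus \
    /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID \
    "string:$1" | awk '/uint32/ { print $2 }'
}

# Live step: watch the session bus and print each caller's PID and command line.
watch_secret_service() {
  dbus-monitor --session "type='method_call',destination='org.freedesktop.secrets'" |
    secret_callers | while read -r sender member; do
      pid=$(bus_name_to_pid "$sender")
      cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')
      echo "$member from $sender pid=$pid cmd=$cmd"
    done
}

# Constructed sample of dbus-monitor output (not captured from the poster's system).
sample_monitor_output() {
  cat <<'EOF'
signal time=1385333001.100 sender=org.freedesktop.DBus -> destination=:1.42 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
method call time=1385333001.200 sender=:1.42 -> destination=org.freedesktop.secrets serial=5 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=OpenSession
   string "plain"
method call time=1385333001.300 sender=:1.17 -> destination=org.freedesktop.Notifications serial=9 path=/org/freedesktop/Notifications; interface=org.freedesktop.Notifications; member=Notify
method call sender=:1.42 -> dest=org.freedesktop.secrets serial=6 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=SearchItems
EOF
}

# Offline demonstration on the constructed sample.
sample_monitor_output | secret_callers
```

Run `watch_secret_service` in a terminal inside the desktop session and leave it open until the prompt reappears; the command line printed for the sender shows whether the request came from the browser or from something else.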
 
Old 11-25-2013, 01:25 AM   #11
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 181
Blog Entries: 1

Rep: Reputation: 38
Uninstall gnome-keyring and libgnome-keyring, assuming you don't use firefox/mozilla/seamonkey etc. password management, and you don't use ssh-agent/gpg-agent. Slackware's official release notes don't say why these packages are needed, so take them out and see if any software breaks. Good luck.

My bad, I don't use Xfce 4. Try disabling Launch GNOME services in the Advanced tab of Session Manager in Xfce's settings.
Starting your xfce with --with-ck-launch for ConsoleKit session.
http://docs.xfce.org/xfce/xfce4-session/advanced

Last edited by number22; 11-25-2013 at 02:01 AM.
 
Old 11-25-2013, 03:30 AM   #12
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Original Poster
Rep: Reputation: 33
I don't use ssh-agent/gpg-agent.

But I use the Firefox master password.

I tried a couple of minutes ago to remove the Adobe configuration folder by using this command :

Code:
$ rm -rf ~/.adobe
But still no joy, the password prompt still appears randomly.

I will just restore the system to a previous state with my backup.

It looks like it's a pain to track down.

As a GNU/Linux user, this is the first time I've encountered a possible infection on my machine.

I'm sure that even if rkhunter didn't find anything, I've something that starts along with my session and tries to access something.

Thanks for the advice though.
 
Old 11-25-2013, 05:42 AM   #13
Ilgar
Member
 
Registered: Jan 2005
Location: Istanbul, Turkey
Distribution: Slackware 14.1, Slackware64 14.1
Posts: 917

Rep: Reputation: 87
You can also try checking the "Sessions and Startup" in Xfce settings to see if any related daemon is autostarted with Xfce.

I don't think that there is an infection here -- I have a similar situation with Google Chrome. After upgrading to 14.1, Google Chrome started asking for keyring password whenever I open an account login page. I've seen this happening in other distributions before. Probably, that functionality was always there but did not activate while using the 14.0 versions of the related packages. I think it is similar to KWallet popping up in a KDE session.
 
Old 11-25-2013, 11:21 AM   #14
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 181
Blog Entries: 1

Rep: Reputation: 38
Quote:
Originally Posted by Nh3xus View Post
I don't use ssh-agent/gpg-agent.

But I use the Firefox master password.
The culprit is likely the Firefox gnome-keyring integration; google it. To make firefox-gnome-keyring use your login keychain, set extensions.gnome-keyring.keyringName to "login" (without the double quotes) in about:config. Note the lowercase 'l' despite the keychain name having an uppercase 'L' in Seahorse.
 
Old 11-25-2013, 06:27 PM   #15
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 130

Original Poster
Rep: Reputation: 33
I'm not sure this will do the trick.

I mean, I can hide the prompt but this will more likely hide the suspicious behavior.

I've installed ClamAV, and I will perform a full scan of the whole drive tomorrow while I'm at my university.

If ClamAV doesn't report anything, I will restore the system to a previous state and change all the passwords stored by Firefox.

I will reset the master password too.

Browser exploits do exist on GNU/Linux too I guess...
 
  

