316
Brave appears to install VPN Services without user consent
(www.ghacks.net)
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)
I don't use Windows but if you install a program that requires a service on Linux, the service will be written to your system's services daemon awaiting your activation. I don't see what the issue with that is.
What's to stop the installer on Linux from configuring the service such that the service always runs on boot? e.g.
systemctl enable malware.service
.Linux doesn't have "installers" as Linux uses package managers. The only way you can get malware is if you manually add a bad repo.
So it doesn't really matter in the long run
Are you really serious making this claim? lol.
Yes, prove me wrong. As long as your running a up to date system there shouldn't be anything that could be easily compromised.
I've been using Linux (and UNIX) professionally since the kernel version started with a "1." I have no need to try to prove anything to you. Linux has installers other than just those invoked by a package manager, and it is laughable that you claim otherwise.
You still need to manually enable the service. The configuration of the service has zero effect on its activation or lifecycle.
Huh? Any script can create a service, enable it and then start it. What would make you think the brave package (or just the application itself) can't do this?
Not possible to start or enable a created service without user intervention. You don't know what you are talking about.
Systemd "enabled" services are literal symlinks... whenever a target runs, it tries to start also all the service files on its "wants" directory.
You can literally enable any service for next boot by making a symlink in
/etc/systemd/system/multi-user.target.wants/
(or whichever other target you want it to run on) as root (and installation scripts are run as root).This is actually very close (just tested and confirmed it). I somehow stand corrected about requiring manual enablement but this is just using the package manager to do the dirty work for you.
However the program itself cannot write into those directories without root permissions. You still have to allow your package manager to do this with root permissions as mentioned.
Installing as user does not require root, to be clear. You can use systemd without root by specifying user.
Installing a package requires root which will automatically give the package manager permission to write anywhere on the system. To create a systemd service in user that will automatically start at boot requires root, someguy here commented with the how.
However you can run any installed binary via Desktop files as a user (no root) on login by writing to
~/.config/autostart
.My comment wasn't about installing the package. You seemed to think that systemd required root, which it does not. Further, you can have systemd user processes start at boot. I do this exact thing with Duplicacy, no root required.
The entire premise is for a package/manager to create a running/permanent service that will be started after boot AND does not require user intervention (for the avoidance of doubt, enabling the systemd service counts as intervention).
One way to do this is to create the service file and do the symlink to a folder that systemd automatically runs on boot. For both user and system systemd files you require root to make these modifications.
Another way is to create a Desktop file in the path I shared.
If you have more ways I'd be happy to hear them.
Again, it's not true, so you don't need to keep acting like it's the case. You do not need root to create systemd entries for a single user. Systemd is pretty much just symlinks all the way down. You can test this yourself, so I don't know why you're saying it's not possible when me and many others in this thread have told you that you were incorrect in the first place.
I was correct you need root to create systemd-wide systemd service that will run on boot , user systemd files can't. What they can do, is run after login. Which has more or less the same effect for a single-user setup. And I did admit I was partially wrong.
This was never about runlevel 0 or 1 programs. This was always about whether or not a user can use systemd without root. Why would Brave need to start a VPN service at an init runlevel (before most networking services)? It would make more sense to start at login.
You entirely misunderstood my argument(s). The title says "Brave appears to install VPN Services without user consent". My comment was an exploration of this using Linux's tools (systemctl). But nevertheless, creating a VPN network requires elevated permissions.
Then why did you say "you don't know what you're talking about" and are just now bringing up systemctl? Moving goalposts maybe?
Bruh you just ran the command to enable the 'written' service. Comprehension is a problem in this community.
Read my argument again.
OK.. challenge accepted. Maybe you don't know about systemd user services.
Content of
mytrojan.sh
:Content of
myscript.sh
:Now run the script (
mytrojan.sh
) and check service status after that:You failed. This requires the user to run a script aka manual intervention.
Now imagine that the script is set to run as part of the brave installation - you type "yes" please download brave, brave installs brave and runs this script. Linux isn't immune to malware as you seem to think.
You would need the power of root to do all these aforementioned things (run a VPN service).
And am not saying that Linux is immune to malware, just that it's not out of the norm to have package managers install services crucial for operation during installation. Since Windows doesn't have package managers, I'm gonna replace package managers with packages in this reasoning.
I thought that you only were ignorant, but no, you're more than that!
Maybe am ignorant but at least I understand the questions before I answer them.