How to block Acroread 7 with SuSE FW2?
Since I don't like that Acroread 7 sends messages home, I would like to do something like this:
  iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
How do I include this using the SuSE FW2 of 9.2?
Al
Al, On Sunday 17 April 2005 09:16, Al Bogner wrote:
Since I don't like that Acroread 7 sends messages home, I would like to do something like this:
What leads you to believe that it sends messages to Adobe? I'd be a little surprised that it would do such a thing without there being an option that can be disabled, and I see no indication that there's an option for controlling it in the Preferences dialog. There is a Proxy configuration panel in that dialog. You could just point it to a non-existent proxy server.
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
How do I include this using the SuSE FW2 of 9.2?
Al
Randall Schulz
On Sunday, 17 April 2005 18:32, Randall R Schulz wrote:
Al,
On Sunday 17 April 2005 09:16, Al Bogner wrote:
Since I don't like that Acroread 7 sends messages home, I would like to do something like this:
What leads you to believe that it sends messages to Adobe? I'd be a
First, you should keep your eyes open if you're interested in computer security. Second, acroread 7 does not talk to ADOBE, it can talk (through javascript in pdf files) to whoever published the pdf file you're reading. See various news sites for more details.
little surprised that it would do such a thing without there being an option that can be disabled, and I see no indication that there's an option for controlling it in the Preferences dialog.
because it cannot be disabled thru configuration. As far as I know, in one of the articles about it it said that deleting the content of the acroread plugin directory would disable this "feature", with the additional benefit of faster startup of acroread.
bye, MH
Hi. On 04/17/2005 06:32 PM, Randall R Schulz wrote:
What leads you to believe that it sends messages to Adobe? I'd be a little surprised that it would do such a thing without there being an option that can be disabled, and I see no indication that there's an option for controlling it in the Preferences dialog.
See http://lwn.net/Articles/129729/. Michael.
On Sun, Apr 17, 2005 at 09:32:10AM -0700, Randall R Schulz wrote:
On Sunday 17 April 2005 09:16, Al Bogner wrote:
Since I don't like that Acroread 7 sends messages home, I would like to do something like this:
What leads you to believe that it sends messages to Adobe? I'd be a little surprised that it would do such a thing without there being an option that can be disabled, and I see no indication that there's an option for controlling it in the Preferences dialog.
Well, how about running ethereal? Yes, it does send these messages and there is no *real* way to disable this: You can disable this by disabling JavaScript in the configuration. Disabling JS on the other hand will bring up a requester to turn JS on again each time you exit Acroread, so sooner or later you will accidentally turn JS on again. There is one other "solution", namely to move the plugins away but after doing that, not only JS will be turned off, but also searching the document won't work and other things as well. I think Adobe is working hard on making kpdf my primary pdf-viewer - and they've mostly succeeded. (xpdf should do too of course)
There is a Proxy configuration panel in that dialog. You could just point it to a non-existent proxy server.
Yes.
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
How do I include this using the SuSE FW2 of 9.2?
You can enable the FW_CUSTOMRULES and put the rule into the custom script.
ciao Joerg
--
Joerg Mayer <jmayer@loplof.de>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
Joerg Mayer wrote
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
How do I include this using the SuSE FW2 of 9.2?
You can enable the FW_CUSTOMRULES and put the rule into the custom script.
I tried that and the rule does work on -default SuSE kernels. On -smp SuSE kernels, I always get
  riemann /root# iptables -A OUTPUT -m owner --cmd-owner telnet -j DROP
  iptables: Invalid argument
Comparing the .configs from the -default and -smp kernels, I couldn't find a setting that would explain why the rule does not work on the smp kernels. Has someone an idea?
cu, Frank
--
Dipl.-Inform. Frank Steiner    Web: http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik     Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17            Phone: +49 89 2180-4049
80333 Muenchen, Germany        Fax: +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
On Monday, 18 April 2005 10:59, Frank Steiner wrote:
I tried that and the rule does work on -default SuSE kernels. On -smp SuSE kernels, I always get
  riemann /root# iptables -A OUTPUT -m owner --cmd-owner telnet -j DROP
  iptables: Invalid argument
Comparing the .configs from the -default and -smp kernels, I couldn't find a setting that would explain why the rule does not work on the smp kernels.
well it could be possible that it just does not work in smp kernels, and thus is not compiled in as soon as you configure a smp kernel.
bye, MH
--
Sending unsolicited advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, ref.: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
On Sunday, 17 April 2005 18:32, Randall R Schulz wrote:
Since I don't like that Acroread 7 sends messages home, I would like to do something like this:
What leads you to believe that it sends messages to Adobe?
I didn't mean Adobe with "home".
There is a Proxy configuration panel in that dialog. You could just point it to a non-existent proxy server.
That is one possibility. But if you have a lot of machines using the same gateway it would be easier to control it with a firewall.
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
How do I include this using the SuSE FW2 of 9.2?
ls -1 /usr/lib/Adobe/Acrobat7.0/Reader/intellinux/plug_ins
  Accessibility.api
  AcroForm
  AcroForm.api
  Annotations
  Annots.api
  checkers.api
  DigSig.api
  EFS.api
  EScript.api
  ewh.api
  LegalPDF.api
  MakeAccessible.api
  PDDom.api
  PPKLite.api
  SaveAsRTF.api
  SearchFind.api
  SendMail.api
  SOAP.api
  Spelling.api
  wwwlink.api
Which of these plugins do I have to remove to keep the privacy?
Al
On Sunday, 17 April 2005 18:32, Randall R Schulz wrote: ls -1 /usr/lib/Adobe/Acrobat7.0/Reader/intellinux/plug_ins [...] Which of these plugins do I have to remove to keep the privacy?
The ECMAscript/Javascript plugin is EScript.api. But some other plugins depend on this one and should be disabled too. I have no Linux system here right now but for my Acrobat7-Windows the list is: Accessibility.api, PPKLite.api, Annots.api, ADBC.api, DigSig.api, AcroForm.api, HTML2PDF.api, Multimedia.api, Checkers.api, PictureTasks.api, SOAP.api, Spelling.api, Updater.api, weblink.api
Information about the plugins (and dependencies) should be available in the help menu.
--
Michel Messerschmidt, lists@michel-messerschmidt.de
In order to block that traffic you could make the acroread executable SGID 'acro' and then block all traffic coming from group 'acro'. Iptables has an option for doing this by using the --gid-owner option. Of course that works only with a local firewall. Regards nordi
nordi, I'd like to learn more about this, would you mind to give an example for such a rule? Would you recommend other SGID to block, which? Thanks in advance, Carl
On Sunday, 17 April 2005 18:52, nordi wrote:
In order to block that traffic you could make the acroread executable SGID 'acro' and then block all traffic coming from group 'acro'. Iptables has an option for doing this by using the --gid-owner option. Of course that works only with a local firewall.
Regards nordi
Carl A. Schreiber wrote:
I'd like to learn more about this, would you mind to give an example for such a rule?
I did it with the following rule:
  iptables -A OUTPUT -m owner --gid-owner talker -j REJECT
Then I set /usr/bin/netcat to be owned by group 'talker' and to mode 2755 (SGID). After that I could not connect anywhere with netcat. Once I chmodded netcat back to 755 it worked again.
Regards nordi
Al Bogner wrote:
Since I don't like that Acroread 7 sends messages home, I would like to do something like this:
iptables -A OUTPUT -m owner --cmd-owner acroread -j DROP
I don't have an answer for you, but am curious about this issue. Do you have further info regarding what and how it 'sends messages home?' -- Until later, Geoffrey
Al Bogner wrote: I don't have an answer for you, but am curious about this issue. Do you have further info regarding what and how it 'sends messages home?'
The site http://www.remoteapproach.com/ provides a "service" to track the usage of a PDF document. I haven't seen one of those PDFs myself, but rumours say it is implemented with embedded javascript. The Adobe javascript implementation allows many things users commonly don't expect. The implementation of javascript in PDF somehow reminds me of VBA macros in MS Office:
- it is a powerful programming language
- it is enabled by default
- there is no sufficient security concept
- there are ways to "auto-execute" code in a document (for example just by opening, closing, printing... a document)
See http://partners.adobe.com/public/developer/en/pdf/PDFReference16.pdf and http://partners.adobe.com/public/developer/en/acrobat/sdk/pdf/javascript/Acr... for details.
--
Michel Messerschmidt, lists@michel-messerschmidt.de
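The auto-execute point in the message above, as an added example that is not part of the original thread: a Python triage script that counts the PDF name keys which carry or trigger scripts (/JavaScript, /JS, /OpenAction, /AA, all defined in the PDF Reference) so a document can be checked before it is opened in a scripting-capable viewer. The function names and both sample byte strings are constructed for illustration, and the scan only sees objects that are stored uncompressed.

```python
import re

# Name keys from the PDF Reference that carry a script or trigger an action.
SUSPECT = ("/JavaScript", "/JS", "/OpenAction", "/AA")

# A PDF name is "/" followed by characters that are neither whitespace nor delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes in a name, e.g. /J#61vaScript -> /JavaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count each suspect key in the raw bytes (compressed streams are not inflated)."""
    counts = {key: 0 for key in SUSPECT}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def verdict(counts: dict) -> str:
    """Classify a scan result; a script plus an automatic trigger is the worst case."""
    has_script = counts["/JavaScript"] or counts["/JS"]
    auto_run = counts["/OpenAction"] or counts["/AA"]
    if has_script and auto_run:
        return "script-with-auto-trigger"
    if has_script:
        return "script-present"
    return "no-script-keys"

# Constructed sample: catalog with an open action pointing at a JavaScript
# action whose type name is hex-escaped to dodge a naive string search.
SAMPLE_SCRIPTED = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert("constructed sample");) >> endobj
"""

# Constructed sample: catalog without any action or script keys.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
"""

if __name__ == "__main__":
    for label, blob in (("scripted", SAMPLE_SCRIPTED), ("plain", SAMPLE_PLAIN)):
        result = scan_pdf(blob)
        print(label, result, verdict(result))
```

A "no-script-keys" result is not proof of absence: PDF 1.5 and later can place objects inside compressed object streams, which this scan does not inflate.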
participants (10)
- Al Bogner
- Carl A. Schreiber
- Frank Steiner
- Geoffrey
- Joerg Mayer
- Mathias Homann
- Michael Schachtebeck
- Michel Messerschmidt
- nordi
- Randall R Schulz