[SOLVED]Did AUR installation mess sth up with file system permissions?

860lacov · 2023-01-04 19:46:01

I wanted to install surfshark-gui-bin

After installation I've got a message in terminal:

warning: directory permissions differ on /etc/
filesystem: 755  package: 777
warning: directory permissions differ on /usr/
filesystem: 755  package: 777
warning: directory permissions differ on /usr/lib/
filesystem: 755  package: 777
warning: directory permissions differ on /usr/lib/systemd/
filesystem: 755  package: 777
warning: directory permissions differ on /usr/lib/systemd/system/
filesystem: 755  package: 777
warning: directory permissions differ on /usr/lib/systemd/user/
filesystem: 755  package: 777
warning: directory permissions differ on /var/
filesystem: 755  package: 777
warning: directory permissions differ on /var/lib/
filesystem: 755  package: 777
Configuration file /usr/lib/systemd/user/surfsharkd.service is marked world-writable. Please remove world writability permission bits. Proceeding anyway.

I've checked and it seems that every directory permissions are ok

lrwxrwxrwx   1 root root    7 10-18 23:01 bin -> usr/bin
drwxr-xr-x   5 root root 4096 1970-01-01  boot
drwxr-xr-x  20 root root 4260 01-04 08:00 dev
drwxr-xr-x   1 root root 3656 01-04 20:36 etc
drwxr-xr-x   1 root root    4 2021-09-01  home
lrwxrwxrwx   1 root root    7 10-18 23:01 lib -> usr/lib
lrwxrwxrwx   1 root root    7 10-18 23:01 lib64 -> usr/lib
drwxr-xr-x   1 root root    0 08-14 23:31 mnt
drwxr-xr-x   1 root root   90 01-04 20:36 opt
drwxr-xr-x   1 root root    0 10-02 21:12 pen
dr-xr-xr-x 330 root root    0 01-04 07:57 proc
drwxr-x---   1 root root  144 12-04 21:43 root
drwxr-xr-x  31 root root  740 01-04 08:00 run
lrwxrwxrwx   1 root root    7 10-18 23:01 sbin -> usr/bin
drwxr-xr-x   1 root root   14 2021-07-24  srv
dr-xr-xr-x  13 root root    0 01-04 07:57 sys
drwxrwxrwt  14 root root  440 01-04 20:36 tmp
drwxr-xr-x   1 root root   80 01-04 20:36 usr
drwxr-xr-x   1 root root  116 01-04 00:20 var

But... I didn't pay attention before, so I can't verify that.
It's more a sanity check, but could you please take a look and tell me if everything is ok?

I've ckecked surfsharkd.service too.

-rw-rw-rw- 1 root root 302 01-04 20:36 /usr/lib/systemd/user/surfsharkd.service

Should I change this service permission to 755?

Just to be sure I removed surfshark-gui-bin and during the uninstallation process there was an information:

Error: unknown connection 'surfshark_ipv6'.
Error: cannot delete unknown connection(s): 'surfshark_ipv6'.
Error: unknown connection 'surfshark_wg'.
Error: cannot delete unknown connection(s): 'surfshark_wg'.
Error: unknown connection 'surfshark_openvpn'.
Error: cannot delete unknown connection(s): 'surfshark_openvpn'.

Should I care?

Last edited by 860lacov (2023-02-06 19:52:35)

Head_on_a_Stick · 2023-01-04 20:40:49

Your filesystem is fine, the errors were just for the package itself.

Remove any and all traces of surfshark, that AUR package extracts a .deb that is absolutely terrible. Whoever packaged that for Debian doesn't have a clue what they're doing.

Here's what lintian(1) says about it:

https://0x0.st/oRYm.txt

Those embedded libraries are particularly worrying for a browser. Do not use it!

loqs · 2023-01-04 20:53:10

Head_on_a_Stick wrote:

Remove any and all traces of surfshark, that AUR package extracts a .deb that is absolutely terrible.

The PKGBUILD's .install is not nice either https://aur.archlinux.org/cgit/aur.git/ … rk-gui-bin
Edit:
Kill some processes, remove some temp files, remove some files that may belong to root, delete some files from users home directories, change the firewall config:

	systemctl disable --global surfsharkd.service || true
	systemctl disable surfsharkd2.service || true

	systemctl stop surfsharkd2.service || true

	/etc/init.d/surfshark stop || true
	/etc/init.d/surfshark2 stop || true

	kill -15 $(pidof surfshark) || :
	kill -15 $(pgrep surfsharkd) || :

	rm -rf /run/surfshark || :
	rm -f /tmp/surfsharkd.sock || :
	rm -f /tmp/surfshark-electron.sock || :
	rm -f $XDG_RUNTIME_DIR/surfsharkd.sock || :
	rm -f $XDG_RUNTIME_DIR/surfshark-electron.sock || :

	rm -f '/usr/bin/surfshark' || :

	# Surfshark post-remove
	nmcli connection delete surfshark_ipv6 || true
	nmcli connection delete surfshark_wg || true
	nmcli connection delete surfshark_openvpn || true

	shopt -s globstar
	if [ "$1" = purge ]; then
	    rm -rf /home/**/.config/Surfshark || true
	fi

	rm -rf /home/**/.cache/Surfshark || true

Last edited by loqs (2023-01-04 20:58:30)

Trilby · 2023-01-04 20:58:07

Calling that "not nice" is quite an understatement. I hadn't even considered problems of that magnitude being introduced by a post_install script. Unfortunately, simply uninstalling the package will not remove those effects, but it will all have to be cleaned up manually (edit: loqs' edits appear to be outlining this process). I wonder if / how such things could be prevented by pacman...

Has someone reported that package for deletion yet? I will now (too) just in case.

Last edited by Trilby (2023-01-04 21:02:43)

loqs · 2023-01-04 21:05:51

I think you could remove the package without the postinstall script with:

pacman -R --noscriptlet surfshark-gui-bin

Trilby · 2023-01-04 21:12:00

That would pevent the post_removal scriptlet, but assuming someone installed the package already (without the --noscriptlet flag) the damage will have already been done. EDIT: ooh, yes, the post_remove is quite ... er, "not nice" too.

Last edited by Trilby (2023-01-04 21:13:24)

860lacov · 2023-01-04 22:19:17

I have some VPN settings in NetworkManager imported from config files.
I just wanted to try the application...

So what can/should I do if I already installed and removed the package without any flag?
Installation with pikaur and uninstall with pacman.

Last edited by 860lacov (2023-01-04 22:20:39)

cfr · 2023-01-05 04:17:48

860lacov wrote:

I have some VPN settings in NetworkManager imported from config files.
I just wanted to try the application...
So what can/should I do if I already installed and removed the package without any flag?
Installation with pikaur and uninstall with pacman.

You'll have to go through the post_install and post_remove instructions and remove stray files etc. There's nothing you can do about the files it has deleted, but unless you had developed a custom configuration for it, that's probably no great loss. There may be stray services in /usr/lib/systemd/ you want to remove, for example. (One under user/ and one under system/.) Since those were created by the script, but not removed by it, they'll still be contaminating your system. You basically have to clean up after it by hand, so just work through the PKGBUILD scriptlets.

860lacov · 2023-01-05 16:50:06

chmod 4755 '/opt/Surfshark/chrome-sandbox' || true

There is no /opt/Surfshark directory
So not a problem here?
------------------------------

mkdir -p /usr/lib/systemd/user || true

My directory user has permissions:

drwxr-xr-x 1 root root

Inside there are a lot of things but not related to surfshark
Is ok?
------------------------------

mkdir -p /usr/lib/systemd/system || true

My directory system permissions:

drwxr-xr-x 1 root root

Looks good I think?
------------------------------

chmod 755 '/opt/Surfshark/resources/dist/resources/surfsharkd.js' || true
chmod 755 '/opt/Surfshark/resources/dist/resources/surfsharkd2.js' || true
chmod 755 '/opt/Surfshark/resources/dist/resources/update' || true
chmod 755 '/opt/Surfshark/resources/dist/resources/diagnostics' || true

Like in the beginning, there is no Surfshark inside /opt
------------------------------

chmod 755 '/etc/init.d/surfshark' || true
chmod 755 '/etc/init.d/surfshark2' || true

Don't have init.d there
------------------------------

rm -rf /run/surfshark || :
rm -f /tmp/surfsharkd.sock || :
rm -f /tmp/surfshark-electron.sock || :
rm -f $XDG_RUNTIME_DIR/surfsharkd.sock || :
rm -f $XDG_RUNTIME_DIR/surfshark-electron.sock || :

No /run/surfshark
No /tmp/surfshark
My $XDG_RUNTIME_DIR is /run/user/1000 and there is nothing surfshark related too.
------------------------------
I don't know what to do with:

nmcli connection delete surfshark_ipv6 || true
nmcli connection delete surfshark_wg || true
nmcli connection delete surfshark_openvpn || true

and this:

iptables -S | grep surfshark_ks | sed -r '/.*comment.*surfshark_ks*/s/-A/iptables -D/e' || true
ip6tables -S | grep surfshark_ks | sed -r '/.*comment.*surfshark_ks*/s/-A/ip6tables -D/e' || true
update-desktop-database -q

So I think that my directories are ok. Am I right?
But I'm not sure what do do with nmcli and iptables.

Last edited by 860lacov (2023-01-05 16:52:38)

cfr · 2023-01-06 02:01:58

860lacov wrote:

I don't know what to do with:

nmcli connection delete surfshark_ipv6 || true
nmcli connection delete surfshark_wg || true
nmcli connection delete surfshark_openvpn || true

Do you actually have nmcli installed? If not, it is irrelevant. Even if you do, it is probably irrelevant. Unless you created configurations with 'surfshark' in their names which had nothing to do with surfshark, it won't matter as you presumably would want to delete anything surfshark related.

860lacov wrote:

iptables -S | grep surfshark_ks | sed -r '/.*comment.*surfshark_ks*/s/-A/iptables -D/e' || true
ip6tables -S | grep surfshark_ks | sed -r '/.*comment.*surfshark_ks*/s/-A/ip6tables -D/e' || true
update-desktop-database -q

I would check that your iptables/ip6tables rules look as expected but this should (hopefully) not have deleted anything unrelated to surfshark. You might not even be using iptables/ip6tables if you're using netfilter instead. If you use some interface for configuring your firewall, you should be able to use that to check instead.

When you reboot, you could run

sudo journalctl -b --no-pager | grep -i surfshark

just to check nothing is showing up. (This isn't a perfect check or anything, but you think you've got everything so it is just an additional measure.)

860lacov · 2023-01-06 14:47:47

cfr wrote:

Do you actually have nmcli installed? If not, it is irrelevant. Even if you do, it is probably irrelevant. Unless you created configurations with 'surfshark' in their names which had nothing to do with surfshark, it won't matter as you presumably would want to delete anything surfshark related.
I would check that your iptables/ip6tables rules look as expected but this should (hopefully) not have deleted anything unrelated to surfshark. You might not even be using iptables/ip6tables if you're using netfilter instead. If you use some interface for configuring your firewall, you should be able to use that to check instead.

I don't use (didn't configure anything by myself) firewall at all.
I have iptables installed.
I tried to learn how to use it, but after many tries it is something that I don't understand and can't find simple enough information how to use it properly.
I did as wiki say.
# iptables -nvL
and the output is:

Chain INPUT (policy ACCEPT 3706 packets, 1313K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 4176 packets, 422K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

cfr wrote:

When you reboot, you could run
sudo journalctl -b --no-pager | grep -i surfshark
just to check nothing is showing up. (This isn't a perfect check or anything, but you think you've got everything so it is just an additional measure.)

I have nmcli installed but I didn't install it. It was a part of networkmanager package if I'm correct.

860lacov · 2023-01-08 09:48:53

I don't understand iptables but it seems that there are only docker related entries.
Could I just uninstsll docker, reset somehow iotables to default Arch values and install docker again?

Head_on_a_Stick · 2023-01-08 14:05:09

860lacov wrote:

reset somehow iotables to default Arch values

The default iptables ruleset for Arch is empty.

$ cat /etc/iptables/iptables.rules  
# Empty iptables rule file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
$ doas iptables-save
$

And you only seem to have docker-related rules anyway so you can probably just leave things as they are.

Note that iptables-save(8) should be used to list the full ruleset. Not sure why the ArchWiki states otherwise.

salvaju29ro · 2023-02-12 08:03:07

There's a new package on the AUR that allows you to install Surfshark GUI, does anyone know if it's safe?

surfshark-client

Head_on_a_Stick · 2023-02-12 09:36:00

I wouldn't use that at all. It still uses the dodgy .deb with embedded libraries and it automatically enables and starts system and user services that run a JS binary blob for which the source is unavailable. It could be doing anything to your user's home directory.

The website for Surfshark makes a big deal about "security" but provides no links to the source code, which is simply ridiculous. Looks like a scam to me.

Arch Linux

#1 2023-01-04 19:46:01

[SOLVED]Did AUR installation mess sth up with file system permissions?

#2 2023-01-04 20:40:49

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#3 2023-01-04 20:53:10

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#4 2023-01-04 20:58:07

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#5 2023-01-04 21:05:51

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#6 2023-01-04 21:12:00

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#7 2023-01-04 22:19:17

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#8 2023-01-05 04:17:48

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#9 2023-01-05 16:50:06

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#10 2023-01-06 02:01:58

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#11 2023-01-06 14:47:47

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#12 2023-01-08 09:48:53

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#13 2023-01-08 14:05:09

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#14 2023-02-12 08:03:07

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

#15 2023-02-12 09:36:00

Re: [SOLVED]Did AUR installation mess sth up with file system permissions?

Board footer