which .deb to install jitsi?

Ralf Mardorf silver.bullet at zoho.com
Sun Jun 26 13:22:50 UTC 2016


On Sun, 26 Jun 2016 06:10:47 -0500, Christopher wrote:
>WARNING!!!
>
>JITSI creates a user on the Linux system that it is installed to. The
>user shown by /etc/passwd that it creates does not have a shell of
>/bin/false or /bin/nologin. The shell for the user is /bin/bash or
>/bin/sh, leaving a backdoor to the system it was installed upon. Not
>only that, the software hijacks the web browser by adding content to
>it that remains even once a user has removed the extensions/add-ons
>associated with it once JITSI itself has been removed by the package
>manager for all corresponding deb packages. That is not all. There's
>more than that.

That software adds an entry to /etc/passwd with a shell is nothing
unusual.

If you e.g. run

  getent passwd | grep sh

You most likely will see things as

  debian-spamd:x:111:123::/var/lib/spamassassin:/bin/sh

If you run

  awk -F'[/:]' '{if ($3 >= 1000 && $3 != 65534) print $1}' /etc/passwd

you most likely will see the "real" users, excepted "root".

That even purging a package doesn't remove all the content, e.g. if a
command installs content to a user's home, is not per se an indication
for something bad, it's an expected behaviour.

What does "That is not all" mean? Please elaborate this "information".

On Sun, 26 Jun 2016 09:44:42 +0000 (UTC), thufir wrote:
>I can't get rid of this broken package:
>
>thufir at mordor:~$ sudo apt-get -f install

Sure, "--fix-broken", aka "-f" shouldn't remove packages, it
should install missing packages.

Please don't break the thread and in addition change the subject to
continue your original request.

>but get the same result with:
>sudo apt-get --force-yes remove jitsi-meet-tokens

"--force-yes" gains you nothing, on the contrary, it just doesn't care
about user interaction.

Please, post the output of the commands you run, don't claim something
fishy as "get the same result".

Either run

  $ sudo apt-get remove jitsi-meet-tokens

or

 $ sudo apt-get purge jitsi-meet-tokens

and post the output you get. By all means this must remove the package
or at least mention that that package can't be removed, because it's a
dependency of another package. If the package gets removed, then not
necessarily all the content of the package gets removed, too. It is a
third party package and .e.g. might run a script that downloads and
installs things alongside the package management.

As the last resort, simply restore your install from the backup that
was recommended:

On Fri, 24 Jun 2016 20:27:19 +0200, Ralf Mardorf wrote:
>_Don't install it!_ If you insist in installing it without knowledge
>and vague information provided by upstream, consider to backup you
>install first.

However, if I understand correctly you first need to install a "jitsi"
package and not a "jitsi-foo-bar" package.

As already pointed out try

  sudo dpkg -i --force-depends /path/jitsi*deb
  sudo apt-get update && sudo  apt-get install --fix-broken

And do not break the thread again, do not change the subject again,
assumed you should expect useful help.

Btw. consider to send a request to a jitsi mailing list:

https://jitsi.org/Development/MailingLists

The experts are on those lists, not on this list.

Regards,
Ralf








More information about the ubuntu-users mailing list