
Stories From An IT Security Professional

Zeitgeist Daemon on Xubuntu does not respect your privacy

I toyed around with my Xubuntu and found the strangely named process “Zeitgeist”. What’s this?

“zeitgeist-daemon is a daemon which keeps track of activities on your system (file usage, browser history, calendar events, etc.) and logs them into a central database. It does not only create a chronologic register, but also supports tagging and can establish relationships between activities.”

All this information is provided by external applications which communicate with zeitgeist-daemon over D-Bus. Interested programs can connect with it and request information, insert new items or modify existing information (delete items, add tags, bookmark items and so on).

http://manpages.ubuntu.com/manpages/karmic/man1/zeitgeist-daemon.1.html

Uhm – say what?

It’s probably used for the Ubuntu search thingy, which does not exist in Xubuntu. Let’s take a quick look:

dobin@unreal:~$ ps auxww | grep -i zeitgeist
dobin 20163 0.0 0.0 592172 6352 ? Sl 2013 0:02 zeitgeist-datahub
dobin 20171 0.0 0.0 274500 4148 ? Sl 2013 0:00 /usr/bin/zeitgeist-daemon

dobin@unreal:~$ lsof -p 20163 | grep '/home/dobin' | awk '{print $9;}'
/home/dobin
/home/dobin/.local/share/mime/mime.cache
/home/dobin/.local/share/zeitgeist/activity.sqlite-shm
/home/dobin/.local/share/zeitgeist/activity.sqlite
/home/dobin/.local/share/zeitgeist/activity.sqlite-wal
/home/dobin/.local/share/zeitgeist/activity.sqlite-shm

dobin@unreal:~/.local/share/zeitgeist$ sqlite3 activity.sqlite
sqlite> .dump
INSERT INTO "uri" VALUES(586,'file:///home/dobin/Downloads/DexGuard%20Tutorial.rar');
[...]
INSERT INTO "text" VALUES(150,'BHUSA09-McDonald-WindowsHeap-PAPER.pdf');
INSERT INTO "text" VALUES(429,'BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf');
[...]
INSERT INTO "uri" VALUES(129,'file:///home/dobin/Workspace/SentinelFirefoxPlugin');
INSERT INTO "uri" VALUES(136,'file:///home/dobin/Workspace/SentinelFirefoxPlugin/1.png');
[...]

Seems to be a goldmine for the next forensic investigation!
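To see how much of your own activity ended up in this database, here is a small audit script, added as an example and not part of the original post. It opens the database read-only and counts the recorded local paths per top-level directory; the function names are hypothetical, and the "uri" table is assumed to have the two columns (id, value) seen in the dump above.

```python
import os
import sqlite3
from collections import Counter
from pathlib import Path
from urllib.parse import unquote, urlparse

# Location taken from the lsof output in the post.
DEFAULT_DB = os.path.expanduser("~/.local/share/zeitgeist/activity.sqlite")


def recorded_paths(db_path):
    """Return the decoded local file paths stored in the "uri" table."""
    # mode=ro opens the database read-only, so the audit cannot alter the log.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        # Read columns by position (id, value), as they appear in the .dump
        # output, so that no column names have to be assumed.
        rows = con.execute('SELECT * FROM "uri"').fetchall()
    finally:
        con.close()
    paths = []
    for row in rows:
        parsed = urlparse(row[1])
        if parsed.scheme == "file":  # skip http:// and other non-file entries
            paths.append(unquote(parsed.path))
    return paths


def summarize(paths, home):
    """Count recorded paths per top-level entry below the home directory."""
    counts = Counter()
    for path in paths:
        rel = os.path.relpath(path, home)
        if rel == ".." or rel.startswith(".." + os.sep):
            counts["(outside home)"] += 1
        else:
            counts[rel.split(os.sep)[0]] += 1
    return counts


if __name__ == "__main__":
    if os.path.exists(DEFAULT_DB):
        found = recorded_paths(DEFAULT_DB)
        print(len(found), "local file paths recorded")
        home = os.path.expanduser("~")
        for name, n in summarize(found, home).most_common():
            print(f"{n:6d}  {name}")
    else:
        print("no Zeitgeist database at", DEFAULT_DB)
```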

Where does it come from?

dobin@unreal:~$ pstree
[...]
├─lightdm─┬─Xorg
│ ├─lightdm─┬─init─┬─Thunar───2*[{Thunar}]
[...]
│ │ │ ├─zeitgeist-daemo───{zeitgeist-daemo}
│ │ │ ├─zeitgeist-datah───10*[{zeitgeist-datah}]
│ │ │ └─zeitgeist-fts─┬─cat
│ │ │ └─{zeitgeist-fts}

Seems to be started from lightdm.

To disable it, open /etc/xdg/autostart/zeitgeist-datahub.desktop and set “NoDisplay=false”, which makes the entry show up in the autostart list. Then disable it with “Session and Startup” in Ubuntu Settings.
