Suspicious behaviour: Script requesting root password on login to X11 on Ubuntu with Dropbox installed
Dropbox Executing Suspicious Root Script in /tmp
After a recent system update, I began seeing a sudo prompt at login asking for permission to run a mysterious shell script from /tmp
. The prompt looked like this:
Screenshot from 2025-07-23 06-05-39.png
It referred to a temporary file, /tmp/tmp8peqse64
, which no longer existed by the time I checked. I managed to capture the content of a similar script later:
#!/bin/bash
chown -h -R 1000 "/home/john/Dropbox"
chmod -R u+rwX "/home/john/Dropbox"
This script forcibly resets ownership and permissions on the Dropbox folder. It executes with root privileges and deletes itself after running — a classic signature of a transient payload.
Journal Evidence
I captured journal output showing the script was run immediately after Dropbox launched:
IMG_3B4C8212-2B88-40BC-9C19-4E0E569DB0E1.jpeg
Community Reports
Searching online, I found other users reporting the same issue. For example, this Ask Ubuntu thread describes Dropbox creating a sudo prompt at login to fix sync issues by chmodding the Dropbox folder.
Conclusion
While this behaviour appears to be Dropbox's internal "repair" mechanism, it is deeply flawed. It:
- Creates and runs a temporary root shell script
- Self-deletes to hide its presence
- Modifies folder ownership and permissions recursively
This is dangerous behaviour for any background service — even more so for one that syncs sensitive files to the cloud.
Recommendations
- Manually fix Dropbox folder permissions:
sudo chown -R $USER:$USER ~/Dropbox chmod -R u+rwX ~/Dropbox
- Consider reinstalling Dropbox to remove custom or damaged launchers
- Log and inspect all
/tmp
scripts created at login
Until Dropbox corrects this design flaw, be cautious with any unexpected root prompts — even if they look routine.