Suspicious behaviour: Script requesting root password on login to X11 on Ubuntu with Dropbox installed

 

Dropbox Executing Suspicious Root Script in /tmp

After a recent system update, I began seeing a sudo prompt at login asking for permission to run a mysterious shell script from /tmp. The prompt looked like this:



[Screenshot: the sudo prompt shown at login]

It referred to a temporary file, /tmp/tmp8peqse64, which no longer existed by the time I checked. I managed to capture the content of a similar script later:

#!/bin/bash
chown -h -R 1000 "/home/john/Dropbox"
chmod -R u+rwX "/home/john/Dropbox"

This script forcibly resets ownership and permissions on the Dropbox folder. It executes with root privileges and deletes itself after running — a classic signature of a transient payload.

Journal Evidence

I captured journal output showing the script was run immediately after Dropbox launched:



[Image: journal output]

Community Reports

Searching online, I found other users reporting the same issue. For example, this Ask Ubuntu thread describes Dropbox creating a sudo prompt at login to fix sync issues by chmodding the Dropbox folder.

Conclusion

While this behaviour appears to be Dropbox's internal "repair" mechanism, it is deeply flawed. It:

  • Creates and runs a temporary root shell script
  • Self-deletes to hide its presence
  • Modifies folder ownership and permissions recursively

This is dangerous behaviour for any background service — even more so for one that syncs sensitive files to the cloud.

Recommendations

  • Manually fix Dropbox folder permissions:
    sudo chown -R $USER:$USER ~/Dropbox
    chmod -R u+rwX ~/Dropbox
  • Consider reinstalling Dropbox to remove custom or damaged launchers
  • Log and inspect all /tmp scripts created at login
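Before approving the prompt or running a blanket sudo chown, it helps to see exactly which entries the captured script would alter. The following is an added example, not code from Dropbox or from the original capture: the function names are hypothetical, and it assumes the folder is ~/Dropbox and that a few odd entries are what the repair targets. The audit changes nothing; the fix touches only entries the user already owns, so it needs no root.

```bash
#!/usr/bin/env bash
# Added example (not Dropbox's code). Function names are hypothetical.

# Read-only audit: list (ls -ld format) every entry under DIR that
# "chown -h -R UID" or "chmod -R u+rwX" from the captured script would alter:
#   - owner differs from UID, or
#   - u+rw is missing, or
#   - u+x is missing on a directory or on a file that is already
#     executable for group or others (the meaning of capital X).
dropbox_perm_audit() {
    local dir="${1:-$HOME/Dropbox}"   # folder location is an assumption
    local uid="${2:-$(id -u)}"        # the captured script hard-codes 1000
    find "$dir" \( \
            ! -user "$uid" \
            -o ! -perm -0600 \
            -o \( \( -type d -o -perm -0010 -o -perm -0001 \) ! -perm -0100 \) \
        \) -exec ls -ld {} +
}

# Unprivileged fix: apply the same chmod only to entries UID already owns.
# Entries with a different owner are listed and left alone; they are the
# only ones that would actually need root.
dropbox_perm_fix_owned() {
    local dir="${1:-$HOME/Dropbox}"
    local uid="${2:-$(id -u)}"
    find "$dir" -user "$uid" ! -type l \( \
            ! -perm -0600 \
            -o \( \( -type d -o -perm -0010 -o -perm -0001 \) ! -perm -0100 \) \
        \) -exec chmod u+rwX {} \;
    find "$dir" ! -user "$uid" -exec ls -ld {} +
}
```

If the audit prints nothing, the folder already matches what the script enforces and the root prompt has nothing legitimate to repair.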

Until Dropbox corrects this design flaw, be cautious with any unexpected root prompts — even if they look routine.
