At-spi2 and package bloat

It is frustrating to me that this accessibility stuff (along with lots of other bloatware) is required to use MATE. I am not in need of a screen-reader, so why must I install and run accessibility software to begin with?

When I look into the conf file on a fresh 19.04 install in: /usr/share/defaults/at-spi2/accessibility.conf I see lines like:

<policy context="default">
  <allow user="root"/>
  <allow send_destination="*" eavesdrop="true"/>
  <allow eavesdrop="true"/>
  <allow own="*"/>
</policy>

Not sure what all that is telling me, but it sounds totally legit... what could possibly go wrong? Well, they do call it "SPI", so I guess they got the name right.

Does anyone know a good way in a post systemd world to stop this nonsense from running? Ideally, the file manager and the desktop environment should not be package dependent on what should be an optional piece of accessibility software. I could say the same for lib-goa* (I don't need or want a GNOME account any more than I want a Facebook or a Google account or an STI, so why do I need this gnome account library installed AT ALL?) and that geo-location spyware stuff that calls home every two seconds? Why is that installed by default, AT ALL? I was at least able to remove it with a minimum of fuss (and watch the network traffic plummet).

And why on earth does the systemd default setting call out over the network EVERY 32 SECONDS to set the current time? Yeah, I fixed it-- but it should have had a sane default to begin with.


So I tried removing it by editing the desktop file, copying it to ~/.config/autostart, and even removing the /etc/xdg/autostart/ desktop file entirely. No love. Still starts.

Then I tried this (removing execute permission):

No love, the system becomes unresponsive while systemd keeps trying to start this thing that won't start up. Spams the log file too.

There was a variable at one time that paid lip service to shutting this thing down: NO_AT_BRIDGE=1.
Yeah... nada. Still starts.

I have grepped for the executable name across the entire disk and moved every instance of anything that appears to call this. It still starts it, or tries to. Removing the package, removes lots of other things that should not depend on it in the first place... sigh.

Next I go through every file in the spi2 package to see if I can figure out how to stop systemd from ever trying to start this.

Far more effort than should be required to remove something unneeded and unwanted by 80% + of the userbase.

So, the process is started before you login (by the greeter as well). Placing:

export NO_AT_BRIDGE=1

in /etc/environment seems to tame the beast and get it to not start up.

There is an important distinction to make. Ubuntu will include things that Canonical developers think should be included.

The desktop environment MATE on the other hand is developed by MATE developers and is much cleaner. AFAIK the desktop MATE has none of the dependencies you mention and can be installed on most distros.

I have MATE on MX Linux that boots with sysvinit and the closest thing to MATE dependency bloat I have come across is a dependency on a samba package.

It's nice because it reminds me of the good old Ubuntu days "Linux for human beings" and all that. It reminds me of why I use Linux instead of Windows. I control what software is installed and which processes are running.

So I updated to 19.10 today. Even with this entry still present, SPI2 is more than happy to run and do its spying. I am going to have to shop for a new distro and maybe a new desktop environment.

On my non-Ubuntu MATE system (Manjaro, KDE), I just noticed this is installed too, so it's not specific to Ubuntu.

Turns out it's a GTK3 dependency, so it can't be easily removed without breaking GTK applications or removing those applications as well as they provide accessibility support.

at-spi2-core → at-spi2-atk → gtk3

More about what it is here:

In theory, you could stop the process(es) from running (consuming less than 12 MiB of RAM) by removing the executable bit from them:

sudo chmod -x /usr/lib/at-spi2-core/at-spi2-registryd
sudo chmod -x /usr/lib/at-spi2-core/at-spi-bus-launcher 

:warning: But this is a bad idea - as my test in a VM resulted in a black screen on next reboot!

These are provided in the at-spi2-core package, but removing that would uninstall caja (file manager) and Ubuntu MATE's meta packages. (Might be OK if you use an alternate file manager)

Removing libatspi2.0-0 is a bad idea too as it would remove GTK3.
If this process is doing malicious things, please share your findings. Part of accessibility support is to be able to read input and know what's focused. :mag:

I guess an analogy - AT-SPI is a plug socket and screen readers are the plug :electric_plug: There for those who need it... but there's an attempt to rip the socket out the wall. :boom:

Many other distros and desktops are based on GTK3 (Cinnamon, GNOME, XFCE, LXDE). Qt is the only alternate toolkit (KDE being a Qt desktop), but like GTK, KDE has its own accessibility service too (kaccess).


Yep, I want to rip the "socket" out of the wall-- it is like having a wall socket in a swimming pool. It is extremely poor design. There is no technical or sane reason to require a poorly documented, ill-configured, and ill programmed spyware daemon to run in the background-- just to run a widget toolkit (gtk3). Accessibility in GNOME 2 days worked just fine without making it a mandatory shovel-ware requirement.

As for an exploit-- the whole thing is an exploit factory, just look at the configuration file. All you have to do is disguise your exploit as an "accessibility applet" and you are good to go. There is no technical reason for the spi framework to run by default (or even be installed) unless selected at installation time. Running it is basically running a pluggable spyware kit.

Try this though: Start a popular password program like KeePassX in ubuntu MATE. It starts right up. Close it. Remove/disable the spi daemon from ubuntu-mate, and then restart it. Now it takes 20+ seconds to start up. It hangs there displaying nothing-- while it tries to connect to "accessibility" spi-ware daemon. Eventually it times out and gives up. The fact that a password manager is configured to talk to spi by DEFAULT-- without me explicitly telling it to, is a major security violation. The fact that I cannot shut this off without recompiling the app from source is insanity. What, you don't want all your passwords "accessible" as a big juicy target? No, not really.

It is obvious to me that the gtk3 policy makers (basically GNOME3 ) aren't happy with competition to GNOME-- like MATE. They are now hiding behind politically correct nonsense like "accessibility" to require you to use the entire pile of GNOME3 bloat, or to abandon gtk3.

Fine by me-- I have begun the process of removing gtk apps from my system.
My solution (at least temporarily) is to use lxQT, which doesn't have this nonsense (and no kaccess running). I may go back to StumpWM and extend it to have the desktop environment features I desire. We will see. But I am done with anything gtk at this point.


I understand. As far as exploiting, the same could be said for any part of your system as soon as (and if) the root account is compromised.

The accessibility service is no more of a security risk than say, Xorg, the display manager:


I don't think it is a fair comparison. We need a display server either in the form of X.org or in the form of Wayland and moving all the vulnerabilities to the Wayland compositors. We need that if we want a graphical desktop. We don't need mandatory accessibility running for 80 % of the population. So I think there is a difference between GTK2 and GTK3 bloat.


I compared AT-SPI to X11 since they are both forms of input. X11 especially as it's not sandboxed, and could read the contents of another window. It was my thoughts on this:

I was hinting that a malicious X11 program could be just as likely as a dodgy program that plugs into the accessibility service. Then again, I don't know the technical internals, except that AT-SPI runs on D-Bus.

I do agree that you should be able to remove the service if you don't need it, but it looks so tightly integrated into GTK3 that it would have side effects if yanked out. I sure hope GTK4's design is more modular in the future. :crossed_fingers:

I completely agree with @eleven11. My primary issue with it is that when it's running it induces some kind of eye strain. Unable to pinpoint what the root cause is.
export NO_AT_BRIDGE=1 also does not solve the problem.
The best solution I could find was to remove /usr/share/dbus-1/services/org.a11y.*

Of course they would come back when the package is upgraded. On arch you can block them by adding NoExtract = usr/share/dbus-1/services/org.a11y.* in /etc/pacman.conf as mentioned in https://bbs.archlinux.org/viewtopic.php?id=189975. There may be equivalents in other distros.

Hope this helps.
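Added here as an audit script for the suppression steps in this reply (removing the org.a11y service files, the pacman NoExtract rule) and in the earlier post that exports NO_AT_BRIDGE=1 from /etc/environment; it is not code from the thread or from the at-spi2 project. Every path is a parameter defaulting to the location the thread names, and the function names are my own.

```shell
#!/bin/sh
# Report whether each at-spi2 suppression step from the thread is actually in
# place, so a change can be verified instead of assumed (several posters found
# the daemon still running after one of these steps).

# Print the org.a11y D-Bus activation files still present in a services dir;
# empty output means nothing can be D-Bus-activated from there.
a11y_service_files() {
    dir="${1:-/usr/share/dbus-1/services}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/org.a11y.*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Exit 0 if pacman.conf (or the given file) carries the NoExtract rule for the
# org.a11y service files, so a package upgrade will not restore them.
pacman_blocks_a11y() {
    conf="${1:-/etc/pacman.conf}"
    [ -f "$conf" ] || return 1
    grep -Eq '^[[:space:]]*NoExtract[[:space:]]*=.*usr/share/dbus-1/services/org\.a11y\.\*' "$conf"
}

# Exit 0 if /etc/environment (or the given file) sets NO_AT_BRIDGE=1.
environment_sets_no_at_bridge() {
    env_file="${1:-/etc/environment}"
    [ -f "$env_file" ] || return 1
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?NO_AT_BRIDGE=1[[:space:]]*$' "$env_file"
}

# Count running at-spi2 daemons (0 when fully suppressed); assumes procps ps.
atspi_process_count() {
    ps -eo comm= 2>/dev/null | grep -Ec '^(at-spi-bus-launcher|at-spi2-registryd)$'
    return 0
}

# Human-readable summary against the real system paths.
atspi_status() {
    printf 'NO_AT_BRIDGE in /etc/environment: %s\n' "$(environment_sets_no_at_bridge && echo yes || echo no)"
    printf 'pacman NoExtract rule present:    %s\n' "$(pacman_blocks_a11y && echo yes || echo no)"
    printf 'org.a11y service files remaining:\n'
    a11y_service_files | sed 's/^/  /'
    printf 'running at-spi2 daemons:          %s\n' "$(atspi_process_count)"
}
```

Source the file and run `atspi_status`; a non-zero daemon count with the other checks passing means the process is being started by something other than D-Bus activation (for example the greeter, as noted above).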