Skype 1.4.0.99 reads /etc/ passwd and firefox profile!
ZaphodB
New member Posts: 3
I'm using Skype 1.4.0.99 in my Ubuntu Gutsy Tribe-4, and I decided to set up an AppArmor profile to isolate skype from the rest of my system (since Skype accesses the network, I would like to protect my system against a potential 0-day remote flaw in Skype, by restricting Skype to access only those files strictly required, like those in the folder ~/.Skype -- so that, in case skype is compromised, only skype files would suffer).
AppArmor is a new subsystem which provides fine-grained mandatory access control for applications in Linux. https://wiki.ubuntu.com/AppArmor

It's easy to set up AppArmor in Ubuntu Gutsy Tribe-4:

sudo apt-get install apparmor apparmor-profiles apparmor-utils

Now, you can use:

- sudo aa-status (to list caged applications)
- sudo aa-genprof [app] (to protect [app]: it creates a profile for [app] given a normal run of [app])
- sudo aa-enforce [app] (uses the resulting profile [app] and starts enforcing it)
- sudo /etc/init.d/apparmor stop (stops apparmor and then...)
- sudo /etc/init.d/apparmor start (...reloads any modified profile)

Now, after doing an aa-genprof skype, I ended up with the profile below after starting skype and doing a skype test call. It means that skype 1.4.0.99 is trying to access ALL these files, for read (r) and read-write (rw). I double checked it by removing lines in this profile. If I remove the line which includes /etc/ passwd, AppArmor will complain that Skype is trying to access those files in the log file /var/log/messages, like

```
...
Aug 25 01:34:02 desknote kernel: [ 9116.625673] audit(1188002042.632:13467): REJECTING r access to /etc/ passwd (skype(8470) profile /usr/bin/skype active /usr/bin/skype)
...
```

and the same for /home/*/.mozilla/firefox and all the other lines. In firefox, even more strangely, Skype enumerates all folders and subfolders inside firefox recursively, like plugins, extension, add-ons like ScrapBook, and tries to open (read) all of them!

Now, my question: Why is Skype for Linux accessing my passwd file and my firefox plugins? Why is it accessing those other files inside /etc, instead of restricting itself only to skype files?

---

PS: I had to add a space between /etc/ and passwd because the forum post submission was crashing if they were together. Be sure to edit the file below and remove the space if you want to use the profile without AppArmor complaining.
---

```
# vim:syntax=apparmor
# Last Modified: Sat Aug 25 00:37:50 2007
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/base>

  /dev/snd/controlC0 rw,
  /dev/snd/pcmC0D0c rw,
  /dev/snd/pcmC0D0p rw,
  /dev/snd/pcmC0D1c rw,
  /dev/snd/timer r,
  /home/*/.Skype rw,
  /home/*/.Skype/** rw,
  /home/*/.config/Trolltech.conf r,
  /home/*/.fontconfig/* r,
  /home/*/.fonts/* r,
  /home/*/.Xauthority r,
  /home/*/.kde/share/config/kioslaverc r,
  /home/*/.ICEauthority r,
  /home/*/.mozilla r,
  /home/*/.mozilla/plugins r,
  /home/*/.mozilla/firefox r,
  /usr/bin/skype mr,
  /usr/share/alsa/** r,
  /usr/share/fonts/** r,
  /usr/share/icons/** r,
  /usr/share/locale-langpack/** r,
  /usr/share/skype/** r,
  /usr/share/X11/XKeysymDB r,
  /var/cache/fontconfig/* r,
  /var/lib/defoma/fontconfig.d/fonts.conf r,
  /tmp/** rw,
  /etc/fonts/** r,
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/gai.conf r,
  /etc/ passwd r,
  /etc/group r,
  /proc/1/cmdline r,
  /proc/interrupts r,
}
```

[UPDATED:] With regard to skype 1.4.0.99 accessing my firefox files:

[the log messages below are in /var/log/messages, after starting skype with apparmor]

1. if my skype profile does not contain /home/*/.mozilla/firefox r, nor /etc/ passwd:

```
Aug 26 16:23:52 desknote kernel: [ 1208.993214] audit(1188141832.101:12): REJECTING r access to /etc/ passwd (skype(6542) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:23:52 desknote kernel: [ 1209.625206] audit(1188141832.733:13): REJECTING r access to /home/zaphodb/.mozilla/firefox (skype(6551) profile /usr/bin/skype active /usr/bin/skype)
```

2. if in my apparmor profile I add /home/*/.mozilla/firefox r and /etc/ passwd:

```
Aug 26 16:27:20 desknote kernel: [ 1417.417407] audit(1188142040.580:15): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default (skype(6748) profile /usr/bin/skype active /usr/bin/skype)
```

3. if in my apparmor profile I add /home/zaphodb/.mozilla/firefox/4h99k4vs.default r,:

```
Aug 26 16:29:22 desknote kernel: [ 1538.898403] audit(1188142162.095:17): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/searchplugins (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.899579] audit(1188142162.095:18): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/bookmarkbackups (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.900681] audit(1188142162.095:19): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/chrome (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.901627] audit(1188142162.099:20): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/gm_scripts (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.902695] audit(1188142162.099:21): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/chatzilla (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.903559] audit(1188142162.099:22): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/extensions (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.904408] audit(1188142162.099:23): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/ScrapBook (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.905227] audit(1188142162.099:24): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/adblockplus (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.906121] audit(1188142162.103:25): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/prefs.js (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
```

and so on... skype wants to see everything in my firefox settings!

The same with mozilla plugins, just remove the line with /home/*/.mozilla/plugins r, in the apparmor profile:

```
Aug 26 16:34:32 desknote kernel: [ 1849.222177] audit(1188142472.505:27): REJECTING r access to /home/zaphodb/.mozilla/plugins (skype(6956) profile /usr/bin/skype active /usr/bin/skype)
```

This post has been edited by ZaphodB: Sun Aug 26 2007, 16:45
Sat Aug 25 2007, 02:08
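
Added example (not part of the original thread, and not AppArmor's own tooling): a small Python parser for the REJECTING lines quoted in the post above, grouping denied paths by parent directory so that a directory walk like the one under the Firefox profile stands out from an isolated lookup such as the passwd read. The sample log lines, host name, user and PIDs are constructed, and the regular expression assumes the message layout shown in the post.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Message layout of the AppArmor kernel lines quoted in the post above.
REJECT_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): "
    r"REJECTING (?P<mode>\S+) access to (?P<path>.+?) "
    r"\((?P<comm>[^()\s]+)\((?P<pid>\d+)\) "
    r"profile (?P<profile>\S+) active (?P<active>\S+)\)\s*$"
)

# Constructed sample lines in that layout (host, user and PIDs are made up).
SAMPLE_LOG = """\
Aug 26 16:23:52 host kernel: [ 1208.99] audit(1188141832.101:12): REJECTING r access to /etc/passwd (skype(6542) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 host kernel: [ 1538.89] audit(1188142162.095:17): REJECTING r access to /home/alice/.mozilla/firefox/abcd1234.default/extensions (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 host kernel: [ 1538.90] audit(1188142162.099:18): REJECTING r access to /home/alice/.mozilla/firefox/abcd1234.default/prefs.js (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:23 host kernel: [ 1539.10] audit(1188142163.001:19): REJECTING rw access to /home/alice/My Notes/todo.txt (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:24 host kernel: [ 1540.00] usb 1-1: new full speed USB device
"""


def parse_denials(text):
    """Return one dict per REJECTING line; unrelated kernel lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            d = m.groupdict()
            d["pid"], d["serial"] = int(d["pid"]), int(d["serial"])
            denials.append(d)
    return denials


def group_by_directory(denials):
    """Map (profile, parent directory) -> {entry name: denied mode}.

    Several names under one parent are the signature of the directory walk
    described in the post; a single name is an isolated lookup.
    Paths containing spaces are handled by the lazy path match above.
    """
    groups = defaultdict(dict)
    for d in denials:
        p = PurePosixPath(d["path"])
        groups[(d["profile"], str(p.parent))][p.name] = d["mode"]
    return {k: dict(sorted(v.items())) for k, v in groups.items()}


if __name__ == "__main__":
    for (profile, parent), names in group_by_directory(parse_denials(SAMPLE_LOG)).items():
        print(f"{profile}: {parent}/ -> {names}")
```
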

RealBorg
Regular member Posts: 24
I just did an strace on Skype and can confirm your findings.
In fact I have recently been thinking about the "Bundestrojaner" German minister Schäuble is planning to use and found that Skype would be the perfect place to hide it:
- it is installed on a majority of systems
- it is protected against decompilation / debuggers
- it bypasses almost any firewall
- it uses encryption for network traffic
- it may send lots of data even when not making a call
- it might have already been deployed by the NSA
- eBay has a history of cooperating with federal agencies

But of course you would not care about big brother reading your hard drive unless you are a terrorist...

Tom
Sat Aug 25 2007, 12:28

leo115usa
New member Posts: 2
Why don't you guys grow up? there is no big brother. You sound like hippies stuck in the seventies.
Sat Aug 25 2007, 12:39

kumqing
New member Posts: 3
I can confirm the same behavior in skype 1.4.0.94. Skype is trying to read /etc/ passwd as well.
```
strace -v -i -s 9999 /usr/local/bin/skype 2> skype.log
...
[0053e7a2] open("/etc/ passwd", O_RDONLY) = 12
[0053e7a2] fcntl64(12, F_GETFD) = 0
[0053e7a2] fcntl64(12, F_SETFD, FD_CLOEXEC) = 0
[0053e7a2] fstat64(12, {st_dev=makedev(3, 2), st_ino=132772, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=1403, st_atime=2007/08/09-23:01:33, st_mtime=2007/07/17-13:17:21, st_ctime=2007/07/17-13:17:21}) = 0
[0053e7a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7341000
[0053e7a2] read(12, "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1: ..... all your content of passwd ...
```

Heh skype guys, how about an official explanation. I would say the content of etc-passwd is none of your concern...

@leo115usa: you don't know what you're talking about, maybe you will know when you are grown up...
Sat Aug 25 2007, 14:35

ajsoft
Regular member Posts: 19
> Why don't you guys grow up? there is no big brother.

The poster asked a very reasonable question, so try to show a bit of respect rather than dissing anything anyone says with no facts to back up your statement.

The fact is that on modern linux systems /etc/ passwd will not have a password (unencrypted *or* encrypted) present. But the reason as to why Skype thinks it necessary to read anything from there is a good question since it has no need for a list of user names on the current system simply running as the user and they can get that name from other more conventional means.
Sat Aug 25 2007, 15:06

anotherskypeuser
New member Posts: 1
"Why don't you guys grow up? there is no big brother. You sound like hippies stuck in the seventies".
No dear ajsoft, the user did not ask a reasonable question. The user is offensive and childish in his form of communication. One can only wonder why you would defend this form of derogatory insinuation about the persons behind clearly technical issues, with facts, right here on this page to back it up.

And strangely at the end you actually come around to back up the questions asked by others - Why does Skype feel the need to read the stuff that is not needed for running Skype nor any of their g.d. business???

What is in these folders it reads is irrelevant. The program only does what it is programmed to do. So why was Skype programmed to look in other folders and monitor activity on the user machine?

I do believe there is a bigbrother-twin at large here. And it wouldn't surprise me if this has nothing to do with National Security nor the NSA. But simply a private enterprise datamining without user approval to learn about usage patterns to use them commercially. Not that it makes it any better. But there seems to be a great difference in "National Moral" and "Commercial Moral". Everyone's a patriot when it comes to terrorism, but anything goes in business.

So - I would like to second the motion for an explanation from Skype!
Sun Aug 26 2007, 10:22

ajsoft
Regular member Posts: 19
> No dear ajsoft, the user did not ask a reasonable question. The user is offensive and childish in his form of communication.

Depends what user you think I'm referring to, doesn't it. I refer to the originator of the thread asking a reasonable question, and I was suggesting that Mr "Why don't you grow up" (which is why I actually quoted his message in the first place) show more respect and provide a technical basis for "there is no big brother".

Since you seem to agree with all of us (apart from Mr "why don't you grow up" of course ;-)) that is my only conclusion
Sun Aug 26 2007, 10:33

klaus_dieter
New member Posts: 2
If they don't explain that, I'm finished with skype, that's the last straw.
Sun Aug 26 2007, 12:29

Fenix-TX
Advanced Member Posts: 39
> klaus_dieter @ Sun Aug 26 2007, 12:29:
> If they don't explain that, I'm finished with skype, that's the last straw.

Me too
Sun Aug 26 2007, 13:57

nanabananna
Advanced Member Posts: 31
I was a bit curious and tried strace on a few internet/network programs.
It seems programs like skype, gaim, and perhaps other chat software all look in /etc/ passwd while programs like firefox do not look in /etc/ passwd. So I'd guess that something makes it needed for the messenger programs to look in the passwd file, but I am also curious about the technical reasons why. If anyone knows I'd like to know too.
Sun Aug 26 2007, 14:04

klaus_dieter
New member Posts: 2
> nanabananna @ Sun Aug 26 2007, 14:04:
> ... it seems programs like skype, gaim, and perhaps other chat software all look in /etc/ passwd while programs like firefox do not look in /etc/ passwd. ...

That's interesting, it's a bit assuring to know that it's not solely skype which does that. It's just that skype has so many strange things going on - you get suspicious easily. An official answer would be nice, though. With an in-depth explanation, not just "yeah it needs that"
Sun Aug 26 2007, 14:57

warpdesign
New member Posts: 1
It's funny, the very same thing has been discovered in the Windows version a while ago:
"Skype reads your BIOS"
see: http://www.theinquirer.net/default.aspx?article=37489

I wonder what more is needed for people to think stop using it...

This post has been edited by warpdesign: Sun Aug 26 2007, 17:09
Sun Aug 26 2007, 17:08

Martin80
Regular member Posts: 15
I'm waiting for some good answers too. This thread even got slashdotted by now.
And why can't the forum software deal with /etc/ passwd written together?
Sun Aug 26 2007, 17:12

Meltir
New member Posts: 1
[paranoia being edited]
Well, slashdot gave a handful of legit reasons why this file could be read. Still no ideas on what's with the firefox profiles. Either way, I'm waiting for an announcement.

PS. The forum software may block /etc/ passwd, or it could be done via the webserver itself, as a security measure; it's quite common to kill anything that has a path to /etc/ in the post/get.

This post has been edited by Meltir: Sun Aug 26 2007, 17:26
Sun Aug 26 2007, 17:20

tsuehpsyde
New member Posts: 1
Uhm, run strace on ls -l and you'll see that even checks /etc/ passwd. Clearly ls is spyware as well!
Or, perhaps, the programs are looking for your home directory, or converting a UID to a username. *gasp*

And unless you are running a very, very old installation of Linux, your passwords aren't located in /etc/ passwd anyway, they're in /etc/ shadow. There's a reason everyone local to a machine can read /etc/ passwd
Sun Aug 26 2007, 17:53

opn.src.rocks
Regular member Posts: 5
Yes!! I agree with tsuehpsyde, run strace on almost anything under /usr/bin, gnome-terminal or gedit or ls or even pidgin, it will look through passwd file among other things. I do not think that it was the intention of Skype developers to read and sneak on your passwd make up. If you have a solaris or aix box with you, do the same on similar programs and they too will read through passwd file.
-GGR
Sun Aug 26 2007, 19:19

Rock Strongo
New member Posts: 1
As already stated, the fact that /etc/ passwd is read via open("/etc/ passwd", O_RDONLY) doesn't mean anything. This could be part of a routine to fetch the login name etc. (which is quite a common task in Unix software).
Sun Aug 26 2007, 20:17

dicky1982
New member Posts: 1
> Rock Strongo @ Sun Aug 26 2007, 20:17:
> As already stated, the fact that /etc/ passwd is read via open("/etc/ passwd", O_RDONLY) doesn't mean anything. This could be part of a routine to fetch the login name etc. (which is quite a common task in Unix software).

yes that's true, `ls -ls` does it too. That means that skype is fine. Oh wait, skype reads my firefox-profile...

...but `find ~ -exec cat {} \;` reads my whole homedir, so if find is not evil skype isn't also evil?
Sun Aug 26 2007, 20:43

herbhunter
New member Posts: 1
Wow - I was about to install skype on my Feisty machine till I read this. I used to like using skype, but if this kind of crap is going to make Ubuntu less secure, I'll go back to carrier pigeons.
Sun Aug 26 2007, 20:53

MaGaO
New member Posts: 1
> dicky1982 @ Sun Aug 26 2007, 20:43:
> yes that's true, `ls -ls` does it too. That means that skype is fine. Oh wait, skype reads my firefox-profile...
> ...but `find ~ -exec cat {} \;` reads my whole homedir, so if find is not evil skype isn't also evil?

Well, find does that because you specifically ordered it to while ls does it implicitly (in order to convert uid's to user names). What is Skype's reason to access your Firefox profile? I can only think of one legit reason: to check whether Firefox has the Skype extension installed. If that's the reason, then all this brouhaha has been for nothing. But, then again, the only way to really know is to check whether Skype stops searching the Firefox profile after having found the Skype extension. And no, I'm not currently in position to do that check right now (perhaps in a few days).
Sun Aug 26 2007, 21:52