Full Version: skype 1.4.0.99 reads /etc/passwd and firefox profiles
exskypeuser
hello,
I was sent this notice at noon today and think it belongs here too. maybe someone here has already looked into it. in any case I would like to know whether the problem still exists in the 2.0beta. for me it was a reason not to install skype on freshly set-up machines any more (until it is fixed).


- QUOTE -

I'm using Skype 1.4.0.99 in my Ubuntu Gutsy Tribe-4, and I decided to set up an AppArmor profile to isolate skype from the rest of my system (since Skype accesses the network, I would like to protect my system against a potential 0-day remote flaw in Skype, by restricting Skype to access only those files strictly required, like those in the folder ~/.Skype -- so that, in case skype is compromised, only skype files would suffer).

AppArmor is a new subsystem which provides fine-grained mandatory access control for applications in Linux. https://wiki.ubuntu.com/AppArmor

It's easy to set up AppArmor in Ubuntu Gutsy Tribe-4:
sudo apt-get install apparmor apparmor-profiles apparmor-utils

now, you can use
sudo aa-status (to list caged applications)
sudo aa-genprof [app] (to protect [app]: it creates a profile for [app] given a normal run of [app])
sudo aa-enforce [app] (uses the resulting profile [app] and starts enforcing it)
sudo /etc/init.d/apparmor stop (stops apparmor and then...)
sudo /etc/init.d/apparmor start (...reloads any modified profile)

now, after doing an aa-genprof skype, I ended up with the profile below after starting skype and doing a skype test call. It means that skype 1.4.0.99 is trying to access ALL these files, for read (r) and read-write (rw). I double checked it by removing lines in this profile. If I remove the line which includes /etc/ passwd, AppArmor will complain that Skype is trying to access those files in the log file /var/log/messages, like


CODE

...
Aug 25 01:34:02 desknote kernel: [ 9116.625673] audit(1188002042.632:13467): REJECTING r access to /etc/ passwd (skype(8470) profile /usr/bin/skype active /usr/bin/skype)
...




and the same for /home/*/.mozilla/firefox and all the other lines. In firefox, even more strangely, Skype enumerates all folders and subfolders inside firefox recursively, like plugins, extension, add-ons like ScrapBook, and tries to open (read) all of them!


Now, my question: Why is Skype for Linux accessing my passwd file and my firefox plugins? Why is it accessing those other files inside /etc, instead of restricting itself only to skype files?

---
PS: I had to add a space between /etc/ and passwd because the forum post submission was crashing if they were together. Be sure to edit the file below and remove the space if you want to use the profile without AppArmor complaining.



---

CODE

# vim:syntax=apparmor
# Last Modified: Sat Aug 25 00:37:50 2007
#include <tunables/global>

/usr/bin/skype {
#include <abstractions/base>

/dev/snd/controlC0 rw,
/dev/snd/pcmC0D0c rw,
/dev/snd/pcmC0D0p rw,
/dev/snd/pcmC0D1c rw,
/dev/snd/timer r,
/home/*/.Skype rw,
/home/*/.Skype/** rw,
/home/*/.config/Trolltech.conf r,
/home/*/.fontconfig/* r,
/home/*/.fonts/* r,
/home/*/.Xauthority r,
/home/*/.kde/share/config/kioslaverc r,
/home/*/.ICEauthority r,
/home/*/.mozilla r,
/home/*/.mozilla/plugins r,
/home/*/.mozilla/firefox r,
/usr/bin/skype mr,
/usr/share/alsa/** r,
/usr/share/fonts/** r,
/usr/share/icons/** r,
/usr/share/locale-langpack/** r,
/usr/share/skype/** r,
/usr/share/X11/XKeysymDB r,
/var/cache/fontconfig/* r,
/var/lib/defoma/fontconfig.d/fonts.conf r,
/tmp/** rw,
/etc/fonts/** r,
/etc/resolv.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/ passwd r,
/etc/group r,
/proc/1/cmdline r,
/proc/interrupts r,
}







With regard to skype 1.4.0.99 accessing my firefox files:
[the log messages below are in /var/log/messages, after starting skype with apparmor]

1. if my skype profile does not contain /home/*/.mozilla/firefox r, nor /etc/ passwd:

Aug 26 16:23:52 desknote kernel: [ 1208.993214] audit(1188141832.101:12): REJECTING r access to /etc/ passwd (skype(6542) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:23:52 desknote kernel: [ 1209.625206] audit(1188141832.733:13): REJECTING r access to /home/zaphodb/.mozilla/firefox (skype(6551) profile /usr/bin/skype active /usr/bin/skype)

2. if in my apparmor profile I add /home/*/.mozilla/firefox r and /etc/ passwd:

Aug 26 16:27:20 desknote kernel: [ 1417.417407] audit(1188142040.580:15): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default (skype(6748) profile /usr/bin/skype active /usr/bin/skype)

3. if in my apparmor profile I add /home/zaphodb/.mozilla/firefox/4h99k4vs.default r,:

Aug 26 16:29:22 desknote kernel: [ 1538.898403] audit(1188142162.095:17): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/searchplugins (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.899579] audit(1188142162.095:18): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/bookmarkbackups (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.900681] audit(1188142162.095:19): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/chrome (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.901627] audit(1188142162.099:20): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/gm_scripts (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.902695] audit(1188142162.099:21): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/chatzilla (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.903559] audit(1188142162.099:22): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/extensions (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.904408] audit(1188142162.099:23): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/ScrapBook (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.905227] audit(1188142162.099:24): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/adblockplus (skype(6851) profile /usr/bin/skype active /usr/bin/skype)
Aug 26 16:29:22 desknote kernel: [ 1538.906121] audit(1188142162.103:25): REJECTING r access to /home/zaphodb/.mozilla/firefox/4h99k4vs.default/prefs.js (skype(6851) profile /usr/bin/skype active /usr/bin/skype)

and so on...
skype wants to see everything in my firefox settings!

The same with mozilla plugins, just remove the line with /home/*/.mozilla/plugins r, in the apparmor profile:

Aug 26 16:34:32 desknote kernel: [ 1849.222177] audit(1188142472.505:27): REJECTING r access to /home/zaphodb/.mozilla/plugins (skype(6956) profile /usr/bin/skype active /usr/bin/skype)


thanks for your interest
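
The denial-by-denial comparison against the profile that the post above does by hand can be scripted. The following is an added example, not part of the original post and not AppArmor's own tooling: it parses only the legacy `REJECTING ... access to ...` line format quoted in the post (current AppArmor releases log denials in a different format), and the sample lines, host name, user names and the "expected" prefix are constructed assumptions.

```python
import re
from collections import defaultdict

# Legacy (2007-era) AppArmor denial line, in the format quoted in the post.
DENIAL = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): REJECTING (?P<perm>\S+) "
    r"access to (?P<path>.+?) \((?P<comm>[^()\s]+)\((?P<pid>\d+)\) "
    r"profile (?P<profile>\S+) active \S+\)"
)
HOME = re.compile(r"^/home/[^/]+/")

def parse_denials(lines):
    """Yield one dict per REJECTING line; unrelated log lines are skipped."""
    for line in lines:
        m = DENIAL.search(line)
        if m:
            yield m.groupdict()

def summarize(lines, expected_prefixes):
    """Group denied paths by (profile, permission), split by expectation.

    Paths are generalised to the /home/*/ form used in the profile, so the
    result can be compared rule by rule with the profile's own lines.
    """
    report = defaultdict(lambda: {"expected": set(), "unexpected": set()})
    for d in parse_denials(lines):
        path = HOME.sub("/home/*/", d["path"])
        ok = path.startswith(tuple(expected_prefixes))
        report[(d["profile"], d["perm"])]["expected" if ok else "unexpected"].add(path)
    return {k: {b: sorted(p) for b, p in v.items()} for k, v in report.items()}

# Constructed sample lines (host, users, PIDs and timestamps are made up).
_FMT = ("Aug 26 16:00:0{n} host kernel: [ 100.00000{n}] audit(1188140400.10{n}:{n}): "
        "REJECTING {perm} access to {path} (skype(4242) "
        "profile /usr/bin/skype active /usr/bin/skype)")
SAMPLE = [
    _FMT.format(n=1, perm="r", path="/etc/passwd"),
    _FMT.format(n=2, perm="r", path="/home/alice/.mozilla/firefox/x.default/prefs.js"),
    _FMT.format(n=3, perm="r", path="/home/bob/.mozilla/firefox/x.default/prefs.js"),
    _FMT.format(n=4, perm="rw", path="/home/alice/.Skype/shared.xml"),
    "Aug 26 16:00:05 host kernel: [ 100.000005] eth0: link up",
]

if __name__ == "__main__":
    for (profile, perm), paths in summarize(SAMPLE, ["/home/*/.Skype/"]).items():
        for p in paths["unexpected"]:
            print(f"{profile}: unexpected {perm} access to {p}")
```
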
Claudius
Whoa. You've dug up a veeery old topic there.

In short: Skype 2.0 will also access these directories, because Qt's standard functions for determining the profile access these files. So it is rather a point to take up with Trolltech.

More on this in the English forum: http://forum.skype.com/index.php?showtopic...1&hl=passwd
exskypeuser
hey, so this has already been a topic and it didn't help......
thanks for the info regarding 2.0

folks, you have convinced me + x. the only non-free software
has been removed. it will not be installed on any further machine
of ours either.

maybe something really is fishy there .....