Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Linux

Skype Linux Reads Password and Firefox Profile 335

mrcgran writes "Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."
This discussion has been archived. No new comments can be posted.

Skype Linux Reads Password and Firefox Profile

Comments Filter:
  • by strredwolf ( 532 ) on Sunday August 26, 2007 @10:42AM (#20362385) Homepage Journal
    This is why you should have shadow passwords, so that your encrypted password isn't stored in /etc/passwd.
    • by Bazman ( 4849 ) on Sunday August 26, 2007 @11:17AM (#20362675) Journal
      True, but if your list of usernames leaks out it saves remote attackers having to try non-existent usernames in a dictionary attack...

      Corollary: dont use passwords vulnerable to dictionary attacks...

  • Why.. (Score:5, Insightful)

    by mikkelm ( 1000451 ) on Sunday August 26, 2007 @10:42AM (#20362389)
    .. only closed source applications? I don't think most people read the entire sources of open source applications that they use.
    • Re:Why.. (Score:5, Insightful)

      by lilomar ( 1072448 ) <lilomar2525@gmail.com> on Sunday August 26, 2007 @10:47AM (#20362435) Homepage
      Not everyone has to, just one person.

      When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code, so I know that there aren't any glaring security flaws.

      Imagine this had been an Open Source product for a minute... instead of an article just saying that it read /etc/ files, it would have said this part of the code reads the files, this is why it is nessasary, or here is a patch to stop it from doing this.
      • Re:Why.. (Score:5, Interesting)

        by mikkelm ( 1000451 ) on Sunday August 26, 2007 @11:05AM (#20362569)
        Well, obviously it also only took one person to discover the same in a closed source application.

        Of course it would be easier to see the hows and whys in an open source application, but once you know, you know, and that's really at the core of the matter.
        • Re: (Score:3, Interesting)

          by Tribbin ( 565963 )
          So you really think that if the code was open source from the start this would not have been addressed earlier?

          BTW, it makes me wonder what we don't know about Skype for Windows where you do not have as many tools for monitoring file-access and stuff.
      • Re:Why.. (Score:5, Interesting)

        by optimus2861 ( 760680 ) on Sunday August 26, 2007 @11:06AM (#20362581)

        Imagine this had been an Open Source product for a minute... instead of an article just saying that it read /etc/ files, it would have said this part of the code reads the files, this is why it is necessary, or here is a patch to stop it from doing this.

        Interesting you should say that - did you read the linked thread on the Skype forum? Here's a later post (emphasis added):

        i was a bit curious and tried strace on a few internet/network programs. it seems programs like skype, gaim, and perhaps other chat software all look in /etc/ passwd
        Pidgin nee Gaim is GPL. A quick search on one of its mailing lists shows no useful hits for /etc/passwd. A later comment on this thread shows that something as innocuous as an ls command will trigger reads of /etc/passwd. Sounds like this is being overblown.
        • Re:Why.. (Score:5, Informative)

          by perlchild ( 582235 ) on Sunday August 26, 2007 @12:20PM (#20363205)
          Seems like people don't understand unix at all, when they post to security lists...
          Just checking your own identity in unix requires a call to getpwnam, getpwent or their equivalent, which means that a function call in glibc has to read the password file. Practically every unix program does that... It reads in the whole file in memory and looks for you, unless you're using the db source, yp, nis+ or an external module: nss_ldap, nss_mysql, nss_pgsql. It's doing that to find YOU out... That's normal, system-wide behaviour, and not sinister at all(that's also why there's a nscd daemon to cache those results, to prevent your machine from grinding to a halt if you have 200k+ entries in that file.

          Now unless the legacy api gets redesigned to NOT do a line by line scan, anyone using strace/ltrace/dtrace/tusc needs to filter out these internal "housekeeping" calls, which are perfectly normal, needing to find out if _you_ can open up your own log file...

          The /etc/passwd /etc/group files are public files precisely because they are referred to in this manner. That's why shadow passwords are so necessary.
        • Re:Why.. (Score:5, Informative)

          by jimicus ( 737525 ) on Sunday August 26, 2007 @12:33PM (#20363311)
          Of course an ls command can trigger a read of /etc/passwd. ls -l shows owners as username rather than numeric UID - where do you think it gets that information from?

          This is why a shadow password file was invented in the first place.
      • Flawed logic (Score:5, Interesting)

        by Sycraft-fu ( 314770 ) on Sunday August 26, 2007 @11:20AM (#20362695)
        First you assume that the person(s) that read it would catch anything evil in it. It's not like the evil code is necessairily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it. With good obfuscation it wouldn't be hard to make something that people would have to play with a debugger just to figure out what is going on, and as such miss it on anything less than a really intense code audit.

        Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone. The people who read the code have to be honest for this to work.

        Third you assume that anyone other than the developer even bothers to look at the code. Not always a valid assumption, just because the code if you there doesn't mean anyone gives a shit. Maybe it is too complicated, maybe they just don't care, regardless the code being open is no guarantee that someone looked.

        Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries. That the checksums differed wouldn't be of any note, since it could just be that different compile options were used, or even a different compiler (for example using ICC since it generates more efficient binary code). As such no source audit would ever turn up the problems.

        Finally, even if you compile your own, you assume that nothing else is in on it. I'll refer you to the classic Ken Thompson story http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]. Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.

        Really, what it comes down to is open source may give you a warm, fuzzy feeling but it isn't actually proof everything is on the level. Really, you have to test what the software actually does when it is run. You can't say "Well the source is open so it can't do anything evil," because you just don't know that. It's far more useful to analyze how the program acts on a system, than to look over the code.

        After all, if looking at the code revealed everything, OSS would never have any bugs. You'd look at the code, see all the bugs, they'd all get fixed. Yet it does, nasty ones. My favourite is the BIND flaw discovered back around 2000 that was in essentially every version of BIND ever. Despite the fact that many people had looked at the code, nobody had ever noticed this. There was no ill intent, no conspiracy, it just wasn't something people saw.

        As such the same could be done for something evil. Hide it well enough in the code, and nobody will notice it.
        • Re:Flawed logic (Score:5, Insightful)

          by DaleGlass ( 1068434 ) on Sunday August 26, 2007 @11:52AM (#20362943) Homepage

          First you assume that the person(s) that read it would catch anything evil in it. It's not like the evil code is necessairily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it. With good obfuscation it wouldn't be hard to make something that people would have to play with a debugger just to figure out what is going on, and as such miss it on anything less than a really intense code audit.

          This sort of "evil" is very transparent. You can code a hidden buffer overflow/exploit/backdoor in such a way that it's not obvious (= instead of == for example, caught in the Linux kernel once). But how do you hide an access to say, /proc/interrupts? You need to spell out the filename, and there's got to be an open or fopen for it somewhere. Any attempt to encode the filename is going to be weird and suspicious. Plus, file parsing would be quite a bit than a single line of code, so it's hard not to notice something is being read, stored, etc.

          Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone. The people who read the code have to be honest for this to work.

          Uh huh. Such a thing would be an outright admission of evildoing. Depending on what is being done it might be enough for a lawsuit, and definitely enough for mass publication all over the web to ruin the developer's name. Slashdot had a story on some Mac developer who claimed there was an anti-piracy check that'd delete the user's documents folder. Just the claim (which the developer says wasn't real and intended to scare people off) resulted in such outrage he's probably unemployable for years now.

          No, anybody with any brains would deny any wrongdoing and claim a hacked server, or pretend that no mail is arriving at all.

          Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries. That the checksums differed wouldn't be of any note, since it could just be that different compile options were used, or even a different compiler (for example using ICC since it generates more efficient binary code). As such no source audit would ever turn up the problems.

          But 99% of Linux software is delivered by the distribution, with the package maintainer often being completely unrelated to the developer. While it's not impossible for something weird to be going on, those distribution maintainers do things like patching the source and dealing with its bugs. You can bet that eg, the Debian maintainer of Firefox looked at the source.

          Finally, even if you compile your own, you assume that nothing else is in on it. I'll refer you to the classic Ken Thompson story http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]. Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.

          That's a tricky one, but you can use a different compiler. Compile gcc with icc for instance. For OSS I think this approach is unlikely due to the frequence with which somebody decides "let's rewrite this part". It's easy to make a compiler that hiddenly changes some well known part of the source, but it's much harder to deal with a complete reorganization of it. To keep it up would need updates

        • Re:Flawed logic (Score:4, Interesting)

          by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday August 26, 2007 @12:56PM (#20363507) Journal

          It's not like the evil code is necessairily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it.

          The more obfuscated it is, the more likely it is that the open source community would just rewrite that chunk of code for being too difficult to understand.

          The challenge is not only to make it impossible to see what the code is doing, but to make it possible to think you know what the code is doing, and still miss what it's really doing. And at the end of the day, it has to spell out /etc/passwd in the code somewhere, or it has to have code that generates it, and it would take a LOT of work to write code which generates '/etc/passwd' while also never spelling it and looks innocent.

          (Ditto for any other way you'd do this. There are standard library functions to access passwd, and those would be just as hard to hide.)

          Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone.

          You only need one whistleblower developer to end that charade. And that one whistleblower would bring in hundreds or thousands of developers who'd never bothered to look at the code, who would read it and say "Yep. Looks evil."

          Compare that to proprietary software -- it takes someone actively trying to reverse-engineer the software in some way; here, running it in a restricted environment. Even once you have someone doing that, it can be a lot less trivial than "just look at the source" for someone else to verify it.

          Third you assume that anyone other than the developer even bothers to look at the code. Not always a valid assumption, just because the code if you there doesn't mean anyone gives a shit. Maybe it is too complicated, maybe they just don't care, regardless the code being open is no guarantee that someone looked.

          Well, this is Skype we're talking about. It's popular enough that someone would have looked.

          Also, consider the person making such "evil" software -- would they really be ballsy enough to assume no one would read the source? True, there could be some open projects with "evil" code in them that nobody's bothered to read, but anyone doing that is taking the chance that someone, somewhere, would read it and discover what they're doing.

          And then there's the question of what happens when they discover it. Like right now, no one has a clue why Skype would be reading passwd. We assume it's evil, but we don't really know. Were it open source, we could just go read the code, and instantly see if there's a legitimate reason. If there wasn't, we could patch the "evil" bits out and keep using Skype as if nothing happened.

          Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries.

          As the sibling post says, in general, most distros compile from source. So if you trust Ubuntu, say, you don't have to trust a hypothetically open source Skype in this respect -- the Ubuntu people would have compiled it from source themselves, and cryptographically signed the binaries.

          Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.

          That kind of rules out it being Skype's fault, then, for

      • by nwbvt ( 768631 )

        First of all, it is rare that only one person reads the source for any commercial software product. Code reviews are standard in most organizations, and even if not, there are many developers at work maintaining that code.

        Second, with open source apps, you really don't know that. It is perfectly possible for someone to submit a bad patch and no one bothers to really look at it in depth (at least not as in depth as you would need to catch a well disguised security breach). A lot of people use software

    • [Why...] only closed source applications? I don't think most people read the entire sources of open source applications that they use.

      And not everyone will use a tool to check what their closed source application is actually doing either. When using popular open source software there's a good chance that someone has already scanned the entire source and therefore a good chance that mischief would have been uncovered.

      With closed source the chance that someone will uncover mischief, which they can only

    • Re: (Score:3, Informative)

      by Ajehals ( 947354 )
      Not to take away from your message - because you have a point, I think in the context of the summary it would be because you *can* find out what is happening if you realise something strange is going on and if you have the source. If you don't have the source, you may be able to figure out what is going on, and to a certain degree why, but you wont be clear until the company tells you what its doing (and you trust them). In the end it comes down to trust though (as with most things). I only use software
    • Re: (Score:3, Insightful)

      by DaleGlass ( 1068434 )
      Because for something as well known as Skype, somebody would be bound to read it at some point if it was open.

      For example, I work on the Second Life source, and I and other people read quite big chunks of it. You can bet that the moment somebody noticed something fishy there'd be blog entries about it all over the web, and dozens of people looking at that and other parts of the source. And it'd have happened much earlier than if it was found by chance by some admin stracing or checking the logs.

      In fact pret
    • Re:Why.. (Score:5, Informative)

      This is somewhat silly anyway. The Firefox plugins, OK, I don't know why they'd read that, maybe they're checking for a Skype plugin, but who cares? As for /etc/passwd, it's not /etc/shadow. Not only that, but they don't even have to write code that reads /etc/passwd. Try changing the "passwd: compat" line in /etc/nsswitch.conf to "passwd: nis" or something like that, chances are your read of /etc/passwd will go away. It's probably just doing something like getting your real name. Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf.

      • Re: (Score:3, Informative)

        Or most likely, getting the user's home directory so it knows where to find $HOME/.Skype to get the user's configuration settings. Virtually any program will do this, via the getpwnam function, section 3 of the Linux man page.
        • by jgrahn ( 181062 )

          Or most likely, getting the user's home directory so it knows where to find $HOME/.Skype to get the user's configuration settings. Virtually any program will do this, via the getpwnam function, section 3 of the Linux man page.

          It's probably better to simply getenv("HOME") to find $HOME. It's already in your process; why bother asking a file (or possibly a remote database)?

          But yes, there are other mundane and valid reasons for reading /etc/passwd.

      • "Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf."

        Because it's not at all possible if they're being sneaky enough to read files they really shouldn't be reading in the first place, they wouldn't ever dare encrypt it before they sent it back to a central server. Oh no, that'd be faaar too clever.

        Possible rational reasons for stupidity and violation of trust don't cut it when it comes to privacy. "Oh, the governm
        • This is more like, "Oh, the government can get look op your name from your social security number. Don't worry, that's one of the reasons the social security number exists. Well, no, I can't say that the government hasn't used that information to also find my address and dispatch a highly trained team of assassins to brutally slay me, my family, everyone with a drop of my blood in their veins, and everyone I've ever loved or has loved me."

      • There are in reality many very reasonable reasons why a program might read your passwd file. There are in fact innumerable standard unix function calls that do just that (this has already been pointed out). Now, if I could be bothered looking at the strace its very easy to tell if its doing this via a libc/glibc function call or whether its implementing such a call internally. Even if its internal it could be because they've statically linked in a library that does getpw* calls - who knows.

        However, the poin
      • Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf.

        Well, the private information going out over the wire is kind of encrypted...

        But think about the big picture. Aren't the guys making Skype the same guys that put the malware in Kazaa? It's the opposite of crying wolf -- when you say "I'm innocent!" for long enough when it's not true, no one will believe you're innocent even when you are.

        People wonder why we don't tru

    • by cduffy ( 652 )
      Most people don't need to. One person needs to. That's a much lower bar.

      Additionally (and perhaps more importantly) -- in the case of OSS, the individual programmer is putting their public reputation on the line. In the case of proprietary software, the credit and blame generally goes to a faceless corporation.
    • Because if an open-source app did it then there would be a big media storm followed by a fork if the change isn't rescinded.
  • /etc/password (Score:5, Insightful)

    by Colin Smith ( 2679 ) on Sunday August 26, 2007 @10:44AM (#20362405)
    Is a public file, as are virtually all the others in /etc.

    What's it doing? Well, what libraries is it linked with? Perhaps it's converting your UID into a name among other things.

     
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      No kidding. If you go over the list of files it reads, it seems pretty clear it's just a normal running GUI program, nothing evil.

      The only thing that stands out is when it checks the Mozilla profile, but I'll bet that it's doing that to make sure that the "skype:" URL handler is enabled and adding it if it isn't.

      In other words, this is a complete non-story.
    • Re:/etc/password (Score:4, Informative)

      by JosefAssad ( 1138611 ) on Sunday August 26, 2007 @11:07AM (#20362593) Homepage
      That, and this [skype.com]
  • I am not suprised (Score:5, Interesting)

    by figleaf ( 672550 ) on Sunday August 26, 2007 @10:46AM (#20362423) Homepage
    We already knows that Skype records a lot of other information including your BIOS : http://www.pagetable.com/?p=27 [pagetable.com]
  • What a load of FUD (Score:5, Insightful)

    by arivanov ( 12034 ) on Sunday August 26, 2007 @10:50AM (#20362459) Homepage
    Dunno about AppArmour, but there is no way in hell to distinguish between legitimate getpwnam, getpwuid, etc calls and reading the whole passwd file on a linux system using strace.

    Example:

    strace on ls -laF immediately gives

    open("/etc/passwd", O_RDONLY) = 4

    Followed by quite a few reads out of it. So by the logic of the poster ls -laF is a horrible application doing horrible things to your system.

    Unless you have read the source or single-stepped trhough the app with a debugger, examined the data and found that it does something nefarious like sending skype the whole of your /etc/passwd you should not claim that it does something illegitimate.

    • by 11223 ( 201561 ) on Sunday August 26, 2007 @10:55AM (#20362507)
      Oh my God! ls -laF is looking at my .mozilla directory! In fact, it's looking at every file in my home directory! GNU binutils is teh spywarez! ... what do you mean, it's supposed to do that?
    • Re: (Score:3, Insightful)

      by DaleGlass ( 1068434 )
      Heh, but ls has a perfectly legitimate reason for it: Looking up account names. You can see that plain 'ls' doesn't open it, because the short format doesn't show usernames (now if it did in this case that'd be interesting as well). And if you still think it's suspicious you can get the source and look at it.

      Now what exactly does skype need to know my or anybody else's account name for? I've got no clue, but I'd be very interested to find out.
      • by DavidTC ( 10147 ) <slas45dxsvadiv D ... neverbox DOT com> on Sunday August 26, 2007 @11:20AM (#20362689) Homepage

        Um, because it wanted to refer to you as using real name, which is the entire damn point of having the field in /etc/passwd? Or even your username?

        Without looking in /etc/passwd all it would know is your UID.

        Or perhaps it's not even the thing doing it, perhaps it's using a shell script to see if the skype: handler is registered in Skype, and that script does 'ls -l' to check file sizes.

        What I'd be interested in figuring out is exactly the fuck confidential information people think is hanging out in /etc/password? We all know that there are actually no passwords in that file, right?

        And everyone know that programs access it all the time, right? Which is why it's deliberately world-readable?

        Seriously, this entire article was made by someone who knows how to use strace but hasn't bothered running it on other programs, and has no idea what /etc/passwd is for.

        • Re: (Score:2, Troll)

          by DaleGlass ( 1068434 )

          Um, because it wanted to refer to you as using real name, which is the entire damn point of having the field in /etc/passwd? Or even your username?

          Why would it need to? Skype has its own accounts, if it wants to refer to me by name it can use whatever I entered in my account info.

          Or perhaps it's not even the thing doing it, perhaps it's using a shell script to see if the skype: handler is registered in Skype, and that script does 'ls -l' to check file sizes.

          That'd be a stupid way of doing it, and I think Ap

          • "Why would it need to? Skype has its own accounts, if it wants to refer to me by name it can use whatever I entered in my account info."

            So that it can fill in sensible defaults in the 'register account' dialog. Having sensible defaults is good usability.
            • So that it can fill in sensible defaults in the 'register account' dialog. Having sensible defaults is good usability.


              But it doesn't do that. I just made a new user account, ran skype, and starting creating a new skype account. Skype leaves the full name field blank.
          • by Junta ( 36770 )
            On the /etc/passwd thing, first off, I don't see what they could get from that in 99% of systems. As has been noted *many* times before, no password or hash of a password is stored there most times. You mention 'real' names, which *possibly* in there, but the *vast* majority of desktop linux installs I see don't have anything accurate for the users full name. Any attempt to correlate that data, for whatever bizarre reason, wouldn't get them very far. Almost certainly all the worrisome /etc calls are mad
      • by arivanov ( 12034 )
        It has no other legtimate means of getting your GECOS. As a result, I would expect it to do a /etc/passwd read via the getpw family of calls during initial registration. Doing it later on is not strictly necessary, but not very "nefarious" either.
    • by mpeg4codec ( 581587 ) on Sunday August 26, 2007 @11:21AM (#20362701) Homepage

      Dunno about AppArmour, but there is no way in hell to distinguish between legitimate getpwnam, getpwuid, etc calls and reading the whole passwd file on a linux system using strace.

      Example:

      strace on ls -laF immediately gives

      open("/etc/passwd", O_RDONLY) = 4

      Try ltrace, which is similar to strace but lists library calls [man section 3] instead of system calls [section 2]. Running your same example with ltrace, one will see:
      getpwuid(1000, 0xbfaa1073, 0xbfaa0d08, 1000, 0x805c088) = 0xb7f8c9b8
      where 1000 is my uid and the rest of the params are pointers to memory locations.

      So yes, it's possible to distinguish, just not using strace. Proper tool for the job and all that.

      Of course all this would be moot if we had access to the source, which is the underlying issue being debated here.
      • Well, I just tried to ltrace it, it's interesting.

        Lots of output, but no getpw or open in it, and before starting skype says "Binary file corrupted. Please reinstall skype". So can't get very far with ltrace.

        Either ltrace screws something up, or skype intentionally makes it not work.
        • by makomk ( 752139 )
          Skype has some rather paranoid anti-debugging measures; it sounds like ltrace is tripping one of them. I'm surprised strace is allowed; presumably the Skype developers either didn't know how to block it or didn't care.
        • Skype probably using some timing measures to prevent the user from attaching a debugger, and ltrace may alter the timing enough so that Skype believes this is the case. If you're outputting the ltrace debugging to the terminal, that could very well be the case, because terminal output is pretty slow. Maybe outputting it using the -o flag would make it work. I don't use Skype, otherwise I'd try myself.
    • by mysidia ( 191772 ) on Sunday August 26, 2007 @12:58PM (#20363517)

      This article looks like guerilla advertising for SuSE/AppArmor, a Novell product.

      It's a fine example of why people who don't understand the C Library and Linux/BSD/POSIX SDK and how to disassemble the application should not be relying much on AppArmor to tell them what's good and evil.

      The trouble is the library does it, not the application, and a few reads of some files can't tell you the application's intent, or show whether the information is being encrypted and sent out to the software maker or not.

      This reminds me of folks that spend day and night reading firewall logs and mailing out hundreds of complaints to networks if a host so much as pinged them or tried to make a port 25 connection.

      Sure, they could be a spammer or hacker, but just because you set alarms -- a connection attempt doesn't say that anything evil is being attempted. I'd be far more concerned if someone said Skype read something from /etc/shadow, then the very next thing it did was to make a port 80 connection to Skype's servers and send a HTTP POST submission with lots of binary jibberish.

      Any program that needs to do so much as lookup the user's shell, home directory, username attribute, or real name needs to examine /etc/passwd.

      Most non-trivial applications need the user's home directory to load their user preference files. Some internal shell script of Skype may even need the user and group names, in order to establish appropriate file permissions.

      Sure, there are environment variables that popular distributions' shells use; however for an application like Skype to be portable, it may not be able to rely on a particular environment variable like 'HOME' being set -- it may be safest just to getpwuid() the user and lookup their home directory that way.

      In any case, the SOFTWARE DEVELOPER would have the option of using getpwuid() instead of getenv("HOME"). It's the developers' choice.

      Applications can accomplish things in fairly boneheaded ways sometimes, but that doesn't indicate anything malicious or evil.

  • hard to avoid (Score:2, Informative)

    by m2943 ( 1140797 )
    Many of those files are perfectly legitimate for any application to read.

    In any case, you don't need AppArmor to find what files something opens, just use strace.
  • virtually *any* linux distribution uses shadowed passwords s oour encryted password is kept in a separate file. Anyone "rolling their own" should have the forsight to do the same.
  • First: The reason why most applications want to access the /etc/passwd file is to get your home directory. man getpwent for how this works.

    Second: Any modern Linux system will use a shadow password file, its been years since I've seen a system use a regular password file.

  • I can't speak to the Firefox profile access, but if an application wants to look at the GECOS field to find your real user name, the only way to do that on a non-NIS (or other network authentication scheme) system is to look at /etc/passwd. This is also why shadow passwords should always be used, because /etc/passwd can't be locked down.

    Paranoia without understanding how UNIX works is inappropriate.
    • Re: (Score:2, Interesting)

      by jguthrie ( 57467 )
      I seem to be able to confirm this. When I run skype, it does not read /etc/password, I expect because my user information is distributed using LDAP. Therefore, it instead connects to nscd.
  • by harlows_monkeys ( 106428 ) on Sunday August 26, 2007 @11:03AM (#20362559) Homepage
    It's quite common for programs to read /etc/passwd. For example, use strace on "ls -l", and you'll see it reading /etc/passwd.

    It is via /etc/passwd that you convert a UID to a user name.

  • by Anonymous Coward on Sunday August 26, 2007 @11:08AM (#20362601)
    In the research I did for my doctoral thesis, I found the shocking secret that getty and login and even init both read /etc/password and other files in /etc. My research has not yet found a valid reason for this. I am left feeling that Linux itself is spyware. My proposed solution is to only mount filesystems when a user is not logged in.
  • 1989 called... (Score:4, Interesting)

    by itsdapead ( 734413 ) on Sunday August 26, 2007 @11:12AM (#20362639)

    They want their critical Unix vulnerability back.

    Darn - all I have to do is cat /etc/passwd from a regular account... let's see... gee, the sysadmin on this machine is a dumbass - what sort of root password is "x"?

    OMG its on Mac OS as well - the root password here is '*' - well, at least they've used a non-alphabetic character.

    What's that you say Mr Sock... /etc/passwd is a public file and no security-conscious distro has actually stored passwords in there since the encryption was cracked (at least for dictionary words) sometime in the 80s?

    Wake me up if Skype actually emails a readable copy of /etc/passwd to the black hats - even then, it shouldn't be enough to compromise a system (although a list of usernames might be handy).

  • Yeah, it's not quite kosher that the program reads this stuff, but what's more important is tracking what goes from the program back to Skype headquarters. Has anyone tried reading the traffic from it while not connected to a voice call, etc.? Want to get mad about something? Then at least ensure there's a valid and serious reason to do so.
  • what does it do with the data it reads?
  • The list (Score:5, Informative)

    by DaleGlass ( 1068434 ) on Sunday August 26, 2007 @11:25AM (#20362721) Homepage
    Here's the list, reordered somewhat to group related things together.

    /dev/snd/controlC0 rw, /dev/snd/pcmC0D0c rw, /dev/snd/pcmC0D0p rw, /dev/snd/pcmC0D1c rw, /dev/snd/timer r, /usr/share/alsa/** r,
    ALSA sound devices. Perfectly normal given that skype uses sounds

    /home/*/.Skype rw, /home/*/.Skype/** rw, /usr/bin/skype mr, /usr/share/skype/** r,
    Skype's own files, ok

    /home/*/.config/Trolltech.conf r, /home/*/.fontconfig/* r, /home/*/.fonts/* r, /usr/share/fonts/** r, /usr/share/icons/** r, /usr/share/locale-langpack/**r, /usr/share/X11/XKeysymDB r, /var/cache/fontconfig/* r, /var/lib/defoma/fontconfig.d/fonts.conf r, /etc/fonts/** r,
    Seems harmless. Font stuff, icons, locales.

    /home/*/.Xauthority r, /home/*/.ICEauthority r,
    Needed to talk to the X server. X authorization info. Seems ok.

    /home/*/.kde/share/config/kioslaverc r,
    KDE integration? Probably not sensitive

    /home/*/.mozilla r, /home/*/.mozilla/plugins r, /home/*/.mozilla/firefox r,
    No clue what it's looking for there.

    /tmp/** rw,
    Temp directory, harmless

    /etc/resolv.conf r, /etc/hosts r, /etc/nsswitch.conf r, /etc/gai.conf r,
    DNS stuff, it needs to connect to servers after all

    /etc/passwd r, /etc/group r,
    Maybe harmless. No passwords here, only lists of usernames and home directories. And RL names, if specified. As other people suggested, may be just being used to find something like the home directory. Might be used to gather stats on number of users on the system, names, etc. Probably not a huge deal unless RL names are specified, but still interesting.

    /proc/1/cmdline r,
    Command line for init. On my system contains only the runlevel. Not sure what's interesting to look at here, but it is quite unusual.

    /proc/interrupts r,
    Interrupt statistics. This would allow determining the number of CPUs, hardware present (from listed module names), activity levels of various devices. Potential for gathering hardware statistics. Not sure what would a legitimate use for this be.

    • Skype is a realtime app (in both a2d and d2a directions). Interrupt statistics, CPU loads etc are vital for the app to decide what quality of encoding/decoding it can afford to do.

      Regarding /etc/{passwd,group} others have pointed out this is probably for the GECOS info of the current user. Should be easy to check using a debugger - just need to recompile the C library.

      To me, the oddest part is the wholesale reading of mozilla and firefox profiles.
      • Skype is a realtime app (in both a2d and d2a directions). Interrupt statistics, CPU loads etc are vital for the app to decide what quality of encoding/decoding it can afford to do.

        Why isn't it looking in /proc/cpuinfo then? /proc/interrupts doesn't contain any indication of how many interrupts can be serviced, nor the time it takes to service one, or the load caused by the interrupt, so it seems quite pointless performance-wise.

        Best harmless use that comes to mind: Skype knows that device X and device Y cre

    • Skype has some pay features that come with interesting provisions. For example, you can buy a SkypeIn phone number cheaply for personal use. If you're a business, you pay a different rate for a number that you can use, say, from multiple sites (for example, for follow-the-sun customer service). Temp directory and hardware information are two things that are very rarely the same...
  • Otherwise Skype ist dead for me. The outage was bad enough. There are many alternatives. Ekiga rulz for example.
  • Please (Score:5, Informative)

    by joto ( 134244 ) on Sunday August 26, 2007 @12:00PM (#20363037)

    Please, before you submit (or accept) an article about security to (or on) slashdot, make sure you understand rudimentary unix programming. There is no way any non-trivial unix program is going to NOT read /etc/passwd. /etc/passwd needs to be read for almost any trivial thing to be accomplished, such as finding out your home-directory so that .skype can be read, or for displaying ownership of files in a file-dialog.

    Now, as to why skype needs to read firefox configuration files, I have no idea. I haven't used skype, so I don't know what it does. But most likely this is done, because some users asked for a certain "integration" feature, whether it's bookmarks or plugins, or whatever...

  • The firefox profile is a little weird, but programs read /etc/passwd all the time to get the running user ID and groups. If you are not using shadow passwords, you should be, and all normal Unix distros are. Want to know a secret? If you use LDAP, it will query LDAP to find out your UID and GID also. It's normal. /etc/shadow is a different story. Root is the only one that can read that file, and if you are running skype as root, you're foolish.

    I'd suggest that anyone with concern about skype on linux si
  • There is an official Skype Firefox extension. IIRC it recognises phone numbers in web pages and makes them into links so that you can call them more easily. Skype is probably looking for it's extension.
  • Any application may read /etc/passwd and other files there. In fact Skype may just read it to find its own UID/GID and doing it in this way is prefectly acceptable. There are two things that every halfway secure Unix system does to secure /etc/passwd 1) shadow-passwords, i.e. that actual encrypted passwards are in /etc/shadwo, which is not readable except for root and 2) salting, which makes dictionary attacks against encrypted passwords much, much harder.

    Symmary: Nothing to see here, except some people tha
  • I stopped using Skype just a short time ago, mainly because of eBay's attitude toward AMD64 support:
    http://forum.skype.com/index.php?showtopic=93068 [skype.com]

    Since then I have found that there are already standards based open source replacements for Skype, mainly SIP and Ekiga. In contrast to Skype they got video conferencing and you can get a public telephone number for free.

    Also I started to think about what would be needed for the german "Bundestrojaner" and compare it to Skype:
    - it is installed on a majority of s
  • This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files.

    It shows how important it is to secure your system, whether Linux, Windows, or any other, against trusting any app too much with resources not created by, or explicitly granted to, the trusted app.

    It also shows that it's too hard to trust closed source apps on any platform, even when closed source is the default status.

    It also shows that AppArmor can protect you from u

  • This is like a blast of deja vu...in the early 1990's the ISP Prodigy was accused of stealing information from their users, based on bits of personal information that some users found in their cache files (due to the client using uninitialized disk space, reclaimed from previously deleted files by the OS). Much paranoia and very little enlightenment followed in online discussions. See e.g. http://en.wikipedia.org/wiki/Prodigy_(ISP)#Spyware -like_behavior [wikipedia.org]

Never test for an error condition you don't know how to handle. -- Steinbach

Working...