Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Privacy Linux

Skype Linux Reads Password and Firefox Profile 335

Posted by samzenpus from the to-send-better-ads dept.
mrcgran writes "Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."
This discussion has been archived. No new comments can be posted.

Skype Linux Reads Password and Firefox Profile More

Skype Linux Reads Password and Firefox Profile

Comments Filter:

  • I've discovered even worse Linux privacy problems (Score:5, Funny)

    by Anonymous Coward on Sunday August 26, 2007 @12:08PM (#20362601)
    In the research I did for my doctoral thesis, I found the shocking secret that getty and login and even init both read /etc/password and other files in /etc. My research has not yet found a valid reason for this. I am left feeling that Linux itself is spyware. My proposed solution is to only mount filesystems when a user is not logged in.

  • Re:What a load of FUD (Score:4, Funny)

    by mpeg4codec ( 581587 ) on Sunday August 26, 2007 @12:21PM (#20362701) Homepage

    Dunno about AppArmour, but there is no way in hell to distinguish between legitimate getpwnam, getpwuid, etc calls and reading the whole passwd file on a linux system using strace.

    Example:

    strace on ls -laF immediately gives

    open("/etc/passwd", O_RDONLY) = 4

    Try ltrace, which is similar to strace but lists library calls [man section 3] instead of system calls [section 2]. Running your same example with ltrace, one will see:
    getpwuid(1000, 0xbfaa1073, 0xbfaa0d08, 1000, 0x805c088) = 0xb7f8c9b8
    where 1000 is my uid and the rest of the params are pointers to memory locations.

    So yes, it's possible to distinguish, just not using strace. Proper tool for the job and all that.

    Of course all this would be moot if we had access to the source, which is the underlying issue being debated here.

  • Re:But...More Secure? (Score:5, Funny)

    by NickFortune ( 613926 ) on Sunday August 26, 2007 @02:11PM (#20363621) Homepage Journal

    In fact, with all that open source, isn't it easier to see what is going on so I can write a better exploit?

    That, sir, is a very good point. In fact it's such a good point, it makes me wonder why no one has ever suggested such a thing before, here on Slashdot.

    Fortunately, there is a simple fix, readily suggested by the exemplary record set by The Microsoft Corporation. All we need to do is change the file "/etc/passwd" to be "/etc/.passwd". That way, the file will no longer show up on directory listings. And, since no one on earth is clever enough to think of running "ls -a", that means that no one will know where the password file is, so no one will be able to break in. Security Through Obscurity FTW!

    Furthermore, if we apply this policy rigorously throughout the whole of the Linux operating system, I'm sure we can make Linux' security record every bit a good as Windows in no time at all.

  • Re:But...More Secure? (Score:2, Funny)

    by Zibri ( 1063838 ) on Sunday August 26, 2007 @07:46PM (#20366425)
    No, no, no! That wont do at all. Then everybody could make changes to all the files. It should be "chmod -R 774 /", and then you add every user to the admin group, except for the guest user.

  • Re:Shadow passwords FTW (Score:5, Funny)

    by ATMD ( 986401 ) on Sunday August 26, 2007 @09:21PM (#20367017) Journal
    +1 Paranoid...

Slashdot Top Deals

All seems condemned in the long run to approximate a state akin to Gaussian noise. -- James Martin

Close