Skype Linux Reads Password and Firefox Profile 335
mrcgran writes "Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."
Incorrect (Score:4, Informative)
It is true that the same people were the main creators of Kazaa and Skype. However, those creators had nothing to do with the introduction of spyware into Kazaa. They are not to blame for what others did. The introduction of the spyware was included in Kazaa first after the program was sold from the creators.
hard to avoid (Score:2, Informative)
In any case, you don't need AppArmor to find what files something opens, just use strace.
Re:Why.. (Score:3, Informative)
GECOS field (Score:1, Informative)
But why Skype wants to access all firefox settings remains a mystery. But it might look for proxy information.
reading /etc/passwd is normal (Score:4, Informative)
It is via /etc/passwd that you convert a UID to a user name.
Re:Why.. (Score:5, Informative)
This is somewhat silly anyway. The Firefox plugins, OK, I don't know why they'd read that, maybe they're checking for a Skype plugin, but who cares? As for /etc/passwd, it's not /etc/shadow. Not only that, but they don't even have to write code that reads /etc/passwd. Try changing the "passwd: compat" line in /etc/nsswitch.conf to "passwd: nis" or something like that, chances are your read of /etc/passwd will go away. It's probably just doing something like getting your real name. Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf.
Re:/etc/password (Score:4, Informative)
Re:Why.. (Score:5, Informative)
Re:Shadow passwords FTW (Score:5, Informative)
Corollary: dont use passwords vulnerable to dictionary attacks...
"/etc/passwd" is a misnomor (Score:3, Informative)
The list (Score:5, Informative)
Re:Why.. (Score:3, Informative)
Re:"/etc/passwd" is a misnomor (Score:3, Informative)
Re:Why.. (Score:1, Informative)
No idea why gaim does it, but ls has to read
Please (Score:5, Informative)
Please, before you submit (or accept) an article about security to (or on) slashdot, make sure you understand rudimentary unix programming. There is no way any non-trivial unix program is going to NOT read /etc/passwd. /etc/passwd needs to be read for almost any trivial thing to be accomplished, such as finding out your home-directory so that .skype can be read, or for displaying ownership of files in a file-dialog.
Now, as to why skype needs to read firefox configuration files, I have no idea. I haven't used skype, so I don't know what it does. But most likely this is done, because some users asked for a certain "integration" feature, whether it's bookmarks or plugins, or whatever...
Re:Why.. (Score:5, Informative)
Just checking your own identity in unix requires a call to getpwnam, getpwent or their equivalent, which means that a function call in glibc has to read the password file. Practically every unix program does that... It reads in the whole file in memory and looks for you, unless you're using the db source, yp, nis+ or an external module: nss_ldap, nss_mysql, nss_pgsql. It's doing that to find YOU out... That's normal, system-wide behaviour, and not sinister at all(that's also why there's a nscd daemon to cache those results, to prevent your machine from grinding to a halt if you have 200k+ entries in that file.
Now unless the legacy api gets redesigned to NOT do a line by line scan, anyone using strace/ltrace/dtrace/tusc needs to filter out these internal "housekeeping" calls, which are perfectly normal, needing to find out if _you_ can open up your own log file...
The
Re:your a queer (Score:5, Informative)
Debian uses shadow passwords. It's one of the questions in the installer.
Skype is due to be replaced (Score:2, Informative)
http://forum.skype.com/index.php?showtopic=93068 [skype.com]
Since then I have found that there are already standards based open source replacements for Skype, mainly SIP and Ekiga. In contrast to Skype they got video conferencing and you can get a public telephone number for free.
Also I started to think about what would be needed for the german "Bundestrojaner" and compare it to Skype:
- it is installed on a majority of systems
- it is protected against decompilation / debuggers
- it bypasses almost any firewall
- it uses encryption for network traffic
- it may send lots of data even when not making a call
- it might have already been deployed by the NSA
- eBay has a history of cooperating with federal agencies
Tom
Re:your a queer (Score:5, Informative)
First: NetBSD isn't a Linux distro.
Second: Debian uses shadow passwords.
Third: There's nothing wrong with reading /etc/passwd. POSIX even has an API for accessing it in user code. See the man pages for getpwuid, getpwnam, getpwent, setpwent and endpwent. For example, everytime you do "ls -l", it uses information from /etc/passwd.
In any case, there's really no excuse for not using shadow passwords.
Re:Why.. (Score:5, Informative)
This is why a shadow password file was invented in the first place.
Re:your a queer (Score:4, Informative)
leen@debian64:~$ cat
4.0
leen@debian64:~$ ls -lA
-rw-r----- 1 root shadow 1171 2007-08-17 01:41
Re:You idiots: (Score:1, Informative)
Run them, no.
Retard troll, at least get the terminology right.
AppArmor - Ubuntu? (Score:1, Informative)
Instead, we have again Ubuntu users claiming everything and not doing anything but copying (yes I know GNU)
Re:your a queer (Score:4, Informative)
Actually, there is, but for the entirely opposite reason. If you read passwd you'll miss any network based users, such as users authorized over LDAP, kerberos, or others.
getpwent and company, on the other hand, will get you those. As would getent or similar command line utility.
Re:Why.. (Score:5, Informative)
Underhanded C contest (Score:3, Informative)
Re:Shadow passwords FTW (Score:3, Informative)
Except that /etc/shadow is only readable by root. A userland application can't access it.