Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Linux Reads Password and Firefox Profile

Posted by samzenpus on from the to-send-better-ads dept.

mrcgran writes "Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."

5 of 335 comments (clear)

  1. I've discovered even worse Linux privacy problems by Anonymous Coward · · Score: 5, Funny

    In the research I did for my doctoral thesis, I found the shocking secret that getty and login and even init both read /etc/password and other files in /etc. My research has not yet found a valid reason for this. I am left feeling that Linux itself is spyware. My proposed solution is to only mount filesystems when a user is not logged in.

  2. Re:What a load of FUD by mpeg4codec · · Score: 3, Funny

    Dunno about AppArmour, but there is no way in hell to distinguish between legitimate getpwnam, getpwuid, etc calls and reading the whole passwd file on a linux system using strace.

    Example:

    strace on ls -laF immediately gives

    open("/etc/passwd", O_RDONLY) = 4

    Try ltrace, which is similar to strace but lists library calls [man section 3] instead of system calls [section 2]. Running your same example with ltrace, one will see:
    getpwuid(1000, 0xbfaa1073, 0xbfaa0d08, 1000, 0x805c088) = 0xb7f8c9b8
    where 1000 is my uid and the rest of the params are pointers to memory locations.

    So yes, it's possible to distinguish, just not using strace. Proper tool for the job and all that.

    Of course all this would be moot if we had access to the source, which is the underlying issue being debated here.
  3. Re:But...More Secure? by NickFortune · · Score: 4, Funny

    In fact, with all that open source, isn't it easier to see what is going on so I can write a better exploit?

    That, sir, is a very good point. In fact it's such a good point, it makes me wonder why no one has ever suggested such a thing before, here on Slashdot.

    Fortunately, there is a simple fix, readily suggested by the exemplary record set by The Microsoft Corporation. All we need to do is change the file "/etc/passwd" to be "/etc/.passwd". That way, the file will no longer show up on directory listings. And, since no one on earth is clever enough to think of running "ls -a", that means that no one will know where the password file is, so no one will be able to break in. Security Through Obscurity FTW!

    Furthermore, if we apply this policy rigorously throughout the whole of the Linux operating system, I'm sure we can make Linux' security record every bit a good as Windows in no time at all.

    --
    Don't let THEM immanentize the Eschaton!
  4. Re:But...More Secure? by Zibri · · Score: 2, Funny

    No, no, no! That wont do at all. Then everybody could make changes to all the files. It should be "chmod -R 774 /", and then you add every user to the admin group, except for the guest user.

  5. Re:Shadow passwords FTW by ATMD · · Score: 5, Funny

    +1 Paranoid...

    --
    Nobody else has this sig.