Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Linux Reads Password and Firefox Profile

Posted by samzenpus on from the to-send-better-ads dept.

mrcgran writes "Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."

12 of 335 comments (clear)

  1. Incorrect by bakuun · · Score: 4, Informative

    put the spyware in Kazaa...

    It is true that the same people were the main creators of Kazaa and Skype. However, those creators had nothing to do with the introduction of spyware into Kazaa. They are not to blame for what others did. The introduction of the spyware was included in Kazaa first after the program was sold from the creators.

  2. Re:Why.. by 19thNervousBreakdown · · Score: 4, Informative

    This is somewhat silly anyway. The Firefox plugins, OK, I don't know why they'd read that, maybe they're checking for a Skype plugin, but who cares? As for /etc/passwd, it's not /etc/shadow. Not only that, but they don't even have to write code that reads /etc/passwd. Try changing the "passwd: compat" line in /etc/nsswitch.conf to "passwd: nis" or something like that, chances are your read of /etc/passwd will go away. It's probably just doing something like getting your real name. Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  3. Re:/etc/password by JosefAssad · · Score: 4, Informative

    That, and this

    --
    The Banjo Players Must Die!
  4. Re:Why.. by compm375 · · Score: 5, Informative

    Well, I just searched the source of Pidgin (because it is open source) and found it does indeed access /etc/passwd through getpwuid(getuid()) for use in Bonjour, Silc, and Zephyr protocols. There is no direct access to /etc/passwd and no use of getpwuid without using the current users uid through getuid. Skype may be doing the same thing, but there is really no way to know, is there?

  5. Re:Shadow passwords FTW by Bazman · · Score: 4, Informative

    True, but if your list of usernames leaks out it saves remote attackers having to try non-existent usernames in a dictionary attack...

    Corollary: dont use passwords vulnerable to dictionary attacks...

  6. The list by DaleGlass · · Score: 5, Informative
    Here's the list, reordered somewhat to group related things together.

    /dev/snd/controlC0 rw, /dev/snd/pcmC0D0c rw, /dev/snd/pcmC0D0p rw, /dev/snd/pcmC0D1c rw, /dev/snd/timer r, /usr/share/alsa/** r,
    ALSA sound devices. Perfectly normal given that skype uses sounds

    /home/*/.Skype rw, /home/*/.Skype/** rw, /usr/bin/skype mr, /usr/share/skype/** r,
    Skype's own files, ok

    /home/*/.config/Trolltech.conf r, /home/*/.fontconfig/* r, /home/*/.fonts/* r, /usr/share/fonts/** r, /usr/share/icons/** r, /usr/share/locale-langpack/**r, /usr/share/X11/XKeysymDB r, /var/cache/fontconfig/* r, /var/lib/defoma/fontconfig.d/fonts.conf r, /etc/fonts/** r,
    Seems harmless. Font stuff, icons, locales.

    /home/*/.Xauthority r, /home/*/.ICEauthority r,
    Needed to talk to the X server. X authorization info. Seems ok.

    /home/*/.kde/share/config/kioslaverc r,
    KDE integration? Probably not sensitive

    /home/*/.mozilla r, /home/*/.mozilla/plugins r, /home/*/.mozilla/firefox r,
    No clue what it's looking for there.

    /tmp/** rw,
    Temp directory, harmless

    /etc/resolv.conf r, /etc/hosts r, /etc/nsswitch.conf r, /etc/gai.conf r,
    DNS stuff, it needs to connect to servers after all

    /etc/passwd r, /etc/group r,
    Maybe harmless. No passwords here, only lists of usernames and home directories. And RL names, if specified. As other people suggested, may be just being used to find something like the home directory. Might be used to gather stats on number of users on the system, names, etc. Probably not a huge deal unless RL names are specified, but still interesting.

    /proc/1/cmdline r,
    Command line for init. On my system contains only the runlevel. Not sure what's interesting to look at here, but it is quite unusual.

    /proc/interrupts r,
    Interrupt statistics. This would allow determining the number of CPUs, hardware present (from listed module names), activity levels of various devices. Potential for gathering hardware statistics. Not sure what would a legitimate use for this be.

  7. Please by joto · · Score: 4, Informative

    Please, before you submit (or accept) an article about security to (or on) slashdot, make sure you understand rudimentary unix programming. There is no way any non-trivial unix program is going to NOT read /etc/passwd. /etc/passwd needs to be read for almost any trivial thing to be accomplished, such as finding out your home-directory so that .skype can be read, or for displaying ownership of files in a file-dialog.

    Now, as to why skype needs to read firefox configuration files, I have no idea. I haven't used skype, so I don't know what it does. But most likely this is done, because some users asked for a certain "integration" feature, whether it's bookmarks or plugins, or whatever...

  8. Re:Why.. by perlchild · · Score: 5, Informative

    Seems like people don't understand unix at all, when they post to security lists...
    Just checking your own identity in unix requires a call to getpwnam, getpwent or their equivalent, which means that a function call in glibc has to read the password file. Practically every unix program does that... It reads in the whole file in memory and looks for you, unless you're using the db source, yp, nis+ or an external module: nss_ldap, nss_mysql, nss_pgsql. It's doing that to find YOU out... That's normal, system-wide behaviour, and not sinister at all(that's also why there's a nscd daemon to cache those results, to prevent your machine from grinding to a halt if you have 200k+ entries in that file.

    Now unless the legacy api gets redesigned to NOT do a line by line scan, anyone using strace/ltrace/dtrace/tusc needs to filter out these internal "housekeeping" calls, which are perfectly normal, needing to find out if _you_ can open up your own log file...

    The /etc/passwd /etc/group files are public files precisely because they are referred to in this manner. That's why shadow passwords are so necessary.

  9. Re:your a queer by JackieBrown · · Score: 4, Informative

    Nice try,

    Debian uses shadow passwords. It's one of the questions in the installer.

  10. Re:your a queer by jlarocco · · Score: 5, Informative

    not every distro of linux uses shadow passwords (think debian or netbsd)

    First: NetBSD isn't a Linux distro.

    Second: Debian uses shadow passwords.

    Third: There's nothing wrong with reading /etc/passwd. POSIX even has an API for accessing it in user code. See the man pages for getpwuid, getpwnam, getpwent, setpwent and endpwent. For example, everytime you do "ls -l", it uses information from /etc/passwd.

    In any case, there's really no excuse for not using shadow passwords.

    --
    Maybe not
  11. Re:Why.. by jimicus · · Score: 4, Informative

    Of course an ls command can trigger a read of /etc/passwd. ls -l shows owners as username rather than numeric UID - where do you think it gets that information from?

    This is why a shadow password file was invented in the first place.

  12. Re:Why.. by gtwilliams · · Score: 5, Informative

    The most common reason these applications and others read /etc/passwd is that they call getpwuid() to obtain a struct that contains the user's home directory. Now the application knows where to find its configuration files.

    --
    Garry Williams