LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 08-27-2007, 08:09 AM   #1
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,560

Rep: Reputation: 474Reputation: 474Reputation: 474Reputation: 474Reputation: 474
skype and reading /etc/password file how to stop?


i was reading on slashdot the other day and it turns out that Skype is accessing /etc/password and many other /etc directories. The article

Quote:
"Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."
http://forum.skype.com/index.php?showtopic=95261

https://wiki.ubuntu.com/AppArmor

when i looked up more details on the AppAmor it is a SuSe based application. is there a way to get it to run under Gentoo/Sabayon?

there is a very good chance that i will be getting a job that will take me out of the country and i planed on using skype to keep in touch with my wife and kids. i will be running Sabayon or Debian on my laptop (99% chance it will be Sabayon) and this makes me a bit uncomfortable when it comes to security.
 
Old 08-27-2007, 08:47 AM   #2
lakris
Member
 
Registered: Sep 2004
Location: Stockholm, Sweden
Distribution: Ubuntu, RedHat, SuSe, Debian, Slax
Posts: 102

Rep: Reputation: 15
The files in /etc that are world readable are so for a reason. For example, passwd is THE place to know a users most basic config. Any program or user should be able to read files there. Sensitive info should not be readable by anyone. Any sensible distro have this sorted out.
If You are paranoid chmod the files 700 or the whole directory. But other things may break. There are distros and methods to tighten world access to system files. But what are You actually afraid of?
This is the default behaviour of most systems.
 
Old 08-27-2007, 09:41 AM   #3
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,560

Original Poster
Rep: Reputation: 474Reputation: 474Reputation: 474Reputation: 474Reputation: 474
just my lack of understanding how things work. not sure i like the idea of a 3rd party app, or any for that matter, accessing my password file.

so with these settings you are stating it should be ok.

Code:
ls -laF /etc/passwd
-rw-r--r-- 1 root root 3286 2007-04-18 23:04 /etc/passwd
 
Old 08-27-2007, 09:53 AM   #4
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128Reputation: 128
Your password is held in /etc/shadow, and is encrypted with a one-way hash, so they'd have to brute-force the shadow file in order to get your password. Also, /etc/shadow is readable only by root.

Even if they do have access to your /etc/passwd file, the most sensitive thing in there is your username, which shouldn't be a problem so long as your password is suitably strong, even if that data were to become common knowledge.
 
Old 08-27-2007, 12:52 PM   #5
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,560

Original Poster
Rep: Reputation: 474Reputation: 474Reputation: 474Reputation: 474Reputation: 474
ahh, thank you for that explanation. feels better now.
 
Old 08-27-2007, 02:10 PM   #6
lakris
Member
 
Registered: Sep 2004
Location: Stockholm, Sweden
Distribution: Ubuntu, RedHat, SuSe, Debian, Slax
Posts: 102

Rep: Reputation: 15
Quote:
Originally Posted by lleb View Post
so with these settings you are stating it should be ok.

Code:
ls -laF /etc/passwd
-rw-r--r-- 1 root root 3286 2007-04-18 23:04 /etc/passwd
Yes, this is normal and loads of programs actually need the information in passwd. And as pwc101 pointed out, the really sensitive info (Your encrypted password) is held in a file not readable by others than system owner/root. The passwd file isn't more sensitive than any other, really. Any information in it could be had in a number of other ways, by non priviledged users, but it's there to facilitate things.

There was also a discussion (in the link You provided) regarding Skype's habit of reading other programs (Mozilla/Firefox) config information. It's the same thing there. It is a way for this program to determine what environment it is running in. In Your personal config files or world readable files. Almost every program You use daily is doing the same thing. So they can do a better job.

Some people regard this as bordering on spyware. Well then we have loads of spyware running, no matter what platform we use. Gimp finding out if there's a ghostscript installed. Firefox looking to see if it's the preferred browser. Winzip stealing extensions and more and more, Some say that Skype should be "open" about it. I think it's a non issue. Security lies in a completely different scope.

So keep using Skype if You like it. I would trust it!
 
Old 08-29-2007, 04:44 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
Hummm
/bin/ls also read /etc/passwd

Even worse, it's been written by Richard Stallman!!!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
perl : stop reading a file when condition ok frenchn00b Programming 7 07-05-2007 02:37 AM
Gambas: reading a shell password Mattentaart Linux - Software 2 10-30-2005 05:39 AM
openssh won't stop asking for password ViragoRider Linux - Networking 1 08-27-2005 11:30 PM
fgets never stop reading from socket!? Thinking Programming 1 04-06-2005 09:38 AM
reading password-encrypted powerpoint files? JustinHoMi Linux - Software 2 02-22-2005 01:27 PM


All times are GMT -5. The time now is 12:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration