In association with heise online

27 August 2007, 14:33

Confusion due to Skype file access

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

An ambitious user using the AppArmor security application has observed that Skype for Linux opens some strange files. After having published his observations in the Skype forum , suspicions of espionage are circulating on the Internet, although the explanation is probably quite harmless.

AppArmor is a Linux security extension, which can be used to fine-grain access rights. For instance, the software allows users to restrict access of programs to a few individual files and prohibit and log access attempts to all other files. When a user did this to increase his system's security, he noticed that Skype opened the /etc/passwd file and recursively searched the Firefox directory in his home directory. Other users have confirmed this behaviour with the strace utility. As a consequence, espionage suspicions have immediately started to circulate on the internet. A German reader has even established a connection to the Federal Trojan.

However, the explanation is probably quite harmless. AppArmor and strace do not only register direct file access, but also access attempts caused by executing system functions in libraries. For instance, accessing /etc/passwd is required in order to assign a numerical user ID to the user name. Some system functions and many programs do this by default. The harmless ls command for example delivers:

# strace -eopen ls -l
open("/etc/passwd", O_RDONLY) = 4

It is a common method to fetch the users home directory from the relevant entry in passwd (with something like getpwuid()). Also, the file passwd, despite its name, no longer contains any passwords. Searching the Firefox directory, on the other hand, is more critical, since confidential information is often stored there. But again, the explanation could be a harmless and plausible one.

One possible reason to read the Firefox directory is in order to retrieve from there proxy settings as it is done by Skype for Windows with Internet Explorer. This is supported by tests performed by heise Security, in which Skype opened only directories. The only real file it opened in the Firefox directory was prefs.js which does indeed contain the proxy settings. Another reason for Skype to access the user's directory might simply be to check if the user has installed the vendor's Firefox extension.

So far, the vendor has not published any statements about all this, but there should be no need to worry about file accesses such as these.

Incidentally, for security reasons, the path to your Firefox configuration files contains a random "username". Remember never to post the full path including that random string because that would compromise the security of your system.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit