Hello. I think many have heard the much-discussed story that Skype reads the files /etc/passwd and ~/.mozilla. Of course, there is nothing really terrible about this: it has been explained repeatedly that the passwords are not in /etc/passwd but are stored in hashed form in /etc/shadow, and that it reads the Firefox configuration to determine proxy and extension settings, and so on. Still, there are no hard facts, and we cannot look at the source code to verify the developers' intentions. From this position there are several ways out:
- Continue to use Skype and consider everyone else paranoid.
- Give up on Skype and use an open alternative (OpenWengo, for example).
- Restrict Skype's access to system resources and protect yourself from surprises.
Today I will tell you about the third option.
AppArmor, a relatively new security system developed by Novell and available in most of today's popular distributions, will help us with this.
To begin with, it needs to be installed (as far as I know, it is installed by default only in openSUSE).
To install it, search your package manager for everything related to AppArmor.
At a minimum, we will need:
apparmor-parser
apparmor-profiles
apparmor-utils
libapparmor1
perl-libapparmor
apparmor-dbus
Well, and all sorts of dependencies :)
Install and reboot. Check whether AppArmor is running:
# apparmor_status
If it prints:
apparmor module is loaded.
apparmor filesystem is not mounted.
then not everything is as good as we would like.
Try restarting it:
# /etc/init.d/apparmor restart
If it fails without any intelligible message, open the file /boot/grub/menu.lst as root in a text editor and add the following to the parameters of the kernel that we boot:
apparmor=1
Reboot again and repeat the procedure. There are two possible outcomes:
If it works, apparmor_status should show information about the loaded profiles and confined programs. Rejoice and read on.
If not, google :)
So, AppArmor is running; now we need to explain to it what to do with Skype.
There are options:
• Add Skype to the list of programs for enforced profiles:
# aa-enforce skype
It didn’t work for me (Mandriva 2008.1), and it gave me a bunch of awkward bugs.
• Manually configure your profile for Skype.
To do this, create a text file
/etc/apparmor.d/usr.bin.skype
and write the following into it:
#include <tunables/global>
/usr/bin/skype {
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/kde>
  # Note: abstractions/nameservice itself allows reading /etc/passwd and /etc/group.
  #include <abstractions/nameservice>
  /etc/gai.conf r,
  # Per-user files: Skype's own data is read/write, the rest is mostly read-only.
  /home/*/.ICEauthority r,
  /home/*/.asoundrc r,
  /home/*/.Skype/** krw,
  /home/*/.Xauthority r,
  /home/*/.config/* kr,
  /home/*/.config/Trolltech.conf krw,
  /home/*/.qt/* rw,
  /opt/kde3/share/fonts/ r,
  /home/*/.kde/share/config/kioslaverc r,
  /proc/*/cmdline r,
  /proc/interrupts r,
  # Sockets of the X server and the session manager.
  /tmp/.ICE-unix/* w,
  /tmp/.X11-unix/* w,
  # The binary itself (mapped and read) and its shared data.
  /usr/bin/skype mr,
  /usr/share/X11/* r,
  /usr/share/icons/** r,
  /usr/share/skype/** kr,
}
(I'm not an AppArmor customization specialist, and I’ll be happy to hear notes and additions.)
That's all. Now we can use Skype without worrying about our personal data. It will have access only to the files and folders that we allow in the profile file.
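To see what Skype tries to touch outside the profile, the denials AppArmor writes to the audit log can be summarised per path. The Python script below is an added example, not part of the original article: the log lines are constructed samples in the audit format of current AppArmor releases (an assumption, since older releases log a different layout), and parse_fields and denied_paths are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample records (not real captures). Assumption: the key="value"
# audit layout of current AppArmor releases.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:41): apparmor="DENIED" operation="open" profile="/usr/bin/skype" name="/home/alice/.mozilla/firefox/profiles.ini" pid=2301 comm="skype" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000001.007:42): apparmor="DENIED" operation="open" profile="/usr/bin/skype" name=2F686F6D652F616C6963652F4D7920446F63732F612E747874 pid=2301 comm="skype" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000001.500:43): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/etc/fstab" pid=2301 comm="skype" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000002.000:44): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/fstab" pid=810 comm="cupsd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1700000003.300:45): apparmor="DENIED" operation="open" profile="/usr/bin/skype" name="/home/alice/.mozilla/firefox/profiles.ini" pid=2301 comm="skype" requested_mask="r" denied_mask="r"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Split one audit record into key/value pairs (quoted or bare values)."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if key == "name" and quoted is None:
            # The audit subsystem logs names containing spaces or special
            # characters as unquoted hex; decode them back to a path.
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # bare but not hex: keep the value as logged
        fields[key] = quoted if quoted is not None else bare
    return fields

def denied_paths(log_text, profile="/usr/bin/skype"):
    """Return {path: (hits, denied masks)} for DENIED events of one profile."""
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        f = parse_fields(line)
        # Skip complain-mode (ALLOWED) records and other programs' profiles.
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        entry = hits[f.get("name", "?")]
        entry[0] += 1
        entry[1].add(f.get("denied_mask", ""))
    return {path: (n, masks) for path, (n, masks) in hits.items()}

if __name__ == "__main__":
    for path, (n, masks) in sorted(denied_paths(SAMPLE_LOG).items()):
        print(f"{n:3d}  {','.join(sorted(masks)):4s} {path}")
```

A path that shows up here and that Skype legitimately needs can be added to the profile; anything else is a record of what the confinement blocked.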