A close look at questionable application behavior

by Chris Josephes

There's an interesting post on the Skype forums where a Linux user asks why Skype is reading his /etc/passwd file.

Since it was posted during the weekend, and there are Skype developers out there dealing with other issues, I'm guessing he won't get a reasonable answer from a Skype developer until at least Monday.

It's not my job to cover for Skype, but I'll try to give a reassuring answer. More than likely, Skype is only reading /etc/passwd to look up the user ID it is running under, typically to find that user's home directory or login name.

If the programmers are doing it right, they're not opening the file themselves at all. They're calling a C library routine such as getpwuid() (or getpwnam() for a lookup by name), which resolves the entry through the name service switch (nsswitch.conf). That matters because you may not be using a local password file at all. If you're using a workstation in a large environment, your account information could be stored in LDAP, NIS, or another global password map, and the same call returns the entry from whichever source is configured. Ironically, a program that uses getpwuid() doesn't even know whether you have a valid /etc/passwd file.

If you traced the call further (with strace, for example), you would see the library open /etc/passwd and read through its entries in order until it reaches the one it wants. The file is a flat, unindexed text file, so with the files backend there's no way around scanning it, and on a file this small the whole thing is usually read in one go. Nor is there an easy way to tell from a trace what happens to the data once it's read. Maybe the program ignores the entries that it doesn't care about, or maybe it emails them to an insidious hacker.
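To make the two points above concrete, here is an added example (my own code, not Skype's and not glibc's) that does a real lookup of the current user with getpwuid() and, alongside it, reimplements what the NSS files backend does internally: walk a passwd file from the top and stop at the first entry whose uid matches. The passwd text is constructed inline so the scan is reproducible offline; the field layout and the "x" placeholder in the password field are the standard format, but the accounts themselves are made up.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample passwd text (not taken from any real host). The
 * second field is "x": the password hash lives in /etc/shadow, not here. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "sshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash\n"
    "bob:x:1001:1001::/home/bob:/bin/zsh\n";

struct pw_entry {
    char name[64];
    char passwd[64];   /* "x" on shadow-enabled systems */
    unsigned uid;
    unsigned gid;
    char gecos[128];
    char dir[128];
    char shell[64];
};

/* Split one "name:passwd:uid:gid:gecos:dir:shell" line. Empty fields (an
 * empty gecos, for example) are legal, which is why strtok() is avoided.
 * Returns 0 on success, -1 on a malformed line. */
static int parse_passwd_line(const char *line, size_t len, struct pw_entry *e)
{
    char buf[512];
    const char *f[7];
    if (len >= sizeof buf) return -1;
    memcpy(buf, line, len);
    buf[len] = '\0';

    char *p = buf;
    for (int i = 0; i < 7; i++) {
        f[i] = p;
        char *colon = strchr(p, ':');
        if (i < 6) {
            if (!colon) return -1;       /* too few fields */
            *colon = '\0';
            p = colon + 1;
        } else if (colon) {
            return -1;                   /* too many fields */
        }
    }
    if (sscanf(f[2], "%u", &e->uid) != 1 || sscanf(f[3], "%u", &e->gid) != 1)
        return -1;
    snprintf(e->name, sizeof e->name, "%s", f[0]);
    snprintf(e->passwd, sizeof e->passwd, "%s", f[1]);
    snprintf(e->gecos, sizeof e->gecos, "%s", f[4]);
    snprintf(e->dir, sizeof e->dir, "%s", f[5]);
    snprintf(e->shell, sizeof e->shell, "%s", f[6]);
    return 0;
}

static struct pw_entry last_match;   /* static result, like getpwuid() */

/* Mimic the NSS "files" backend: read the text from the top and stop at the
 * first entry whose uid matches. Every entry before the match is read and
 * parsed, which is exactly what a trace of the process shows. Returns the
 * number of entries examined; *found is set to the match or to NULL. */
int scan_passwd_for_uid(const char *text, unsigned uid, const struct pw_entry **found)
{
    int examined = 0;
    if (found) *found = NULL;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        struct pw_entry e;
        if (parse_passwd_line(line, len, &e) == 0) {
            examined++;
            if (e.uid == uid) {
                last_match = e;
                if (found) *found = &last_match;
                break;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return examined;
}

/* The entry for uid from the sample text, or NULL if it is absent. */
const struct pw_entry *lookup_uid_entry(const char *text, unsigned uid)
{
    const struct pw_entry *e;
    scan_passwd_for_uid(text, uid, &e);
    return e;
}

int main(void)
{
    /* The portable way to learn about the current user: one lookup by uid
     * through NSS, which may consult files, LDAP or NIS behind the scenes. */
    struct passwd *pw = getpwuid(getuid());
    if (pw)
        printf("real lookup: uid %u -> %s, home %s\n",
               (unsigned)pw->pw_uid, pw->pw_name, pw->pw_dir);
    else
        printf("real lookup: uid %u has no passwd entry\n", (unsigned)getuid());

    const struct pw_entry *e;
    int n = scan_passwd_for_uid(SAMPLE_PASSWD, 1000, &e);
    printf("sample: found %s after examining %d entries, password field is \"%s\"\n",
           e ? e->name : "(none)", n, e ? e->passwd : "");
    n = scan_passwd_for_uid(SAMPLE_PASSWD, 4242, &e);
    printf("sample: uid 4242 %s, examined all %d entries\n",
           e ? "found" : "not found", n);
    return 0;
}
```

Compile it and run it under `strace -e trace=openat,read ./a.out` and you will see the same thing the forum poster saw: the real getpwuid() call opens /etc/passwd and reads it, even though the program only asked for one uid. The scan function makes the reason visible: a uid that isn't present forces every entry to be examined, and a uid near the end forces almost all of them. Nothing in the file but the login names, ids, home directories and shells is exposed by that read.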

The /etc/passwd file can be read by any user, so it carries only the bare minimum of account information: login name, numeric user and group IDs, home directory and login shell. The password hashes are not stored there at all (the password field holds a placeholder, usually "x"); they live in /etc/shadow, which the operating system protects by making it readable only by root (or a dedicated shadow group). Reading /etc/passwd might give someone a slight insight into which accounts exist and might be worth targeting, but it won't offer any special insight into how to compromise them.

On a final note, although I encourage testing and using security tools like AppArmor, I think its use in this case is unneeded. Chris Brown said it best in Protecting your applications with AppArmor:

AppArmor is not intended to provide protection against execution of ordinary tools run by ordinary users. You already have the classic Linux security model in place to constrain the activities of such programs.

Any regular user on a Unix host should rely on the host operating system security model. I'll admit, I feel more comfortable saying that about a Unix/Linux/Mac host than I would for a Windows host. If Skype--or any application--tries to perform an action that it isn't allowed to do, the operating system should prevent it.