45

Situation

I was about to install Skype on a laptop driven by Ubuntu 18.04 LTS Desktop. The software installation helper graciously informs me that Skype

is unconfined. It can access all your personal files and system resources

as per the screenshot below.

[Screenshot: Ubuntu 18.04 software installer]

Apparently there must be reasons to make a distinction from applications that do not call for this warning.

Reality-checks

  • Can Skype really scan anything I have in my home directory regardless of the permissions set to files and directories? Does it become like a sort of superuser?
  • What is the meaning of system resources there? Does it go about functional resources like broadband and memory, or is that an understatement for control on all applications?

Mitigation

  • How is it possible for an average "power user" to confine such an unconfined application?

Besides the answers themselves, pointers to interesting reading are also appreciated.

7
  • 41
    Just to put this in context, any software you install is unconfined and has full access to your personal files, unless measures are taken to prevent it, such as it being a strict Snap or by only running it under a different, unprivileged user account. Your browser, word processor, games etc. typically have full access to your user account's files. This is indeed an antiquated security model; mobile devices have a much more isolated model. snap is somewhat of a step in the right direction too. Commented Mar 15, 2020 at 19:41
  • 8
    Probably not worth putting as an answer, but Canonical (the company that does much of the development of Ubuntu) have been pushing Snaps quite hard, which they argue are simpler and more secure than the older Debian packaging machinery, which they also still support. These warnings look like they're trying to steer you away from Debian packages, but Debian packages remain widely used and supported.
    – James_pic
    Commented Mar 16, 2020 at 13:55
  • 6
    You could also use firejail to confine Skype.
    – Benjamin
    Commented Mar 16, 2020 at 14:19
  • @James_pic Skype itself provides a Debian package at go.skype.com/skypeforlinux-64.deb It would be interesting, for the non-expert at least, to know in which respects it differs from some golden-standard deb package and a Snap packaging... Commented Mar 16, 2020 at 14:22
  • 3
    @James_pic According to that screenshot, it came up during a snap installation, it's not a .deb installation
    – Ferrybig
    Commented Mar 16, 2020 at 16:01

2 Answers

63

Why am I getting this message?

The idea of snap is to be an "app store for Linux", with much of the same benefits as app stores for other platforms, such as iOS or Android. One of the big advantages is that applications are rather confined, unable to interact with your OS unless the user gives it specific permissions.

In snap, there are several different "confinement" settings, as documented here:

  • Strict

    Used by the majority of snaps. Strictly confined snaps run in complete isolation, up to a minimal access level that’s deemed always safe. Consequently, strictly confined snaps can not access your files, network, processes or any other system resource without requesting specific access via an interface (see below).

  • Classic

    Allows access to your system’s resources in much the same way traditional packages do. To safeguard against abuse, publishing a classic snap requires manual approval, and installation requires the --classic command line argument.

  • Devmode

    A special mode for snap creators and developers. A devmode snap runs as a strictly confined snap with full access to system resources, and produces debug output to identify unspecified interfaces. Installation requires the --devmode command line argument. Devmode snaps cannot be released to the stable channel, do not appear in search results, and do not automatically refresh.

The Skype app is most likely a "Classic" snap, which means you don't get the same benefits as from a strict confinement.

Can Skype really do anything on my system?

Skype can do as much as any other traditional binary can do, such as those installed via apt. It does not generally become "some kind of super user", but it could use sudo or other means to ask to become a privileged process. The easiest way to do that is to simply refuse running as anything but root.

However, Skype cannot magically bypass any file permissions, unless you specifically gave the binary capabilities to do so.

What does it mean by system resources?

Think about apps on your smartphone. Applications have to ask to access your files, your contacts, your microphone, your camera, your location, etc.

Snap in its strict confinement setting does allow applications to access these, but individual applications need to request access to these interfaces. Of course, you as the user can forbid an application from accessing them. Perhaps you don't want an application to access the network because you don't want to use network-enabled features.

What the installer is telling you is that, since Skype is a "classic" snap, you cannot stop Skype from accessing all these resources (network, camera, etc.), at least not in an easy way.

How is it possible to confine such an application?

You can, if you so desire, try to create a strictly confined snap yourself. I assume that this will be a difficult-if-not-impossible task, else Microsoft would have done that. Or maybe it's super easy, barely an inconvenience, and Microsoft just didn't care.

You could also create a limited user and configure your system to run the application as this user, then restrict that limited user from accessing resources such as the network, the web cam, etc.
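The confinement levels described in this answer can be checked for the snaps already installed. The following is an added example, not part of the original answer: it reads `snap list` output and reports snaps whose Notes column marks them as `classic` or `devmode`. The sample listing is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag installed snaps that are not strictly confined.
# Reads `snap list` output on stdin. The Notes column (last field) carries
# comma-separated flags; "classic" and "devmode" mean the snap runs
# outside strict confinement.

unconfined_snaps() {
    awk 'NR > 1 {
        n = split($NF, flags, ",")
        for (i = 1; i <= n; i++)
            if (flags[i] == "classic" || flags[i] == "devmode")
                print $1 ": " flags[i]
    }'
}

# Constructed sample of `snap list` output (not captured from a real system).
sample_snap_list() {
    cat <<'EOF'
Name      Version    Rev    Tracking  Publisher   Notes
core18    20200124   1668   stable    canonical*  base
skype     8.58.0.93  117    stable    skype*      classic
vlc       3.0.8      1397   stable    videolan*   -
mytool    0.1        x1     -         -           devmode
EOF
}

# On a real system: snap list | unconfined_snaps
sample_snap_list | unconfined_snaps
```

For a snap that is strictly confined, `snap connections <name>` lists the interfaces it has been granted.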

18
  • 28
    It should be noted that by the very nature of what Skype is supposed to be doing, it needs access to the network, the web cam, the microphone, the speakers, the address book, and the file system. Commented Mar 16, 2020 at 5:48
  • 4
    @JörgWMittag Understandable. But does it need access to the whole file system by its very nature? Commented Mar 16, 2020 at 7:58
  • 26
    Skype includes file sharing, so it needs at least read access to every file you might potentially want to share, and it needs write access to at least one directory. Commented Mar 16, 2020 at 8:00
  • 3
    @XavierStuvw Without complete knowledge of everything the app does and how it does it, the user has no way to determine the minimum set of permissions required. At best, you could deny all accesses, create a program that tests all combinations, then determine the one which provides you with the best functionality. Such a testing program will be highly valuable, likely worth billions as it essentially automates all usability testing.
    – iheanyi
    Commented Mar 16, 2020 at 14:19
  • 4
    @Bracco23 There's a difference between an app asking the user to select a file they want and only getting access to that specific file (which is what Skype needs) and the app having unlimited access to all the files in itself (something that skype really doesn't require). As I understand it, Android skype is the former, while desktop Skype is the latter.
    – Voo
    Commented Mar 17, 2020 at 16:47
15

It’s like this comic:

[Comic: XKCD, see https://xkcd.com/1200/ for credits and licensing]

Generally, any program that runs under your account can access any resources that your account can access.

Can Skype really scan anything I have in my home directory regardless of the permissions set to files and directories?  Does it become like a sort of superuser?

As stated in MechMK1’s answer, no, it does not become more privileged than you.  But, even if you chmod a file to 0, as long as you still own the file, any program (running under your user ID) can chmod it back to a more permissive access mode.

In general, it can do anything that malware can do if it runs on your system as you.  For example, it can

  • modify your .bashrc, .bash_profile, or similar file to start it (or a component of it) every time you log in.
  • monitor your keystrokes (subject to constraints that are beyond the scope of this question).
  • maybe read your screen (?)

How is it possible for an average "power user" to confine such an unconfined application?

If you’re paranoid that Skype (or any other program) is malware, but you want to run it anyway, there are some things you can do to protect yourself (and your data).  In (roughly) decreasing order of security:

  • As suggested by Benjamin, isolate the untrusted software in some sort of jail, sandbox, container or virtual machine.
    • Depending on how paranoid you are, you could have one isolation area for all untrusted software, or one for each untrusted program.
  • As suggested by MechMK1, create another user (with a different UID) for the untrusted software, and always run the software as that user (with sudo or su, or by logging in as the other user in another virtual terminal).
    • Again, you could create one such user for all untrusted software, or one user for each untrusted program.
  • Create a separate user account for your most sensitive data.
    This is pretty much the same as the above bullet, but looking at it from the opposite direction.
  • Encrypt your most sensitive data.  This is the least secure of these options, as
    • it does not prevent the software from deleting or overwriting your files, and
    • as long as untrusted software is running as you, it can probably monitor a lot of your actions, and possibly read your data when you decrypt it to work with it.

None of the above is guaranteed.


Getting back to this:

Does it become like a sort of superuser?

For completeness, a program (that can run unconfined) can become privileged in the usual ways:

  • It can invoke sudo or su and hope you type the password.  (Advice: Don’t do that!)
  • It can invoke sudo or su and try to guess the password.
  • It can invoke sudo and hope that you used sudo within the past five minutes, so your credentials are still cached (see the Sudoers Manual).
  • It can exploit a privilege-escalation vulnerability in the operating system.

etc.  The confinement procedures discussed above can mitigate some of these attacks.
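Two points from this answer, shown as an added example that is not part of the original post: a file's owner can undo `chmod 0`, and a separate account for untrusted software only helps for files whose mode bits deny access to other UIDs. All files are constructed in temporary directories; the function names are hypothetical, and the directories above the audited one are assumed to be traversable.

```shell
#!/bin/sh
# Added example: file modes versus the UID boundary (constructed files only).

# A file's owner can always change its mode, so chmod 000 does not protect
# a file from a program running under the same UID.
owner_can_undo_chmod0() {
    f=$(mktemp) || return 1
    echo "secret" > "$f"
    chmod 000 "$f"
    locked=$(ls -l "$f" | cut -c2-10)    # "---------": no bits set
    chmod 600 "$f"                       # permitted because we own the file
    content=$(cat "$f")
    rm -f "$f"
    [ "$locked" = "---------" ] && [ "$content" = "secret" ]
}

# Files under $1 that a different, unprivileged UID could still read:
# "other" read bit on the file and "other" search bit on every directory
# on the way down. Ancestors of $1 are assumed to be traversable.
readable_by_other_uids() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print | sort
}

# Constructed sample tree standing in for a home directory.
build_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Documents" "$d/.private"
    chmod 755 "$d" "$d/Documents"
    chmod 700 "$d/.private"
    echo a > "$d/Documents/notes.txt"; chmod 644 "$d/Documents/notes.txt"
    echo b > "$d/Documents/id_key";    chmod 600 "$d/Documents/id_key"
    echo c > "$d/.private/diary.txt";  chmod 644 "$d/.private/diary.txt"
    echo "$d"
}

owner_can_undo_chmod0 && echo "chmod 000 undone by the owning UID"
home=$(build_sample_home)
readable_by_other_uids "$home"    # only Documents/notes.txt is listed
rm -rf "$home"
```

Running `readable_by_other_uids "$HOME"` on a real account shows what a second, unprivileged user could still read before you rely on that separation.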

9
  • Err, if it requires admin rights to install, then your "Create a separate user account for your most sensitive data" option is utterly useless because any admin account can gain access to any other account.
    – user21820
    Commented Mar 18, 2020 at 6:10
  • That's precisely what snaps are supposed to change… except they did not enforce it from the start so there are still too many apps that are not appropriately confined.
    – Jan Hudec
    Commented Mar 18, 2020 at 20:44
  • @user21820: Well, sure, if you download a black box binary executable program that says “I’m the Skype installer; run me (unconfined) as root”, it’s like finding an opaque bottle labeled “Drink me” — either you trust it blindly or you throw it away.  (Or you do forensic analysis to assess its safety.)  But if the installer is a script that says install --owner=bin --group=bin --mode=755 ./skype /bin/skype, then there’s no problem running as “admin”.  (Of course --owner=root --mode=4755 is a horse of a different color.) … (Cont’d) Commented Mar 20, 2020 at 0:30
  • (Cont’d) …  Aside from the fact that you arbitrarily singled out a sentence from my answer, your comment would have been more suitable for the question itself (‘‘Does it become like a sort of superuser?’’).   But it’s rather trivial that, if you run a program as superuser, then it runs as superuser. Commented Mar 20, 2020 at 0:30
  • @Scott: I think you missed my point. My point is that almost all applications that the average user intends to install are executables that demand maximum rights. So that particular sentence of your post is bad advice for the average user, and hence I singled it out. Don't forget that users who can distinguish between the kinds of installers you mentioned in your comment mostly do not even need to read your post, and users who cannot are likely to come away from your post with the misconception that having separate accounts is sufficient.
    – user21820
    Commented Mar 20, 2020 at 8:26
