
commit 4b081d4c8ef9c35d7da35add93287ebd49ce6dc0
parent 7a46436da4826a14ad4be6e47252c9b115705f4f
Author: Antoine Amarilli <a3nm@a3nm.net>
Date:   Sat,  8 Aug 2015 18:27:44 +0200

skype

Diffstat:
skype | 181+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 181 insertions(+), 0 deletions(-)

diff --git a/skype b/skype 
@@ -0,0 +1,181 @@
+#!/bin/bash
+
+# skype wrapper script
+# check that Skype is correctly sandboxed and start it or stop it
+# this script is not part of Skype and not endorsed by Microsoft, inc.
+# use as: skype start, skype stop, skype status
+# inspired by http://pleonasm.info/blog/2012/10/privilege-separation-with-xpra/
+
+# sandbox user is "skype"
+VOLUME="/home" # where quotas are setup
+ID=`whoami`
+PRIVATE="/home/$ID/.ssh/id_rsa" # an existing file that you want to protect
+QUOTA="512000" # skype's quota, in bytes
+DCMD="sudo su skype -s /bin/bash -c"
+PRIVPORT="23" # a port that skype shouldn't be able to access
+
+if groups skype | tr -d ':' | tr ' ' '\n' | grep -v '^$' |
+ grep -v skype | grep -v audio > /dev/null
+then
+ echo "skype should be in group skype and audio, actual groups are:"
+ groups skype
+ echo aborted
+ exit 1
+fi
+
+if [ ! -f "$PRIVATE" ]
+then
+ echo "\$PRIVATE is not correctly set: cannot reach $PRIVATE"
+ echo aborted
+ exit 2
+fi
+
+if $DCMD "ls $PRIVATE >/dev/null 2>/dev/null"
+then
+ echo "skype shouldn't be able to access $PRIVATE"
+ echo aborted
+ exit 2
+fi
+
+BADL=$(xhost | sed 1d | grep -v "SI:localuser:$ID" | wc -l)
+if [ $BADL -gt 0 ]
+then
+ echo "bad xhost permissions:"
+ xhost
+ echo aborted
+ exit 3
+fi
+
+if $DCMD xinput 2>/dev/null >/dev/null
+then
+ echo "skype shouldn't be able to connect to the X server but can:"
+ $DCMD xinput
+ echo aborted
+ exit 4
+fi
+
+if ! (quotaon -p "$VOLUME" | grep '^user' | grep 'is on' >/dev/null)
+then
+ echo "quotas are not enabled for $VOLUME:"
+ quotaon -p "$VOLUME"
+ echo aborted
+ exit 5
+fi
+
+RQUOTA=$($DCMD "quota --show-mntpoint" |
+ grep -A1 "$VOLUME" | sed 1d | awk '{print $3}' | tr -dc '0-9\n')
+
+# http://stackoverflow.com/a/806923
+re='^[0-9]+$'
+if ! [[ $RQUOTA =~ $re ]]
+then
+ echo "could not understand quota for skype"
+ $DCMD "quota --show-mntpoint"
+ echo aborted
+ exit 6
+fi
+
+if [ ! "$RQUOTA" -gt 0 ]
+then
+ echo "no quota for skype seems set"
+ $DCMD "quota --show-mntpoint"
+ echo aborted
+ exit 6
+fi
+
+if [ ! "$RQUOTA" -le "$QUOTA" ]
+then
+ echo "quota limit for skype is $RQUOTA which is >$QUOTA"
+ $DCMD "quota --show-mntpoint"
+ echo aborted
+ exit 6
+fi
+
+if ! ($DCMD "cat /proc/\$\$/cgroup" |
+ grep 'memory:/skype' >/dev/null)
+then
+ echo "skype processes are not in the skype cgroup for memory:"
+ $DCMD "cat /proc/\$\$/cgroup"
+ echo aborted
+ exit 7
+fi
+
+if $DCMD "curl portquiz.net:80 2>/dev/null >/dev/null"
+then
+ if $DCMD "curl portquiz.net:$PRIVPORT 2>/dev/null >/dev/null"
+ then
+ echo "skype port $PRIVPORT is not filtered"
+ echo aborted
+ exit 8
+ fi
+else
+ echo "skype cannot access portquiz.net:80, are you connected?"
+ echo aborted
+ exit 9
+fi
+
+# now everything is in order
+
+LISTCMD="pgrep -u skype"
+# don't hang looking for .Xauthority at the wrong place
+export XAUTHORITY="/home/skype/.Xauthority"
+DISPLAYNUM=213 # X display number for skype
+LOG="/home/skype/xpra/:${DISPLAYNUM}.log"
+
+case "$1" in
+start)
+ echo "starting skype..."
+ $DCMD "xpra --no-pulseaudio \
+ --mmap-group --socket-dir=/home/skype/xpra \
+ start :$DISPLAYNUM 2>&1"
+ # ugly, can we do better?
+ echo "waiting for session to be ready..."
+ $DCMD "tail -f $LOG" | while read l
+ do
+ echo "$l"
+ if echo "$l" | grep "xpra is ready" > /dev/null
+ then
+ break
+ fi
+ done
+ echo "session is ready"
+ # give access to the pulseaudio credentials
+ pax11publish -D :$DISPLAYNUM -e
+ echo "running skype"
+ # run skype
+ $DCMD "DISPLAY=:$DISPLAYNUM /home/skype/skype/skype" &
+ echo "now attaching"
+ ;&
+attach)
+ xpra --socket-dir=~skype/xpra attach :$DISPLAYNUM
+ ;;
+detach)
+ xpra --socket-dir=~skype/xpra detach :$DISPLAYNUM
+ ;;
+stop)
+ if $LISTCMD > /dev/null
+ then
+ echo "stopping skype..."
+ $LISTCMD | $DCMD "xargs kill"
+ sleep 2
+ if $LISTCMD > /dev/null
+ then
+ echo 'remaining processes:'
+ ps -u skype
+ echo 'will kill -9 in 2s'
+ sleep 2
+ $LISTCMD | $DCMD "xargs kill -9"
+ fi
+ fi
+ ;&
+*)
+ if $LISTCMD > /dev/null
+ then
+ echo "skype is running:"
+ ps -u skype
+ else
+ echo "skype is not running"
+ fi
+ ;;
+esac
+
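Review bot: In the `start)` arm the exit status of `$DCMD "xpra --no-pulseaudio ... start :$DISPLAYNUM 2>&1"` is never checked, so when xpra fails to come up the following `$DCMD "tail -f $LOG" | while read l` loop waits forever for "xpra is ready" and the script never reaches the `echo aborted` / `exit` path the earlier sandbox checks use. Guard the start with `$DCMD "xpra ... start :$DISPLAYNUM 2>&1" || { echo "xpra failed to start"; echo aborted; exit 10; }` and read the log with `while read -r l` so backslashes in log lines are passed through unchanged. Separately, the comment on `QUOTA="512000" # skype's quota, in bytes` looks wrong: quota(1) prints block usage and limits in 1 KiB units by default and `$RQUOTA` is taken straight from that output, so `[ ! "$RQUOTA" -le "$QUOTA" ]` compares kilobytes; suggest `# skype's hard quota limit, in 1K blocks as reported by quota(1)`.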