skype (4933B)
1 #!/bin/bash 2 3 # skype wrapper script 4 # check that Skype is correctly sandboxed and start it or stop it 5 # this script is not part of Skype and not endorsed by Microsoft, inc. 6 # use as: skype start, skype stop, skype status 7 # inspired by http://pleonasm.info/blog/2012/10/privilege-separation-with-xpra/ 8 9 # sandbox user is "skype" 10 VOLUME="/home" # where quotas are setup 11 ID=`whoami` 12 PRIVATE="/home/$ID/.ssh/id_rsa" # an existing file that you want to protect 13 QUOTA="512000" # skype's quota, in bytes 14 DCMD="sudo su skype -s /bin/bash -c" 15 PRIVPORT="23" # a port that skype shouldn't be able to access 16 17 if groups skype | tr -d ':' | tr ' ' '\n' | grep -v '^$' | 18 grep -v skype > /dev/null 19 then 20 echo "skype should be in group skype, actual groups are:" 21 groups skype 22 echo aborted 23 exit 1 24 fi 25 26 if [ ! -f "$PRIVATE" ] 27 then 28 echo "\$PRIVATE is not correctly set: cannot reach $PRIVATE" 29 echo aborted 30 exit 2 31 fi 32 33 if $DCMD "ls $PRIVATE >/dev/null 2>/dev/null" 34 then 35 echo "skype shouldn't be able to access $PRIVATE" 36 echo aborted 37 exit 2 38 fi 39 40 BADL=$(xhost | sed 1d | grep -v "SI:localuser:$ID" | 41 grep -vE 'SI:localuser:(browser|browser2|bitcoin)' | wc -l) 42 if [ $BADL -gt 0 ] 43 then 44 echo "bad xhost permissions:" 45 xhost 46 echo aborted 47 exit 3 48 fi 49 50 # somehow this stuff does not work when using xinit 51 # even when setting it up with xhost in ~/bin/startup 52 # but using startx makes it work 53 if $DCMD xinput 2>/dev/null >/dev/null 54 then 55 echo "skype shouldn't be able to connect to the X server but can:" 56 $DCMD xinput 57 echo aborted 58 exit 4 59 fi 60 61 if ! (quotaon -p "$VOLUME" | grep '^user' | grep 'is on' >/dev/null) 62 then 63 echo "quotas are not enabled for $VOLUME:" 64 quotaon -p "$VOLUME" 65 echo aborted 66 exit 5 67 fi 68 69 RQUOTA=$($DCMD "quota --show-mntpoint" | 70 grep -A1 "$VOLUME" | sed 1d | awk '{print $3}' | tr -dc '0-9\n') 71 72 # http://stackoverflow.com/a/806923 73 re='^[0-9]+$' 74 if ! [[ $RQUOTA =~ $re ]] 75 then 76 echo "could not understand quota for skype" 77 $DCMD "quota --show-mntpoint" 78 echo aborted 79 exit 6 80 fi 81 82 if [ ! "$RQUOTA" -gt 0 ] 83 then 84 echo "no quota for skype seems set" 85 $DCMD "quota --show-mntpoint" 86 echo aborted 87 exit 6 88 fi 89 90 if [ ! "$RQUOTA" -le "$QUOTA" ] 91 then 92 echo "quota limit for skype is $RQUOTA which is >$QUOTA" 93 $DCMD "quota --show-mntpoint" 94 echo aborted 95 exit 6 96 fi 97 98 if ! ($DCMD "cat /proc/\$\$/cgroup" | 99 grep 'memory:/skype' >/dev/null) 100 then 101 echo "skype processes are not in the skype cgroup for memory:" 102 $DCMD "cat /proc/\$\$/cgroup" 103 echo aborted 104 exit 7 105 fi 106 107 if $DCMD "curl portquiz.net:80 2>/dev/null >/dev/null" 108 then 109 if $DCMD "curl portquiz.net:$PRIVPORT 2>/dev/null >/dev/null" 110 then 111 echo "skype port $PRIVPORT is not filtered" 112 echo aborted 113 exit 8 114 fi 115 else 116 echo "skype cannot access portquiz.net:80, are you connected?" 117 echo aborted 118 exit 9 119 fi 120 121 # now everything is in order 122 123 # check that skype has access to the pulse socket 124 # and complain otherwise 125 # TODO can we do better than this? 126 SOCKET=$(pacmd info | grep 'socket=' | cut -d'=' -f2 | cut -d'>' -f1) 127 if [ "x$SOCKET" = "x" ]; 128 then 129 echo "WARNING: unable to determine pulseaudio socket location" 130 echo "Continuing nevertheless" 131 else 132 $DCMD "ls $SOCKET > /dev/null" || { 133 echo "WARNING: skype user cannot access the socket $SOCKET" 134 echo "this may result in sound issues" 135 echo "continuing nevertheless" 136 } 137 fi 138 139 LISTCMD="pgrep -u skype" 140 # don't hang looking for .Xauthority at the wrong place 141 export XAUTHORITY="/home/skype/.Xauthority" 142 DISPLAYNUM=213 # X display number for skype 143 LOG="/home/skype/xpra/:${DISPLAYNUM}.log" 144 145 case "$1" in 146 start) 147 echo "starting skype..." 148 $DCMD "xpra --no-pulseaudio --encoding=rgb24 \ 149 --mmap-group --socket-dir=/home/skype/xpra \ 150 start :$DISPLAYNUM 2>&1" 151 # ugly, can we do better? 152 echo "waiting for session to be ready..." 153 $DCMD "tail -f $LOG" | while read l 154 do 155 echo "xpra> $l" 156 if echo "$l" | grep "xpra is ready" > /dev/null 157 then 158 echo "done waiting" 159 $DCMD "pkill -u skype tail" 160 break 161 fi 162 done 163 echo "session is ready" 164 # give me access to the server 165 USER=$(whoami) 166 $DCMD "DISPLAY=:$DISPLAYNUM xhost +si:localuser:$USER" 167 # give access to the pulseaudio credentials 168 pax11publish -D :$DISPLAYNUM -e 169 echo "running skype" 170 # run skype 171 $DCMD "DISPLAY=:$DISPLAYNUM /home/skype/skype/skype" & 172 ;& 173 attach) 174 echo "attaching" 175 xpra --socket-dir=~skype/xpra attach :$DISPLAYNUM 176 ;& 177 detach) 178 echo "detaching" 179 xpra --socket-dir=~skype/xpra detach :$DISPLAYNUM 180 ;& 181 stop) 182 if $LISTCMD > /dev/null 183 then 184 echo "stopping skype..." 185 $LISTCMD | $DCMD "xargs kill" 186 sleep 2 187 if $LISTCMD > /dev/null 188 then 189 echo 'remaining processes:' 190 ps -u skype 191 echo 'will kill -9 in 2s' 192 sleep 2 193 $LISTCMD | $DCMD "xargs kill -9" 194 fi 195 fi 196 ;& 197 *) 198 if $LISTCMD > /dev/null 199 then 200 echo "skype is running:" 201 ps -u skype 202 else 203 echo "skype is not running" 204 fi 205 ;; 206 esac 207