Sandboxing Skype

= Sandboxing Skype =

Skype is a closed-source, proprietary application that should not be trusted. The following sections describe how to run it in a sandbox in order to reduce the risk. Note that you will probably be installing the Skype package as root, and its automatic updates also run as root, so if Microsoft really wants to spy on you (or let somebody else do it), they can.

The instructions below have been tested with Skype version 8.xx for Linux from Skype's website, and seem to work on Xubuntu 18.04.2 upgraded to the latest LTS Enablement Stack as of June 2019. See further below for the problems on the older Ubuntu 16.04.

System Configuration (to do only once per computer)

 * Add a separate user account for Skype with the following commands:
       sudo groupadd skypegroup
       sudo useradd --create-home --gid skypegroup --groups audio,video -s /bin/bash skypeuser
   Notes about the commands above:
 * Membership of the video group is necessary in order to access the webcam (/dev/video*). Your main user is not a member of this group and still has the webcam, because on Ubuntu systemd-logind grants the user logged in at the local seat a temporary ACL on /dev/video* and /dev/snd/* (check with "getfacl /dev/snd/controlC0", package acl). The skypeuser account never logs in at the seat, so it gets no ACL and needs the group instead.
 * Membership of the audio group is necessary in order to access the local sound hardware through PulseAudio, for the same reason: skypeuser runs its own PulseAudio daemon, which opens /dev/snd/* directly. Without the group, if you open PulseAudio's volume control applet (pavucontrol) under the skypeuser account in a window on your main user's session, you will notice that skypeuser only has access to the "Dummy Output" sound device. There is a lot of advice on the Internet that no user should be a member of the audio group, and indeed your normal user account is not a member; the logind ACL is what makes that advice work for users who log in at the seat. Beware that the two PulseAudio daemons contend for the same ALSA device: yours releases it only after its sinks have been idle for a few seconds (module-suspend-on-idle), which is why audio from the second account can fail while your own session is using the sound card.
 * The new user has no password yet, so you cannot log on with this account in any way other than with sudo.
 * Make sure that the skypeuser account cannot access your home directory. By default on many systems, all accounts can read other users' home directories. You can test the new account like this:
       sudo --user=skypeuser --set-home bash -c "cd \$HOME && bash"
   Now try to access some other user's home directory. It is probably a good idea that nobody else can access skypeuser's home directory either. The following commands restrict such permissive home directory permissions:
       chmod 0700 "$HOME"
       sudo chmod 0700 ~skypeuser
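The setup steps above as one re-runnable script with checks. This is an added example, not the page's own script (the author's scripts are linked in the next section); it assumes Linux with GNU coreutils and sudo, and the skypeuser/skypegroup names used on this page.

```shell
#!/bin/sh
# Added example (not the author's script): one-time setup of the Skype
# account, then checks that the separation actually holds.
# Assumes Linux, GNU coreutils (stat -c), sudo, and the names below.
set -eu

SKYPE_USER=skypeuser
SKYPE_GROUP=skypegroup

# True if directory $1 is mode 0700, i.e. accessible by its owner only.
dir_is_private() {
    [ "$(stat -c %a "$1")" = "700" ]
}

# True if user $1 is in group $2, whether primary or supplementary.
user_in_group() {
    id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

setup() {
    # Create group and user only if they do not exist yet, so re-running is safe.
    getent group "$SKYPE_GROUP" >/dev/null || sudo groupadd "$SKYPE_GROUP"
    getent passwd "$SKYPE_USER" >/dev/null || sudo useradd --create-home \
        --gid "$SKYPE_GROUP" --groups audio,video -s /bin/bash "$SKYPE_USER"
    skype_home=$(getent passwd "$SKYPE_USER" | cut -d: -f6)

    # Close both home directories; Ubuntu creates them 0755 by default.
    chmod 0700 "$HOME"
    sudo chmod 0700 "$skype_home"

    # Group checks: skypeuser's own PulseAudio daemon opens /dev/snd/* itself,
    # and it never logs in at the seat, so it gets no logind ACL.
    for g in audio video; do
        user_in_group "$SKYPE_USER" "$g" || { echo "FAIL: $SKYPE_USER not in $g" >&2; return 1; }
    done
    dir_is_private "$HOME" || { echo "FAIL: $HOME is not 0700" >&2; return 1; }
    dir_is_private "$skype_home" || { echo "FAIL: $skype_home is not 0700" >&2; return 1; }

    # The real test: try to read your home directory as skypeuser.
    if sudo --user="$SKYPE_USER" ls "$HOME" >/dev/null 2>&1; then
        echo "FAIL: $SKYPE_USER can still read $HOME" >&2
        return 1
    fi
    echo "OK: $SKYPE_USER is in audio/video and cannot read $HOME"
}

# Run the setup only when asked ("sh setup-skypeuser.sh setup"), so the helper
# functions above can be sourced or tested on their own.
if [ "${1:-}" = "setup" ]; then
    setup
fi
```

Run it once as your normal user with `sh setup-skypeuser.sh setup`; the last check is the one that matters, since group membership and a 0700 mode on paper are no proof that the other account is locked out.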

Starting Skype

 * Authorise the Skype user account to access the X server:
       xhost +SI:localuser:skypeuser
   "SI" means "Server Interpreted", and localuser:username instructs the X server to authorise all local connections from Unix user username (the server checks the peer's credentials on the Unix socket, so no cookie is needed). The authorisation is not persistent: it is forgotten when the X server restarts, which happens when you log out. Issue the command "xhost" without arguments to see all authorised entries. See also the commands "xauth info" and "xauth list".
 * Remove the information that PulseAudio publishes in the X11 root window at start-up:
       pax11publish -r
   When your normal user's session starts, start-pulseaudio-x11 publishes the address of its server and the access cookie as properties of the X11 root window ("pax11publish -d" shows them). Every client on the same display, including skypeuser's, picks those properties up, so if you do not clear them with "pax11publish -r", then "pulseaudio --start" will fail under the skypeuser account. Your own sound applications keep working without the properties: clients that find none fall back to the per-user socket under $XDG_RUNTIME_DIR/pulse, which is the system default anyway. Because of X11's lax security, you can run "pax11publish -r" either beforehand on your normal user account or afterwards on the skypeuser account.
 * Beware that, because of X11's lax security, the sandboxing method below is not watertight. X11 does not isolate clients that share a display: Skype can still read keystrokes (a keylogger), capture the contents of other windows, or inject input into other X applications. A safer method would be to switch to another user session and run Skype there, but that is very inconvenient.
 * Start Skype like this:
       sudo --user=skypeuser --set-home bash -c "cd \$HOME && pulseaudio --start && { nohup firejail skypeforlinux >\$HOME/SkypeLog.txt 2>&1 & }"
   Remarks about this are:
 * The first time you start Skype under a new user account, it will take several seconds to open up.
 * [Apparently no longer available on Skype version 8.xx] You can open PulseAudio's volume control applet (pavucontrol) within Skype like this: Menu "Options", "Sound Devices", button "Open PulseAudio Volume Control".
 * firejail does not let Skype automatically start the pulseaudio daemon, so we need to manually start it beforehand. If pulseaudio does not start, then Skype will not offer a button to open PulseAudio's volume control applet (pavucontrol). All of Skype's sound devices (microphone, speakers, ringing) will be limited to the "Virtual Device", which means that sound will not work at all.
 * firejail comes with a profile for Skype, which it selects by the name of the program being started. If you run the command in a console, you should see a message like: Reading profile /etc/firejail/skypeforlinux.profile On recent Skype versions the executable, and therefore the profile filename, is skypeforlinux instead of just skype.
 * If the microphone does not work, beware that it is disabled (muted) by default. You can enable it with the volume control applet (pavucontrol).
 * If headset audio does not work, beware that it is often disabled (muted) by default, and it gets disabled again when you disconnect and reconnect your headset. Just unmute audio with the usual audio controls to get sound working again.
 * Use the following scripts to automate the steps above. The scripts do additional error checking. https://github.com/rdiez/Tools/tree/master/SandboxingSkype
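The start-up procedure of this section, written as an added example script (not the author's own scripts linked above) in which each step is checked before the next one runs. It assumes the skypeuser account from the setup section, firejail, the skypeforlinux executable of Skype 8.x, and that xhost, pax11publish and pactl print in their usual formats (one "SI:localuser:name" entry per line, and a "Server Name:" line from "pactl info").

```shell
#!/bin/sh
# Added example (not the author's script): xhost, pax11publish, PulseAudio
# and firejail in order, each step verified. Assumes the skypeuser account,
# firejail, and Skype 8.x ("skypeforlinux") from this page.
set -eu

SKYPE_USER=skypeuser

# True if the given xhost output ($1) already lists local user $2.
# xhost prints one entry per line, e.g. "SI:localuser:alice".
xhost_lists_user() {
    printf '%s\n' "$1" | grep -qx "SI:localuser:$2"
}

# True if the given "pactl info" output ($1) came from a live server.
pactl_shows_server() {
    printf '%s\n' "$1" | grep -q '^Server Name:'
}

start_skype() {
    # 1. X authorisation; it lasts only until the X server restarts.
    xhost_lists_user "$(xhost)" "$SKYPE_USER" || xhost "+SI:localuser:$SKYPE_USER"

    # 2. Remove PulseAudio's properties from the X11 root window, otherwise
    #    "pulseaudio --start" fails for skypeuser ("pax11publish -d" lists them).
    pax11publish -r

    # 3. Start skypeuser's own PulseAudio daemon and prove that it answers.
    #    Without it Skype only offers a "Virtual Device" and no sound works.
    pa_info=$(sudo --user="$SKYPE_USER" --set-home sh -c \
        'cd "$HOME" && pulseaudio --start && pactl info')
    pactl_shows_server "$pa_info" || {
        echo "PulseAudio did not start for $SKYPE_USER" >&2
        return 1
    }

    # 4. Launch Skype inside firejail, detached, with its output logged.
    sudo --user="$SKYPE_USER" --set-home sh -c \
        'cd "$HOME" && { nohup firejail skypeforlinux > "$HOME/SkypeLog.txt" 2>&1 & }'

    # 5. Confirm the jail exists. "firejail --list" shows the calling user's
    #    sandboxes, so ask as skypeuser; warn only, Skype takes a while to start.
    sleep 2
    sudo --user="$SKYPE_USER" firejail --list | grep -q skypeforlinux \
        || echo "warning: no firejail sandbox for skypeforlinux listed yet" >&2
}

# Run only when asked ("sh start-skype.sh start"), so the helpers can be tested alone.
if [ "${1:-}" = "start" ]; then
    start_skype
fi
```

Invoke it as `sh start-skype.sh start` from your normal session. Step 3 is the one that catches the audio problems described above: if "pactl info" run as skypeuser does not report a server, Skype will come up with only the "Virtual Device", so the script stops there instead of launching it.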

Some other notes I have kept

 * Firejail's website mentions a workaround for older PulseAudio versions: "firecfg --fix-sound", which writes a per-user ~/.config/pulse/client.conf that disables shared memory ("enable-shm = no"). It may be worth investigating if sound fails inside the jail. But I do not think it is necessary with PulseAudio version 11.1 that comes with Ubuntu 18.04.2.
 * PulseAudio's enable-memfd = yes option in /etc/pulse/daemon.conf will probably help in multi-user environments. Only available from PulseAudio version 9.0.
 * I am having trouble with PulseAudio when I connect USB headphones, but only from the Skype user account, at least on one laptop I have tried. The headphones just stop working after a few seconds. I have not tested again on an updated Ubuntu 18.04.2 yet.


Notes kept for the older Ubuntu 16.04

 * Unfortunately, audio does not work well on Xubuntu 16.04 as of January 2017, so this method is actually not usable in practice there. This is probably a PulseAudio issue. The instructions on this page work sometimes, but often enough Skype does not get access to the audio hardware. I tried to debug this problem to no avail. And then I saw the following article:

Maintainers for desktop "critical infrastructure", https://lwn.net/Articles/711337/ . Look for the user comment "The multi-user system setup described is certainly something PulseAudio promised to provide".


 * It has certainly been a pain to try to get PulseAudio to work with more than one user account. It is true that the documentation is lacking. If you know the solution, please drop me a line.


 * The Arch Wiki has information about sandboxing with systemd-nspawn.
 * You could use Xephyr to sandbox Skype so that it cannot access other user applications over the insecure X server environment: Skype would talk only to the nested X server, which appears to your real display as a single ordinary client window. Unfortunately, Xephyr did not work on my Xubuntu LTS 16.04 with the following suggested commands, Skype just did not start.
       Xephyr -ac -br -noreset -screen 1280x800 :1 &
       DISPLAY=:1 firejail skype
   Beware that "-ac" disables access control on the nested server, which is what lets the other account connect to it, but it also lets every other local user connect to display :1. To run Skype on it under the separate account, the DISPLAY variable has to be passed through sudo, for example with "sudo --user=skypeuser --set-home env DISPLAY=:1 firejail skypeforlinux".
 * I have seen advice about letting PulseAudio connect over TCP/IP, but it does not seem necessary. Notes kept:
 * Install package paprefs and start applet paprefs on your normal user account. Under "Network Server", tick option "Enable network access to local sound devices". The server will listen on port 4713/tcp. Restart the audio server with "pulseaudio --kill" (or log out and log in again). Check whether the server is listening with "netstat --listen --tcp --programs | grep 4713" or "ss -ltnp | grep 4713".
 * Change the Skype start script like this: pulseaudio --load \"module-native-protocol-tcp auth-ip-acl=127.0.0.1\" . pulseaudio's option auth-ip-acl does not take a hostname like localhost, only IP addresses. Beware that auth-ip-acl grants access without the cookie: with 127.0.0.1 in the list, every local user and process can use that sound server (record from the microphone included), which is what lets the other account in, but it also weakens the separation between accounts that this page is about.
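An added example (not from the page) that audits the TCP alternative just described, so that the cookie-less access is not left enabled by accident. It parses the output of "pactl list short modules", assumed to be tab-separated index, module name and arguments, and flags a loaded module-native-protocol-tcp whose arguments admit clients without the cookie (auth-ip-acl containing 127.0.0.1, or auth-anonymous=1); the port check uses ss from iproute2.

```shell
#!/bin/sh
# Added example (not from the page): report whether PulseAudio currently
# accepts local TCP clients without the cookie. Assumes the tab-separated
# "pactl list short modules" format and iproute2's ss.
set -eu

# Prints the argument string of module-native-protocol-tcp from the given
# "pactl list short modules" output ($1); returns 1 if it is not loaded.
tcp_module_args() {
    printf '%s\n' "$1" | awk -F'\t' \
        '$2 == "module-native-protocol-tcp" { print $3; found = 1 } END { exit !found }'
}

# True if the loaded TCP module grants cookie-less access to local clients:
# either anonymous access, or an IP ACL that includes 127.0.0.1.
tcp_module_is_open() {
    args=$(tcp_module_args "$1") || return 1
    case "$args" in
        *auth-anonymous=1*|*auth-ip-acl=*127.0.0.1*) return 0 ;;
    esac
    return 1
}

audit() {
    mods=$(pactl list short modules)
    if tcp_module_is_open "$mods"; then
        echo "WARNING: PulseAudio accepts local TCP clients without the cookie: $(tcp_module_args "$mods")"
    elif tcp_module_args "$mods" >/dev/null; then
        echo "OK: TCP module loaded, but the cookie is still required"
    else
        echo "OK: module-native-protocol-tcp is not loaded"
    fi
    if ss -ltnp | grep -q ':4713 '; then
        echo "port 4713/tcp is listening"
    else
        echo "port 4713/tcp is not listening"
    fi
}

# Run only when asked ("sh audit-pulse-tcp.sh audit"), so the helpers can be tested alone.
if [ "${1:-}" = "audit" ]; then
    audit
fi
```

Run it as whichever user owns the PulseAudio daemon you changed (pactl talks to the calling user's server). The module arguments are the authoritative setting; a listening port 4713 alone does not tell you whether the cookie is enforced.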