running skype in a schroot

If I don't trust a stranger to wander inside my house, why should I allow a closed source program to access my home directory? Apart from the paranoia and conspiracy implications, I decided to spend some time learning how to run skype (and iceweasel for that matter, since I don't really trust javascript, flash and the mozilla plugin model) in a chroot.

I started from this article:
http://www.debian-administration.org/articles/566

This recipe didn't work out of the box. This is mine:

Now step by step:
First we install the software. I'm working on Debian unstable...

apt-get install schroot debootstrap

Then we create the chroot with debootstrap, we install skype and let apt-get do the rest. Installing skype will cause a lot of broken dependencies. apt-get -f install will fix them all. Quick and dirty.
Note: you have to copy the package inside the chroot!


sudo debootstrap --variant=minbase --arch i386 sid /home/chroot/sid http://ftp.fr.debian.org/debian

sudo schroot -d / -c sid -p -- dpkg -i /skype-debian_2.0.0.68-1_i386.deb

sudo schroot -d / -c sid -p -- apt-get -f install

At this point the chroot is ready. To run an application, we still need to convince the X server to accept connections from clients running inside the chroot. Since by default my X server doesn't accept TCP connections (-nolisten tcp), we need to bind-mount the /tmp directory inside the chroot, so that the X server's Unix socket under /tmp/.X11-unix is reachable from there.

See also: http://www.gelato.unsw.edu.au/IA64wiki/XinChroot

Note that this is not the safest solution. We could restart the X server so that it listens for TCP connections and avoid this step. I've chosen to go this way at the moment.


mount --bind /tmp /home/chroot/sid/tmp

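Then we need to authorize the client using xauth and run your command using this little wrapper:

#!/bin/sh
# Copy the X authorization cookie for the current display into the chroot home
xauth extract - "$DISPLAY" | xauth -f "/home/chroot/sid$HOME/chhome/.Xauthority" merge -
# Run the requested command inside the chroot
schroot -- "$@"
# Remove the cookie once the command has exited
rm -f "/home/chroot/sid$HOME/chhome/.Xauthority"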

Depending on your settings you might want to fix the DISPLAY variable. Running schroot with the -p option lets you pass your environment variables to the application in the chroot. I suggest you don't do that, but add a .bashrc in your chroot home to set only selected variables.
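Another way to pass only selected variables, as an added example that is not part of the original post: the wrapper below forwards an allow-list through env(1) instead of a .bashrc, and refuses a DISPLAY that is not a local X socket. The names ALLOWED_VARS, local_display and run_in_chroot are made up for this example; it assumes env is available inside the chroot and that the default schroot chroot is the one set up above.

```shell
#!/bin/sh
# Added example, not the original wrapper: forward only selected variables
# into the chroot instead of using "schroot -p".

# Assumption: the variables worth forwarding. Names must be plain shell
# identifiers because they are expanded with eval below.
ALLOWED_VARS="DISPLAY LANG LC_ALL"

# Print a display name in local ":N" or ":N.S" form; fail for anything
# that names a host (such as "host:0"), which would need X over TCP.
local_display() {
    d=${1#unix}                      # "unix:0" and ":0" both become ":0"
    case $d in
        :*[!0-9.]* | :*.*.* | :*.) return 1 ;;  # stray chars, 2 dots, trailing dot
        :[0-9]*) printf '%s\n' "$d" ;;
        *) return 1 ;;
    esac
}

# Run "$@" in the default chroot with the allow-listed variables only.
run_in_chroot() {
    [ "$#" -gt 0 ] || { echo "usage: run_in_chroot command [args]" >&2; return 2; }
    disp=$(local_display "${DISPLAY-}") || {
        echo "DISPLAY is unset or not a local X display" >&2
        return 1
    }
    DISPLAY=$disp
    for name in $ALLOWED_VARS; do
        eval "is_set=\${$name+x}"
        # Prepend NAME=value for every allow-listed variable that is set
        [ -z "$is_set" ] || eval "set -- \"\$name=\$$name\" \"\$@\""
    done
    # Without -p schroot starts from a clean environment; env(1) inside the
    # chroot then adds the allow-listed variables and execs the command.
    schroot -- env "$@"
}

# Act as a wrapper when called with a command, e.g. ./wrapper-env skype
if [ "$#" -gt 0 ]; then
    run_in_chroot "$@"
fi
```

The xauth steps from the wrapper above are still needed around the schroot call.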

We are ready to skype away in our chroot:

./wrapper skype

Installing iceweasel is just a matter of apt-get in the chroot.

Maybe now they won't be able to tap into your computer so easily, but they will still be able to record your conversations and messages!!!

Comments

I think that this does not give us enough security. Because of X's design, applications have great control over the X server. I think that even in a schroot it is still easy for an application to act as a keylogger of what you write in OTHER windows. So, for example, if you are using pidgin+otr for your "secure" conversation and skype for your "unsecure" ones (sometimes you are forced to use skype), you're doing it wrong.