Difference between revisions of "Skype"

From ArchWiki
Jump to: navigation, search
m (pacman example removed. Capital letters.)
(Skype sound: rm "since version")
 
(133 intermediate revisions by 52 users not shown)
Line 1: Line 1:
 +
[[Category:Telephony and voice]]
 
[[bg:Skype]]
 
[[bg:Skype]]
 
[[cs:Skype]]
 
[[cs:Skype]]
 +
[[ja:Skype]]
 
[[lt:Skype]]
 
[[lt:Skype]]
 
[[ru:Skype]]
 
[[ru:Skype]]
 
[[uk:Skype]]
 
[[uk:Skype]]
[[Category:Audio/Video]]
 
[[Category:Telephony and Voice]]
 
 
== Installation ==
 
== Installation ==
  
[[pacman|Install]] {{Pkg|skype}} from the [[official repositories]]. If you have a 64-bit system, enable the [[multilib]] repository first as Skype is 32-bit only.
+
{{Note|The official Skype client for Linux has not been updated in a long time and receiving calls from the latest versions of other clients is [http://nickforall.nl/skype/ reportedly] broken.}}
 +
{{Tip|There is also a web version of Skype [https://web.skype.com available], which you might want to use if you do not trust the proprietary Skype client. You can also use it as an unofficial app: {{AUR|skype-desktop-bin}}. Audio/video is currently not supported because the required browser plugin is only available for OS X and Windows.}}
  
Running Skype is just as easy. Type {{Ic|skype}} into a terminal or double-click the Skype icon on your desktop or in your DE's application menu.
+
[[Install]] the {{Pkg|skype}} package. If you have a 64-bit system, enable the [[multilib]] repository first, since Skype is 32-bit only.
 +
 
 +
Running Skype is just as easy. Type {{ic|skype}} into a terminal or double-click the Skype icon on your desktop or in your DE's application menu.
  
 
== Skype sound ==
 
== Skype sound ==
  
Skype supports [[ALSA]] and [[PulseAudio]]. [[OSS]] is no longer supported.
+
Skype requires [[PulseAudio]] for voice communication and does not support plain [[ALSA]].
  
=== ALSA ===
+
Alternatively, if you do not want to use PulseAudio, you can install {{AUR|apulse}} (and {{AUR|lib32-apulse}} for x86_64 users) from the [[AUR]], which emulates PulseAudio. Then execute Skype with:
  
Sound should work out of the box, if not you can select a sound device to use in Skype options. If you have problems with Skype blocking your sound device, you only need to add the following to your {{ic|~/.asoundrc}}
+
  $ apulse skype
  pcm.dmixout {
+
  # Just pass this on to the system dmix
+
  type plug
+
  slave {
+
      pcm "dmix"
+
  }
+
}
+
then you can start Skype as normal, go to the audio options and select dmixout as your speaker- and ringingdevice.
+
  
=== PulseAudio ===
+
or for x86_64:
  
Sound should work out of the box, if not you can select another input using pavucontrol (you may have to install it first).
+
$ apulse32 skype
  
If you are on x86_64 and use the multilib {{Pkg|skype}} package, you also need {{Pkg|lib32-libpulse}}.
+
See [[ALSA/Troubleshooting#Setting the default microphone/capture device]] and following sections if the microphone is not working.
  
=== OSS (Pre-2.0, no longer available) ===
+
If everything is functional, modify the [[desktop entry]] in {{ic|/usr/share/applications/skype.desktop}} so that the Exec line reads:
  
Option B is preferred over other options.
+
Exec=/usr/bin/apulse32 /usr/bin/skype  %U
With option B you can use Skype AND let other programs play sound too.
+
With option C you can do that too, but option B is way easier to set up.
+
  
You can install the legacy {{Pkg|skype-oss}} from Comunity repo.
+
== Restricting Skype access ==
  
If you need 64x-86x support then download an OSS compatible version from [http://www.mediafire.com/?2ydhmj4yo3i here] and the PKGBUILD form [https://aur.archlinux.org/packages.php?ID=18312 here.] Also install {{Pkg|lib32-libxinerama}}. Finally, run
+
There are a couple of reasons you might want to restrict Skype's access to your computer:
$ makepkg -s
+
to create the pacman installable package.
+
  
==== A. With OSS or Kernel OSS emulation for ALSA ====
+
* The skype binary is disguised against decompiling, so nobody is (still) able to reproduce what it really does.
 +
* It produces encrypted traffic even when you are not actively using Skype.
  
Start Skype and make sure no other program is using your soundcard.
+
See [http://www1.cs.columbia.edu/~salman/skype/index.html] for more information.
If you want to use Skype AND let another program play sound too, look at option B instead.
+
  
==== B. Making ALSA + dMix work for Skype ====
+
Restrictions can be implemented in a number of ways, with varying ease and security. It is possible to run Skype in a container, run it as a separate user, or use the [[wikipedia:Mandatory_access_control|Mandatory Access Control]] functionality available in the Linux kernel.
  
First of all, we need to install the {{Pkg|alsa-oss}} package with [[pacman]].
+
=== systemd-nspawn ===
  
Add the following to {{ic|~/.asoundrc}}. If the file does not exist yet, just create it! (Many thanks to Lorenzo Colitti for figuring this out!)
+
{{Warning|systemd-nspawn provides the most straightforward way to run an application in a separate environment, however it is [https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html not considered] to provide a fully secure setup.}}
  
# .asoundrc to use skype at the same time as other audio apps like xmms
+
The following script will create a container in {{ic|/mnt/stor/vm/skype}} and run Skype from there on each subsequent run. Fetching the default pacman config is necessary for 64-bit systems with multilib enabled, but be careful in case you have custom repositories enabled. Note that sound and video may be broken with this method.
#
+
# Successfully tested on an IBM x40 with i810_audio using Linux 2.6.15 and
+
# Debian unstable with skype 1.2.0.18-API. No sound daemons (asound, esd, etc.)
+
# running. However, YMMV.
+
#
+
# For background, see:
+
#
+
# https://bugtrack.alsa-project.org/alsa-bug/view.php?id=1228
+
# https://bugtrack.alsa-project.org/alsa-bug/view.php?id=1224
+
#
+
# (C) 2006-06-03 Lorenzo Colitti - http://www.colitti.com/lorenzo/
+
# Licensed under the GPLv2 or later
+
+
pcm.skype {
+
    type asym
+
    playback.pcm "skypeout"
+
    capture.pcm "skypein"
+
}
+
+
pcm.skypein {
+
    # Convert from 8-bit unsigned mono (default format set by aoss when
+
    # /dev/dsp is opened) to 16-bit signed stereo (expected by dsnoop)
+
    #
+
    # We cannot just use a "plug" plugin because although the open will
+
    # succeed, the buffer sizes will be wrong and we will hear no sound at
+
    # all.
+
    type route
+
    slave {
+
      pcm "skypedsnoop"
+
      format S16_LE
+
    }
+
    ttable {
+
      0 {0 0.5}
+
      1 {0 0.5}
+
    }
+
}
+
+
pcm.skypeout {
+
    # Just pass this on to the system dmix
+
    type plug
+
    slave {
+
      pcm "dmix"
+
    }
+
}
+
+
pcm.skypedsnoop {
+
    type dsnoop
+
    ipc_key 1133
+
    slave {
+
      # "Magic" buffer values to get skype audio to work
+
      # If these are not set, opening /dev/dsp succeeds but no sound
+
      # will be heard. According to the ALSA developers this is due
+
      # to skype abusing the OSS API.
+
      pcm "hw:0,0"
+
      period_size 256
+
      periods 16
+
      buffer_size 16384
+
    }
+
    bindings {
+
      0 0
+
    }
+
}
+
  
If you get the error message :
+
{{bc|<nowiki>
 +
#!/bin/bash
 +
set -e
 +
DEST=/mnt/stor/vm/skype
 +
if [ ! -d "$DEST" ];then
 +
    sudo mkdir -p "$DEST/var/lib/pacman/";
 +
    sudo mkdir -p "$DEST/etc/"
 +
    sudo curl https://projects.archlinux.org/svntogit/packages.git/plain/trunk/pacman.conf.i686?h=packages/pacman -o "$DEST/etc/pacman.conf"
 +
    echo sudo skype | sudo pacman --arch i686 --root "$DEST" --cachedir /var/cache/pacman/pkg --config "$DEST/etc/pacman.conf" -Sy - --noconfirm
 +
    sudo systemd-nspawn -D "$DEST" groupadd skype
 +
    sudo systemd-nspawn -D "$DEST" useradd -g skype skype
 +
    sudo mkdir -p $DEST/home/skype/.config/pulse
 +
    sudo cp ~/.config/pulse/cookie $DEST/home/skype/.config/pulse/
 +
    sudo cp ~/.Xauthority $DEST/home/skype/
 +
    sudo chmod 755 -R $DEST/home/skype/
 +
    sudo chown -R 1000:1000 $DEST/home/skype/
 +
fi
 +
sudo systemd-nspawn -D "$DEST" --bind=/tmp/.X11-unix --share-system sudo -u skype env DISPLAY=:0 PULSE_SERVER=desktop skype
 +
</nowiki>}}
  
The dmix plugin supports only playback stream
+
=== Docker ===
 +
{{Warning|Running Docker has its own set of security implications and caveats. Read the main Docker article for more information.}}
  
then add the following to {{ic|.asoundrc}}:
+
Install [[Docker]] and feel free to [https://hub.docker.com/search/?q=skype&page=1&isAutomated=0&isOfficial=0&pullCount=0&starCount=0 explore Docker Hub] for Skype images prepared by users.
  
pcm.asymed {
+
A tried and tested image is [https://github.com/sameersbn/docker-skype sameersbn/skype] (hosted on Github). It uses X11 and [[PulseAudio]] unix domain sockets on the host to enable audio/video support in Skype. A wrapper script mounts the X11 and Pulseaudio sockets inside the container. The X11 socket allows for the user interface to display on the host, while Pulseaudio socket allows for the audio output to be rendered on the host. {{ic|/dev/video0}} is also mounted.
        type asym
+
        playback.pcm "dmix"
+
        capture.pcm "dsnoop"
+
}
+
+
pcm.!default {
+
        type plug
+
        slave.pcm "asymed"
+
}
+
  
 +
Container has access to {{ic|~/.Skype}} and {{ic|~/Downloads}} directories on your host system. Wrapper scripts are installed into {{ic|/usr/local/bin}}.
  
Now run Skype in this way each time you want to use it:
+
For installation use [https://github.com/sameersbn/docker-skype/blob/master/README.md upstream instructions].
ALSA_OSS_PCM_DEVICE="skype" aoss skype
+
  
Optionally you can make a script to start Skype:
+
=== Use Skype with special user ===
  
As root, create the file: {{ic|/usr/bin/askype}}
+
{{Poor writing|This section needs revising both in content and style}}
  
# Little script to run Skype correctly using the modified .asoundrc
+
{{Warning|As of version 1.16, Xorg runs as a regular user. This means a special user has no access to X. The following approach only works when enabling root for Xorg; see [[Xorg#Rootless Xorg (v1.16)]].}}
# See: https://wiki.archlinux.org/index.php/Skype for more information!
+
#
+
# Questions/Remarks: profox@debianbox.be
+
+
ALSA_OSS_PCM_DEVICE="skype" aoss skype
+
  
Now make sure every user is able to execute the file:
+
A special user can be used for running Skype within one's normal environment. Permissions will have to be set to ensure your home directory is not readable by the special Skype user (see [[File permissions and attributes]]).
# chmod a+x /usr/bin/askype
+
  
You can also fix the menu entry so you can start Skype from the your window manager's menu:
+
An AUR package, {{AUR|skype-restricted}}{{Broken package link|{{aur-mirror|skype-restricted}}}} exists that will run skype as a separate user ("_skype") cleanly. It is heavily based on the information in this section. Alternatively, one can use {{AUR|skype-secure}}, a package that works similarly to skype-restricted, but wraps around already installed Skype binary.
  
Edit the file: {{ic|/usr/share/applications/skype.desktop}}
+
Create a new group for the skype user:
 +
 
 +
# groupadd skype
 +
 
 +
Then we have to add the new user:
 +
 
 +
# useradd -m -g skype -G audio,video -s /bin/bash skype
 +
 
 +
{{Note|1=Maybe you need to add "skype" user to "pulse-access" and "pulse-rt" groups. But it works fine with "audio" and "skype" groups only.}}
 +
 
 +
Now add the following line to {{ic|/home/skype/.bashrc}}:
 +
 
 +
export DISPLAY=":0.0"
 +
 
 +
At last we define the alias (e.g. in {{ic|~/.bashrc}}):
 +
 
 +
alias skype='xhost +local: && su skype -c skype'
 +
 
 +
Now we can start Skype as the newly created user simply by running {{Ic|skype}} from the command line and entering the password of the user skype.
 +
 
 +
If you are tired of typing in the skype user's password every time, make sure you installed the [[sudo]] package, run {{Ic|visudo}} then add this line at the bottom:
 +
 
 +
%wheel ALL=(skype) NOPASSWD: /usr/bin/skype
 +
 
 +
And use this alias to launch skype:
 +
 
 +
alias skype='xhost +local: && sudo -u skype /usr/bin/skype'
 +
 
 +
{{Note|If you forget the {{ic|xhost}} command, Skype may fail with a "No protocol specified" error on stdout.}}
 +
 
 +
I noticed that the newly created user is able to read some of the files in my home directory because the permissions were a+r, so I changed them manually to a-r u+r and changed umask from 022 to 066.
 +
 
 +
In order to restrict user "skype" accessing your external drive mounted in {{ic|/media/data}} for instance, make sure first that "skype" does not belong to group "users" (if you used the default group "skype", everything should be fine), then change the accesses on the mount point:
 +
 
 +
# chown :users /media/data
 +
# chmod o-rwx /media/data
 +
 
 +
This way, it is ensured that only the owner (normally "root") and "users" can access the specified directory tree while the others, including "skype", will be forbidden.
 +
 
 +
==== Access Pulseaudio controls when using Skype as a different user ====
 +
 
 +
As the "main-user" copy /etc/pulse/default.pa to ~/.pulse/default.pa and add:
 +
 
 +
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
 +
 
 +
As the skype user, create ~/.pulse/client.conf and add:
 +
 
 +
default-server = 127.0.0.1
 +
 
 +
==== Open URLs in your user's browser ====
 +
 
 +
When one clicks URL in chat window, skype execute [[xdg-open]] to handle it. By default {{ic|xdg-open}} uses default web browser for skype user environment. In order to open links in your user's browser perform next setup.
 +
 
 +
{{Note|
 +
* [[Sudo]] should be installed and properly configured.
 +
* Current example uses [[firefox]] as preferred browser.
 +
* Do not forget to adjust ''your_user'' to proper value.
 +
}}
 +
 
 +
Log in as skype user:
 +
 
 +
$ sudo -u skype -i
 +
 
 +
Create local preferences dir:
 +
 
 +
$ mkdir -p ~/.local/share/applications
 +
 
 +
Create {{ic|/home/skype/.local/share/applications/firefox-sudo.desktop}} file:
  
 
  [Desktop Entry]
 
  [Desktop Entry]
  Name=Skype
+
  Name=Firefox
Comment=P2P software for high-quality voice communication
+
  Exec=/home/skype/firefox-wrapper %u
  Exec=askype
+
  Terminal=false
Icon=skype.png
+
  Terminal=0
+
 
  Type=Application
 
  Type=Application
Encoding=UTF-8
+
  Categories=Network;WebBrowser;
  Categories=Network;Application;
+
  
Sometimes it takes a while for Skype to start up but once it is loaded it should work ok!
+
Set {{ic|firefox-sudo.desktop}} to manage HTTP and HTTPS URLs:
  
==== C. Using OSS emulation with oss2jack ====
+
$ xdg-mime default firefox-sudo.desktop x-scheme-handler/http
 +
$ xdg-mime default firefox-sudo.desktop x-scheme-handler/https
  
{{AUR|oss2jack}} is another way to have OSS emulation without using ALSA directly. Instead, oss2jack creates a OSS device that forwards everything to JACK (JACK Audio Connection Kit), which in turn mixes, then outputs to the standard ALSA device.
+
(Optionally) add FTP handler:
  
== Securing Skype ==
+
$ xdg-mime default firefox-sudo.desktop x-scheme-handler/ftp
  
There are a couple of reasons you might want to restrict Skype's access to your computer:
+
Create {{ic|/home/skype/firefox-wrapper}} script (adjust ''your_user''):
* The skype binary is disguised against decompiling, so nobody is (still) able to reproduce what it really does.
+
 
* It produces encrypted traffic even when you are not actively using Skype.
+
#!/bin/bash
* ...
+
DISPLAY=:0.0 HOME=/home/''your_user'' sudo -u ''your_user'' /usr/lib/firefox/firefox -new-tab $1
See [http://www1.cs.columbia.edu/~salman/skype/index.html] for more information.
+
 
 +
Make it executable:
 +
 
 +
$ chmod +x ~/firefox-wrapper
 +
 
 +
Now as root user open {{ic|/etc/sudoers}}:
 +
 
 +
# visudo
 +
 
 +
And add permission for skype user to exec user's browser (adjust ''your_user''):
 +
 
 +
skype ALL=(''your_user'') NOPASSWD: /usr/lib/firefox/firefox -new-tab http*, /usr/lib/firefox/firefox -new-tab ftp*
 +
 
 +
==== Access received files ====
 +
 
 +
By default {{ic|skype}} stores received files with 600 permissions (only owner can access them). One may use {{Pkg|incron}} to perform automatic permission fix upon downloading.
 +
 
 +
{{Note|This example assumes that you configure skype to save received files into {{ic|/home/skype/downloads}}}}
 +
 
 +
Make skype home dir and download dir accessible:
 +
 
 +
# chmod 755 /home/skype /home/skype/downloads
 +
 
 +
Install incron with the {{Pkg|incron}} package from the [[official repositories]], and enable and start {{ic|incrond}} [[systemd#Using units|using systemd]].
 +
Open incrontab for root user:
 +
 
 +
# incrontab -e
 +
 
 +
Add incron job:
 +
 
 +
/home/skype/downloads IN_CREATE chmod 644 $@/$#
 +
 
 +
Save changes and exit incrontab editor.
 +
 
 +
To test incron in action just enter skype download dir and create test file:
 +
 
 +
# cd /home/skype/downloads
 +
# install -m 600 /dev/null test.txt
 +
# ls -l test.txt
 +
 
 +
File permissions should be 644 or -rw-r--r--
 +
 
 +
(Optionally) link skype download dir into your home dir:
 +
 
 +
$ ln -s /home/skype/downloads ~/skype_files
  
 
=== AppArmor ===
 
=== AppArmor ===
  
Follow the instructions [[AppArmor|here]] to set up AppArmor.
+
See the [[AppArmor]] page for how to set up AppArmor.
  
 
The userland tools for AppArmor come with a collection of example profiles. Skype is amongst them. Copy this to the directory where AppArmor profiles are stored.
 
The userland tools for AppArmor come with a collection of example profiles. Skype is amongst them. Copy this to the directory where AppArmor profiles are stored.
  # cp -ip /etc/apparmor/profiles/extras/usr.bin.skype /etc/apparmor.d/
+
 
 +
  # cp -ip /usr/share/apparmor/extra-profiles/usr.bin.skype /etc/apparmor.d/
  
 
For whatever reason, the profile is not complete. You may wish to modify it further. Here is an example for Skype 4:
 
For whatever reason, the profile is not complete. You may wish to modify it further. Here is an example for Skype 4:
  
 
{{bc|#include <tunables/global>
 
{{bc|#include <tunables/global>
 +
 
/usr/bin/skype {
 
/usr/bin/skype {
 
   #include <abstractions/audio>
 
   #include <abstractions/audio>
Line 207: Line 251:
 
   /usr/lib{,32}/skype/skype ixmr,
 
   /usr/lib{,32}/skype/skype ixmr,
 
   /usr/bin/xdg-open PUxmr,
 
   /usr/bin/xdg-open PUxmr,
 +
  /usr/bin/kde4-config PUxmr,
  
 
   # Configuration files
 
   # Configuration files
Line 239: Line 284:
 
   owner @{PROC}/[0-9]*/task/ r,
 
   owner @{PROC}/[0-9]*/task/ r,
 
   owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
 
   owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
 +
  owner @{PROC}/[0-9]*/fd/ r,
 
   /sys/devices/system/cpu/ r,
 
   /sys/devices/system/cpu/ r,
 
   /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
 
   /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
   /sys/devices/pci*/*/usb[0-9]*/*/*/*/modalias r,
+
   /sys/devices/pci*/*/usb[0-9]*/*/*/modalias r,
   /sys/devices/pci*/*/usb[0-9]*/*/*/*/video4linux/video[0-9]*/dev r,
+
   /sys/devices/pci*/*/usb[0-9]*/*/*/video4linux/video[0-9]*/dev r,
   /sys/devices/pci*/*/usb[0-9]*/*/*/{idVendor,idProduct,speed} r,
+
   /sys/devices/pci*/*/usb[0-9]*/*/{idVendor,idProduct,speed} r,
  
 
   # This probably should go to appropriate abstractions
 
   # This probably should go to appropriate abstractions
 +
  /etc/asound.conf r,
 
   owner @{HOME}/.config/fontconfig/fonts.conf r,
 
   owner @{HOME}/.config/fontconfig/fonts.conf r,
 
   owner @{HOME}/.config/gtk-3.0/bookmarks r,
 
   owner @{HOME}/.config/gtk-3.0/bookmarks r,
 +
  owner @{HOME}/.config/oxygen-gtk/argb-apps.conf rw,
 
   owner @{HOME}/.config/pulse/cookie krw,
 
   owner @{HOME}/.config/pulse/cookie krw,
 
   owner @{HOME}/.icons/** r,
 
   owner @{HOME}/.icons/** r,
   owner @{HOME}/.kde/share/config/kioslaverc r,
+
   owner @{HOME}/.kde4/share/config/kdeglobals krw,
 +
  owner @{HOME}/.kde4/share/config/gtkrc-2.0 r,
 +
  owner @{HOME}/.kde4/share/config/oxygenrc r,
 +
  /usr/share/icons/*/index.theme kr,
 +
  /usr/share/nvidia/nvidia-application-profiles-*-rc r,
  
 
   # Denials
 
   # Denials
Line 261: Line 313:
  
 
To use the profile, first be sure {{ic|securityfs}} is mounted,
 
To use the profile, first be sure {{ic|securityfs}} is mounted,
 +
 
  # mount -t securityfs securityfs /sys/kernel/security
 
  # mount -t securityfs securityfs /sys/kernel/security
  
 
Load the profile by the command,
 
Load the profile by the command,
 +
 
  # apparmor_parser -r /etc/apparmor.d/usr.bin.skype
 
  # apparmor_parser -r /etc/apparmor.d/usr.bin.skype
  
Line 270: Line 324:
 
=== TOMOYO ===
 
=== TOMOYO ===
  
Follow the instructions [[TOMOYO_Linux#TOMOYO_Linux_2.x|here]] to install TOMOYO. Please note that this section describes using TOMOYO 2.5.
+
Please note that this section describes using TOMOYO 2.5. See [[TOMOYO Linux#TOMOYO Linux 2.x]] for installation.
  
During Skype audit it was discovered that Skype reads DMI information and Mozilla profile. To give Skype minimal access to your system using TOMOYO, please follow these steps.
+
{{Note|Do not forget to populate first the {{ic|/etc/tomoyo}} directory running: {{ic|/usr/lib/tomoyo/init_policy}} }}
  
 
* Open {{ic|/etc/tomoyo/exception_policy.conf}} file and add these lines:
 
* Open {{ic|/etc/tomoyo/exception_policy.conf}} file and add these lines:
Line 280: Line 334:
 
path_group SKYPE_DIRS /home/\*/.config/Skype/\{\*\}/
 
path_group SKYPE_DIRS /home/\*/.config/Skype/\{\*\}/
 
path_group SKYPE_DIRS /usr/share/skype/\{\*\}/
 
path_group SKYPE_DIRS /usr/share/skype/\{\*\}/
path_group SKYPE_DIRS /home/pf/work/tmp/\{\*\}/
+
path_group SKYPE_DIRS /tmp/skype-\*/
 +
path_group SKYPE_DIRS /tmp/skype-\*/\{\*\}/
 +
path_group SKYPE_DIRS /home/\*/Downloads/tmp/\{\*\}/
 
path_group SKYPE_FILES /home/\*/.Skype/\{\*\}/\*
 
path_group SKYPE_FILES /home/\*/.Skype/\{\*\}/\*
 
path_group SKYPE_FILES /home/\*/.config/Skype/\{\*\}/\*
 
path_group SKYPE_FILES /home/\*/.config/Skype/\{\*\}/\*
 
path_group SKYPE_FILES /usr/share/skype/\{\*\}/\*
 
path_group SKYPE_FILES /usr/share/skype/\{\*\}/\*
path_group SKYPE_FILES /home/pf/work/tmp/\{\*\}/\*
 
 
path_group SKYPE_FILES /home/\*/.Skype/\*
 
path_group SKYPE_FILES /home/\*/.Skype/\*
 
path_group SKYPE_FILES /home/\*/.config/Skype/\*
 
path_group SKYPE_FILES /home/\*/.config/Skype/\*
 
path_group SKYPE_FILES /usr/share/skype/\*
 
path_group SKYPE_FILES /usr/share/skype/\*
path_group SKYPE_FILES /home/pf/work/tmp/\*
+
path_group SKYPE_FILES /tmp/skype-\*/\{\*\}/\*
 +
path_group SKYPE_FILES /home/\*/Downloads/tmp/\{\*\}/\*
 +
path_group SKYPE_FILES /home/\*/Downloads/tmp/\*
 
path_group ICONS_DIRS /usr/share/icons/\{\*\}/
 
path_group ICONS_DIRS /usr/share/icons/\{\*\}/
 
path_group ICONS_FILES /usr/share/icons/\{\*\}/\*
 
path_group ICONS_FILES /usr/share/icons/\{\*\}/\*
Line 295: Line 352:
 
initialize_domain /usr/lib32/skype/skype from any}}
 
initialize_domain /usr/lib32/skype/skype from any}}
  
Note that {{ic|/home/pf/work/tmp}} folder is only the folder to which Skype will be able to save received files and from which it will be able to send all files. You have to change this folder.
+
Note that {{ic|/home/*/Downloads/tmp}} folders are the only folders to which Skype will be able to save received files and from which it will be able to send all files.
  
 
* Then open {{ic|/etc/tomoyo/domain_policy.conf}} and add the following lines:
 
* Then open {{ic|/etc/tomoyo/domain_policy.conf}} and add the following lines:
  
{{bc|<kernel> /usr/bin/skype
+
{{bc|1=<kernel> /usr/bin/skype
 
use_profile 3
 
use_profile 3
 
use_group 0
 
use_group 0
Line 311: Line 368:
 
file read /usr/bin/skype
 
file read /usr/bin/skype
 
file read /usr/lib32/skype/skype
 
file read /usr/lib32/skype/skype
file execute /usr/lib32/skype/skype exec.realpath&#61;"/usr/lib32/skype/skype" exec.argv[0]&#61;"/usr/lib32/skype/skype"
+
file execute /usr/lib32/skype/skype exec.realpath="/usr/lib32/skype/skype" exec.argv[0]="/usr/lib32/skype/skype"
  
 
<kernel> /usr/lib32/skype/skype
 
<kernel> /usr/lib32/skype/skype
Line 322: Line 379:
 
file create /tmp/qtsingleapp-\*-lockfile 0600-0666
 
file create /tmp/qtsingleapp-\*-lockfile 0600-0666
 
file create @SKYPE_FILES 0600-0666
 
file create @SKYPE_FILES 0600-0666
 +
file create /dev/shm/pulse-shm-\* 0700-0777
 
file execute /usr/bin/firefox
 
file execute /usr/bin/firefox
 
file execute /usr/bin/gnome-open
 
file execute /usr/bin/gnome-open
Line 330: Line 388:
 
file ioctl /dev/video0 0-0xFFFFFFFFFFFFFFFF
 
file ioctl /dev/video0 0-0xFFFFFFFFFFFFFFFF
 
file ioctl anon_inode:inotify 0x541B
 
file ioctl anon_inode:inotify 0x541B
file ioctl socket:[family&#61;1:type&#61;2:protocol&#61;0] 0x8910
+
file ioctl socket:[family=1:type=2:protocol=0] 0x8910
file ioctl socket:[family&#61;1:type&#61;2:protocol&#61;0] 0x8933
+
file ioctl socket:[family=1:type=2:protocol=0] 0x8933
file ioctl socket:[family&#61;2:type&#61;1:protocol&#61;6] 0x541B
+
file ioctl socket:[family=2:type=1:protocol=6] 0x541B
file ioctl socket:[family&#61;2:type&#61;2:protocol&#61;17] 0x541B
+
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file ioctl socket:[family&#61;2:type&#61;2:protocol&#61;17] 0x8912
+
file ioctl socket:[family=2:type=2:protocol=17] 0x8912
file ioctl socket:[family&#61;2:type&#61;2:protocol&#61;17] 0x8927
+
file ioctl socket:[family=2:type=2:protocol=17] 0x8927
file ioctl socket:[family&#61;2:type&#61;2:protocol&#61;17] 0x8B01
+
file ioctl socket:[family=2:type=2:protocol=17] 0x8B01
file link /home/\*/.cache/fontconfig/\* /home/\*/.cache/fontconfig/\*
+
file ioctl socket:[family=2:type=2:protocol=17] 0x8B1B
 +
file ioctl socket:[family=2:type=2:protocol=17] 0x8B15
 +
file ioctl socket:[family=2:type=2:protocol=17] 0x8B05
 +
file link/rename /home/\*/.cache/fontconfig/\* /home/\*/.cache/fontconfig/\*
 
file mkdir /home/\*/.cache/fontconfig/\* 0600
 
file mkdir /home/\*/.cache/fontconfig/\* 0600
 
file mkdir @SKYPE_DIRS 0700-0777
 
file mkdir @SKYPE_DIRS 0700-0777
 
file mksock /tmp/qtsingleapp-\* 0755
 
file mksock /tmp/qtsingleapp-\* 0755
 
file read /dev/urandom
 
file read /dev/urandom
 +
file read/write/unlink/truncate /dev/shm/pulse-shm-\*
 
file read /etc/fonts/conf.avail/\*.conf
 
file read /etc/fonts/conf.avail/\*.conf
 
file read /etc/fonts/conf.d/\*.conf
 
file read /etc/fonts/conf.d/\*.conf
Line 350: Line 412:
 
file read /etc/machine-id
 
file read /etc/machine-id
 
file read /etc/nsswitch.conf
 
file read /etc/nsswitch.conf
file read /etc/passwd
 
 
file read /etc/resolv.conf
 
file read /etc/resolv.conf
 
file read /home/\*/.ICEauthority
 
file read /home/\*/.ICEauthority
Line 358: Line 419:
 
file read /home/\*/.fontconfig/\*
 
file read /home/\*/.fontconfig/\*
 
file read /home/\*/.config/fontconfig/\*
 
file read /home/\*/.config/fontconfig/\*
 +
file read /home/\*/.config/pulse/cookie
 
file read /usr/lib/locale/locale-archive
 
file read /usr/lib/locale/locale-archive
 
file read /usr/lib32/gconv/UTF-16.so
 
file read /usr/lib32/gconv/UTF-16.so
 
file read /usr/lib32/gconv/gconv-modules
 
file read /usr/lib32/gconv/gconv-modules
 
file read /usr/lib32/libv4l/v4l2convert.so
 
file read /usr/lib32/libv4l/v4l2convert.so
 +
file read /usr/lib32/libv4l/plugins/libv4l-mplane.so
 +
file read /usr/lib32/pulseaudio/libpulsecommon-5.0.so
 
file read /usr/lib32/qt/plugins/bearer/libq\*bearer.so
 
file read /usr/lib32/qt/plugins/bearer/libq\*bearer.so
 
file read /usr/lib32/qt/plugins/iconengines/libqsvgicon.so
 
file read /usr/lib32/qt/plugins/iconengines/libqsvgicon.so
Line 376: Line 440:
 
file read /usr/share/alsa/pcm/\*.conf
 
file read /usr/share/alsa/pcm/\*.conf
 
file read /usr/share/fonts/\*/\*/\*
 
file read /usr/share/fonts/\*/\*/\*
 +
file read /usr/share/locale/\*/LC_MESSAGES/\*.mo
 +
file read /usr/share/ca-certificates/mozilla/\*.crt
 +
file read /var/cache/fontconfig/\*.cache-4
 
file read @ICONS_FILES
 
file read @ICONS_FILES
file read proc:/cpuinfo
+
file read proc:/sys/vm/overcommit_memory
file read proc:/stat
+
file read /sys/devices/\*/\*/\*/\*/\*/modalias
file read proc:/sys/kernel/osrelease
+
file read /sys/devices/\*/\*/\*/\*/\*/video4linux/video0/dev
file read proc:/sys/kernel/ostype
+
file read /sys/devices/\*/\*/\*/\*/idProduct
file read sysfs:/devices/\*/\*/\*/\*/\*/\*/modalias
+
file read /sys/devices/\*/\*/\*/\*/idVendor
file read sysfs:/devices/\*/\*/\*/\*/\*/\*/video4linux/video0/dev
+
file read /sys/devices/\*/\*/\*/\*/speed
file read sysfs:/devices/\*/\*/\*/\*/\*/idProduct
+
file read /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
file read sysfs:/devices/\*/\*/\*/\*/\*/idVendor
+
file read /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
file read sysfs:/devices/\*/\*/\*/\*/\*/speed
+
file read /sys/devices/system/cpu/online
file read sysfs:/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
+
file read sysfs:/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
+
file read sysfs:/devices/system/cpu/online
+
 
file read/write /dev/snd/\*
 
file read/write /dev/snd/\*
 
file read/write /dev/video0
 
file read/write /dev/video0
Line 395: Line 459:
 
file read/write/unlink /tmp/qtsingleapp-\*
 
file read/write/unlink /tmp/qtsingleapp-\*
 
file read/write/unlink/truncate @SKYPE_FILES
 
file read/write/unlink/truncate @SKYPE_FILES
file rename /home/\*/.cache/fontconfig/\* /home/\*/.cache/fontconfig/\*
 
 
file rename @SKYPE_DIRS @SKYPE_DIRS
 
file rename @SKYPE_DIRS @SKYPE_DIRS
 
file rename @SKYPE_FILES @SKYPE_FILES
 
file rename @SKYPE_FILES @SKYPE_FILES
Line 405: Line 468:
 
network inet stream bind/listen 0.0.0.0 0-65535
 
network inet stream bind/listen 0.0.0.0 0-65535
 
network inet stream connect 0.0.0.0-255.255.255.255 0-65535
 
network inet stream connect 0.0.0.0-255.255.255.255 0-65535
network unix stream bind/listen /tmp/qtsingleapp-\*
+
network unix stream bind/listen/connect /tmp/qtsingleapp-\*
 
network unix stream connect /tmp/.ICE-unix/\*
 
network unix stream connect /tmp/.ICE-unix/\*
network unix stream connect /tmp/qtsingleapp-\*
 
 
network unix stream connect /var/run/dbus/system_bus_socket
 
network unix stream connect /var/run/dbus/system_bus_socket
 
network unix stream connect /var/run/nscd/socket
 
network unix stream connect /var/run/nscd/socket
Line 413: Line 475:
 
network unix stream connect \000/tmp/.X11-unix/X0
 
network unix stream connect \000/tmp/.X11-unix/X0
 
network unix stream connect \000/tmp/dbus-\*
 
network unix stream connect \000/tmp/dbus-\*
 +
network unix stream connect /run/user/1000/pulse/native
  
 
<kernel> /usr/lib32/skype/skype /usr/bin/xdg-open
 
<kernel> /usr/lib32/skype/skype /usr/bin/xdg-open
 
use_profile 0
 
use_profile 0
 
use_group 0
 
use_group 0
 
  
 
<kernel> /usr/lib32/skype/skype /usr/bin/gnome-open
 
<kernel> /usr/lib32/skype/skype /usr/bin/gnome-open
Line 429: Line 491:
 
* After finishing editing reload TOMOYO config files by executing these commands:
 
* After finishing editing reload TOMOYO config files by executing these commands:
  
{{bc|# tomoyo-loadpolicy -df </etc/tomoyo/domain_policy.conf
+
{{bc|# tomoyo-loadpolicy -df < /etc/tomoyo/domain_policy.conf
# tomoyo-loadpolicy -ef </etc/tomoyo/exception_policy.conf}}
+
# tomoyo-loadpolicy -ef < /etc/tomoyo/exception_policy.conf}}
  
Voilà — your Skype is sandboxed now.
+
Skype is now sandboxed.
  
Please note that this config is generated on 64-bit Arch system, and some of your ioctls and library paths may differ from mentioned above. So in order to fine-tune TOMOYO config for your Skype load {{ic|tomoyo-auditd}} daemon:
+
Please note that this config is generated on 64-bit Arch system, and some of your ioctls and library paths may differ from mentioned above. So in order to fine-tune TOMOYO config for your Skype [[start]] {{ic|tomoyo-auditd.service}}.
 
+
# systemctl start tomoyo-auditd
+
  
 
Then go to {{ic|/var/log/tomoyo}} folder and start watching {{ic|reject_003.log}}:
 
Then go to {{ic|/var/log/tomoyo}} folder and start watching {{ic|reject_003.log}}:
  
  tail -f reject_003.log
+
  $ tail -f reject_003.log
  
The output of this command will show you rejected actions for Skype, so you'll be able to add them to {{ic|domain_policy.conf}} file if needed.
+
The output of this command will show you rejected actions for Skype, so you will be able to add them to {{ic|domain_policy.conf}} file if needed.
  
Detailed guide about TOMOYO configuring can be found [http://tomoyo.sourceforge.jp/2.5/index.html.en here].
+
See [http://tomoyo.sourceforge.jp/2.5/index.html.en] for a detailed guide to TOMOYO configuration.
 
+
=== Use Skype with special user ===
+
 
+
Instead of using AppArmor or TOMOYO which require the installation of extra packages, one may prefer to add a special user. This user is only used for running Skype within one's normal environment. This approach restricts Skype to reading only the data of this particular user instead of one's main user. (The new user should not be used for any other thing. Skype only.)
+
 
+
An AUR package, [https://aur.archlinux.org/packages/skype-restricted/ skype-restricted] exists that will run skype as a separate user ("_skype") cleanly. It's heavily based on the information in this section.
+
 
+
Optionally, we first add a default group for the skype user. I will call the new user and its default group "skype". The security advantage in keeping the "skype" user in its separate group is that it can be restricted from accessing some places other users are allowed in.
+
# groupadd skype
+
Then we have to add the new user:
+
# useradd
+
Enter the details for the new user (assumed login name: "skype"). If you created the default "skype" group and want to keep "skype" outside the "users" group, enter "skype" when the wizard asks for the initial group. As additional groups we need "audio,video,pulse-access,pulse-rt".
+
 
+
Now add the following line to {{ic|/home/skype/.bashrc}}:
+
export DISPLAY=":0.0"
+
 
+
At last we define the alias (e.g. in {{ic|~/.bashrc}}):
+
alias skype='xhost +local: && su skype -c skype'
+
Now we can start Skype as the newly created user simply by running {{Ic|skype}} from the command line and entering the password of the user skype.
+
 
+
If you are tired of typing in the skype user's password every time, make sure you installed the [[sudo]] package, run {{Ic|visudo}} then add this line at the bottom:
+
%wheel ALL=(skype) NOPASSWD: /usr/bin/skype
+
 
+
And use this alias to launch skype:
+
alias skype='xhost +local: && sudo -u skype /usr/bin/skype'
+
 
+
{{Note|If you forget the {{ic|xhost}} command, Skype may fail with a "No protocol specified" error on stdout.}}
+
 
+
I noticed that the newly created user is able to read some of the files in my home directory because the permissions were a+r, so I changed them manually to a-r u+r and changed umask from 022 to 066.
+
 
+
In order to restrict user "skype" accessing your external drive mounted in {{ic|/media/data}} for instance, make sure first that "skype" does not belong to group "users" (if you used the default group "skype", everything should be fine), then change the accesses on the mount point:
+
# chown :users /media/data
+
# chmod o-rwx /media/data
+
This way, it is ensured that only the owner (normally "root") and "users" can access the specified directory tree while the others, including "skype", will be forbidden.
+
 
+
==== Open URLs in your user's browser ====
+
 
+
When one clicks URL in chat window, skype execute [[xdg-open]] to handle it. By default {{ic|xdg-open}} uses default web browser for skype user environment. In order to open links in your user's browser perform next setup.
+
 
+
{{Note|
+
* [[Sudo]] should be installed and properly configured.
+
* Current example uses [[firefox]] as preferred browser.
+
* Do not forget to adjust ''your_user'' to proper value.
+
}}
+
 
+
Log in as skype user:
+
$ sudo su - skype
+
 
+
Create local preferences dir:
+
$ mkdir -p ~/.local/share/applications
+
 
+
Create {{ic|/home/skype/.local/share/applications/firefox-sudo.desktop}} file:
+
[Desktop Entry]
+
Name=Firefox
+
Exec=/home/skype/firefox-wrapper %u
+
Terminal=false
+
Type=Application
+
Categories=Network;WebBrowser;
+
 
+
Set {{ic|firefox-sudo.desktop}} to manage HTTP and HTTPS URLs:
+
$ xdg-mime default firefox-sudo.desktop x-scheme-handler/http
+
$ xdg-mime default firefox-sudo.desktop x-scheme-handler/https
+
 
+
(Optionally) add FTP handler:
+
$ xdg-mime default firefox-sudo.desktop x-scheme-handler/ftp
+
 
+
Create {{ic|/home/skype/firefox-wrapper}} script (adjust ''your_user''):
+
#!/bin/bash
+
DISPLAY=:0.0 HOME=/home/''your_user'' sudo -u ''your_user'' /usr/lib/firefox/firefox -new-tab $1
+
 
+
Make it executable:
+
$ chmod +x ~/firefox-wrapper
+
 
+
Now as root user open {{ic|/etc/sudoers}}:
+
# visudo
+
 
+
And add permission for skype user to exec user's browser (adjust ''your_user''):
+
skype ALL=(''your_user'') NOPASSWD: /usr/lib/firefox/firefox -new-tab http*, /usr/lib/firefox/firefox -new-tab ftp*
+
 
+
==== Access received files ====
+
 
+
By default {{ic|skype}} stores received files with 600 permissions (only owner can access them). One may use [https://www.archlinux.org/packages/?sort=&q=incron incron] to perform automatic permission fix upon downloading.
+
 
+
{{Note|This example assumes that you configure skype to save received files into {{ic|/home/skype/downloads}}}}
+
 
+
Make skype home dir and download dir accessible:
+
# chmod 755 /home/skype /home/skype/downloads
+
 
+
Install incron with the {{Pkg|incron}} package from the [[official repositories]], and enable and start {{ic|incrond}} [[systemd#Using units|using systemd]].
+
Open incrontab for root user:
+
# incrontab -e
+
 
+
Add incron job:
+
/home/skype/downloads IN_CREATE chmod 644 $@/$#
+
 
+
Save changes and exit incrontab editor.
+
 
+
To test incron in action just enter skype donwload dir and create test file:
+
# cd /home/skype/downloads
+
# install -m 600 /dev/null test.txt
+
# ls -l test.txt
+
 
+
File permissions should be 644 or -rw-r--r--
+
 
+
(Optionally) link skype download dir into your home dir:
+
$ ln -s /home/skype/downloads ~/skype_files
+
  
 
== Skype plugin for Pidgin ==
 
== Skype plugin for Pidgin ==
Line 558: Line 512:
 
== Troubleshooting ==
 
== Troubleshooting ==
  
=== Skype crashes immediately ===
+
=== GUI does not match GTK Theme ===
  
Try creating the directory {{ic|~/.Skype/Logs}}.
+
See [[Uniform look for Qt and GTK applications]] for information about theming Qt based applications like [[VirtualBox]] or Skype. Also, you may need to install the {{aur|lib32-gtk-engines}} package.
  
=== Skype crashes shortly after login ===
+
=== Test call fails ===
  
If Skype crashes shortly after logging in, changing the rights for {{ic|libpulse.so.0.12.4}} (minor version might differ) and {{ic|libpulse-simple.so.0.0.3}} might fix the issue.[https://bugs.launchpad.net/ubuntu/+source/ia32-libs/+bug/646862/comments/14]
+
Call to Echo Test Service can fail with error "call failed" when the user profiles are usually corrupt. Solution is to remove the profile and file and re-add your account in Skype as seen in Ubuntu Forums.
 +
 
 +
  # rm ~/.Skype/ -rf
  
# cd /usr/lib
+
=== No video with GSPCA webcams ===
# chmod ugo-r libpulse.so.0.12.*
+
# chmod ugo-r libpulse-simple.so.0.0.3
+
  
64bit users might have to cd to {{ic|/usr/lib32}} instead.
+
Firstly, remove the Skype configuration directory. Otherwise preloading V4L libraries (see below) will not help, because old settings will override preloaded libraries. Note that all personal account settings will be lost.
  
=== I can receive multiple audio streams, but I can only send one ===
+
rm -rf ~/.Skype
 
+
Skype can send and receive audio and I still hear other sounds playing from other applications, but I cannot record my microphone with other applications. That is because Skype or aoss blocks the audio input for itself.
+
 
+
=== No video with GSPCA webcams ===
+
  
 
For i686, install {{Pkg|v4l-utils}}, userspace tools and conversion library for Video 4 Linux, and run Skype with
 
For i686, install {{Pkg|v4l-utils}}, userspace tools and conversion library for Video 4 Linux, and run Skype with
Line 600: Line 550:
 
  $ XLIB_SKIP_ARGB_VISUALS=1 skype
 
  $ XLIB_SKIP_ARGB_VISUALS=1 skype
  
=== Skype does not use my GTK+ theme, even though other Qt apps do ===
+
===Skype does not use a GTK+ theme, even though other Qt apps do===
  
 
Recent versions of Skype allow you to change the theme via the Options menu. However, selecting the GTK+ option may not work properly. This is probably because you do not have a 32-bit theme engine installed. Try to find the engine your theme uses in the multilib repository or the [[AUR]]. If you have no idea which engine your theme is using, the easiest fix is to install {{AUR|lib32-gtk-engines}}. This does however contain quite a lot of packages, so the best would be to find and install only the needed package.
 
Recent versions of Skype allow you to change the theme via the Options menu. However, selecting the GTK+ option may not work properly. This is probably because you do not have a 32-bit theme engine installed. Try to find the engine your theme uses in the multilib repository or the [[AUR]]. If you have no idea which engine your theme is using, the easiest fix is to install {{AUR|lib32-gtk-engines}}. This does however contain quite a lot of packages, so the best would be to find and install only the needed package.
  
{{Note|You may not have to install ''lib32-gtk-engines''. First try if the following steps work for you if you only install ''lib32-gtk2'' and a GTK+2 theme respectively. See also the [https://bbs.archlinux.org/viewtopic.php?pid&#61;1200975#p1200975 forums].}}
+
{{Note|You may not have to install {{AUR|lib32-gtk-engines}}. First try if the following steps work for you if you only install ''lib32-gtk2'' and a GTK+2 theme respectively. See also the [https://bbs.archlinux.org/viewtopic.php?pid&#61;1200975#p1200975 forums].}}
  
 
Once installed, it will still not work unless you have a 32-bit version of GConf installed. You could build and install {{AUR|lib32-gconf}} if desired, but there is an easier workaround. First, create or edit {{ic|~/.gtkrc-2.0}} so that it contains the following line:
 
Once installed, it will still not work unless you have a 32-bit version of GConf installed. You could build and install {{AUR|lib32-gconf}} if desired, but there is an easier workaround. First, create or edit {{ic|~/.gtkrc-2.0}} so that it contains the following line:
Line 626: Line 576:
  
 
Similarly if you have set Skype to autostart then modify {{ic|~/.config/autostart/skype.desktop}} in the same way.
 
Similarly if you have set Skype to autostart then modify {{ic|~/.config/autostart/skype.desktop}} in the same way.
 
=== The microphone does not work ===
 
 
Run amixer:
 
 
$ amixer
 
 
and check if you have an output for '''Capture''' similar to the one below.
 
 
Simple mixer control 'Capture',0
 
  Capabilities: cvolume cswitch penum
 
  Capture channels: Front Left - Front Right
 
  Limits: Capture 0 - 15
 
  Front Left: Capture 8 [53%] [12.00dB] [on]
 
  Front Right: Capture 8 [53%] [12.00dB] [on]
 
 
If your output is similar, your microphone is working just fine, and the issue is either hardware related (broken microphone) or your volume needs to be checked. If you do not have an output similar to the one above or, more specifically, if both '''Front Left''' and '''Front Right''' are 0% or show an '''[off]''' tag at the end, then your microphone settings need to be rectified.
 
 
In either case, try to run:
 
 
$ alsamixer
 
 
and press {{ic|F5}} to show all channels. Using the arrow keys navigate all the way to the end and increase '''Capture'''. If you do not see a left and right channel for '''Capture''', press the space bar. Doing this turns the left and right channels on. Check that '''Input Source''' is set to the correct value (e.g. ''[Front Mic]''): navigate through the values with up and down arrow keys. If your microphone is an array built into your monitor, or you have a similar setup, make sure to increase the volume for the '''Digital''' column too. If you have multiple microphones, you may have to play around with the '''Mic Jack''' channel to get your desired setting.
 
 
You may want to save your mixer settings with:
 
 
# alsactl -f /var/lib/alsa/asound.state store
 
  
 
=== No incoming video stream ===
 
=== No incoming video stream ===
Line 664: Line 587:
 
  LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so skype
 
  LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so skype
  
=== Low sound in Skype, but works everywhere else ===
+
A further alternative is:
  
If you are sure your microphone is configured correctly in ALSA (try recording with a 3rd-party-utility to determine whether it is an ALSA or Skype problem), it is most likely because Skype is controlling your volume levels. Simply disable this feature in the voice settings page in the Skype configuration window.
+
cd /usr/lib/lib32/libv4l &&  LD_PRELOAD=v4l1compat.so skype;
 
+
This may also help if your microphone input is automatically lowered until 0.
+
  
 
=== Monster/low-octave "growling" distortion over mic ===
 
=== Monster/low-octave "growling" distortion over mic ===
Line 674: Line 595:
 
Some users with newer kernels are experiencing a monster-like growling distortion of their sound stream on the other end of Skype. This can be fixed by creating a dummy ALSA device or by removing {{ic|~/.Skype/shared.xml}}. See https://bbs.archlinux.org/viewtopic.php?pid=819500#p819500 for more information.
 
Some users with newer kernels are experiencing a monster-like growling distortion of their sound stream on the other end of Skype. This can be fixed by creating a dummy ALSA device or by removing {{ic|~/.Skype/shared.xml}}. See https://bbs.archlinux.org/viewtopic.php?pid=819500#p819500 for more information.
  
=== Skype can only see PulseAudio, but not ALSA devices ===
+
=== Crackling/noisy sound (mainly using 64-bit OS) ===
  
Turn PulseAudio autospawn off and kill PulseAudio:
+
====Solution 1====
$ echo "autospawn = no" > ~/.pulse/client.conf
+
$ killall pulseaudio
+
And restart Skype.
+
  
=== Crackling/noisy sound (mainly using 64-bit OS) ===
+
With root privileges, edit the {{ic|/usr/bin/skype}} script to add the {{ic|PULSE_LATENCY_MSEC}} variable, changing this line:
 +
 
 +
exec "$LIBDIR/skype/skype" "$@"
 +
 
 +
to this:
 +
 
 +
PULSE_LATENCY_MSEC=60 exec "$LIBDIR/skype/skype" "$@"
 +
 
 +
====Solution 2====
  
 
Edit {{ic|/etc/pulse/default.pa}} and change the following line
 
Edit {{ic|/etc/pulse/default.pa}} and change the following line
Line 691: Line 617:
 
  load-module module-udev-detect tsched=0
 
  load-module module-udev-detect tsched=0
  
See also: [[PulseAudio#Glitches, skips or crackling]].
+
See also: [[PulseAudio/Troubleshooting#Glitches, skips or crackling]].
  
=== Problem with Audio Playback on x86_64 ===
+
=== Skype sounds stops media player or other sound sources ===
  
See [[Pulseaudio#Skype (x86_64 only)]], even if you are not using PulseAudio.
+
You can try commenting out the following modules in {{ic|/etc/pulse/default.pa}}
 +
#load-module module-role-cork
  
=== Skype sounds stops media player or other sound sources ===
+
Finally you have to restart pulseaudio:
  
You can try commenting out the following modules in {{ic|/etc/pulse/default.pa}}
+
  $ pulseaudio --kill
  #module-cork-music-on-phone
+
  $ pulseaudio --start
  #module-role-cork
+
 
 +
If restarting does not solve the sound problem try to log out and log in again.
  
 
If that does not help, you can try changing flat-volumes to no in {{ic|/etc/pulse/daemon.conf}}.
 
If that does not help, you can try changing flat-volumes to no in {{ic|/etc/pulse/daemon.conf}}.
 
  flat-volumes = no
 
  flat-volumes = no
 +
 +
If that still does not work, you can manually unload the module:
 +
 +
$ pactl unload-module module-role-cork
 +
 +
=== Skype does not start after upgrade to 4.3. ===
 +
 +
After upgrading Skype, you may see the welcome screen and contact list appear very briefly (or not at all), followed by Skype crashing. Should you run it from the terminal, the behaviour will be the same, except the message 'Aborted' will be displayed after it crashes.
 +
 +
This issue affects users that upgrade from versions prior to 4.3, and is related to database changes which are incompatible with the old version of the database.
 +
 +
Make sure Skype is not running, and run:
 +
 +
$ cd ~/.Skype/yourskypeusername
 +
$ cp main.db main.db.backup
 +
$ sqlite3 main.db
 +
update Messages
 +
set body_xml=substr(body_xml,instr(body_xml,'<files'),12)||
 +
              substr(body_xml,0,instr(body_xml,'<files'))||
 +
              substr(body_xml,instr(body_xml,'alt=')+5)
 +
where type=68 and body_xml not like '<file%';
 +
.quit
 +
 +
Now you can upgrade Skype. [http://community.skype.com/t5/Linux/Skype-4-3-crashes-with-old-chat-history/td-p/3220410/page/2]
 +
 +
Note that Skype 4.3 requires a processor with SSE2 support. Otherwise Skype will crash with an 'Aborted' message. In that case use {{AUR|skype42}}{{Broken package link|{{aur-mirror|skype42}}}} instead.
 +
 +
=== You are already signed in on this computer ===
 +
 +
If Skype is closed without the dc.lock file being deleted, it will fail to log back in.
 +
 +
To fix this, close Skype and run:
 +
 +
$ rm ~/.Skype/shared_dynco/dc.lock
 +
 +
=== Empty white screen window ===
 +
 +
If you get a white empty window when launching skype, try to autologin like this instead:
 +
 +
$ echo ''username'' ''password'' | skype --pipelogin

Latest revision as of 19:56, 21 May 2016

Installation

Note: The official Skype client for Linux has not been updated in a long time and receiving calls from the latest versions of other clients is reportedly broken.
Tip: There is also a web version of Skype available, which you might want to use if you do not trust the proprietary Skype client. You can also use it as an unofficial app: skype-desktop-binAUR. Audio/video is currently not supported because the required browser plugin is only available for OS X and Windows.

Install the skype package. If you have a 64-bit system, enable the multilib repository first, since Skype is 32-bit only.

Running Skype is just as easy. Type skype into a terminal or double-click the Skype icon on your desktop or in your DE's application menu.

Skype sound

Skype requires PulseAudio for voice communication and does not support plain ALSA.

Alternatively, if you do not want to use PulseAudio, you can install apulseAUR (and lib32-apulseAUR for x86_64 users) from the AUR, which emulates PulseAudio. Then execute Skype with:

$ apulse skype

or for x86_64:

$ apulse32 skype

See ALSA/Troubleshooting#Setting the default microphone/capture device and following sections if the microphone is not working.

If everything is functional, modify the desktop entry in /usr/share/applications/skype.desktop so that the Exec line reads:

Exec=/usr/bin/apulse32 /usr/bin/skype  %U

Restricting Skype access

There are a couple of reasons you might want to restrict Skype's access to your computer:

  • The skype binary is disguised against decompiling, so nobody is (still) able to reproduce what it really does.
  • It produces encrypted traffic even when you are not actively using Skype.

See [1] for more information.

Restrictions can be implemented in a number of ways, with varying ease and security. It is possible to run Skype in a container, run it as a separate user, or use the Mandatory Access Control functionality available in the Linux kernel.

systemd-nspawn

Warning: systemd-nspawn provides the most straightforward way to run an application in a separate environment, however it is not considered to provide a fully secure setup.

The following script will create a container in /mnt/stor/vm/skype and run Skype from there on each subsequent run. Fetching the default pacman config is necessary for 64-bit systems with multilib enabled, but be careful in case you have custom repositories enabled. Note that sound and video may be broken with this method.

 #!/bin/bash
 set -e
 DEST=/mnt/stor/vm/skype
 if [ ! -d "$DEST" ];then
     sudo mkdir -p "$DEST/var/lib/pacman/";
     sudo mkdir -p "$DEST/etc/"
     sudo curl https://projects.archlinux.org/svntogit/packages.git/plain/trunk/pacman.conf.i686?h=packages/pacman -o "$DEST/etc/pacman.conf"
     echo sudo skype | sudo pacman --arch i686 --root "$DEST" --cachedir /var/cache/pacman/pkg --config "$DEST/etc/pacman.conf" -Sy - --noconfirm
     sudo systemd-nspawn -D "$DEST" groupadd skype
     sudo systemd-nspawn -D "$DEST" useradd -g skype skype
     sudo mkdir -p $DEST/home/skype/.config/pulse
     sudo cp ~/.config/pulse/cookie $DEST/home/skype/.config/pulse/
     sudo cp ~/.Xauthority $DEST/home/skype/
     sudo chmod 755 -R $DEST/home/skype/
     sudo chown -R 1000:1000 $DEST/home/skype/
 fi
 sudo systemd-nspawn -D "$DEST" --bind=/tmp/.X11-unix --share-system sudo -u skype env DISPLAY=:0 PULSE_SERVER=desktop skype

Docker

Warning: Running Docker has its own set of security implications and caveats. Read the main Docker article for more information.

Install Docker and feel free to explore Docker Hub for Skype images prepared by users.

A tried and tested image is sameersbn/skype (hosted on Github). It uses X11 and PulseAudio unix domain sockets on the host to enable audio/video support in Skype. A wrapper script mounts the X11 and Pulseaudio sockets inside the container. The X11 socket allows for the user interface to display on the host, while Pulseaudio socket allows for the audio output to be rendered on the host. /dev/video0 is also mounted.

Container has access to ~/.Skype and ~/Downloads directories on your host system. Wrapper scripts are installed into /usr/local/bin.

For installation use upstream instructions.

Use Skype with special user

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements.Tango-edit-clear.png

Reason: This section needs revising both in content and style (Discuss in Talk:Skype#)
Warning: As of version 1.16, Xorg runs as a regular user. This means a special user has no access to X. The following approach only works when enabling root for Xorg; see Xorg#Rootless Xorg (v1.16).

A special user can be used for running Skype within one's normal environment. Permissions will have to be set to ensure your home directory is not readable by the special Skype user (see File permissions and attributes).

An AUR package, skype-restrictedAUR[broken link: archived in aur-mirror] exists that will run skype as a separate user ("_skype") cleanly. It is heavily based on the information in this section. Alternatively, one can use skype-secureAUR, a package that works similarly to skype-restricted, but wraps around already installed Skype binary.

Create a new group for the skype user:

# groupadd skype

Then we have to add the new user:

# useradd -m -g skype -G audio,video -s /bin/bash skype
Note: Maybe you need to add "skype" user to "pulse-access" and "pulse-rt" groups. But it works fine with "audio" and "skype" groups only.

Now add the following line to /home/skype/.bashrc:

export DISPLAY=":0.0"

At last we define the alias (e.g. in ~/.bashrc):

alias skype='xhost +local: && su skype -c skype'

Now we can start Skype as the newly created user simply by running skype from the command line and entering the password of the user skype.

If you are tired of typing in the skype user's password every time, make sure you installed the sudo package, run visudo then add this line at the bottom:

%wheel ALL=(skype) NOPASSWD: /usr/bin/skype

And use this alias to launch skype:

alias skype='xhost +local: && sudo -u skype /usr/bin/skype'
Note: If you forget the xhost command, Skype may fail with a "No protocol specified" error on stdout.

I noticed that the newly created user is able to read some of the files in my home directory because the permissions were a+r, so I changed them manually to a-r u+r and changed umask from 022 to 066.

In order to restrict user "skype" accessing your external drive mounted in /media/data for instance, make sure first that "skype" does not belong to group "users" (if you used the default group "skype", everything should be fine), then change the accesses on the mount point:

# chown :users /media/data
# chmod o-rwx /media/data

This way, it is ensured that only the owner (normally "root") and "users" can access the specified directory tree while the others, including "skype", will be forbidden.

Access Pulseaudio controls when using Skype as a different user

As the "main-user" copy /etc/pulse/default.pa to ~/.pulse/default.pa and add:

load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1

As the skype user, create ~/.pulse/client.conf and add:

default-server = 127.0.0.1

Open URLs in your user's browser

When one clicks URL in chat window, skype execute xdg-open to handle it. By default xdg-open uses default web browser for skype user environment. In order to open links in your user's browser perform next setup.

Note:
  • Sudo should be installed and properly configured.
  • Current example uses firefox as preferred browser.
  • Do not forget to adjust your_user to proper value.

Log in as skype user:

$ sudo -u skype -i

Create local preferences dir:

$ mkdir -p ~/.local/share/applications

Create /home/skype/.local/share/applications/firefox-sudo.desktop file:

[Desktop Entry]
Name=Firefox
Exec=/home/skype/firefox-wrapper %u
Terminal=false
Type=Application
Categories=Network;WebBrowser;

Set firefox-sudo.desktop to manage HTTP and HTTPS URLs:

$ xdg-mime default firefox-sudo.desktop x-scheme-handler/http
$ xdg-mime default firefox-sudo.desktop x-scheme-handler/https

(Optionally) add FTP handler:

$ xdg-mime default firefox-sudo.desktop x-scheme-handler/ftp

Create /home/skype/firefox-wrapper script (adjust your_user):

#!/bin/bash
DISPLAY=:0.0 HOME=/home/your_user sudo -u your_user /usr/lib/firefox/firefox -new-tab $1

Make it executable:

$ chmod +x ~/firefox-wrapper

Now as root user open /etc/sudoers:

# visudo

And add permission for skype user to exec user's browser (adjust your_user):

skype ALL=(your_user) NOPASSWD: /usr/lib/firefox/firefox -new-tab http*, /usr/lib/firefox/firefox -new-tab ftp*

Access received files

By default skype stores received files with 600 permissions (only owner can access them). One may use incron to perform automatic permission fix upon downloading.

Note: This example assumes that you configure skype to save received files into /home/skype/downloads

Make skype home dir and download dir accessible:

# chmod 755 /home/skype /home/skype/downloads

Install incron with the incron package from the official repositories, and enable and start incrond using systemd. Open incrontab for root user:

# incrontab -e

Add incron job:

/home/skype/downloads IN_CREATE chmod 644 $@/$#

Save changes and exit incrontab editor.

To test incron in action just enter skype download dir and create test file:

# cd /home/skype/downloads
# install -m 600 /dev/null test.txt
# ls -l test.txt

File permissions should be 644 or -rw-r--r--

(Optionally) link skype download dir into your home dir:

$ ln -s /home/skype/downloads ~/skype_files

AppArmor

See the AppArmor page for how to set up AppArmor.

The userland tools for AppArmor come with a collection of example profiles. Skype is amongst them. Copy this to the directory where AppArmor profiles are stored.

# cp -ip /usr/share/apparmor/extra-profiles/usr.bin.skype /etc/apparmor.d/

For whatever reason, the profile is not complete. You may wish to modify it further. Here is an example for Skype 4:

#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/audio>
  #include <abstractions/consoles>
  #include <abstractions/dbus-session>
  #include <abstractions/gnome>
  #include <abstractions/kde>
  #include <abstractions/nameservice>
  #include <abstractions/video>

  # Executables
  /usr/bin/skype ixmr,
  /usr/lib{,32}/skype/skype ixmr,
  /usr/bin/xdg-open PUxmr,
  /usr/bin/kde4-config PUxmr,

  # Configuration files
  owner @{HOME}/.Skype/ rw,
  owner @{HOME}/.Skype/** krw,
  owner @{HOME}/.config/Skype/ rw,
  owner @{HOME}/.config/Skype/** krw,

  # Downloads/uploads directory
  owner @{HOME}/Public/ rw,
  owner @{HOME}/Public/** krw,

  # Libraries
  /usr/lib{,32}/libv4l/v4l2convert.so mr,
  /usr/share/skype/lib/libQtWebKit.so.4 mr,

  # Shared data
  /usr/share/skype/ r,
  /usr/share/skype/** r,

  # Devices
  /dev/ r,
  /dev/video[0-9]* mrw,

  # System information
  /etc/machine-id r,
  @{PROC}/sys/kernel/{ostype,osrelease} r,
  @{PROC}/sys/vm/overcommit_memory r,
  @{PROC}/[0-9]*/net/arp r,
  owner @{PROC}/[0-9]*/cmdline r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/task/ r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/fd/ r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
  /sys/devices/pci*/*/usb[0-9]*/*/*/modalias r,
  /sys/devices/pci*/*/usb[0-9]*/*/*/video4linux/video[0-9]*/dev r,
  /sys/devices/pci*/*/usb[0-9]*/*/{idVendor,idProduct,speed} r,

  # This probably should go to appropriate abstractions
  /etc/asound.conf r,
  owner @{HOME}/.config/fontconfig/fonts.conf r,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/oxygen-gtk/argb-apps.conf rw,
  owner @{HOME}/.config/pulse/cookie krw,
  owner @{HOME}/.icons/** r,
  owner @{HOME}/.kde4/share/config/kdeglobals krw,
  owner @{HOME}/.kde4/share/config/gtkrc-2.0 r,
  owner @{HOME}/.kde4/share/config/oxygenrc r,
  /usr/share/icons/*/index.theme kr,
  /usr/share/nvidia/nvidia-application-profiles-*-rc r,

  # Denials
  deny owner @{HOME}/.mozilla/ r,
  deny owner @{HOME}/.mozilla/** r,
  deny /sys/devices/virtual/dmi/** r,
}
Note: This example assumes that Skype is configured to save received files into ~/Public. Feel free to change it to any folder you like.

To use the profile, first be sure securityfs is mounted,

# mount -t securityfs securityfs /sys/kernel/security

Load the profile by the command,

# apparmor_parser -r /etc/apparmor.d/usr.bin.skype

Now you can run Skype restricted but as your own user. Denials are logged in messages.log.

TOMOYO

Please note that this section describes using TOMOYO 2.5. See TOMOYO Linux#TOMOYO Linux 2.x for installation.

Note: Do not forget to populate first the /etc/tomoyo directory running: /usr/lib/tomoyo/init_policy
  • Open /etc/tomoyo/exception_policy.conf file and add these lines:
path_group SKYPE_DIRS /home/\*/.Skype/
path_group SKYPE_DIRS /home/\*/.Skype/\{\*\}/
path_group SKYPE_DIRS /home/\*/.config/Skype/\{\*\}/
path_group SKYPE_DIRS /usr/share/skype/\{\*\}/
path_group SKYPE_DIRS /tmp/skype-\*/
path_group SKYPE_DIRS /tmp/skype-\*/\{\*\}/
path_group SKYPE_DIRS /home/\*/Downloads/tmp/\{\*\}/
path_group SKYPE_FILES /home/\*/.Skype/\{\*\}/\*
path_group SKYPE_FILES /home/\*/.config/Skype/\{\*\}/\*
path_group SKYPE_FILES /usr/share/skype/\{\*\}/\*
path_group SKYPE_FILES /home/\*/.Skype/\*
path_group SKYPE_FILES /home/\*/.config/Skype/\*
path_group SKYPE_FILES /usr/share/skype/\*
path_group SKYPE_FILES /tmp/skype-\*/\{\*\}/\*
path_group SKYPE_FILES /home/\*/Downloads/tmp/\{\*\}/\*
path_group SKYPE_FILES /home/\*/Downloads/tmp/\*
path_group ICONS_DIRS /usr/share/icons/\{\*\}/
path_group ICONS_FILES /usr/share/icons/\{\*\}/\*
path_group ICONS_FILES /usr/share/icons/\*
initialize_domain /usr/bin/skype from any
initialize_domain /usr/lib32/skype/skype from any

Note that /home/*/Downloads/tmp folders are the only folders to which Skype will be able to save received files and from which it will be able to send all files.

  • Then open /etc/tomoyo/domain_policy.conf and add the following lines:
<kernel> /usr/bin/skype
use_profile 3
use_group 0

misc env \*
file read /bin/bash
file read /usr/bin/bash
file read/write /dev/tty
file read /usr/lib/locale/locale-archive
file read /usr/lib/gconv/gconv-modules
file read /usr/bin/skype
file read /usr/lib32/skype/skype
file execute /usr/lib32/skype/skype exec.realpath="/usr/lib32/skype/skype" exec.argv[0]="/usr/lib32/skype/skype"

<kernel> /usr/lib32/skype/skype
use_profile 3
use_group 0

file append /dev/snd/pcm\*
file chmod /home/\*/.Skype/ 0700
file create /home/\*/.cache/fontconfig/\* 0600-0666
file create /tmp/qtsingleapp-\*-lockfile 0600-0666
file create @SKYPE_FILES 0600-0666
file create /dev/shm/pulse-shm-\* 0700-0777
file execute /usr/bin/firefox
file execute /usr/bin/gnome-open
file execute /usr/bin/notify-send
file execute /usr/bin/opera
file execute /usr/bin/xdg-open
file ioctl /dev/snd/\* 0-0xFFFFFFFFFFFFFFFF
file ioctl /dev/video0 0-0xFFFFFFFFFFFFFFFF
file ioctl anon_inode:inotify 0x541B
file ioctl socket:[family=1:type=2:protocol=0] 0x8910
file ioctl socket:[family=1:type=2:protocol=0] 0x8933
file ioctl socket:[family=2:type=1:protocol=6] 0x541B
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file ioctl socket:[family=2:type=2:protocol=17] 0x8912
file ioctl socket:[family=2:type=2:protocol=17] 0x8927
file ioctl socket:[family=2:type=2:protocol=17] 0x8B01
file ioctl socket:[family=2:type=2:protocol=17] 0x8B1B
file ioctl socket:[family=2:type=2:protocol=17] 0x8B15
file ioctl socket:[family=2:type=2:protocol=17] 0x8B05
file link/rename /home/\*/.cache/fontconfig/\* /home/\*/.cache/fontconfig/\*
file mkdir /home/\*/.cache/fontconfig/\* 0600
file mkdir @SKYPE_DIRS 0700-0777
file mksock /tmp/qtsingleapp-\* 0755
file read /dev/urandom
file read/write/unlink/truncate /dev/shm/pulse-shm-\*
file read /etc/fonts/conf.avail/\*.conf
file read /etc/fonts/conf.d/\*.conf
file read /etc/fonts/fonts.conf
file read /etc/group
file read /etc/host.conf
file read /etc/hosts
file read /etc/machine-id
file read /etc/nsswitch.conf
file read /etc/resolv.conf
file read /home/\*/.ICEauthority
file read /home/\*/.XCompose
file read /home/\*/.Xauthority
file read /home/\*/.Xdefaults
file read /home/\*/.fontconfig/\*
file read /home/\*/.config/fontconfig/\*
file read /home/\*/.config/pulse/cookie
file read /usr/lib/locale/locale-archive
file read /usr/lib32/gconv/UTF-16.so
file read /usr/lib32/gconv/gconv-modules
file read /usr/lib32/libv4l/v4l2convert.so
file read /usr/lib32/libv4l/plugins/libv4l-mplane.so
file read /usr/lib32/pulseaudio/libpulsecommon-5.0.so
file read /usr/lib32/qt/plugins/bearer/libq\*bearer.so
file read /usr/lib32/qt/plugins/iconengines/libqsvgicon.so
file read /usr/lib32/qt/plugins/imageformats/libq\*.so
file read /usr/lib32/qt/plugins/inputmethods/libqimsw-multi.so
file read /usr/lib32/skype/skype
file read /usr/share/X11/locale/\*/Compose
file read /usr/share/X11/locale/\*/XLC_LOCALE
file read /usr/share/X11/locale/compose.dir
file read /usr/share/X11/locale/locale.alias
file read /usr/share/X11/locale/locale.dir
file read /usr/share/alsa/alsa.conf
file read /usr/share/alsa/cards/\*.conf
file read /usr/share/alsa/pcm/\*.conf
file read /usr/share/fonts/\*/\*/\*
file read /usr/share/locale/\*/LC_MESSAGES/\*.mo
file read /usr/share/ca-certificates/mozilla/\*.crt
file read /var/cache/fontconfig/\*.cache-4
file read @ICONS_FILES
file read proc:/sys/vm/overcommit_memory
file read /sys/devices/\*/\*/\*/\*/\*/modalias
file read /sys/devices/\*/\*/\*/\*/\*/video4linux/video0/dev
file read /sys/devices/\*/\*/\*/\*/idProduct
file read /sys/devices/\*/\*/\*/\*/idVendor
file read /sys/devices/\*/\*/\*/\*/speed
file read /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
file read /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
file read /sys/devices/system/cpu/online
file read/write /dev/snd/\*
file read/write /dev/video0
file read/write/truncate /home/\*/.config/Trolltech.conf
file read/write/unlink /home/\*/.cache/fontconfig/\*
file read/write/unlink /tmp/qtsingleapp-\*
file read/write/unlink/truncate @SKYPE_FILES
file rename @SKYPE_DIRS @SKYPE_DIRS
file rename @SKYPE_FILES @SKYPE_FILES
file rmdir @SKYPE_DIRS
misc env \*
network inet dgram bind 0.0.0.0 0-65535
network inet dgram bind 127.0.0.1 0
network inet dgram bind/send 0.0.0.0-255.255.255.255 0-65535
network inet stream bind/listen 0.0.0.0 0-65535
network inet stream connect 0.0.0.0-255.255.255.255 0-65535
network unix stream bind/listen/connect /tmp/qtsingleapp-\*
network unix stream connect /tmp/.ICE-unix/\*
network unix stream connect /var/run/dbus/system_bus_socket
network unix stream connect /var/run/nscd/socket
network unix stream connect \000/tmp/.ICE-unix/\*
network unix stream connect \000/tmp/.X11-unix/X0
network unix stream connect \000/tmp/dbus-\*
network unix stream connect /run/user/1000/pulse/native

<kernel> /usr/lib32/skype/skype /usr/bin/xdg-open
use_profile 0
use_group 0

<kernel> /usr/lib32/skype/skype /usr/bin/gnome-open
use_profile 0
use_group 0

<kernel> /usr/lib32/skype/skype /usr/bin/notify-send
use_profile 0
use_group 0
  • After finishing editing reload TOMOYO config files by executing these commands:
# tomoyo-loadpolicy -df < /etc/tomoyo/domain_policy.conf
# tomoyo-loadpolicy -ef < /etc/tomoyo/exception_policy.conf

Skype is now sandboxed.

Please note that this config is generated on 64-bit Arch system, and some of your ioctls and library paths may differ from mentioned above. So in order to fine-tune TOMOYO config for your Skype start tomoyo-auditd.service.

Then go to /var/log/tomoyo folder and start watching reject_003.log:

$ tail -f reject_003.log

The output of this command will show you rejected actions for Skype, so you will be able to add them to domain_policy.conf file if needed.

See [2] for a detailed guide to TOMOYO configuration.

Skype plugin for Pidgin

See Pidgin#Skype plugin.

Troubleshooting

GUI does not match GTK Theme

See Uniform look for Qt and GTK applications for information about theming Qt based applications like VirtualBox or Skype. Also, you may need to install the lib32-gtk-enginesAUR package.

Test call fails

Call to Echo Test Service can fail with error "call failed" when the user profiles are usually corrupt. Solution is to remove the profile and file and re-add your account in Skype as seen in Ubuntu Forums.

 # rm ~/.Skype/ -rf

No video with GSPCA webcams

Firstly, remove the Skype configuration directory. Otherwise preloading V4L libraries (see below) will not help, because old settings will override preloaded libraries. Note that all personal account settings will be lost.

rm -rf ~/.Skype

For i686, install v4l-utils, userspace tools and conversion library for Video 4 Linux, and run Skype with

LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so skype

to start Skype with v4l1 compatibility.

For x86_64, install lib32-v4l-utils from [multilib] repository and run Skype with

LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so skype

To make it running from DE menus and independent of Skype updates, you can add alias (e.g. in ~/.bashrc):

alias skype='LD_PRELOAD=/usr/libxx/libv4l/v4l1compat.so skype'

where libxx should be edited as appropriate.

No video with Compiz

Try launching Skype setting an environment variable like this:

$ XLIB_SKIP_ARGB_VISUALS=1 skype

Skype does not use a GTK+ theme, even though other Qt apps do

Recent versions of Skype allow you to change the theme via the Options menu. However, selecting the GTK+ option may not work properly. This is probably because you do not have a 32-bit theme engine installed. Try to find the engine your theme uses in the multilib repository or the AUR. If you have no idea which engine your theme is using, the easiest fix is to install lib32-gtk-enginesAUR. This does however contain quite a lot of packages, so the best would be to find and install only the needed package.

Note: You may not have to install lib32-gtk-enginesAUR. First try if the following steps work for you if you only install lib32-gtk2 and a GTK+2 theme respectively. See also the forums.

Once installed, it will still not work unless you have a 32-bit version of GConf installed. You could build and install lib32-gconfAUR if desired, but there is an easier workaround. First, create or edit ~/.gtkrc-2.0 so that it contains the following line:

$ gtk-theme-name = "My theme"

Replace My theme by the name of your theme, but leave the quotes. Second, run Skype like this:

$ export GTK2_RC_FILES="/etc/gtk-2.0/gtkrc:$HOME/.gtkrc-2.0"
$ skype

The GTK+ theme should now appear correctly. You can make this permanent either by running Skype from a script containing the above 2 lines, or by exporting GTK2_RC_FILES in ~/.xprofile or ~/.xinitrc, depending on how you start X.

If you cannot change the theme in the Options menu, run Skype using the following command:

$ /usr/bin/skype --disable-cleanlooks -style GTK

If you wish menus within desktop environments to load Skype with a GTK+ theme by default then modify the 'Exec' line of /usr/share/applications/skype.desktop so that it reads:

$ Exec=/usr/bin/skype --disable-cleanlooks -style GTK

Similarly if you have set Skype to autostart then modify ~/.config/autostart/skype.desktop in the same way.

No incoming video stream

If skype shows a black square for the video preview, but something else (like xawtv -c /dev/video0) shows video correctly, you might need to start Skype with:

export XLIB_SKIP_ARGB_VISUALS=1 && skype

Another possible workaround is to preload v4l1compat.so:

LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so skype

A further alternative is:

cd /usr/lib/lib32/libv4l &&  LD_PRELOAD=v4l1compat.so skype;

Monster/low-octave "growling" distortion over mic

Some users with newer kernels are experiencing a monster-like growling distortion of their sound stream on the other end of Skype. This can be fixed by creating a dummy ALSA device or by removing ~/.Skype/shared.xml. See https://bbs.archlinux.org/viewtopic.php?pid=819500#p819500 for more information.

Crackling/noisy sound (mainly using 64-bit OS)

Solution 1

With root privileges, edit the /usr/bin/skype script to add the PULSE_LATENCY_MSEC variable, changing this line:

exec "$LIBDIR/skype/skype" "$@"

to this:

PULSE_LATENCY_MSEC=60 exec "$LIBDIR/skype/skype" "$@"

Solution 2

Edit /etc/pulse/default.pa and change the following line

load-module module-udev-detect

to

load-module module-udev-detect tsched=0

See also: PulseAudio/Troubleshooting#Glitches, skips or crackling.

Skype sounds stops media player or other sound sources

You can try commenting out the following modules in /etc/pulse/default.pa

#load-module module-role-cork

Finally you have to restart pulseaudio:

$ pulseaudio --kill
$ pulseaudio --start

If restarting does not solve the sound problem try to log out and log in again.

If that does not help, you can try changing flat-volumes to no in /etc/pulse/daemon.conf.

flat-volumes = no

If that still does not work, you can manually unload the module:

$ pactl unload-module module-role-cork

Skype does not start after upgrade to 4.3.

After upgrading Skype, you may see the welcome screen and contact list appear very briefly (or not at all), followed by Skype crashing. Should you run it from the terminal, the behaviour will be the same, except the message 'Aborted' will be displayed after it crashes.

This issue affects users that upgrade from versions prior to 4.3, and is related to database changes which are incompatible with the old version of the database.

Make sure Skype is not running, and run:

$ cd ~/.Skype/yourskypeusername
$ cp main.db main.db.backup
$ sqlite3 main.db
update Messages 
set body_xml=substr(body_xml,instr(body_xml,'<files'),12)||
             substr(body_xml,0,instr(body_xml,'<files'))||
             substr(body_xml,instr(body_xml,'alt=')+5) 
where type=68 and body_xml not like '<file%';
.quit

Now you can upgrade Skype. [3]

Note that Skype 4.3 requires a processor with SSE2 support. Otherwise Skype will crash with an 'Aborted' message. In that case use skype42AUR[broken link: archived in aur-mirror] instead.

You are already signed in on this computer

If Skype is closed without the dc.lock file being deleted, it will fail to log back in.

To fix this, close Skype and run:

$ rm ~/.Skype/shared_dynco/dc.lock

Empty white screen window

If you get a white empty window when launching skype, try to autologin like this instead:

$ echo username password | skype --pipelogin