Arch Linux User Repository

There is a problem with Skype being stuck on the login screen on first launch. That happens when your org.freedesktop.secrets provider doesn't have a keyring configured, i.e. also first launch.

I don't know if this is a quirk of libsecret or Skype itself, but we can't do pretty much anything about it anyway.

Solutions are simple though:

1. Despite the login screen being stuck, the login itself is actually successful. So just kill it and run Skype again, it should be fine after that.

2. Configure your default keyring manually (using seahorse, kwalletmanager etc.) before running Skype.

To get automatic login, install a package that provides org.freedesktop.secrets, e.g. gnome-keyring.

To get a systray icon, install libappindicator-gtk3. On GNOME, then install the appindicator extension.

@bulletmark the problem is that userns (user namespaces) is not enabled, and won't be enabled in forseeable future on linux-hardened, as well as it can be manually disabled by the user. The reason for that is that there were many CVE-s regarding it throughout history, and conceptually, userns exposes a lot of old code to a situation where it was never designed to run (assumed root, but only inside the namespace). I'm not a kernel developer though, so this is only what I've read, and personally, I follow with the conclusion.

For skype, this situation is problematic though. Nobody ever wants SUID for skype (except for Microsoft). While the chromium binary remains SUID, it can be "worked-around" with a symlink. But we can't make it the default because not all people have chromium installed, and there's no package saying "just give me chromium-s SUID, but not the whole browser".

To resolve the current situation. Maybe we should create an INSTALL script that queries userns state from the kernel, and if it is set to true, warns user about the situation and suggests a work-around for them?

@bulletmark Upgraded the kernel to 5.2.8 and it works. Thanks!

@h-pixako Look in your journal or perhaps run from the command line to see the error. Did you read the discussion below? You appear to be running an old kernel. You can try working around this with sudo sysctl kernel.unprivileged_userns_clone=1. This is the default since 5.1.8 (Arch is currently on 5.2.9) so should be fine on up to date systems.

Silently terminates after the last update: Remove setuid permission on chrome-sandbox.

Had to checkout the last working commit: 577cb2259ace

OS: 4.19.66-1-MANJARO x86_64 GNU/Linux

@bulletmark Oh okay, that's great. Thanks for doing your research :p

@vasya @zeroxfourc, See https://github.com/electron/electron/issues/17972. I will simply remove the setuid change it seems to me that anybody running a recent Arch kernel should not require it. Note work-around 1 commented here https://github.com/electron/electron/issues/17972#issuecomment-516957971 and see https://bbs.archlinux.org/viewtopic.php?id=247016.

@vasya That's definitely a much better solution. I'd suggest to use a bit more intuitive names though, like skypeforlinux-sandbox for the dependency and skypeforlinux-sandbox-default and skypeforlinux-sandbox-chromium for the packages providing it.

In fact, one would probably have to make separate packages for the stable and preview versions' sandboxes and then have skypeforlinux-sandbox-chromium provide them both in case there's some incompatibility.

@zeroxfourc one other alternative that I can think:

• make skype depend on skype-suid.
• create package skype-use-chromium-suid which provides skype-suid, depends on chromium and installs just a symlink.
• create a package skype-native-suid which provides skype-suid and takes the suid from skype binaries themselves.

This requires creating 2 more packages though (maybe one if skype-native-suid would be made a split package). But it'll remain valid even when packages are installed/removed, presuming dependencies are still satisfied.

By the way, shameless plug: AUR helper named "rua" can detect SUID for you, so you have more trust/understanding of what you install. https://github.com/vn971/rua once the PR-s get merged, there is support for upstream diffs and split package support as well. Feel free to comment/ask on corresponding package.

@bulletmark @vasya I had a go at making a .install file:

post_install() {
    if [[ -e /usr/lib/chromium/chrome-sandbox ]]; then
        mv /usr/share/skypeforlinux/chrome-sandbox /usr/share/skypeforlinux/.chrome-sandbox
        ln -s /usr/lib/chromium/chrome-sandbox /usr/share/skypeforlinux/chrome-sandbox
        echo
        echo "==> The Skype-provided chrome-sandbox binary has been replaced"
        echo "==> with the one from the chromium package, as it is a potential"
        echo "==> security risk. To restore the original chrome-sandbox binary,"
        echo "==> run the following commands as root:"
        echo "==>"
        echo "==> cd /usr/share/skypeforlinux"
        echo "==> mv .chrome-sandbox chrome-sandbox"
        echo "==> chmod 4755 chrome-sandbox"
        echo
    else
        chmod 4755 /usr/share/skypeforlinux/chrome-sandbox
        echo
        echo "==> The Skype-provided chrome-sandbox binary is a potential security"
        echo "==> risk. It's possible to replace it with the one from the chromium"
        echo "==> package, to do this install the chromium package and run the"
        echo "==> following commands as root:"
        echo "==>"
        echo "==> cd /usr/share/skypeforlinux"
        echo "==> mv chrome-sandbox .chrome-sandbox"
        echo "==> ln -s /usr/lib/chromium/chrome-sandbox chrome-sandbox"
        echo
    fi
}

post_upgrade() {
    post_install
}

@vasya @bulletmark I just tried launching Skype with Chromium's sandbox and it worked. Maybe the package should have Chromium as an optdepend and a .install file that symlinks its sandbox into place if it exists and prints instructions on how to undo that if it would stop working? It would be really hacky but I'm really not comfortable giving Microsoft-compiled binaries root access on my machine.