OS X add-on access to system
#1
Wink 
Hey there,

I have a major question about add-ons in XBMC. I have been asked how much access an add-on has to the system that XBMC is running on. Here is the scenario: XBMC is running on Mac OS X on a productive system that stores important data. Are add-ons prevented from any major access to the system XBMC is running on, or do all add-ons have access to any part of the OS the user has access to with their current user privileges? In the case of an admin user running XBMC that would be pretty much everything. (I know users should not be granted admin rights, but we all know most users are admins on their PCs.)

I personally hope that add-ons are limited in their access to the system. Add-ons should be able to access any part of XBMC itself, but I hope they are forbidden any access to resources outside XBMC.

I hope someone can clarify this. In my opinion this is a very important security aspect.

thanks to everyone reading this
Reply
#2
In short: all access.
They are pure Python and can use the Python libs to access all files.

All add-ons in our repo have been checked on what they actually do on your system.
All add-ons outside our repo....
Reply
#3
Alright, that helps to know... not the answer I was hoping for, but sounds fair enough... I had a user running Mashup, which is not part of your repo and therefore not safe...

thanks a million
Reply
#4
You don't need to let your users run as admin though, do you?
Reply
#5
I'd advise you to be careful regarding what you install on your system. Despite being open source, anything not in the xbmc.org repository has its risks, and the chances the code is reviewed are near 0 (even open source). Even if it is here on the forum, if it is on a third-party repo... it has its risks.

My addon (p2p-streams) is a clear example of what can be done and of the freedom addons have to harm your system if I want to. I'm shipping closed-source executables (they are exactly the same files you download from the sopcast or acestream websites), but yet... they are closed source. Windows users have to run the addon as administrator the first time to configure sopcast (to create and configure a Windows service). I could easily take advantage of this fact to escalate to admin on your systems. I could easily modify one executable to be blended with a trojan, for example.
Most of the passwords you store in your addons are not encrypted; any addon can access them.
That being said, xbmc is insecure by design. In my opinion this is not exactly a fault... it is software intended to be running on a dedicated HTPC. You should not store any personal/sensitive data on an HTPC, or if you do, you should be careful about what you install.


Regarding Mashup (I know this can't be discussed here, so sorry for that), I recall I had that installed on a computer a long time ago for testing only. A short time after that, loads of ads started to pop up everywhere in xbmc. I can't say whether it messed with my system or just with my xbmc configuration, but the simple fact that this happened was a clear sign of risk.
Two days ago I tried to look at their repo to check which addons they had (or xfinity, I don't remember) and I found some full of code obfuscation everywhere.
At first glance it seemed they were not doing anything harmful (just protecting illegal sources from being easily spotted), but will you look at 1000 lines of obfuscated code?
I mean, for example, every variable was stored as 0o0o0o01o0o02o0 = "plugin.video.blablabla", xbmcplayer=020230sdsa3d, and so on...
At line 30 or something the code was looking something like url.open(o020202o202).o110o0o0o1.o010ao001o10.replace("30ddfd0e03","3fsdfsdf9").

Moral of the story,
As with anything tech related, be careful and try to review anything you install. For your safety and for others' safety.
Reply
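The two points made above, that an add-on is plain Python running with the user's privileges (#2) and that settings written by one add-on, passwords included, are readable by any other add-on (#5), can be shown concretely. The following is an added example and is not code from this thread or from XBMC/Kodi: an audit script that does nothing an ordinary add-on could not do. It reads every add-on's settings.xml under the profile and lists secret-looking values stored in plain text, and it scores add-on source files for the look-alike identifier obfuscation described in #5. Assumptions: the XBMC/Kodi profile layout userdata/addon_data/<id>/settings.xml and addons/<id>/*.py (both the old value="..." and the newer element-text setting format are handled); the list of secret-like setting names and the obfuscation heuristic are this example's own choices; the sample profile it scans is constructed in a temporary directory, not real user data.

```python
"""Added example (not from the thread or from XBMC/Kodi): audit what any
add-on could read or do, since add-ons are plain Python with user privileges.
Assumptions: Kodi/XBMC layout userdata/addon_data/<id>/settings.xml and
addons/<id>/*.py.  The secret-name hints and the obfuscation heuristic are
this example's own choices; the sample profile below is constructed data."""
import keyword
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SECRET_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key")
# Identifiers made only of look-alike characters, e.g. O0O0OO or l1Il1I_.
LOOKALIKE = re.compile(r"^[0oO1lI_]{6,}$")
TOKEN = re.compile(r"\b[0-9A-Za-z_]+\b")


def find_plaintext_secrets(profile_root):
    """Return (addon_id, setting_id, value) for every secret-looking setting
    that any add-on has written to userdata/addon_data/<id>/settings.xml."""
    found = []
    addon_data = os.path.join(profile_root, "userdata", "addon_data")
    if not os.path.isdir(addon_data):
        return found
    for addon_id in sorted(os.listdir(addon_data)):
        path = os.path.join(addon_data, addon_id, "settings.xml")
        if not os.path.isfile(path):
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # malformed file: skip, nothing to report
        for setting in root.iter("setting"):
            sid = setting.get("id", "")
            # Old format: value="..." attribute; newer Kodi: element text.
            value = setting.get("value")
            if value is None:
                value = (setting.text or "").strip()
            if value and any(h in sid.lower() for h in SECRET_HINTS):
                found.append((addon_id, sid, value))
    return found


def obfuscation_score(source):
    """Fraction of identifiers that are look-alike strings such as O0O0OO.
    Ordinary code scores 0.0; heavily obfuscated scripts score far higher."""
    idents = [t for t in TOKEN.findall(source)
              if not t.isdigit() and not keyword.iskeyword(t)]
    if not idents:
        return 0.0
    return sum(1 for t in idents if LOOKALIKE.match(t)) / len(idents)


def scan_addon_sources(profile_root, threshold=0.3):
    """Return {addon_id: score} for add-ons whose .py files exceed threshold."""
    flagged = {}
    addons_dir = os.path.join(profile_root, "addons")
    if not os.path.isdir(addons_dir):
        return flagged
    for addon_id in sorted(os.listdir(addons_dir)):
        best = 0.0
        for dirpath, _, files in os.walk(os.path.join(addons_dir, addon_id)):
            for name in files:
                if name.endswith(".py"):
                    with open(os.path.join(dirpath, name), encoding="utf-8",
                              errors="replace") as fh:
                        best = max(best, obfuscation_score(fh.read()))
        if best >= threshold:
            flagged[addon_id] = round(best, 2)
    return flagged


# Constructed sample data (not real add-ons or credentials).
SETTINGS_OLD = ('<settings>\n  <setting id="username" value="alice" />\n'
                '  <setting id="password" value="hunter2" />\n</settings>\n')
SETTINGS_NEW = ('<settings version="2">\n  <setting id="api_token">tok-123</setting>\n'
                '  <setting id="quality">720p</setting>\n</settings>\n')
CLEAN_SRC = "import xbmcplugin\n\ndef play(url):\n    return xbmcplugin.setResolvedUrl(url)\n"
OBF_SRC = ("O0O0OO = 'plugin.video.blablabla'\nO0OO0O = O0O0OO.replace('a', 'b')\n"
           "OO00O0 = O0OO0O.split('.')\n")


def build_sample_profile():
    """Create a throwaway profile directory populated with the sample data."""
    root = tempfile.mkdtemp(prefix="xbmc_profile_")
    for addon_id, xml in (("plugin.video.example", SETTINGS_OLD),
                          ("plugin.video.other", SETTINGS_NEW)):
        d = os.path.join(root, "userdata", "addon_data", addon_id)
        os.makedirs(d)
        with open(os.path.join(d, "settings.xml"), "w", encoding="utf-8") as fh:
            fh.write(xml)
    for addon_id, src in (("plugin.video.clean", CLEAN_SRC),
                          ("plugin.video.shady", OBF_SRC)):
        d = os.path.join(root, "addons", addon_id)
        os.makedirs(d)
        with open(os.path.join(d, "default.py"), "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


def demo():
    root = build_sample_profile()
    return {"secrets": find_plaintext_secrets(root),
            "obfuscated": scan_addon_sources(root)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real profile by passing the XBMC/Kodi data directory to find_plaintext_secrets and scan_addon_sources instead of the constructed one; nothing in the script needs the xbmc modules or any privilege an add-on would not already have. The obfuscation score is only a heuristic for triage: a high score is a reason to read the code, not proof of malice, and a low score does not make an add-on safe.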
#6
Thanks for the reply.

Yes I made sure XBMC is deleted from any system that is not a HTPC. You never know what kind of add-ons are loaded.

I got rid of all XBMC files in the Application folder in Mac OS and also found a XBMC directory under /User/Userxyz/Library/ApplicationSupport and a file under /var/ .... and a .XMBC in the home directory.

Hope that's been all.

The system runs Sophos Anti Virus Software and the Scan last night finished without any negative results so my spirits are high that no harm has been done.

Any other recommendations?

I just ordered a Raspberry Pi. Does anyone have a tip or advice on which is better, OpenELEC or RaspBMC?
Reply
