
Charles on… anything that comes along

Friday 17 December 2004

Filed under: — Charles @ 6:21 pm

Update on Dashboard and security risk: why should Dashboard code have root privileges?

Just to return to this topic briefly… back in July, Dave Hyatt (head developer for Safari/Webkit, the HTML rendering engine on OSX) wrote about what a Dashboard widget in Tiger will need: A Dashboard widget is a bundle that contains a principal HTML file and any supporting code that the widget requires (be it CSS, JS, images, or native code). A widget can add an optional interface to native code, written in Objective-C, that can be bound into JavaScript and made accessible from the HTML document’s JS window object.

(Bear with me. We’ll get there.)

Anyway, some points about this model.
(1) The native plugin code must be owned by root. This means that in order for a Dashboard widget that contains one of these special types of plugins to execute that code, you have to enter a root account password (to chown the plugin code). This plugin code cannot execute, therefore, without the widget being ‘blessed’ just as an application that you might install on your system must be.

That’s the bit which worries me: the Javascript being owned by root, the super-super-user on an OSX (or any *nix) machine. I really hope wiser heads have since prevailed and that in the finished product there’s a special user called, say, “dashboard” (just as there are special invisible users called “mysql” and “www” and “postfix” on OSX machines already, for the open-source database and the web server and mail program) which does not have unlimited authority to do things on your machine. Else this could get ugly.

5 Responses to “Update on Dashboard and security risk: why should Dashboard code have root privileges?”

  1. rohanl Says:

    The quote says that the plugin must be owned by root, not that it is run as root. I bet it also checks that the plugin is not writable. The code would be run as the currently logged in user.

    Checking that the code is owned by root before running it provides good security. In order for someone to install a trojan horse, they have to become root first. And if they can do that, then there’s no point installing a trojan because they can do anything the trojan could do anyway.

    This is similar to the way the kernel refuses to load kernel extensions unless they are owned by root with the correct permissions.

    Absolutely nothing to worry about!

  2. Xavier Says:

    I concur with the previous poster:

    if the app “belonged” (was owned) to the user who installed it, it could only be run by her.
    Check any app that OS X came with. And the ones you installed.
    They “belong to root”, and the group “admin” and “world” (all) have execution rights on them.

    So what happens when installing an app? (And WHY do we have to use an installer most of the time?)
    Well, most of the time, an installer does one and only one thing: get permission from an admin user (you, or the one you sign in as when authenticating on install) to change the owner of the app to “root” AND give “all” execution permissions. (and to the “admin” group too)

    => as seen in a ls -al:
    drwxrwxr-x 3 root admin

    If you install apps by drag and dropping them (Office install for example),
    they can get execute permission for all though. But they are owned by you.

    But if you create a widget and want to use it and let others do, you have to give it execute permission for all. And to make it clean don’t let it be owned by you. But by root. So any admin user can play with it without having to own it, just by belonging to the “admin” group.
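The check rohanl describes (refuse to load native code unless it is owned by root and not writable by anyone else) and the ownership/permission layout Xavier shows in his ls -al line can be expressed as a small audit script. The following is an added example written for this page, not Apple’s Dashboard code and not a description of how Tiger actually performs the check: it walks a widget bundle, flags any entry that is not owned by the trusted uid (root by default), any entry that is group- or world-writable, and any symlink that could point outside the bundle. The demo() function builds a constructed throwaway bundle with a deliberately world-writable plugin, audits it, repairs the mode, and audits again; it uses the current user as the trusted uid only because a test cannot create root-owned files.

```python
import os
import shutil
import stat
import tempfile

# Mode bits that must be clear on every entry of a trusted bundle: if group or
# world can write, anyone in that group (or anyone at all) can swap the code
# out after the owner "blessed" it, and the ownership check no longer means much.
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def check_entry(path, trusted_uid=0):
    """Return a list of problems found with one filesystem entry (empty = fine)."""
    st = os.lstat(path)           # lstat: inspect the link itself, never follow it
    perms = stat.filemode(st.st_mode)   # ls-style string such as drwxrwxr-x
    problems = []
    if stat.S_ISLNK(st.st_mode):
        # A symlink inside the bundle can redirect the loader to a file whose
        # ownership and mode were never audited, so refuse it outright.
        problems.append(f"{path}: symlink inside bundle")
        return problems
    if st.st_uid != trusted_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & UNSAFE_WRITE_BITS:
        problems.append(f"{path}: group- or world-writable ({perms})")
    return problems


def audit_bundle(bundle_dir, trusted_uid=0):
    """Audit a bundle directory and everything below it; return all problems."""
    problems = check_entry(bundle_dir, trusted_uid)
    for root, dirs, files in os.walk(bundle_dir):   # does not follow symlinks
        for name in dirs + files:
            problems.extend(check_entry(os.path.join(root, name), trusted_uid))
    return problems


def demo():
    """Build a constructed bundle, audit it, fix the bad mode, audit again.

    Returns (problems_before_fix, problems_after_fix). The trusted uid is the
    current user rather than root because the demo cannot create root-owned
    files; the logic is identical with trusted_uid=0.
    """
    me = os.getuid()
    base = tempfile.mkdtemp()
    bundle = os.path.join(base, "Demo.wdgt")        # constructed sample bundle
    os.mkdir(bundle, 0o755)
    html = os.path.join(bundle, "Demo.html")
    plugin = os.path.join(bundle, "Demo.plugin")    # stands in for native code
    with open(html, "w") as f:
        f.write("<html><body>demo widget</body></html>")
    with open(plugin, "wb") as f:
        f.write(b"constructed placeholder, not a real plugin\n")
    os.chmod(html, 0o644)
    os.chmod(plugin, 0o777)   # deliberately world-writable: the defect to catch
    try:
        before = audit_bundle(bundle, trusted_uid=me)
        os.chmod(plugin, 0o755)   # the repair: rwxr-xr-x, as in Xavier's ls -al
        after = audit_bundle(bundle, trusted_uid=me)
    finally:
        shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", *before, sep="\n  ")
    print("after fix:", after)
```

Run as a script it prints the single world-writable finding, then an empty list after the chmod. Pointed at a real bundle with the default trusted_uid=0, a non-empty result means the ownership rule rohanl relies on has already been broken, because a non-root user was able to write into the bundle.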

  3. Charles Says:

    Okay! I’ll accept that this won’t have root permissions. I understand! However… I still suspect that Widgets are going to be prime hunting territory for people seeking to put Trojans on Macs.

  4. Dwayne Says:

    Widgets are awesome! I want to create one myself, but my knowledge is limited. How does a highly creative person make a simple widget?
    thanks,
    Dwayne

  5. Charles Says:

    Check out Apple’s developer website http://www.developer.apple.com tons of stuff there. If you’ve got Tiger (and I guess you do) then the developer tools are on the install DVD, and you ought to install them. Plenty of free info around.
