
Linux How much "malicious" can add-ons get?
#1
Yesterday I installed a 3rd party add-on (on my RaPI), but I immediately regretted it 'cause I felt like I compromised the security of my Raspberry.

Obviously most of this thought is just me being paranoid, but I was wondering: if I delete/disable the add-on, and it was indeed malicious, could it have a way that it infected my whole system and that uninstalling it won't make a difference? I was wondering, what kind of things can an add-on do? I've installed just a Subtitles addon. But can it execute arbitrary code, for example? Can it use system calls and access the whole filesystem?

Thanks in advance.
#2
Addons are not sandboxed; they can potentially run code to access anything on your system and, if network connected, anything on your network too. This is why we repeatedly say to only install stuff from known good sources. As for uninstalling and whether that may still leave stuff behind, then yes, that can be an issue. We see it with some of the piracy build wizards that alter skin files and make other changes; simply uninstalling the wizard will not always revert Kodi to how it was before. The way to be certain is to wipe all traces of the existing Kodi install and start from fresh. However, if you've installed something that includes something with malicious intent, then it's possible for something to get installed to a folder outside of the Kodi folders, requiring a full system to be wiped and installed from scratch.
#3
I see, thanks for clarifying.

How about if we run Kodi with a specific, constrained user (since user pi has sudo access)? Does Kodi need sudo access? If not, then this could be a way to mitigate the malicious things a 3rd party addon could do.
#4
It depends on the OS.

When you run LibreELEC, there is only one user, root, with god-like powers.
When you run Raspbian OS, you can create your own user(s), but still 'anything' can happen via add-ons, I guess.
#5
If you are concerned the plug-in might have installed malicious modules (i.e. common development scripts malware is sometimes hidden in), you can try running 335539 (thread).

It will compare your installed version with ones verified to be safe.
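
The kind of comparison post #5 describes, as an added example that is not part of the thread and is not the tool from the linked thread: it hashes every file in an add-on folder and compares the result with a known-good manifest. The manifest format (`{relative_path: sha256}`), the add-on id `script.module.example` and the sample files are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large modules do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(addon_dir, known_good):
    """Compare files under addon_dir with a {relative_path: sha256} manifest."""
    root = Path(addon_dir)
    installed = {p.relative_to(root).as_posix(): sha256_file(p)
                 for p in root.rglob("*") if p.is_file() and not p.is_symlink()}
    return {
        "modified": sorted(f for f in installed
                           if f in known_good and installed[f] != known_good[f]),
        "unexpected": sorted(f for f in installed if f not in known_good),
        "missing": sorted(f for f in known_good if f not in installed),
    }


def demo():
    """Constructed sample: a fake add-on folder with one altered and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        addon = Path(tmp) / "script.module.example"   # hypothetical add-on id
        (addon / "lib").mkdir(parents=True)
        (addon / "addon.xml").write_bytes(b"<addon id='script.module.example'/>")
        (addon / "lib" / "core.py").write_bytes(b"def run():\n    return 1\n")
        # Manifest as it would be recorded from a trusted copy of the add-on.
        manifest = {name: sha256_file(addon / name)
                    for name in ("addon.xml", "lib/core.py")}
        manifest["lib/util.py"] = hashlib.sha256(b"# helper\n").hexdigest()
        # Simulate changes made after installation.
        (addon / "lib" / "core.py").write_bytes(b"def run():\n    return 2\n")
        (addon / "lib" / "extra.py").write_bytes(b"print('not in manifest')\n")
        return audit(addon, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

This only covers files inside the add-on's own folder, so it does not detect anything written outside the Kodi folders, which is the case post #2 warns about.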