Linux How much "malicious" can add-ons get?
ofkfok
Newbie
Posts: 7
#1
2019-10-21, 13:17
Yesterday I installed a 3rd party add-on (on my RaPI), but I immediately regretted it cause I felt like I compromised the security of my Raspberry Tongue

Obviously most of this thought is just me being paranoid, but I was wondering: If I delete/disable the add-on, and it was indeed malicious, could it have a way that it infected my whole system and that uninstalling it won't make a difference? I was wondering, what kind of things an add-on do? I've installed just a Subtitles addon. But can it execute arbitrary code for example? Can it use system calls and access the whole filesystem?

Thanks in advance.
Find
Reply
jjd-uk
Team-Kodi Member
Posts: 10,519
#2
2019-10-21, 13:57
Addons are not sandboxed, they can potentially run code to access anything on your system and if network connected anything on your network too, this is why we repeatedly say to only install stuff from known good sources. As for uninstalling and whether that may still leave stuff behind, then yes that can be an issue, we see it with some of the piracy build wizards that alter skin files and make other changes, simply uninstalling the wizard will not always revert Kodi to how it was before, this way to be certain is to wipe all traces of the existing Kodi install and start from fresh, however if you've installed something that includes something with malicious intent, then it's possible for something to get installed to a folder outside of the Kodi folders requiring a full system to be wiped and installed from scratch.
Find
Reply
ofkfok
Newbie
Posts: 7
#3
2019-10-21, 14:20
I see, thanks for clarifying.

How about if we run Kodi with a specific, contrained user (since user pi has sudo access). Does Kodi need sudo access? If not, then this could be a way to mitigate the malicious things a 3rd party addon could do.
Find
Reply
Klojum
Lost connection
Posts: 14,213
#4
2019-10-21, 17:05
It depends on the OS.

When you run LibreELEC, there is only one user, root, with god-like powers.
When you run Raspbian OS, you can create your own user(s), but still 'anything' can happen via add-ons, I guess.
Find
Reply
Lunatixz
Team-Kodi Member
Posts: 7,131
#5
2019-10-21, 18:52
If you are concerned the plug-in might have installed malicious modules (ie. common development scripts malware is sometimes hidden in).You can try running. https://forum.kodi.tv/showthread.php?tid=335539

It will compare your installed version with ones verified to be safe.
Image Lunatixz - Kodi / Beta repository
Image PseudoTV - Forum | Website | Youtube | Help?
Find
Reply

Home
Search
Help
Logout Mark Read Team Forum Stats Members Help
How much "malicious" can add-ons get?0