Dave Hyatt has posted again on Dashboard, giving us a bit more info about how it works and what technologies are used.
What I found interesting was this:
"A Dashboard widget is a bundle that contains a principal HTML file and any supporting code that the widget requires (be it CSS, JS, images, or native code). A widget can add an optional interface to native code, written in Objective-C, that can be bound into JavaScript and made accessible from the HTML document's JS window object."
So that means we can write Obj-C code to be used by the widget. Nice!
But… one thing that worried me a bit was this:
"Anyway, some points about this model.
(1) The native plugin code must be owned by root. This means that in order for a Dashboard widget that contains one of these special types of plugins to execute that code, you have to enter a root account password (to chown the plugin code). This plugin code cannot execute, therefore, without the widget being "blessed" just as an application that you might install on your system must be."
Firstly, I'm guessing you meant you had to enter the admin/sudo password, instead of the root account password, as the root account isn't enabled by default (and therefore has no password).
Secondly, if I'm understanding this correctly, you're saying these widgets need to be executed by root or a sudo'ed user? Or that they have been 'blessed' by giving it a setuid root permission (allowing it to run as root, when not executed by the root user)?
Either way, that sounds like it could be exploited fairly easily. What happens if someone installs a widget that is designed to give you a pretty interface once it has been authenticated, but deletes your home directory in the background? Is there anything to stop this sort of malicious behaviour? It just sounds like a security risk.
If I've interpreted this wrong, though, feel free to correct me, Dave.
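The two readings of "blessed" above (root ownership versus setuid root) can be told apart with a plain filesystem audit before a widget is installed. This is an added example, not Apple's tooling and not code from the original post; the bundle path and the `.wdgt` layout are assumptions.

```shell
# Audit a Dashboard widget bundle for native code that needs "blessing".
# Added example, not Apple's tooling; bundle path and layout are assumed.

# List files under the bundle that are NOT owned by root. In the model Dave
# describes, a native plugin only runs after it has been chown'ed to root, so
# a non-root-owned file is either not blessed yet or not a native plugin.
# Returns 0 when every file is root-owned, 1 when any hit is printed.
audit_widget_ownership() {
    bundle="$1"
    hits=$(find "$bundle" -type f ! -user root)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/not root-owned: /'
        return 1
    fi
    return 0
}

# Flag setuid/setgid files. Root ownership (the blessing above) is not the
# same as setuid root: a root-owned file executed by a normal user still
# runs as that user, whereas a setuid-root bit would run it as root. Any
# hit here deserves a second look before the widget is installed.
# Returns 0 when no such file exists, 1 otherwise.
audit_widget_setuid() {
    bundle="$1"
    hits=$(find "$bundle" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/setuid\/setgid: /'
        return 1
    fi
    return 0
}

# Usage (the path is a constructed placeholder):
# audit_widget_ownership /path/to/Example.wdgt
# audit_widget_setuid    /path/to/Example.wdgt
```

Both functions use only `find` predicates that behave the same on macOS and GNU systems, so the check runs unchanged on either.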
An application doesn't need elevated privileges just to delete your home directory. If you can do it, and it is run by you, it can do it. These widgets could presumably delete very important files, though…
King Cong: Of course that is the case, but what is even worse is that a widget with root privs or even sudo can simply rm /Users and insert some malicious code into /System. That is a total system compromise and something we do not want on Mac OS X.
Good point.
My point was that with the elevated (superuser) privs, a widget could potentially delete anything on the machine…