scripting proposal draft 3

Mark Kretschmann kretschmann at kde.org
Wed Apr 9 06:26:23 UTC 2008


On 4/9/08, K Robinson <zwokkqxpozgc+nznebxrznvyyvfg1 at gmail.com> wrote:
>  So...about the "how" of security in amarok scripts...how is protection even
>  really feasible against a script running on the system?  I sort of doubt
>  there are sandbox options for each (or any) of the available scripting
>  languages.

Ruby implements four different "safe levels", which impose increasingly
stricter restrictions on the runtime, such as disallowing direct filesystem
access. It's explained here:

http://phrogz.net/programmingruby/taint.html

>  Perhaps SELinux and AppArmor policies should ship with the amarok
>  package, where available?  (SELinux is a headache to even understand though).

That's unthinkable. No way.

>  Aside from security goals, the user ought to stay in control of their
>  interface despite idiotic scripts.  Users may need to see, prevent, approve
>  or stop certain script actions while trying out new scripts ("no, I do not
>  want you to 'correct' these track titles and genres en masse, or reset my
>  ratings and scores.").
>  Malicious scripts: What happens if a script redirects you from magnature to a
>  malicious site, by replacing or duplicating the magnature tab? Or tags all
>  your music as "erotic"?
>
>  Should one assume that in 16 months, secure sandbox frameworks for perl,
>  python, ruby, etc will be available, making amarok the weakest link?  Maybe
>  not.  Perhaps the thing that makes most sense is what Henry Valence said:
>  users should be warned and educated about the risks of running scripts.
>  Perhaps a cursory and unofficial code audit could be done on the most popular
>  scripts?

Apart from possible sandboxing as explained above, we will simply
rely on the public auditing in the open source way, like we did with
Amarok 1. That is, we rely on the fact that malicious scripts usually
get removed rather quickly from kde-apps.org. So far there haven't been
any known malicious script attacks.

As for auditing done by Amarok developers, that's completely out of
the question. I wouldn't take responsibility for the safety of a
script in any way, and also I'm lacking the time. The same is probably
true for the other devs.

-- 
Mark
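An added example (not part of the thread, and not Amarok code) showing what the Ruby "safe levels" mentioned above look like in practice: a pretend script receives an untrusted (tainted) path and tries to read it with `$SAFE` raised, which in the Ruby 1.8/1.9 of 2008 raises SecurityError. It assumes those legacy semantics; on Ruby 3.0 and later `$SAFE` is an ordinary global with no effect (and `Object#taint` is gone in 3.2), so the same read simply succeeds, which is the caveat anyone relying on this mechanism today needs to know.

```ruby
# Added example: exercising Ruby's legacy $SAFE / taint mechanism.
# Assumes Ruby 1.8/1.9 semantics, where File.open on a tainted path at
# $SAFE >= 1 raises SecurityError. On Ruby >= 3.0 $SAFE has no effect.
require 'tmpdir'

# Constructed sample "collection file" the pretend script wants to read.
SAMPLE_PATH = File.join(Dir.tmpdir, "amarok_safe_level_demo.txt")
SAMPLE_TEXT = "rating=5\n"
File.open(SAMPLE_PATH, "w") { |f| f.write(SAMPLE_TEXT) }

# Simulate a script that receives an untrusted path and reads it at the
# given safe level. Runs in its own thread because in old Ruby $SAFE is
# thread-local and can never be lowered once raised, so the main thread
# stays unrestricted. Returns the file contents, or :blocked if the
# runtime refused the operation with SecurityError.
def read_at_safe_level(level, path)
  worker = Thread.new do
    begin
      $SAFE = level
      untrusted = path.dup
      # Mark the path as coming from outside the program; a no-op on
      # interpreters where tainting has been removed.
      untrusted.taint if untrusted.respond_to?(:taint)
      File.open(untrusted) { |f| f.read }
    rescue SecurityError
      :blocked
    end
  end
  worker.value
end

# True when this interpreter still enforces $SAFE; it became a plain
# global variable with no security meaning in Ruby 3.0.
def safe_levels_enforced?
  major, minor = RUBY_VERSION.split(".").map { |x| x.to_i }
  major < 3
end

if __FILE__ == $0
  puts "level 0: #{read_at_safe_level(0, SAMPLE_PATH).inspect}"
  puts "level 1: #{read_at_safe_level(1, SAMPLE_PATH).inspect}"
  puts "safe levels enforced by this Ruby: #{safe_levels_enforced?}"
end
```

On a 2008-era interpreter the second line prints `:blocked`; on a current Ruby it prints the file contents, showing that the protection no longer exists.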