
How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points | 8bitben | 4 comments
newhouseb ◴[] No.12464730[source]
Hi HN — Ben from Dropbox here on the desktop client team. Wanted to clarify a few things —

- Clearly we need to do a better job communicating about Dropbox’s OS integration. We ask for permissions once but don’t describe what we’re doing or why. We’ll fix that.

- We only ask for privileges we actively use -- but unfortunately some of the permissions aren’t as granular as we would like.

- We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions).

- We use elevated access for where the built-in FS APIs come up short. We've been working with Apple to eliminate this dependency and we should have what we need soon.

- We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

- We check and set privileges on startup — the intent was to make sure Dropbox is functioning properly, works across OS updates, etc. The intent was never to frustrate people or override their choices.

We’re all jumping on this. We’ll do a better job here and we’re sorry for any anger, frustration or confusion we’ve caused.

DINKDINK ◴[] No.12465819[source]
>We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

If that's the case, how is it that the accessibility preferences are changed without root authorization?

1. pilif ◴[] No.12465872[source]
Once you type your password into the Apple dialog, you grant Dropbox root access. That's the purpose of this dialog in all cases.
2. hughw ◴[] No.12466083[source]
Per the original article, even root doesn't automatically have permission to modify the system.preferences.accessibility list.
3. lucb1e ◴[] No.12466382[source]
I think you're wrong. It's a bit vague with all the unfamiliar systems (I have no experience with OS X), but root is mentioned in a few places:

> "The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false"

So the agent does not (by default) make an exception for applications running with uid 0. It does not say anything about modifying a certain file, it's just about the agent (if I understand it correctly).

> "In other words, if allow-root isn’t explicitly set, the default is that even a process with root user privileges does not have the right to perform that operation. Since that’s not specified in the default shown above, then even root couldn’t add Dropbox to the list of apps in Accessibility preferences."

Same thing again. Agent won't allow, but file permissions are not mentioned.

> "Root wasn’t allowed to override Accessibility, and authenticate was on, so it couldn’t be this way that Dropbox was hacking my mac."

Same again.

And that's all the places where root is mentioned. Later on, however, sudo is used:

> "To insert an app in the list, you grab its bundle identifier (in the case of Dropbox, that’s com.getdropbox.dropbox), and issue:

> sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "REPLACE INTO access VALUES('kTCCServiceAccessibility','com.getdropbox.dropbox',0,1,1,NULL, NULL);""

So sudo, which makes a command run as root, can modify that database.

And as far as I know this makes sense, because at least in Linux file permissions are simply not checked when uid is 0 (root user). Darwin/BSD might differ, but my unix family tree knowledge doesn't go that far.

Also, how else could Dropbox do it? As mentioned in the article, one of the helper applications contains an SQL statement (see the part about running "strings"), so it does seem to be directly modifying that database.

4. hughw ◴[] No.12467411{3}[source]
Agree. I now see the agent it installs is suid root.
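
Since the thread concludes that a root process can write rows into the `access` table directly, reading that table is how to see which apps currently hold Accessibility rights. The following audit is an added example, not code from the article, the commenters or Dropbox. The column names, the `com.example.*` clients and the approved list are assumptions, and the sample rows are constructed.

```python
import sqlite3
from pathlib import Path

# Column names are assumed; the thread only shows the seven values of one row.
SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
    allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL,
    csreq BLOB, policy_id INTEGER,
    PRIMARY KEY (service, client, client_type))"""

ACCESSIBILITY = "kTCCServiceAccessibility"  # service name quoted in the thread


def build_sample_db():
    """In-memory stand-in for TCC.db; every row here is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", [
        (ACCESSIBILITY, "com.getdropbox.dropbox", 0, 1, 1, None, None),
        (ACCESSIBILITY, "com.example.windowmanager", 0, 1, 1, None, None),
        (ACCESSIBILITY, "com.example.denied", 0, 0, 1, None, None),
        ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1, None, None),
    ])
    return db


def open_readonly(path):
    """Open an on-disk database read-only so the audit cannot modify it."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def accessibility_grants(db):
    """Return bundle identifiers whose Accessibility row has allowed = 1."""
    rows = db.execute(
        "SELECT client FROM access WHERE service = ? AND allowed = 1 "
        "ORDER BY client", (ACCESSIBILITY,))
    return [row[0] for row in rows]


def unexpected_grants(db, approved):
    """Return granted clients that are not in the caller's approved set."""
    return [c for c in accessibility_grants(db) if c not in approved]


if __name__ == "__main__":
    db = build_sample_db()
    approved = {"com.example.windowmanager"}  # hypothetical user-approved apps
    for client in unexpected_grants(db, approved):
        print("not approved but granted:", client)
```
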