TweetFollow Us on Twitter

File System Security

Volume Number: 19 (2003)
Issue Number: 11
Column Tag: Programming

Section 7

File System Security

by Rich Morin

How (not) to make OS X as secure as MS Windows...

Mac OS X inherits most of its notions of file system security from BSD. Each file system node (file, directory, ...) has sets of permission (i.e., mode) bits for its owner, its group, and everyone else. The node's owner is restricted by the first set of mode bits. Other members of the node's group are restricted by the next set. Everyone else is restricted by the final set.

Let's look at some of the top-level permissions on a Mac OS X (10.2.8) system, to see how this plays out in practice:

% ls -dl /bin /sbin
drwxr-xr-x  35 root  wheel ... /bin
drwxr-xr-x  60 root  wheel ... /sbin

The first set of mode bits (rwx) allows these directories' owner (root) full access permissions. S/he can read (e.g., look up entries), write (e.g., add or remove entries), and execute (e.g., access entries) in the directory.

The following sets (r-x, r-x) restrict other users from writing, but allow read and execute access. Note, by the way, that this does not prevent someone from writing into an existing file in one of these directories, if the permissions of the file allow this.

In summary, nobody but root is able to write (e.g., create files) in any of these directories. So, "normal" users (and the programs they may accidentally or unsuspectingly) aren't able to add, remove, or rename programs.

This is very much what we'd expect in a well-designed, BSD-based system. Allowing user errors, programming mistakes, or malware to modify the system's executable code is (as myriad Microsoft-specific viruses demonstrate) a serious design error.

Unfortunately, Apple doesn't follow BSD's example everywhere; some Mac OS X system directories are all too vulnerable to the aforementioned threats:

% ls -dl /App*s /Developer /Library
drwxrwxr-x 59 root admin ... /Applications
drwxrwxr-x 14 root admin ... /Developer
drwxrwxr-x 40 root admin ... /Library

In an effort to support "ease of use", Apple's engineers have made some critical directories far more open than they would be on a conventional Unix system. As a result, most users (and any programs they may run) can add, delete, or replace any node in these directories.

In a fine example of the "Law of Unintended Consequences", several plausible decisions work together to produce this undesirable result. Here's how it goes:

  • The first account created on a new system has "admin" privileges, by default, and few users bother to set up a separate administrative account. So, most users have admin privileges.

  • Any user who has admin privileges is put into the admin group.

  • The admin group has write permission for all three of these directories, so any member of the group can add, delete, or replace any node in these directories.

  • Any program run by a user has, by default, the same permissions as the user.

Here's a simple (and safe :-) experiment you can try. Note that the system prevents you from modifying /bin, but allows you to modify /Applications:

% groups
admin
% touch /Applications /bin
touch: /bin: Permission denied

In most cases, the system asks the user for authorization before taking any unusual or suspect action. Consider the password that sudo(8) requires and the authorization dialogs that come up on occasion (e.g., when installing software).

In this case, however, no warning is given. Any user with admin privileges is quite free to drag folders in and out of /Applications; no authorization dialog will come up. Apple is quite aware of this situation; in fact, their documentation suggests a possible workaround:

    Only admins can install software in the Applications folder. You may find that you want to set up a user account that doesn't have admin privileges and use that for day-to-day tasks. That way you won't absent-mindedly delete an application by accident.

    - http://www.apple.com/macosx/learning

I strongly suspect, however, that most machine owners will never see this advice. Even if they do, they may decide to ignore it. Logging in and out of accounts is a time-consuming hassle. Panther's "fast user switching" will improve this situation, but it will still break the user's concentration.

So, most users will run as admin, expecting the Finder (and other apps) to ask them before doing anything odd. Unfortunately, the Finder won't even be called into play if a rogue application is bent on rewriting parts of the file system (e.g., installing virus code).

In summary, Apple has opened up a major security hole that is not present in Mac OS X's forebears (Unix, FreeBSD, ...). Expecting application programmers (or worse, users!) to compensate for insecure directory permissions is simply bad design. The underlying system needs to be secure; exceptions can then be made on a carefully-controlled basis.

In this case, this means that the permissions need to be fixed. Administrative actions can then be performed using "privilege elevation", under the control of authorization dialogs, etc. Administrative users are quite used to being asked for this sort of authorization, so ease of use isn't being compromised.

Note: Because the root directory allows write permission to members of the admin group, you might think that it opens up a similar security hole. However, its permissions (drwxrwxr-t) include the use of the "sticky" bit (as indicated by a "t" in the last position). This allows admin users add items to the root directory, but prevents them from removing or renaming anything that they don't own. See sticky(8) for more details.

Third-party Apps

Third-party developers have some excuse for being unfamiliar with permissions issues (classic Mac OS wasn't real big on security :-), but by now, they should have learned the basics. So, it's disturbing to find many vendors leaving their application packages wide-open to writing by any user (or program) on the system.. Try:

% cd /Applications
% ls -ld * | grep rwxrwxrwx
drwxrwxrwx  ...  Alarm Clock S.E..app
drwxrwxrwx  ...  AutoSync.app
drwxrwxrwx  ...  Classic Toggler folder
drwxrwxrwx  ...  Cocoa Browser.app
drwxrwxrwx  ...  GraphicConverter US
drwxrwxrwx  ...  Multiple Launcher X.app
drwxrwxrwx  ...  OmniDictionary.app
drwxrwxrwx  ...  OmniGraffle.app
drwxrwxrwx  ...  PTHPasteboard
drwxrwxrwx  ...  RBrowser.app
drwxrwxrwx  ...  ShuX.app
drwxrwxrwx  ...  SliMP3 Server.app
drwxrwxrwx  ...  Text Wielder
drwxrwxrwx  ...  Tri-BACKUP Folder
drwxrwxrwx  ...  VLC.app
-rwxrwxrwx  ...  iCab

Let's say that Susie downloads a nifty-looking program and runs it (e.g., from her Downloads directory). Gee, it didn't do anything. That's no fun; let's try something else... Meanwhile, the "nifty-looking program" has infected any vulnerable third-party apps. When Susie's mom runs one of these (using an admin account), the infection can spread to the rest of the system.

Can anything be done?

Some folks at Apple are very concerned by these (and other) security holes, but they (clearly) aren't in control of Apple's overall security policy. As a result, OSX is ripe for the kind of bad publicity that MS Windows has recently received.

As a developer, you have a responsibility to set appropriate permissions on your package directories. Do that, and your app won't be part of the problem. Then, file bug reports with Apple, asking them to tighten up their own security holes and give developers automated feedback and assistance in closing holes in third-party applications.

Several possibilities spring to mind. If Interface Builder can draw helpful blue lines to indicate that a widget is too near the edge of a window, why can't Xcode (or whatever tool is used for package creation) tell the developer when a package's permissions are "too near the edge"?

For that matter, why can't the installation software check for this sort of thing? And, while Disk Utility is looking for weird permissions and ownerships, why can't it look for wide-open package directories? Like that...

More generally, when you talk to Apple, tell them that you don't want security concerns to be completely overridden by "ease of use" considerations. Both are critical; a proper solution won't ignore either one.


Rich Morin has been using computers since 1970, Unix since 1983, and Mac-based Unix since 1986 (when he helped Apple create A/UX 1.0). When he isn't writing this column, Rich runs Prime Time Freeware (www.ptf.com), a publisher of books and CD-ROMs for the Free and Open Source software community. Feel free to write to Rich at rdm@ptf.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Whitethorn Games combines two completely...
If you have ever gone fishing then you know that it is a lesson in patience, sitting around waiting for a bite that may never come. Well, that's because you have been doing it wrong, since as Whitehorn Games now demonstrates in new release Skate... | Read more »
Call of Duty Warzone is a Waiting Simula...
It's always fun when a splashy multiplayer game comes to mobile because they are few and far between, so I was excited to see the notification about Call of Duty: Warzone Mobile (finally) launching last week and wanted to try it out. As someone who... | Read more »
Albion Online introduces some massive ne...
Sandbox Interactive has announced an upcoming update to its flagship MMORPG Albion Online, containing massive updates to its existing guild Vs guild systems. Someone clearly rewatched the Helms Deep battle in Lord of the Rings and spent the next... | Read more »
Chucklefish announces launch date of the...
Chucklefish, the indie London-based team we probably all know from developing Terraria or their stint publishing Stardew Valley, has revealed the mobile release date for roguelike deck-builder Wildfrost. Developed by Gaziter and Deadpan Games, the... | Read more »
Netmarble opens pre-registration for act...
It has been close to three years since Netmarble announced they would be adapting the smash series Solo Leveling into a video game, and at last, they have announced the opening of pre-orders for Solo Leveling: Arise. [Read more] | Read more »
PUBG Mobile celebrates sixth anniversary...
For the past six years, PUBG Mobile has been one of the most popular shooters you can play in the palm of your hand, and Krafton is celebrating this milestone and many years of ups by teaming up with hit music man JVKE to create a special song for... | Read more »
ASTRA: Knights of Veda refuse to pump th...
In perhaps the most recent example of being incredibly eager, ASTRA: Knights of Veda has dropped its second collaboration with South Korean boyband Seventeen, named so as it consists of exactly thirteen members and a video collaboration with Lee... | Read more »
Collect all your cats and caterpillars a...
If you are growing tired of trying to build a town with your phone by using it as a tiny, ineffectual shover then fear no longer, as Independent Arts Software has announced the upcoming release of Construction Simulator 4, from the critically... | Read more »
Backbone complete its lineup of 2nd Gene...
With all the ports of big AAA games that have been coming to mobile, it is becoming more convenient than ever to own a good controller, and to help with this Backbone has announced the completion of their 2nd generation product lineup with their... | Read more »
Zenless Zone Zero opens entries for its...
miHoYo, aka HoYoverse, has become such a big name in mobile gaming that it's hard to believe that arguably their flagship title, Genshin Impact, is only three and a half years old. Now, they continue the road to the next title in their world, with... | Read more »

Price Scanner via MacPrices.net

B&H has Apple’s 13-inch M2 MacBook Airs o...
B&H Photo has 13″ MacBook Airs with M2 CPUs and 256GB of storage in stock and on sale for up to $150 off Apple’s new MSRP, starting at only $849. Free 1-2 day delivery is available to most US... Read more
M2 Mac minis on sale for $100-$200 off MSRP,...
B&H Photo has Apple’s M2-powered Mac minis back in stock and on sale today for $100-$200 off MSRP. Free 1-2 day shipping is available for most US addresses: – Mac mini M2/256GB SSD: $499, save $... Read more
Mac Studios with M2 Max and M2 Ultra CPUs on...
B&H Photo has standard-configuration Mac Studios with Apple’s M2 Max & Ultra CPUs in stock today and on Easter sale for $200 off MSRP. Their prices are the lowest available for these models... Read more
Deal Alert! B&H Photo has Apple’s 14-inch...
B&H Photo has new Gray and Black 14″ M3, M3 Pro, and M3 Max MacBook Pros on sale for $200-$300 off MSRP, starting at only $1399. B&H offers free 1-2 day delivery to most US addresses: – 14″ 8... Read more
Department Of Justice Sets Sights On Apple In...
NEWS – The ball has finally dropped on the big Apple. The ball (metaphorically speaking) — an antitrust lawsuit filed in the U.S. on March 21 by the Department of Justice (DOJ) — came down following... Read more
New 13-inch M3 MacBook Air on sale for $999,...
Amazon has Apple’s new 13″ M3 MacBook Air on sale for $100 off MSRP for the first time, now just $999 shipped. Shipping is free: – 13″ MacBook Air (8GB RAM/256GB SSD/Space Gray): $999 $100 off MSRP... Read more
Amazon has Apple’s 9th-generation WiFi iPads...
Amazon has Apple’s 9th generation 10.2″ WiFi iPads on sale for $80-$100 off MSRP, starting only $249. Their prices are the lowest available for new iPads anywhere: – 10″ 64GB WiFi iPad (Space Gray or... Read more
Discounted 14-inch M3 MacBook Pros with 16GB...
Apple retailer Expercom has 14″ MacBook Pros with M3 CPUs and 16GB of standard memory discounted by up to $120 off Apple’s MSRP: – 14″ M3 MacBook Pro (16GB RAM/256GB SSD): $1691.06 $108 off MSRP – 14... Read more
Clearance 15-inch M2 MacBook Airs on sale for...
B&H Photo has Apple’s 15″ MacBook Airs with M2 CPUs (8GB RAM/256GB SSD) in stock today and on clearance sale for $999 in all four colors. Free 1-2 delivery is available to most US addresses.... Read more
Clearance 13-inch M1 MacBook Airs drop to onl...
B&H has Apple’s base 13″ M1 MacBook Air (Space Gray, Silver, & Gold) in stock and on clearance sale today for $300 off MSRP, only $699. Free 1-2 day shipping is available to most addresses in... Read more

Jobs Board

Medical Assistant - Surgical Oncology- *Apple...
Medical Assistant - Surgical Oncology- Apple Hill Location: WellSpan Medical Group, York, PA Schedule: Full Time Sign-On Bonus Eligible Remote/Hybrid Regular Apply Read more
Omnichannel Associate - *Apple* Blossom Mal...
Omnichannel Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Read more
Cashier - *Apple* Blossom Mall - JCPenney (...
Cashier - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Blossom Mall Read more
Operations Associate - *Apple* Blossom Mall...
Operations Associate - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Read more
Business Analyst | *Apple* Pay - Banco Popu...
Business Analyst | Apple PayApply now " Apply now + Apply Now + Start applying with LinkedIn Start + Please wait Date:Mar 19, 2024 Location: San Juan-Cupey, PR Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.