1183 points robenkleene | 11 comments
1. giancarlostoro No.24839945
I mean I already knew something was weird when I couldn't su into root and do... root things without a bios hack on a Mac. That's just not how Unix works at all... The whole concept of root is you are root no exceptions.
replies(5): >>24840051 #>>24840130 #>>24840255 #>>24840451 #>>24848099 #
2. Wowfunhappy No.24840051
You don't need to hack anything, you just need to use the officially-supported mechanisms Apple provides to grant yourself more permissions (namely, disabling SIP and remounting the root filesystem).
3. jlgaddis No.24840130
> The whole concept of root is you are root no exceptions.

Wait until you learn about mandatory access control [0] ...

--

[0]: https://en.wikipedia.org/wiki/Mandatory_access_control

4. kstrauser No.24840255
That's absolutely not true. For instance, the BSDs have the notion of securelevels (https://man.openbsd.org/securelevel.7) which severely limits what even the root user can do. SELinux can do a lot of the same things.
replies(2): >>24840480 #>>24840984 #
5. beervirus No.24840451
SELinux doesn’t let root just do whatever it wants.
replies(1): >>24840962 #
6. m463 No.24840480
I don't know about BSD, but there's lots of documentation on how SELinux works (including source code) and information on how to alter its behavior in a fine-grained fashion. And SELinux doesn't leave itself a backdoor (as far as the NSA has told us).
replies(1): >>24840561 #
7. kstrauser No.24840561{3}
That's a different issue, though. Today, booting into macOS is similar to booting into a BSD with securelevel=1 enabled, or into Linux with SELinux set up not to allow modifying files in /bin or such.
8. giancarlostoro No.24840962
It's typically not enabled by default though, but I suppose that's a fair point.
replies(1): >>24841399 #
9. giancarlostoro No.24840984
Ah, I'm more familiar with Linux so that's my bad; it was still a shocking and annoying observation I had. It doesn't fully bother me 'cause I never even need full-on root on a Mac, but this one time I did, and having to tell my wife (girlfriend at the time) how to do all of that over the phone was just suspect, just so she could root a tablet that had a kill switch (Nvidia Shield Tablet).
10. acdha No.24841399{3}
That very much depends on what distribution you use. The Fedora/CentOS/RHEL world has had SELinux enabled by default for years. The Debian world has not, but AppArmor is pretty popular there, and while that's a fairly different system it hits many of the same sandboxing points. Beyond the default configuration, anyone who is following a hardening standard like CIS is going to have SELinux enabled, too.
11. cma No.24848099
You can't even remove their new bloated system-installed wallpapers (>2GB, with about 3 of them taking almost 300MB each) without rebooting into safe mode and following tons of steps. But they will sell you an SSD upgrade to help hold them for 3X the market price.

https://apple.stackexchange.com/questions/375519/how-to-dele...