> <i>At least, that’s how it’s supposed to work, but if Alice is an admin user and gives Terminal Full Disk Access (FDA), then Alice can quite happily navigate to Bob’s Desktop and Downloads folders (and everyone else’s) regardless of what TCC settings Bob (or those other users) set... When Alice grants FDA permission to the Terminal for herself, all users now have FDA permission via the Terminal as well. The upshot is that Alice isn’t only granting herself the privilege to access others’ data, she’s granting others the privilege to access her data, too... Any application granted Full Disk Access has access to all user data, by design.</i>

This indeed seems dangerously counterintuitive.

I, like most other people I'd think, always assumed the permission dialogs ("TCC") were a layer of restrictions <i>on top of</i> traditional UNIX user permissions. Not <i>overriding</i> them.

In other words, granting full-disk access to an app would give it access to everything <i>my user</i> can access. Not "sudo" access to other users' data as well.

Why would an app ever need <i>that</i> level of access? For installing files, maybe, but not while running.

Can anyone else confirm this is how macOS actually works? And if there's some justification I'm missing? It seems <i>so</i> crazy that I can't actually believe it without somebody else verifying it.
I think the original title would be better:

> Bypassing macOS TCC User Privacy Protections By Accident and Design

Simply because 'backdoor' is especially vague - I first thought it was about Apple backdooring their users perhaps, but it's a way for malware to abuse Finder to bypass the 'Full Disk Access' permission prompt. It's also not an editorialized title.
It’s been too many years since I had detailed professional involvement with computer and network security, so I apologize if this question is stupid, and I’m not even sure if it’s phrased quite right by modern standards:

On a computer shared by multiple people and multiple applications, shouldn’t privileges be assigned at the intersection between user and app (and/or groupings thereof)? And if there was some sort of privileges table, it would have a composite key consisting of app-id and user-id.

Is any modern OS actually set up that way, and if yes, is there any way to generate a report to show the combination of user/app privileges?
> At least, that’s how it’s supposed to work, but if Alice is an admin user and gives Terminal Full Disk Access (FDA), then Alice can quite happily navigate to Bob’s Desktop and Downloads folders (and everyone else’s) regardless of what TCC settings Bob (or those other users) set.

How does this interact with regular Unix file permissions? Is the assumption that Alice is using sudo, or do modern macOS versions mark all user files world-readable?
I really think Apple should be clearer about what all this stuff does. They're adding a layer of what looks like security, but it's not always clear how it behaves.

I feel Apple tries to hide complexity from the user too much. I understand they want to do this by default, but there should be a way for technical users to know what's going on. I don't think that's the case well enough now.

Especially that thing with the full disk access cascading through the automation permission is very vague.
This shit is bananas! I had no idea, as the average user, about such glaring holes in the protection. Any app can read and write its own files in the protected folders? How on earth could that be intended?
As I understand it, full disk access means the app can read the disk outside of the usual (strict) app sandbox or explicit user actions like file modals.

This is completely separate from the Unix user permissions.
How does granting automation access to Finder allow other users to access Alice’s data? TCC doesn’t negate standard Unix file permissions, and other users couldn’t read Alice’s data before TCC. And the standard user directories (such as Desktop) are not accessible by other users.