Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 11, 2016, 12:00:36 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Apple leads the charge: Root access is no longer root access  (Read 2145 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Apple leads the charge: Root access is no longer root access
« on: October 20, 2015, 09:29:20 AM »


Not if you're on a Mac, though.  System Integrity Protection has been added into OSX Capitan, making a lot of things impossible without changing the OS and turning the protection off - and not just through a setting.  You have to go to the terminal in recovery mode, and type in a command to disable it.  Rootless, as it's called, is also retroactive.  If you modified anything in one of the protected folder, it is moved to a migration folder when you install.

Now, one might thing this is a good thing.  And on the surface, I couldn't disagree with that assessment.  But remember the walled city of the Apple ecosystem.  This is a trial of that walled city extending to the desktop.  And because the ability to turn it off is in such an obscure place... they can take it out without notice.

Jailbreaking desktops, anyone?

I'm so glad I switched away from Mac.  But I'm sure that the PC market is salivating over the lock-in and how to apply it to Windows...

eleman

  • Spam Killer
  • Supporting Member
  • Joined in 2009
  • **
  • default avatar
  • Posts: 393
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #1 on: October 20, 2015, 09:33:47 AM »
But I'm sure that the PC market is salivating over the lock-in and how to apply it to Windows...

That saliva has a name: UEFI

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #2 on: October 20, 2015, 10:15:17 AM »
But I'm sure that the PC market is salivating over the lock-in and how to apply it to Windows...

That saliva has a name: UEFI


UEFI isn't exactly the same.  Imagine if you couldn't modify anything in the windows directory.  No installing unsigned assemblies to the GAC.  No installing unsigned drivers at all.

A couple of more articles (and I used TotalFinder when I was on the Mac, so I would be livid with the first link)

http://totalfinder.b...integrity-protection

From the OSX El Capitan release notes:

Quote
System Integrity Protection

A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted.

A really good overview of Rootless.

https://derflounder....ples-security-model/

From that article - a list of programs that Rootless disables access to that make ZERO sense.  This means it will no longer be possible to delete the applications which OS X installs, even from the command line when using root privileges.

rootless_applications.png

People are complaining about the adverts when switching from Edge and other apps in Windows 10.  This is 100x worse.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,220
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #3 on: October 20, 2015, 11:23:05 PM »
But it's not really *your* computer. It's Apple's. ;)

John Deere has gone this route with "sales" merely being perpetual licenses with you not being permitted to repair or alter *their* machinery.

http://www.wired.com...wnership-john-deere/

Quote
We Can’t Let John Deere Destroy the Very Idea of Ownership

Meanwhile, they're giving tractors to universities for $1. Does anyone remember Netscape?

All these things are related on one level or another. It's about control, and taking control away from YOU.

Paging Richard Stallman... ;) :P
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

kfitting

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 578
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #4 on: October 21, 2015, 05:32:39 AM »
Having recently bought an Android tablet, how is this any different than not being able to change the hosts file even when I'm the admin? Sure, I can root the device, but why? Obviously the meaning of "admin" is changing. I understand (finally, it took me awhile) having separate admin and user accounts. I don't understand crippling admin, root, etc. I don't like it... for the same reasons mentioned by Renegade:
All these things are related on one level or another. It's about control, and taking control away from YOU.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #5 on: October 21, 2015, 07:57:00 AM »
^ Yes, I understand that it's about taking control away from you and for no other purpose.  That was what I spoke of in the OP.  This is the first step, and a lot of it makes very little sense, other than if that was the point.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,768
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #6 on: October 21, 2015, 11:17:52 AM »
It's not just Apple. Microsoft has a built in account (i.e. TrustedInstaller) that's a level above - or more correctly is an alternate admin level group/account -  on par security-wise what they're calling Administrator these days. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system. As if now you can still get around it. But it's a PITA (you need to take ownership as admin first) and for some odd reason doesn't always work the first time or two you try it. And sometimes, if you do take ownership away from TrustedInstaller,  any subsequent updates to those files and/or folders will fail. So it's not something you want to do lightly.

I think this has a lot to do with the cloud initiatives that are starting to be the norm. Any multiuser system is only as secure as the weakest vector linking into it. So nobody is going to allow the risk of some individual's machine compromising their network or service. Many company owned PCs have been "locked down" and remotely managed in a similiar fashion for the last tweny or so years. And with web-based services and cloud computing, if that means taking the "personal" out of personal computing, then that's the way it goes if people continue to tolerate it. And unfortunately, when polled, most end users say they don't see what the problem is. So it looks to be a done deal with things like OSX, Windows, and that complete perversion of FOSS that's called Android.

People in IT used to diss Stallman for being "alarmist" and "paranoid." Little did they suspect he'd turn out not only to be correct, but overly optimistic. Because our present computing and networking reality is an order of magnitude worse than Richard Stallman's worst case scenario.

So it goes.  :(
« Last Edit: October 21, 2015, 11:41:25 AM by 40hz »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,296
    • View Profile
    • www.StoicJoker.com
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #7 on: October 21, 2015, 11:25:40 AM »
I reserve the right to fix anything that I perceive as broken..

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #8 on: October 21, 2015, 11:27:01 AM »
It's not just Apple. Microsoft has a built in account that's a level above Administrator now. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system.

I didn't know about that!  Do you have any links I can read up on in regards to it?

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #9 on: October 21, 2015, 11:40:49 AM »
UEFI isn't exactly the same.  Imagine if you couldn't modify anything in the windows directory.  No installing unsigned assemblies to the GAC.  No installing unsigned drivers at all.
You can't install unsigned drivers on (64bit) Windows unless you're running in TESTSIGNING mode.

It's not just Apple. Microsoft has a built in account that's a level above Administrator now. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system.
Hasn't NT always had the SYSTEM AUTHORITY?

IMHO it's a very good idea to not let your OS admin account run as root/SYSTEM (just like it's a good idea to user a less-privileged account for your daily work!). But of course it should still be possible to elevate to root/SYSTEM rights, and I believe having to reboot to do this is a bit overkill...

It would seem quite likely that Apple is testing the waters wrt. garden-walling desktops and laptops, and it was certainly something Microsoft wanted to test when UEFI was introduced - if there hadn't been a lot of uproar about it, that might very well have happened by now, and I'd be surprised if we don't see more attempts in the future.
- carpe noctem

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 1,882
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #10 on: October 21, 2015, 11:57:38 AM »
All a consequence of people's will full apathy and hostility towards reasonable control and regulation. Something like this would be much less likely if the landscape was dominated by more than 2 or 3 players. I won't type more because it would require Basement level discourse, and I am not going there  ;)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #11 on: October 21, 2015, 01:23:48 PM »
It's not just Apple. Microsoft has a built in account that's a level above Administrator now. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system.
Hasn't NT always had the SYSTEM AUTHORITY?

I'd assumed that he was talking about something other than NT AUTHORITY\SYSTEM since that's been around for a while.  (As an aside, there's a cheat for logging in as NT AUTHORITY\SYSTEM.  Let me know if you're interested).

IMHO it's a very good idea to not let your OS admin account run as root/SYSTEM (just like it's a good idea to user a less-privileged account for your daily work!). But of course it should still be possible to elevate to root/SYSTEM rights, and I believe having to reboot to do this is a bit overkill...

And when you do it, you turn it completely off until you reboot again and turn it on.  It's hard enough to get people not to run as admin when they don't have to- rebooting?  Not going to happen.
« Last Edit: October 21, 2015, 01:29:34 PM by wraith808 »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #12 on: October 21, 2015, 01:49:04 PM »
(As an aside, there's a cheat for logging in as NT AUTHORITY\SYSTEM.  Let me know if you're interested).
A new one, or the usual of running cmd.exe as a scheduled job? :)

And when you do it, you turn it completely off until you reboot again and turn it on.  It's hard enough to get people not to run as admin when they don't have to- rebooting?  Not going to happen.
Well, while I'm not fond of the way Apple is doing this, you don't really need SYSTEM/root privileges often, neither on OSX nor Windows. And normal admin privileges don't (yet...) require this switcharoo, so it's not too bad in and by itself. It's the reason behind it that's worrying :)
- carpe noctem

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 8,408
  • "In my dreams, I always do it right."
    • View Profile
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #13 on: October 21, 2015, 02:51:39 PM »
(As an aside, there's a cheat for logging in as NT AUTHORITY\SYSTEM.  Let me know if you're interested).
A new one, or the usual of running cmd.exe as a scheduled job? :)
That's actually simpler than my method.  I didn't even realize that worked!  Seems like quite a hole... and quite obvious once you think about it.  And not much different than my method.

I use psexec sysinternal tool, and just use the -i -s switches.

And when you do it, you turn it completely off until you reboot again and turn it on.  It's hard enough to get people not to run as admin when they don't have to- rebooting?  Not going to happen.
Well, while I'm not fond of the way Apple is doing this, you don't really need SYSTEM/root privileges often, neither on OSX nor Windows. And normal admin privileges don't (yet...) require this switcharoo, so it's not too bad in and by itself. It's the reason behind it that's worrying :)

Definitely... if you were just *using* them.  But rootless also *undoes* them.  Which is the terrifying part- especially as the reason behind them is pretty transparent.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Apple leads the charge: Root access is no longer root access
« Reply #14 on: October 24, 2015, 09:13:35 AM »
Seems like quite a hole...
Not really, since you need admin privileges to perform the trick. Not having admin have SYSTEM privileges is more about making it difficult to blow off your legs by accident :)
- carpe noctem