Apple leads the charge: Root access is no longer root access

[wraith808]

Not if you're on a Mac, though.  System Integrity Protection has been added into OSX Capitan, making a lot of things impossible without changing the OS and turning the protection off - and not just through a setting.  You have to go to the terminal in recovery mode, and type in a command to disable it.  Rootless, as it's called, is also retroactive.  If you modified anything in one of the protected folder, it is moved to a migration folder when you install.

Now, one might thing this is a good thing.  And on the surface, I couldn't disagree with that assessment.  But remember the walled city of the Apple ecosystem.  This is a trial of that walled city extending to the desktop.  And because the ability to turn it off is in such an obscure place... they can take it out without notice.

Jailbreaking desktops, anyone?

I'm so glad I switched away from Mac.  But I'm sure that the PC market is salivating over the lock-in and how to apply it to Windows...

[eleman]

But I'm sure that the PC market is salivating over the lock-in and how to apply it to Windows...

-wraith808 (October 20, 2015, 09:29 AM)

That saliva has a name: UEFI

[wraith808]

But I'm sure that the PC market is salivating over the lock-in and how to apply it to Windows...

-wraith808 (October 20, 2015, 09:29 AM)

That saliva has a name: UEFI

-eleman (October 20, 2015, 09:33 AM)

UEFI isn't exactly the same.  Imagine if you couldn't modify anything in the windows directory.  No installing unsigned assemblies to the GAC.  No installing unsigned drivers at all.

A couple of more articles (and I used TotalFinder when I was on the Mac, so I would be livid with the first link)

http://totalfinder.b...integrity-protection

From the OSX El Capitan release notes:

System Integrity Protection

A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted.

A really good overview of Rootless.

https://derflounder....ples-security-model/

From that article - a list of programs that Rootless disables access to that make ZERO sense.  This means it will no longer be possible to delete the applications which OS X installs, even from the command line when using root privileges.



People are complaining about the adverts when switching from Edge and other apps in Windows 10.  This is 100x worse.

[Renegade]

But it's not really *your* computer. It's Apple's.

John Deere has gone this route with "sales" merely being perpetual licenses with you not being permitted to repair or alter *their* machinery.

http://www.wired.com...wnership-john-deere/

We Can’t Let John Deere Destroy the Very Idea of Ownership

Meanwhile, they're giving tractors to universities for $1. Does anyone remember Netscape?

All these things are related on one level or another. It's about control, and taking control away from YOU.

Paging Richard Stallman...

[kfitting]

Having recently bought an Android tablet, how is this any different than not being able to change the hosts file even when I'm the admin? Sure, I can root the device, but why? Obviously the meaning of "admin" is changing. I understand (finally, it took me awhile) having separate admin and user accounts. I don't understand crippling admin, root, etc. I don't like it... for the same reasons mentioned by Renegade:

All these things are related on one level or another. It's about control, and taking control away from YOU.

-Renegade (October 20, 2015, 11:23 PM)

[wraith808]

^ Yes, I understand that it's about taking control away from you and for no other purpose.  That was what I spoke of in the OP.  This is the first step, and a lot of it makes very little sense, other than if that was the point.

[40hz]

It's not just Apple. Microsoft has a built in account (i.e. TrustedInstaller) that's a level above - or more correctly is an alternate admin level group/account -  on par security-wise what they're calling Administrator these days. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system. As if now you can still get around it. But it's a PITA (you need to take ownership as admin first) and for some odd reason doesn't always work the first time or two you try it. And sometimes, if you do take ownership away from TrustedInstaller,  any subsequent updates to those files and/or folders will fail. So it's not something you want to do lightly.

I think this has a lot to do with the cloud initiatives that are starting to be the norm. Any multiuser system is only as secure as the weakest vector linking into it. So nobody is going to allow the risk of some individual's machine compromising their network or service. Many company owned PCs have been "locked down" and remotely managed in a similiar fashion for the last tweny or so years. And with web-based services and cloud computing, if that means taking the "personal" out of personal computing, then that's the way it goes if people continue to tolerate it. And unfortunately, when polled, most end users say they don't see what the problem is. So it looks to be a done deal with things like OSX, Windows, and that complete perversion of FOSS that's called Android.

People in IT used to diss Stallman for being "alarmist" and "paranoid." Little did they suspect he'd turn out not only to be correct, but overly optimistic. Because our present computing and networking reality is an order of magnitude worse than Richard Stallman's worst case scenario.

So it goes. 

[Stoic Joker]

I reserve the right to fix anything that I perceive as broken..

[wraith808]

It's not just Apple. Microsoft has a built in account that's a level above Administrator now. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system.

-40hz (October 21, 2015, 11:17 AM)

I didn't know about that!  Do you have any links I can read up on in regards to it?

[f0dder]

UEFI isn't exactly the same.  Imagine if you couldn't modify anything in the windows directory.  No installing unsigned assemblies to the GAC.  No installing unsigned drivers at all.

-wraith808 (October 20, 2015, 10:15 AM)

You can't install unsigned drivers on (64bit) Windows unless you're running in TESTSIGNING mode.

It's not just Apple. Microsoft has a built in account that's a level above Administrator now. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system.

-40hz (October 21, 2015, 11:17 AM)

Hasn't NT always had the SYSTEM AUTHORITY?

IMHO it's a very good idea to not let your OS admin account run as root/SYSTEM (just like it's a good idea to user a less-privileged account for your daily work!). But of course it should still be possible to elevate to root/SYSTEM rights, and I believe having to reboot to do this is a bit overkill...

It would seem quite likely that Apple is testing the waters wrt. garden-walling desktops and laptops, and it was certainly something Microsoft wanted to test when UEFI was introduced - if there hadn't been a lot of uproar about it, that might very well have happened by now, and I'd be surprised if we don't see more attempts in the future.

[rgdot]

All a consequence of people's will full apathy and hostility towards reasonable control and regulation. Something like this would be much less likely if the landscape was dominated by more than 2 or 3 players. I won't type more because it would require Basement level discourse, and I am not going there 

[wraith808]

It's not just Apple. Microsoft has a built in account that's a level above Administrator now. If it creates a file or folder, you can't delete or modify it even if you are the admin (i.e. root) on your system.

-40hz (October 21, 2015, 11:17 AM)

Hasn't NT always had the SYSTEM AUTHORITY?

-f0dder (October 21, 2015, 11:40 AM)

I'd assumed that he was talking about something other than NT AUTHORITY\SYSTEM since that's been around for a while.  (As an aside, there's a cheat for logging in as NT AUTHORITY\SYSTEM.  Let me know if you're interested).

IMHO it's a very good idea to not let your OS admin account run as root/SYSTEM (just like it's a good idea to user a less-privileged account for your daily work!). But of course it should still be possible to elevate to root/SYSTEM rights, and I believe having to reboot to do this is a bit overkill...

-f0dder (October 21, 2015, 11:40 AM)

And when you do it, you turn it completely off until you reboot again and turn it on.  It's hard enough to get people not to run as admin when they don't have to- rebooting?  Not going to happen.

[f0dder]

(As an aside, there's a cheat for logging in as NT AUTHORITY\SYSTEM.  Let me know if you're interested).

-wraith808 (October 21, 2015, 01:23 PM)

A new one, or the usual of running cmd.exe as a scheduled job?

And when you do it, you turn it completely off until you reboot again and turn it on.  It's hard enough to get people not to run as admin when they don't have to- rebooting?  Not going to happen.

-wraith808 (October 21, 2015, 01:23 PM)

Well, while I'm not fond of the way Apple is doing this, you don't really need SYSTEM/root privileges often, neither on OSX nor Windows. And normal admin privileges don't (yet...) require this switcharoo, so it's not too bad in and by itself. It's the reason behind it that's worrying

[wraith808]

(As an aside, there's a cheat for logging in as NT AUTHORITY\SYSTEM.  Let me know if you're interested).

-wraith808 (October 21, 2015, 01:23 PM)

A new one, or the usual of running cmd.exe as a scheduled job?

-f0dder (October 21, 2015, 01:49 PM)

That's actually simpler than my method.  I didn't even realize that worked!  Seems like quite a hole... and quite obvious once you think about it.  And not much different than my method.

I use psexec sysinternal tool, and just use the -i -s switches.

And when you do it, you turn it completely off until you reboot again and turn it on.  It's hard enough to get people not to run as admin when they don't have to- rebooting?  Not going to happen.

-wraith808 (October 21, 2015, 01:23 PM)

Well, while I'm not fond of the way Apple is doing this, you don't really need SYSTEM/root privileges often, neither on OSX nor Windows. And normal admin privileges don't (yet...) require this switcharoo, so it's not too bad in and by itself. It's the reason behind it that's worrying

-f0dder (October 21, 2015, 01:49 PM)

Definitely... if you were just *using* them.  But rootless also *undoes* them.  Which is the terrifying part- especially as the reason behind them is pretty transparent.

[f0dder]

Seems like quite a hole...

-wraith808 (October 21, 2015, 02:51 PM)

Not really, since you need admin privileges to perform the trick. Not having admin have SYSTEM privileges is more about making it difficult to blow off your legs by accident