by crazygringo 1809 days ago
> At least, that’s how it’s supposed to work, but if Alice is an admin user and gives Terminal Full Disk Access (FDA), then Alice can quite happily navigate to Bob’s Desktop and Downloads folders (and everyone else’s) regardless of what TCC settings Bob (or those other users) set... When Alice grants FDA permission to the Terminal for herself, all users now have FDA permission via the Terminal as well. The upshot is that Alice isn’t only granting herself the privilege to access others’ data, she’s granting others the privilege to access her data, too... Any application granted Full Disk Access has access to all user data, by design.

This indeed seems dangerously counterintuitive.

I, like most other people I'd think, always assumed the permission dialogs ("TCC") were a layer of restrictions on top of traditional UNIX user permissions. Not overriding them.

In other words, granting full-disk access to an app would give it access to everything my user can access. Not "sudo" access to other users' data as well.

Why would an app ever need that level of access? For installing files, maybe, but not while running.

Can anyone else confirm this is how macOS actually works? And if there's some justification I'm missing? It seems so crazy that I can't actually believe it without somebody else verifying it.


TCC does not bypass Unix file permissions. I don't know where that idea is coming from but it is incorrect.

An admin has always been able to sudo to bypass normal Unix permission checks. That's true on all Unix systems.

The problem isn't that TCC grants a Unix file permission bypass - because it doesn't, at least not on its own. The problem is that ordinary users can create APFS snapshots via Time Machine, and then mount them with Unix permissions disabled (noowners). When Apple was told about this they decided to gate the snapshot mounting stuff... behind Full Disk Access, not being an admin. And Finder has FDA, because of course it does, otherwise users wouldn't be able to use their own filesystem rights at all.

All of this smacks of different parts of the macOS core team not understanding their security model. One half seems to think Full Disk Access just means "has the user's file system permissions instead of sandboxed access" (hence why Finder has it), while the other thinks it means "access the whole disk, regardless of other permissions". Both interpretations are reasonable but become unreasonable when combined into a single system.
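The roundabout path the comment above describes (a local snapshot mounted with ownership ignored) leaves a visible trace in the mount table. The following is an added example, not code from the page or from any commenter: it parses `mount`-style output and reports volumes mounted with `noowners`, flagging those whose source looks like an APFS snapshot. It assumes macOS `mount` prints lines as `<source> on <mountpoint> (opt, opt, ...)` and that a snapshot mounted with `mount_apfs -s` appears as `<snapshotname>@<device>`; the sample lines are constructed, not captured from a real machine. It says nothing about TCC itself, only about which mounted volumes no longer enforce on-disk uid/gid.

```python
import re

# Constructed sample lines in the shape of macOS `mount` output; not captured from a real machine.
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk1s5s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
com.apple.TimeMachine.2021-07-05-101010.local@/dev/disk1s1 on /Volumes/snap (apfs, local, read-only, noowners, journaled, nobrowse)
/dev/disk2s1 on /Volumes/USB (msdos, local, nodev, nosuid, noowners)
"""

# Assumed line shape: "<source> on <mountpoint> (opt, opt, ...)"; mountpoints may contain spaces.
MOUNT_LINE = re.compile(r"^(?P<source>\S+) on (?P<mountpoint>.+?) \((?P<opts>[^)]*)\)\s*$")


def parse_mount_output(text):
    """Parse mount lines into dicts with source, mountpoint and an option list.

    Lines that do not match the expected shape are skipped rather than raising,
    so a stray header or blank line in real output does not abort the audit.
    """
    entries = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line)
        if not m:
            continue
        opts = [o.strip() for o in m.group("opts").split(",") if o.strip()]
        entries.append({
            "source": m.group("source"),
            "mountpoint": m.group("mountpoint"),
            "options": opts,
        })
    return entries


def is_snapshot_source(source):
    """Assumption: a snapshot mounted via `mount_apfs -s` shows up as `<snapshot>@<device>`."""
    return "@" in source and source.split("@", 1)[1].startswith("/dev/")


def find_noowners_mounts(text):
    """Return mounts whose options include `noowners`, marking snapshot mounts.

    Each hit is a volume where the stored uid/gid do not gate access the way
    they do on the live volume, which is the condition the thread is about.
    """
    hits = []
    for e in parse_mount_output(text):
        if "noowners" in e["options"]:
            hits.append({
                "source": e["source"],
                "mountpoint": e["mountpoint"],
                "snapshot": is_snapshot_source(e["source"]),
            })
    return hits


if __name__ == "__main__":
    import subprocess
    import sys

    # On macOS, audit the real mount table; elsewhere fall back to the constructed sample.
    text = SAMPLE_MOUNT_OUTPUT
    if sys.platform == "darwin":
        text = subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout
    for h in find_noowners_mounts(text):
        kind = "snapshot" if h["snapshot"] else "volume"
        print(f"{kind} mounted with noowners: {h['source']} on {h['mountpoint']}")
```

A `noowners` mount of an external disk is ordinary (it is what the Finder "Ignore ownership" checkbox does); a `noowners` mount whose source is a local Time Machine snapshot of the data volume is the case worth asking questions about.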

So is the article just plain wrong then?

Can an app given full-disk permissions not access data in other user folders other than the user who started it?

This is why I'm so confused.

To an extent neither is wrong - full disk access doesn't directly bypass the live filesystem's Unix permissions. But it does explicitly grant full access to Time Machine backup images regardless of admin/superuser privileges, including the ability to create new up-to-date snapshots, which is equivalent to full read-only access ignoring Unix permissions (on a short time delay).
... in this case it _does_, albeit in a roundabout way via Time Machine local snapshots. In short, the attacker can bypass Unix file permissions by mounting a local backup with owners disabled.
> In other words, granting full-disk access to an app would give it access to everything my user can access. Not "sudo" access to other users' data as well.

> Why would an app ever need that level of access? For installing files, maybe, but not while running.

Though bootable full disk backups aren’t possible anymore with the recent releases of macOS, there are applications such as Carbon Copy Cloner and SuperDuper! that need full disk access to create a backup of the entire volume. This is a limited case, but there are many people who use these (instead of or in addition to Time Machine).

https://filebin.net/uwboypi04o23yzj8/Screenshot_2021-07-05_a...

It is explicitly detailed as such. Full disk access actually means full disk access under that system.

> Time Machine backups [...] for all users on this Mac

That seems like the less likely parsing of the actual text. The more plausible reading would have the "for all users" apply only to the bit about "certain administrative settings", which may by their nature need to apply to all users instead of per-user.

A less ambiguous warning is needed if this is truly meant to be such a powerful setting that overrides regular user-based permissions.

True, but the other point mentioned in the article (giving automatic access to Finder automatically leading to that app getting FDA access without appearing in the list) is very counterintuitive, I think.
Intuitive to an end user, perhaps not (but why are they modifying those settings anyway? Well-behaved apps don't ask for FDA), but for a developer or power user it should be. If I allow Terminal.app FDA it means that any executables it hatches have FDA, or else it would be super confusing if you give it FDA and then wonder why nothing seems to have changed.
> but why are they modifying those settings anyway?

This is exactly the Apple attitude that bothers me. The idea that a user shouldn't be messing with settings. This is why they remove them as much as they can.

But sometimes there's a good reason to want to change something. Apple's vision isn't always right for everyone. And some users just have more complex needs. Imagine telling an Arch Linux user 'why would you want to change settings anyway?' :) It would break the entire idea behind that distribution.

In this case they do even offer the setting (so even Apple see the need for it) but it's not very transparent what it does.

PS: I'm not saying the arch method would work for Apple of course ;) But I am saying that what is configurable should be well documented, and that Apple should probably have a bit more configurability in my opinion.