Hacker News new | ask | show | jobs
by nyellin 5302 days ago
On a tangential note, apps like HandsOff and LittleSnitch aren't effective at sandboxing malicious software. (This should be obvious, but it apparently requires saying.)

The easiest way to bypass HandsOff/LittleSnitch is by temporarily replacing a trusted executable with another binary - there is no mechanism in place to verify that the binary itself hasn't changed since it was granted permissions.

http://natanyellin.com/2011/11/03/bypassing-little-snitch/
1 comments
WiseWeasel 5302 days ago
If you're running as a non-administrator, like you should be, that would prompt an admin login request.
link
nyellin 5302 days ago
Nope. OS X binaries are usually installed by dragging them to the /Applications/ folder. They are user-owned.
link
polo 5302 days ago
That's why I prefer Hands Off! I agree that neither is fool proof but HO allows me to control disk access as well as network access.

If I've just downloaded a new app, I'll have it ask for permissions for every disk access it needs. After a few runs I'll start giving it permanent access to the dirs I'm OK with it using. No app gets to write to /Applications.

It's a little painful to deal with the pop-ups but I like to know what my apps are up to :-)

link
WiseWeasel 5302 days ago
That's incorrect. Maybe you don't notice it if you're running as an admin, but the /Applications directory is admin-owned; since I'm running as a regular user, I need admin credentials to move items to that directory. I also get asked for admin credentials to perform any file operation in the /Applications directory, including those affecting apps I put there under my non-admin account (with admin credentials). You can make a ~/Applications directory for user-owned apps, and you won't need admin privileges to change that, but it would be less secure.
link
nyellin 5301 days ago
Sorry, but that's another common misconception.

As non-admin, you have authenticate to create or delete items in /Applications/. However, all items you move to /Applications/ remain under the ownership of your user.

You can confirm this without even opening the terminal: move the directory Foo/ to /Applications/Foo and notice that /Applications/Foo/bar is user-writable.

(Furthermore, admin on OS X (and many modern Linuxes) isn't equivalent to the traditional root account. Using a non-admin account doesn't make the difference you think it does.)

link
WiseWeasel 5301 days ago
OK, it seems to ask me to authenticate to move a folder to certain directories in /Applications, apparently those created by installers running with admin privileges, but I am able to move a folder to a folder that I've moved to the /Applications directory under my regular user account with authentication without needing to re-authenticate. But since the majority of my apps are not in their own directories, I am still asked for admin privileges to modify them. I am aware that the admin account is not in the root wheel, but the /Applications directory is owned solely by the 'admin' account; just not necessarily all sub-directories apparently.
link
nyellin 5301 days ago
Every app is its own directory!

Look at blog post I referenced above. It has an example for modifying the binaries inside Firefox.

link