[jasonjei]

The problem with Mac’s sandbox system is that it’s giving me some PTSD of Windows UAC. It’s inventing a solution to a problem that might exist in small doses, but instead gives users permission fatigue.

I personally think the traditional *nix model has served us quite well, and elective sandboxing using containers (à la Docker and so on) is quite good. The Mac sandbox model is probably ok for most normal users, but for power users is infuriating at times. Multiple restarts of Mac and various processes (and when you realize not enough scopes have been granted, another subsequent restart). I think Mac forcing all users into its sandbox system has been one of my least favorite impacts since upgrading macOS, leading to the enshittification of macOS.

The craziest thing is background processes started by Terminal/iTerm (such as tmux) can inherit Terminal or iTerm’s elevated status even when Terminal or iTerm are no longer running, dead, or killed. So you’ll have a bunch of elevated processes without the elevated parent or grandparent process running—it makes me feel the whole permissions scheme is more performative than actually useful.

[al_borland]

Someone at Apple should watch some of their old ads.

https://www.youtube.com/watch?v=8CwoluNRSSc

[halapro]

The best part is that this kind of popups have been introduced with OS X Lion in 2011, which only came 4 years after Vista.

[streetfighter64]

I don't understand why OSX needs to restart the app to grant it permissions. The most annoying is video chat apps such as Teams and Zoom, having to close everything and reconnect if you want to share the screen or such. Perhaps there's a technical reason but it just feels like a lazy implementation.

But about the unix permissions model, is it really useful? During all my years of using linux on my personal machine, I've always had everything owned by my own user. Setting up specific users for programs would be a pain, and I don't think anybody does that? Servers is a different question, because then you're not actively using the system in the same way, which makes managing user accounts and their permissions on an app-level doable.

For normal users I think what's done on iphones and such works fairly well, and there they actually seem to have implemented it properly so that it doesn't require a restart to grant permissions.

[iamcalledrob]

Plus, Apple exempt their own apps from a bunch of these permissions (because it would be an unacceptable user experience for their customers)

[cosmic_cheese]

I think the bigger issue is that way too many devs still live in the extremely dated paradigm of “anything has access to everything all the time”, even though this model has repeatedly proven itself unworkable (particularly for anybody using proprietary software, which is notorious for sticking its fingers in places it has no business touching).

The way macOS handles permissions with user prompts might be the wrong UX, but giving every program carte blanche by default is definitely not the answer either.

It’s dangerous, particularly for those of us who are developing and publishing software that’s used by many thousands of people — we’re juicy targets and every time we disable protections in the name of convenience and carelessly run random third party software with unfettered access we’re playing with fire. I find myself consistently stunned by the flippant attitude SWEs take towards securing their systems. Our confidence that we’re too smart to fall victim is entirely misplaced.

[jjtech]

Note that this isn't "Mac's sandbox system", it's TCC. That's an important distinction to make, because apps that have opted into the proper App Sandbox can't do this... they don't even have the ability to display a prompt for direct access to Documents/.

With the App Sandbox, sandbox extensions are issues whenever you open a file using the file picker. They only last until the app is restarted.

A caveat is that you can save "Security Scoped bookmarks" (basically a signed base64 blob [1]) and pass that around to preserve access, but that isn't very common.

[1] https://www.mothersruin.com/software/Archaeology/reverse/boo...

[jasonjei]

Yes, TCC is what I meant, but my understanding is TCC is a platform wide sandboxing system?

[galad87]

TCC is a leaky shoot at limiting non-sandboxed apps permissions. The actual macOS sandbox is a different thing.

I would say that TCC is working as intended, unfortunately, with many obscure behaviors to avoid breaking existing apps.

It's even more unfortunate that a lot of apps that could be easily sandboxed aren't.

[traderj0e]

I feel the opposite with Mac permissions (or Linux or Windows). Hardly anything asks me, and it seems like everything has access to everything. But same conclusion here, if I don't trust something, I want to explicitly sandbox it.

[big_toast]

I feel like I can mostly use containers on macOS. Is there a different sense that people are using containers on *nix? Or are you referring to all the macOS specific software footguns?

I would like to be able to run arbitrary code with gradual/granular privilege escalation. (e.g iOS/android with more affordances and escape hatches. macOS is getting there, but it's been a pretty bumpy/potholed road). Right now if I download a random github repo, I'd put it in a docker container and give it ports/volumes/etc.

[jasonjei]

I was building a lightweight imitation of OpenClaw. Just a Claude.md and iMessage watcher. I had to play around with Privacy a lot to be able to read my iMessages database, and do a lot of iTerm restarting.

[big_toast]

I remember it being worse a while ago. But most of the time I can drag a binary into Settings->Privacy & Security->Full Disk Access or other things (Accessibility API). Maybe other issues come up.

I feel like it should still be much easier, but the general sandboxing model seems directionally functional. (My understanding is containerization isn't a silver bullet security-wise, still requires fiddling, and would be a resource hog ram-wise if not CPU?)

I wish I could pick a parent folder/file and get a box to control everything (network/disk/folders/peripherals/accessibility).

[liquid_thyme]

BTW - UAC is not a security boundary, so UAC-bypass is not the same as privilege escalation, and there is no bounty for it, etc, etc. It's a common misunderstanding, probably in no small part due to Microsoft's own lack of communication around it.

[galad87]

TCC is a different thing. Sandboxed apps work differently and won't need those TCC dialogs.

[shantara]

One of the worst cases happens immediately after logging into a fresh Mac, or after upgrading one. You’re instantly hit with a barrage of requests from all the installed apps and their various permissions. It makes for such a terrible initial user experience, it’s utterly baffling someone at Apple has signed it off. They used to poke fun at Windows in their ads, but UAC has never been that terrible in my experience.

[josephcsible]

> I personally think the traditional *nix model has served us quite well

It has the https://xkcd.com/1200/ problem on almost all end-user setups.

[p_stuart82]

performative is right. files & folders says blocked. open panel access still works. the pane only knows about one path

[jmount]

Very much agree. In fact I don't remember Vista or UAC being as unreliable as the Mac now is.