10/31/2023 0 Comments Apple sandbox system files![]() ![]() I don’t understand why Apple thinks there are no “actual security implications” (and thus won’t pay the bug bounty). The app can save an arbitrary shell script, launder it through TextEdit, and then tell the system to open it, which will make it run outside of the sandbox. I tried the sample project, and this seems to be legit. This should appear very innocuous to the user, because nobody thinks that TextEdit is dangerous, so one would think it’s not much of a risk to allow TextEdit to be controlled. My sample app opens a shell script in TextEdit, and then it uses the Apple Events permission to tell TextEdit to save the file, thus removing the quarantine and allowing the script to be executed outside the app’s sandbox. However, when an app such as TextEdit with the “.user-selected.executable” entitlement saves a file, it removes the quarantine extended attribute! If the file is a shell script, then the quarantine extended attribute would prevent the script from running. That’s perhaps a little obscure, but it ensures sandbox folder names are unique.Normally, when a sandboxed app writes to a file, the file is quarantined. For example: Nisus Writer Pro’s sandbox folder name is. Not only does it increase security, but it also makes apps easier to uninstall: just delete the app and its sandbox.Įach sandbox folder’s name corresponds to the app’s internal identifier. If you don’t ever give a sandboxed app access to additional files or folders (eg: by choosing extra locations in file handling dialogs), then you can be sure that everything the app stores on your Mac is kept in its sandbox. This folder holds all local information for the app, like your app preferences. There is also another little change to what you see in the Finder when you browse sandbox folders.Īs you may know, every app that adopts macOS sandboxing is given its own sandbox folder. The big underlying change is the new cryptographically signed system volume that prevents tampering with system data (for better and worse). ![]() ![]() Apple made some changes to the file system for macOS Big Sur. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |