Apple OSX Leopard (10.5+), inadequate ACL insight can create vuln

OSX 10.5 "Leopard" has ACLs enabled and gives them precedence over the standard POSIX permission bits.  Apple's "Get Info" GUI sets and displays an odd and confusing mix of POSIX and ACL settings, leaving plenty of room for confusion about what access a file or directory actually grants.

Unfortunately, there are not yet adequate tools to detect ACL changes.  Tools like open-source Tripwire only check POSIX permission bits (a feature request has been submitted for ACL support in open-source Tripwire).  Apple's proprietary Disk Utility appears to only check what Apple wants to check (it probably leaves areas like user files vulnerable).

Historically, a number of legitimate and less-than-legitimate software installers have altered the POSIX permission settings for key system files and directories.  Those alterations could easily be extended to ACLs, and would be more difficult to detect, since there are almost no tools to find them.

Users should carefully consider whether the risks of using ACLs in OSX outweigh the benefits.  For many systems with a small number of users, ACLs are massive overkill, and should probably be disabled.  The following command disables ACLs on the root volume (the command operates on one volume at a time):

# fsaclctl -p / -d
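
For systems that keep ACLs enabled, the detection gap described above can be narrowed by saving `ls -led` output for key paths and comparing snapshots. The following is an added example, not part of the original advisory or any tool it names; the function names and the snapshot contents are constructed for illustration, and it assumes one `ls -led` entry per path with regular files and directories only.

```python
import re

ACE_LINE = re.compile(r"^\s+\d+:\s+(.+)$")  # e.g. " 0: user:alice allow write"

def parse_snapshot(text):
    """Return {path: (posix_bits, (ace, ...))} from saved `ls -led` output."""
    entries, path = {}, None
    for line in text.splitlines():
        ace = ACE_LINE.match(line)
        if ace and path is not None:
            bits, aces = entries[path]
            # ACE order is kept: entries are evaluated in order.
            entries[path] = (bits, aces + (ace.group(1).strip(),))
            continue
        fields = line.split(None, 8)
        if len(fields) == 9:  # mode links owner group size month day time path
            path = fields[8]
            # Drop the "+" (ACL) and "@" (xattr) markers to keep pure POSIX bits.
            entries[path] = (fields[0].rstrip("+@"), ())
    return entries

def diff_snapshots(baseline, current):
    """List (path, kind) findings; ACL changes are reported separately."""
    old, new = parse_snapshot(baseline), parse_snapshot(current)
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            findings.append((path, "added"))
        elif path not in new:
            findings.append((path, "removed"))
        else:
            if old[path][0] != new[path][0]:
                findings.append((path, "mode-changed"))
            if old[path][1] != new[path][1]:
                findings.append((path, "acl-changed"))
    return findings

# Constructed sample snapshots: the POSIX bits are identical in both,
# so a checker that compares only mode bits reports nothing.
BASELINE = """\
-rw-r--r--  1 root  wheel  1234 Nov  1 10:00 /etc/hosts
drwxr-xr-x  5 root  wheel   170 Nov  1 10:00 /Library/StartupItems
"""
CURRENT = """\
-rw-r--r--  1 root  wheel  1234 Nov  1 10:00 /etc/hosts
drwxr-xr-x+ 5 root  wheel   170 Nov  1 10:00 /Library/StartupItems
 0: group:everyone allow add_file,add_subdirectory
"""

if __name__ == "__main__":
    for path, kind in diff_snapshots(BASELINE, CURRENT):
        print(kind, path)
```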
