
cspence002

macrumors newbie
Original poster
Aug 19, 2022
I'm looking for a comparison to determine whether my user / group settings have been tampered with. I'm the only user on this computer.
Running the following command:
Code:
sudo dscl . -list /Groups GroupMembership
Screenshot 2023-02-14 at 4.55.04 PM.png


If anyone has a source of descriptions for the default User / GroupMemberships I would appreciate it.
 
For that command:
On my Mac, other than different items because, of course, the user account names are different on my Mac, so entries with user account names are different. Other than those obvious differences, the list is identical on my Mac.
 
Well, what do you mean by different items exactly? I'm the only user on this system (under the username me in the image). I have not added any other users or groups. Do the group-user pairings match?
 
Nothing looks out of the normal here. It’s very unlikely your Mac has been tampered with.
 
Yes, the pairings match exactly - other than the fact that I have different user names. The listings that say "me" on your list are the user names that are on my Mac system - with no extra or missing items.

What is happening that makes you suspect that your system has been, somehow, compromised?
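The by-eye comparison described in this reply (pairings match apart from the account names), as an added example that is not part of the thread: a POSIX shell script that diffs two saved captures of the `dscl . -list /Groups GroupMembership` output after replacing each machine's account name with a placeholder. The function names, the `<local-user>` placeholder and the sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff two saved captures of
#   sudo dscl . -list /Groups GroupMembership
# at the level of group/member pairings, ignoring the local account name.

# pairs FILE ACCOUNT: one "group member" pair per line, sorted, with
# ACCOUNT replaced by the placeholder <local-user> (an assumed label).
pairs() {
    awk -v acct="$2" 'NF >= 2 {
        for (i = 2; i <= NF; i++)
            print $1, (($i == acct) ? "<local-user>" : $i)
    }' "$1" | LC_ALL=C sort -u
}

# compare_groups BASE BASE_ACCT CUR CUR_ACCT
# Prints "+ group member" for pairings only in CUR and "- group member"
# for pairings only in BASE. Returns 0 if identical, 1 if they differ.
compare_groups() {
    tmp=$(mktemp -d) || return 2
    pairs "$1" "$2" > "$tmp/base"
    pairs "$3" "$4" > "$tmp/cur"
    out=$( { LC_ALL=C comm -13 "$tmp/base" "$tmp/cur" | sed 's/^/+ /'
             LC_ALL=C comm -23 "$tmp/base" "$tmp/cur" | sed 's/^/- /'; } )
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample captures (not taken from the thread's screenshot):
# account "me" on one Mac, "alice" on the other, plus one extra member.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'admin      root me' '_lpadmin   me' \
        'wheel      root' > "$d/base"
    printf '%s\n' 'admin      root alice tester' '_lpadmin   alice' \
        'wheel      root' > "$d/cur"
    rc=0
    compare_groups "$d/base" me "$d/cur" alice || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "group pairings differ from the baseline"
```

Saving a capture right after a clean install gives a baseline for later runs on the same Mac, in which case both account arguments are the same name.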
 
I run my Mac with partial SIP disabled, and install 3rd party tools, beta/experimental builds. One of the builds is a WebKit browser that looks like it's getting in-depth system access but I can't say what it's affecting for sure, if anything. They make the claim of 0% telemetry so I try to test these out because I suspect it also makes connections through system level daemons. If the 0% telemetry claim is true, however, I'm wondering why certain daemons, such as cloudd, nsurlsession, networkserviceproxy, etc. attempt connections at the same time. At startup I notice _rmd user processes running in Activity Monitor but this is a personal computer that shouldn't be running any sort of MDM processes.
 
That's all you have?
No VPN in use?
I mean I use the built-in firewall in stealth mode blocking all incoming connections but I don't think it does sh*t, a pfctl disabling pretty much any connection on my local network besides DHCP and DNS, a mobileconfig profile (sans MDM-related configurations) that disables pretty much any iCloud services which I haven't signed into through at least the last 10 system wipes, but by the looks of it all of this can be overridden. I use LittleSnitch for monitoring.
In theory I can't get around the idea of paying for a VPN in a system that should be secure, and how much would it matter if I've installed some 3rd party binary in beta development with what looks to be system level access already? I really don't care if my ISP sees my traffic, it's a regionally-based cable provider. What I do care about is the integrity of a product sticking to the truths of what they claim, especially if that claim is privacy. And when most applications are now averting your set system level DNS over TLS now for their own DoH, how much is the VPN doing at that point besides possibly randomizing your IP address when it establishes connections to the remote servers who have 50 other ways of identifying you. Is there something I'm missing here?
 
Thanks bro. It's simple things like this I'd like to easily find in formal documentation from Apple. Defaults for various Launch System Services and their Entitlements, default settings of .plist files for easy comparison, ways to identify which application processes are calling system daemons to access my keychains every gd 10 minutes...

Instead it's every man for himself unless you're an iOS app developer. My theory is they keep their own forums just so people can fall for that EtreCheck scan and Apple can wipe their hands of anything being their fault.
 