On the Constant, CONSTANT Permissions Management

[maxoakland]

I get the value of asking the user for some permissions, but MacOS has gone insane. It's not only constantly asking for permission to do things, the system isn't even that good at making it easy to deal with it. Applications constantly have to explain to users how to enable their permissions manually because they don't automatically do it. It's ridiculous

I just got asked twice in the space of 2 minutes to let applications access documents on my iCloud. Why? Why does Apple think applications need to be given explicit permission to access Documents, iCloud, Desktop, Full Disk, external disks, etc? That's too many folders to ask about.

Who is in charge of this? It's a frustrating user experience. The list of possible permissions in Privacy & Security in System Settings is so long it doesn't even fit on my screen.

There was a time when people made fun of Windows Vista for asking about too many permissions. Whats crazy is that now MacOS is worse than Vista ever was about the incredible granular choices and numbers of permissions the user is asked for. The worst part is this deluge of questions and permissions makes users take these questions less seriously.

I'm glad that we have some permissions options. I know that security is extremely important and I like the fact that I can block an app's access to things like my contacts.

What I'm not OK with is being asked so many questions every time I use a new application. And even worse, lots of the time there are permissions that don't really work. I repeatedly had to go to Full Disk Access to turn on an application's access when the application is mysteriously not working. I never get any question about that one. Why is that? Why do some permissions require you to go to System Settings to enable them and then quit and restart the application?

This is not a good user experience despite the good intentions. Something has got to give. Don't even get me started on the fact that System Integrity Protection means I can no longer move, delete, or organize system applications in my Applications folder. This is something you can do on your phone these days.

Maybe one solution would be to give power users the ability to turn off some of these questions. Or, instead of asking permissions, you could get information about the applications that accessed your "special" folders (the way it works with microphone and location)

 

[H_D]

… it makes migrating to a new computer living hell.

 

[rm5]

I absolutely CANNOT stand the constant nagging prompts, either.

"This application is from an unidentified developer"
"macOS can not verify that this app is free from malware. You should delete it."
Or the absolute WORST ONE: "The application is damaged and can't be opened. You should move it to the trash."

It's funny you mention this, because I just had one of these experiences today—in fact, I think I reached the pinnacle of stupid macOS permission stuff. I tried to run something I downloaded from GitHub, and macOS wanted me to verify each INDIVIDUAL Java library!!!! Of which there were who knows how many. Then the app would throw an error saying something about a missing library - well duh! Because macOS won't allow it to work!

Then there are the apps where when you give it permission, you have to RESTART IT! Like most video conferencing apps. Try to share your screen for the first time, and it literally will make you leave the call and rejoin...

This is why I absolutely HATE macOS sometimes...

 

[maxoakland]

Then there are the apps where when you give it permission, you have to RESTART IT! Like most video conferencing apps. Try to share your screen for the first time, and it literally will make you leave the call and rejoin...

That's all bad but this is just incredible. How did Apple think this was OK?

 

[H_D]

It has become a standing joke in video conferences that at least one person has to quit and allow Zoom/Teams/Google or whatever to use audio or video.
I get that Apple tries to make the OS safe, but this feels quite a lot like Windows Vista and is causing all kinds of headaches in using side-loaded apps from Indie developers. At the very least a 1:1 migration should not reset all of the security settings you have made over years and compress them all into one day :-D.

 

[bogdanw]

I doesn’t happen to me, I have SIP disabled ;-)

"Disabling and Enabling System Integrity Protection" https://developer.apple.com/documen...ling_and_enabling_system_integrity_protection

 

[ipaqrat]

Welcome to Zero Trust, folks. The Authentication and Authorization paradigm wherein user access permissions are maintained at the bare minimum to barely function. All other resources and actions are considered "Privileged" - blocked unless user permissions are elevated through an explicit A&A cycle (ideally including multi-factor authentication). Then, when an action is complete, or after timed session countdown, privileged access is stripped, and the user goes back in the box. It's frustrating. It's Groundhog Day. All icy puddle. No kissy-face redemption.

On the other hand, most malware and insider threats are defeated by Zero-Trust A&A coupled to a kill chain (firewall, media hygiene, behavior analysis, auditing, incident response, community action, etc.). Most consumers stop with a firewall and media hygiene, because that feels like enough punishment for shopping on-line and streaming Taylor Swift. The rest of the kill chain, admittedly, requires commitment at a business/government level.

Which circles back the OP's premise and conclusion. Confronting raw zero-trust, minute by minute, day by day, is miserable. But IT Security is just now in the "uphill both ways, through the snow, fighting bears with the three-ring binder" stage. We just have to live with it for now; it's that simple.

Disabling security subsystem in the OS is a terrible reaction, not just for your own IT (for obvz), but also for every other user. It's easy to see your PC as, well, personal, but that's not how the internet is designed; it's communal whether you like it or not. Disabling personal, localized security subsystems is what every hacker and government hopes for.

 

[maxoakland]

Disabling security subsystem in the OS is a terrible reaction, not just for your own IT (for obvz), but also for every other user. It's easy to see your PC as, well, personal, but that's not how the internet is designed; it's communal whether you like it or not. Disabling personal, localized security subsystems is what every hacker and government hopes for.

Well, then Apple should figure out how to make the experience better. Until then, I'm disabling SIP

 

[CrushRoller]

Simple! MacOS lets the user decide on permissions so if something goes wrong it is the user's fault not Apple's...

Besides MacOS i also work with Linux Mint - never had these silly permission requests with Mint...

 

[ifxf]

This is the main reason I don’t use Safari, too many prompts with websites and extensions. Even Firefox nags about updates which I would allow if they didn’t inflict new UI features on me with their updates.

 

[AlmightyKang]

As much as no one is going to want to hear this, because they are lazy and don't care, the warnings are there for a very good reason.

Programs should have specific and limited capabilities and access to only the data that they need to do those things.

In the early days of Firefox I accidentally found a buffer overflow in Firefox on Linux. I managed to write an exploit for it that would make Firefox execute arbitrary code. This leveraged the fact that Firefox could read and write the user's home directory on Linux arbitrarily. I added a line to the end of the .profile in the directory that would download and install a remote shell on the machine when the user next logged in. After that I could what the hell I wanted with your data and files. If Firefox could never read or write to anything other than its own profile and the Downloads folder this would not have been possible. So when you click "no you can't do that" you're making the decision of "do I want that program to do that"

I would post the CVE but it'll identify who I am and I do not wish to do that

Edit: oh also Linux is terrible when it comes to things like this. If any user's process is owned you've had it. It's worse than Windows.

 

[bogdanw]

Programs should have specific and limited capabilities and access to only the data that they need to do those things.

Yes, but the user experience should not turn into a nightmare as a result.
Especially when ...
"20+ Ways to Bypass Your macOS Privacy Mechanisms"
https://www.youtube.com/watch?v=W9GxnP8c8FU
"Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms"
https://www.youtube.com/watch?v=a9hsxPdRxsY
"ELECTRONizing macOS Privacy - a New Weapon in Your Red Teaming Armory"
https://www.youtube.com/watch?v=Yw8yre1W4io

I would post the CVE but it'll identify who I am and I do not wish to do that

Don’t dox yourself, we believe you

 

[AlmightyKang]

I mean the problem is that you either have a hard enforcement policy and people get pissy that you can't save .profile into your home directory on Firefox or you ask them if they want to do the stupid thing.

I'm not even sure what the problem is. I just rebuilt my Mac mini the other day and it asked me a couple of times on a few things and meh, job done.

 

[Apple_Robert]

I have been using MacOS a long time and the only time I ran into the level of requests the OP is noting is when I was running Little Snitch 3. I have no problem with the current lockdown of the OS. In fact, I want more lockdown. If I want free rein, I would go back to Linux.

 

[bogdanw]

"System Alerts won't Go Away" https://forums.macrumors.com/threads/system-alerts-wont-go-away.2398083/ and the other linked threads.

 

[AlmightyKang]

I mean I'm usually the alien overlord who breaks everything I touch, but most of the time I've got to be honest it is because I've done something stupid and occasionally something unexpected. I would love to take one of those issues to pieces and find out why it's happening.

So if the TCC database gets corrupted, I have to ask how. Cursory search suggests it's a SQLite database that has had a schema evolution done on it over time. If I had to guess it'd be a crappy upgrade/migration process somewhere. Which couldn't surprise me if Core Data is in there...

 

[ipaqrat]

Well, then Apple should figure out how to make the experience better.

Absolutely! Couldn't agree more! That's why they make the big bucks. But Apple is terrified about adverse regulatory reactions to building their garden walls ever higher.

Until then, I'm disabling SIP

Simple! MacOS lets the user decide on permissions so if something goes wrong it is the user's fault...

Yep, for the multitudes of folks without the intestinal fortitude to suck it up and compensate for engaging with half-baked IT in the first place (which is to say all of it at present day), there remains the option to operate at risk. Impatience and frustration are what keep hackers hopeful and motivated.

user's fault not Apple's...

Apple already makes us all declare that nothing is ever Apple's fault. Poor, poor Apple, so beleaguered and set upon. Maybe RAM upticks wouldn't cost $400 if they didn't have to protect themselves. Enjoy the asparagus and cuttlefish!

Besides MacOS i also work with Linux Mint - never had these silly permission requests with Mint...

Mint Schmint. I deal with all manner of linux-for-grownups, all day, professionally. Most consumer-oriented desktop distros default open for amateurs so the distributor doesn't have to confront all the whiney fail-sobbing.

The reasons Linux wouldn't produce a ton of prompts all the time is because its firewall is missing or disabled, its system integrity protection is missing, crippled or disabled, or because users run with sudo permanently set, as admins, or even as root. Seamless operation without prompts is typically a symptom of failed security, no matter what OS is in play.

Edit: oh also Linux is terrible when it comes to things like this. If any user's process is owned you've had it. It's worse than Windows.

Truth.

This is the main reason I don’t use Safari, too many prompts with websites and extensions. Even Firefox nags about updates which I would allow if they didn’t inflict new UI features on me with their updates.

Safari is not exactly the paradigm of perfection, but it does have the advantage of tighter integration with the rest of MacOS, for better or worse. Some integrations even extend to mobile devices. Of course, this reaches back to the anti-competition debate.

silly permission requests

This 👆 is the precise point of contention. In fact, the permission requests are serious bidness. Folks just need to get dey minds right. The prompts are also conformation that shields are up, for the most part. Quite simply, there is no scenario where one's welfare is improved by disabling security, however irritating it is (and will certainly remain).

warnings are there for a very good reason... So when you click "no you can't do that" you're making the decision of "do I want that program to do that"

💯 Defeating security subsystems, especially the annoying prompty ones, equates to abdicating your decisions. This gives someone else all the decisions about your data, privacy and anonymity.

 

[Lounge vibes 05]

I think another big reason for this that no one has mentioned yet is that…
The vast majority of consumers 20 years ago using windows XP or whatever had no idea how to use computers.
They might eventually learn how to do things on their computer, but security and cyber attacks were probably the last things on their mind until their computer got a virus, which seem to happen to everyone at one point or another.

Then, the iPhone and iPad happened. And the iPhone and iPad, especially at the start, were so locked down that the type of concerns that consumers had to have with windows XP we’re basically nonexistent other than in some rare, rare cases.

But the Mac has still continued to grow alongside the iPhone and iPad, and fundamentally, the Mac is less secure.
Users are still a lot more likely to download something malicious on a Mac than they are an iPhone or iPad, even today.

So really the only thing Apple can do, other than totally locking down macOS like iOS is, is to just… lock everything behind warnings and pop-ups and questions.
And given that Apple knows that most users will never think about those pop-ups again, they’ve been creating even more barriers that the pop-up has to pass. Now you have to enable it “while using application” or “allow once”.
And Apple knows the majority of customers are just going to click “allow once” because it literally has the word “allow” in it.

 

[zevrix]

I doesn’t happen to me, I have SIP disabled ;-)

"Disabling and Enabling System Integrity Protection" https://developer.apple.com/documen...ling_and_enabling_system_integrity_protection

Unless I'm missing something, disabling SIP doesn't affect any of the annoying security authorization prompts and requirements mentioned here. I always have SIP disabled in order to use certain Finder tweak utilities. All the prompts discussed here are still present. (I happen to know this for sure because as a developer I actually do need those prompts to be enabled in order to know how software would normally behave).

SIP affects more subtle aspects of system security, not general features exposed to regular users.

 

[ipaqrat]

Unless I'm missing something, disabling SIP doesn't affect any of the annoying security authorization prompts and requirements mentioned here. I always have SIP disabled in order to use certain Finder tweak utilities. All the prompts discussed here are still present. (I happen to know this for sure because as a developer I actually do need those prompts to be enabled in order to know how software would normally behave).

SIP affects more subtle aspects of system security, not general features exposed to regular users.

😎 Spot on. It helps that you split this hair so clearly! As a dev, zevrix, you are in a better position to screen code and not get punk'd by sneaky extensions and script-kiddie bull****. All devs compulsively watch vendors' potential supply chain hacks, changes of ownership to foreign nation states, changes to mutual assistance treaties that affect disclosure of user data, etc., etc. Riiiight? It's truly a wild frontier.

As it was pointed out, we still have a choice, for good or ill. SIP is not ordinarily very talkative, but it is CRUCIAL for the OS to protect itself from permission elevation hacks where the intent goes beyond simple exfiltration, to gaining persistence, which means malware keeps working after reboot, or even after purportedly "clean" OS reinstalls (Yes, that's a thing.). Persistence is the holy grail of hacking because it enables webs of ongoing disruption, surveillance and lateral movement to other connected systems, which is far worse than individual petty theft.

Ordinary USBSTSs (Users Shopping, Banking and Streaming Taylor Swift) probably wouldn't instinctively make those distinctions. Attempting to quiesce the constant barrage of "silly" prompts, we often will run wild, disabling the entire security onion. Every passing day, it's more apparent we're playing with fire every time we boot up. Better to keep messaging simple:

 

[bogdanw]

Unless I'm missing something, disabling SIP doesn't affect any of the annoying security authorization prompts and requirements mentioned here.

"Folder Permissions" https://forums.macrumors.com/threads/folder-permissions.2375011/

 

[zevrix]

"Folder Permissions" https://forums.macrumors.com/threads/folder-permissions.2375011/

Ok I see, thanks for the clarification.

Indeed I now realize that I don't seem to get requests to authorize access to certain folders. I'm not sure that all of them are disabled but I sure don't remember being asked to grant access to Documents, Desktop, iCloud and some others mentioned here.

So I stand corrected. In reality, SIP doesn't affect some of of the annoying security authorization prompts and requirements mentioned here. For example, Apple Event sandboxing (requests to authorize control of another app by scripts), access to Contacts, permission for accessive devices and some other authorization requests are not affected by disabling SIP.

 

[maxoakland]

Unless I'm missing something, disabling SIP doesn't affect any of the annoying security authorization prompts and requirements mentioned here. I always have SIP disabled in order to use certain Finder tweak utilities. All the prompts discussed here are still present. (I happen to know this for sure because as a developer I actually do need those prompts to be enabled in order to know how software would normally behave).

SIP affects more subtle aspects of system security, not general features exposed to regular users.

You're right but as far as I understand it means I can move system applications again, which is another annoyance I mentioned. I haven't done this yet because I have to restart in safe mode or whatever

Edit: Huh, we were both wrong. I guess it'll help more than I expected