Hi, there is the good, old and functional: Unix style to do it, and it will make it impossible to execute News.app or any other executable you may wish to block.
Changing hidden flags is somehow an workaround which will not always work. The app can still be executed if the user is an advanced user.
There is the right way to do it, the Unix way:
Change the "execution" flag of the executable. If the executable is protected on ReadOnly Catalina partition, use the Recovery mode to change it, otherwise, change it using admin account, and protect the file from the user permission to change it. And it will be done, App will never execute anymore, even by command-line or even by root user! (unless the execution flag is re-enabled again)
Considering the News.app for the example:
Every MacOS app is a directory, or package as they reference it.
So, inside each app, there is an structure of directories, and one of them contains the "
real" executable file.
That directory i
s always inside: "appname.app
/Contents/Macos/app_executable"
Following the OP example,
The real executable file of
News.app is located at:
/Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News
Here is how to prevent/disable/block it from executing:
On Terminal, we change the Unix Executable Flag of it:
sudo chmod -x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News
The command above will remove the executable flag of the binary executable file, making it impossible even for the root (or any other kind of user or external loader) to execute that file.
And it is done, guaranteed, to never execute again.
To revert it, if needed, just put the "x" flag back again, and it will be executable again.
sudo chmod +x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News
You can also protect it from changes, accidental changes, or by intention, by locking that file (once locked, even an MacOS SystemUpdate will not be able to change it, or revert it to executable, nor overwrite it with some newer version).. nobody can.. unless you un-protected it before trying to change.
to do it, execute:
sudo chflags schg /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News
"
schg" means:
set the system immutable flag (super-user only)
To verify it, use
ls command on terminal, with option
-leahO
ls -lea@O /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News
the output will show the flag is active, and file is imuttable
-rw-r--r-- 1 prado staff schg 1135163 Dec 16 04:53
Notice the flag on bold below:
-rw-r--r-- 1 prado staff
schg 1135163 Dec 16 04:53
------
To unprotect the file, if needed, (to make it possible to change the executable flag again, to make the file executable [as it originally was]),
1) remove the imuttable flag:
sudo chflags noschg /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News
2) and set the executable flag again:
sudo chmod +x /Volumes/Macintosh\ HD/System/Applications/News.app/Contents/MacOS/News
Verify using the ls command:
ls -lea@O
278 -rwxr-xr-x 1 prado staff - 1135163 Dec 16 04:53:30
Notice that the "schg" flag has gone, meaning the file is not immutable anymore (it is normal again [changeable, editable, etc] )
and also notice the "x" flags on the begining of the line re-appeared, meaning the file is now executable:
278 -rwxr-xr-x 1 prado staff - 1135163 Dec 16 04:53:30
-rwxr-xr-x containing the "x" flag, the executable flags.
The instructions above is sufficient to make a full file protection.
but more details about the immutable flag can be found on terminal manual:
man chflags
This is valid for any Unix, Linux, Solaris, BSD and MacOS systems.
It is the right way to do it, and you don't have to worry about some expert-user trying to hack/bypass it.. Because the kernel will never execute that executable file without the executable flag, never.
-----
Additional techincal info, about executable permission levels/groups/users:
There exists 3 executable flags on every file, as can be seen above on bold output of the ls command.
They mean 3 types of execution level permission:
- The file owner execution permission to execute the file
- The group execution permission of which the owner belongs to, to execute the file
- The other users permissions (not the owner/creator of the file) nor the users of another system group
This way you could even explorer more that options, for example:
- By allowing only admin users to execute the News.app (or any other app/executable) and disable executions for normal users.
- Or by allowing only the file creator (or the user who downloaded it, or has explicit permission to execute) and block/ prevent every other user to execute the app.
- Or create different groups on System Preferences and put users on them, considering some group allows users belonging to it to have execution permission to execute, and other group on which users on that other group cannot execute the same app, or any other app, etc..
Creativity is the limit, and MacOS System give us this plenty of flexible options.
Although rarely used by most of the Mac users, they are rock-solid option and strong tied to the kernel since long time ago. Also they are a Unix Standard, which is a proven way to do what you need.
More information/instructions about how to change
each individual "x" [creator/group/others] executable flags can be read on terminal manual:
man chmod
I will not extend the answer here because it is already long. Lol.. But if needed, just reply and ask for more details or questions, and I can provide and help anyone here.
----
I hope you like my technical topic contribution here, and I hope it can extend your options, to choose among them, the one which better fits your needs.
Regards!
Prado
