Hacker News

jasonjei, today at 4:01 PM (14 replies)

The problem with Mac’s sandbox system is that it’s giving me some PTSD of Windows UAC. It’s inventing a solution to a problem that might exist in small doses, but instead gives users permission fatigue.

I personally think the traditional *nix model has served us quite well, and elective sandboxing using containers (à la Docker and so on) is quite good. The Mac sandbox model is probably ok for most normal users, but for power users is infuriating at times. Multiple restarts of Mac and various processes (and when you realize not enough scopes have been granted, another subsequent restart). I think Mac forcing all users into its sandbox system has been one of my least favorite impacts since upgrading macOS, leading to the enshittification of macOS.

The craziest thing is background processes started by Terminal/iTerm (such as tmux) can inherit Terminal or iTerm’s elevated status even when Terminal or iTerm are no longer running, dead, or killed. So you’ll have a bunch of elevated processes without the elevated parent or grandparent process running—it makes me feel the whole permissions scheme is more performative than actually useful.


Replies

liquid_thyme, today at 9:57 PM

BTW - UAC is not a security boundary, so UAC-bypass is not the same as privilege escalation, and there is no bounty for it, etc, etc. It's a common misunderstanding, probably in no small part due to Microsoft's own lack of communication around it.

al_borland, today at 4:08 PM

Someone at Apple should watch some of their old ads.

https://www.youtube.com/watch?v=8CwoluNRSSc

cosmic_cheese, today at 5:51 PM

I think the bigger issue is that way too many devs still live in the extremely dated paradigm of “anything has access to everything all the time”, even though this model has repeatedly proven itself unworkable (particularly for anybody using proprietary software, which is notorious for sticking its fingers in places it has no business touching).

The way macOS handles permissions with user prompts might be the wrong UX, but giving every program carte blanche by default is definitely not the answer either.

It’s dangerous, particularly for those of us who are developing and publishing software that’s used by many thousands of people — we’re juicy targets and every time we disable protections in the name of convenience and carelessly run random third party software with unfettered access we’re playing with fire. I find myself consistently stunned by the flippant attitude SWEs take towards securing their systems. Our confidence that we’re too smart to fall victim is entirely misplaced.

iamcalledrob, today at 4:44 PM

Plus, Apple exempt their own apps from a bunch of these permissions (because it would be an unacceptable user experience for their customers).

jjtech, today at 4:50 PM

Note that this isn't "Mac's sandbox system", it's TCC. That's an important distinction to make, because apps that have opted into the proper App Sandbox can't do this... they don't even have the ability to display a prompt for direct access to Documents/.

With the App Sandbox, sandbox extensions are issued whenever you open a file using the file picker. They only last until the app is restarted.

A caveat is that you can save "Security Scoped bookmarks" (basically a signed base64 blob [1]) and pass that around to preserve access, but that isn't very common.

[1] https://www.mothersruin.com/software/Archaeology/reverse/boo...
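The two halves of the caveat above, as an added example in Swift (this is not code from the comment, from the linked write-up or from Apple's samples): the sandbox extension handed out by the open panel dies with the process, so the app stores a security-scoped bookmark while it still holds access and resolves it on the next launch. The blob is only resolvable by the app that created it (it is bound to the app's identity), which is why passing it around is rare. `BookmarkStore`, the `UserDefaults` key and the printed messages are assumptions made for illustration.

```swift
import Foundation

// Added example (not from the thread): persisting sandboxed file access across
// launches with a security-scoped bookmark. Type and key names are assumptions.
enum BookmarkStore {
    // Where the app keeps the bookmark blob between launches (assumed key name).
    static let defaultsKey = "example.documentsFolderBookmark"

    /// Call right after the user picks a URL in NSOpenPanel, while the picker's
    /// sandbox extension is still live; the bookmark outlives the extension.
    static func save(_ url: URL) throws {
        let data = try url.bookmarkData(
            options: .withSecurityScope,
            includingResourceValuesForKeys: nil,
            relativeTo: nil)
        UserDefaults.standard.set(data, forKey: defaultsKey)
    }

    /// On a later launch, turn the stored blob back into a URL the app may access.
    /// Returns nil when no bookmark exists or the kernel refuses to resolve it.
    static func restore() -> URL? {
        guard let data = UserDefaults.standard.data(forKey: defaultsKey) else { return nil }
        var isStale = false
        guard let url = try? URL(
            resolvingBookmarkData: data,
            options: .withSecurityScope,
            relativeTo: nil,
            bookmarkDataIsStale: &isStale) else { return nil }
        if isStale {
            // The target moved or was renamed: re-create the bookmark while the
            // resolved URL is still usable so the next launch does not lose it.
            try? save(url)
        }
        return url
    }
}

// Usage: every access is bracketed by start/stop so the extension is released
// again instead of lingering for the life of the process.
if let folder = BookmarkStore.restore(), folder.startAccessingSecurityScopedResource() {
    defer { folder.stopAccessingSecurityScopedResource() }
    let entries = (try? FileManager.default.contentsOfDirectory(atPath: folder.path)) ?? []
    print("Entries in \(folder.path): \(entries.count)")
} else {
    print("No usable bookmark; present NSOpenPanel and call BookmarkStore.save(url) on the result")
}
```

The `isStale` branch is the part people usually forget: a stale bookmark still resolves once, but unless it is re-saved during that session the access is gone at the following launch and the user is prompted again, which is exactly the permission-fatigue complaint this thread is about.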

traderj0e, today at 5:11 PM

I feel the opposite with Mac permissions (or Linux or Windows). Hardly anything asks me, and it seems like everything has access to everything. But same conclusion here, if I don't trust something, I want to explicitly sandbox it.

big_toast, today at 4:18 PM

I feel like I can mostly use containers on macOS. Is there a different sense that people are using containers on *nix? Or are you referring to all the macOS specific software footguns?

I would like to be able to run arbitrary code with gradual/granular privilege escalation (e.g. iOS/Android with more affordances and escape hatches. macOS is getting there, but it's been a pretty bumpy/potholed road). Right now if I download a random GitHub repo, I'd put it in a Docker container and give it ports/volumes/etc.

galad87, today at 4:54 PM

TCC is a different thing. Sandboxed apps work differently and won't need those TCC dialogs.

josephcsible, today at 6:36 PM

> I personally think the traditional *nix model has served us quite well

It has the https://xkcd.com/1200/ problem on almost all end-user setups.

shantara, today at 4:30 PM

One of the worst cases happens immediately after logging into a fresh Mac, or after upgrading one. You’re instantly hit with a barrage of requests from all the installed apps and their various permissions. It makes for such a terrible initial user experience, it’s utterly baffling someone at Apple has signed it off. They used to poke fun at Windows in their ads, but UAC has never been that terrible in my experience.

p_stuart82, today at 5:37 PM

Performative is right. Files & Folders says blocked. Open panel access still works. The pane only knows about one path.

streetfighter64, today at 8:30 PM

I don't understand why OSX needs to restart the app to grant it permissions. The most annoying is video chat apps such as Teams and Zoom, having to close everything and reconnect if you want to share the screen or such. Perhaps there's a technical reason but it just feels like a lazy implementation.

But about the Unix permissions model, is it really useful? During all my years of using Linux on my personal machine, I've always had everything owned by my own user. Setting up specific users for programs would be a pain, and I don't think anybody does that? Servers are a different question, because then you're not actively using the system in the same way, which makes managing user accounts and their permissions on an app level doable.

For normal users I think what's done on iPhones and such works fairly well, and there they actually seem to have implemented it properly so that it doesn't require a restart to grant permissions.

jmount, today at 4:11 PM

Very much agree. In fact I don't remember Vista or UAC being as unreliable as the Mac now is.