macOS Security Failure – Apple’s “fix” is of no use

Security researcher Csaba Fitzl of Offensive Security has found a vulnerability in macOS that lets a standard (non-admin) account read every file on the disk, including files belonging to other user accounts and files protected by Catalina’s privacy protection.

Apple says it has fixed the bug, but the “fix” only works if Full Disk Access is turned off for Terminal (and for any other terminal program, such as iTerm). The vast majority of Mac users who regularly use a terminal have Full Disk Access turned on, because they want to reach the entire disk themselves.

What those users probably do not want is for anyone else using the computer with a standard account to be able to read all their files. But that is exactly what Apple’s fix leaves open. And because Full Disk Access is a system-wide setting, it cannot be enabled for the admin account alone.

The bug is in mount_apfs, the command used to mount volumes formatted with Apple’s APFS file system, in combination with APFS snapshots, a feature mainly used to make Time Machine backups more efficient.

Any user can create a new snapshot and mount it with the noowners flag, which makes the mounted volume ignore file ownership and thereby bypasses the Unix permission model. The user can then simply read other users’ files. If FileVault is enabled, this does not work from guest accounts, only from standard accounts.
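The condition the article describes is a mounted APFS volume carrying the noowners option. As an added example (not from the article and not Csaba Fitzl’s code), the script below audits a multi-user Mac for such mounts by parsing mount(8)-style output: it reports the device, mount point and, where the option list contains “mounted by”, the user who mounted it. The sample output embedded in the script is constructed to illustrate the format of mount’s output and the noowners flag; the exact wording of real mount lines may differ slightly. The audit_live function, which calls mount and tmutil, is only meaningful on macOS.

```shell
#!/bin/sh
# Added example: audit for APFS mounts with the 'noowners' option.
# Not part of the original article or of the researcher's work.

# Constructed sample of mount(8) output (assumed format): a normal root
# volume, the data volume, and a snapshot mounted by a standard user
# with the noowners option.
SAMPLE_MOUNT_OUTPUT='/dev/disk1s1 on / (apfs, local, read-only, journaled)
/dev/disk1s2 on /System/Volumes/Data (apfs, local, journaled, nobrowse)
/dev/disk1s1 on /private/tmp/snap (apfs, local, read-only, journaled, noowners, nobrowse, mounted by alice)'

# find_noowners_mounts TEXT
# Reads mount(8)-style lines from TEXT and prints one line per APFS mount
# whose option list contains 'noowners':  <device> <mountpoint> <mounted-by>
# ('root' is printed when no "mounted by" entry is present).
find_noowners_mounts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *apfs*noowners*) ;;   # only APFS mounts with the noowners flag
            *) continue ;;
        esac
        dev=${line%% on *}        # text before the first " on "
        rest=${line#* on }        # text after the first " on "
        mp=${rest%% (*}           # mount point: before " ("
        opts=${rest#*(}           # option list without the surrounding parens
        opts=${opts%)}
        case "$opts" in
            *"mounted by "*) who=${opts##*mounted by } ;;
            *) who=root ;;
        esac
        printf '%s %s %s\n' "$dev" "$mp" "$who"
    done
}

# count_noowners_mounts TEXT
# Prints the number of noowners mounts found in TEXT (0 if none).
count_noowners_mounts() {
    find_noowners_mounts "$1" | awk 'END { print NR }'
}

# audit_live
# On macOS: list local snapshots of the root volume and report any
# currently mounted noowners volumes. Exit status 1 if any were found.
audit_live() {
    echo "Local APFS snapshots of /:"
    tmutil listlocalsnapshots / 2>/dev/null || echo "  (tmutil not available)"
    echo "Mounts with noowners:"
    hits=$(find_noowners_mounts "$(mount 2>/dev/null)")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    echo "  none"
    return 0
}

# Demonstration on the constructed sample (prints the alice snapshot mount).
find_noowners_mounts "$SAMPLE_MOUNT_OUTPUT"
```

A non-empty result means a volume is mounted with ownership checks disabled; on a shared Mac that is worth investigating regardless of which account mounted it, since the article’s point is that a standard account can do this without any admin prompt.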

Before Apple’s “fix”, Full Disk Access did not even have to be turned on for the terminal, so there was no way to protect against this at all.

Apple has told Csaba Fitzl that no further action will be taken and that users should turn off Full Disk Access for all terminal applications. That is hardly a secure solution, since so many users rely on that setting and hardly expect it to let other accounts read all their files.

It also means that any program you grant Full Disk Access to, for whatever reason, can suddenly read every user’s files, regardless of which user is logged in and without any admin prompt.

A safer and more sensible fix would be for mount_apfs either to require root privileges outright (via the sudo command) or to require them for the noowners flag. Accounts without sudo rights should never be able to read files belonging to other users; allowing it fundamentally violates the Unix permission model.

Hopefully Apple’s developers will come to their senses and fix this properly. Until then, we can only recommend that owners of multi-user Macs turn off Full Disk Access for Terminal, iTerm and other terminal applications, and enable it only temporarily when needed.