josephg|16day ago

> These experiences have been why I’ve not a big fan of “capabilities” as a concept. The UX around them is awful, and almost has to be.

I don't think the UX has to be awful. The problem is just that they're kinda half baked on macos, and bolted on, and not really a first class citizen. There's no reason you couldn't have:

- A preferences dialog showing which long-lived capabilities you've granted to which application. (Which is almost exactly what the accessibility preferences pane already is.) Ideally this UI could have a log of ways in which the application has used that capability recently and the ability to revoke it. Maybe even the ability to review the app's use of the capability. Show the review score to other users when the app asks for the permission.

- A little blob of text saying why the application is asking for the specified permission. iOS requires this from all 3rd party apps. So its kinda weird that MacOS is missing explanatory text entirely on these popups.

- Clear indication of what would happen if you said no.

- Interdiction. In a good capability systems (eg SeL4), a capability object doesn't tell you what you can do with it. Eg, you can't ask a file handle which file its actually associated with. This means you can craft your own "virtual" capability which fakes the expected behaviour and pass that to an app instead. Any calls made using the capability come to you. Whenever phone apps ask for access to my contact address book, I'd love to be able to say yes, but give them access to like 100mb of fake entries instead.

- And on top of interdiction: logging, call whitelisting, "Little snitch", etc.

- More fine grained capabilities. I don't want to give any app a "root my computer" capability. I don't want that to be a thing applications ever need or get access to.

I think macos's problem is that its trying to bolt on capabilities after the fact. POSIX isn't built around capabilities. As a result, app developers don't think in terms of capabilities, and they expect their apps (new and old) to work without them. In a real capability based OS, fopen() should probably take a capability as a parameter. But making that change would require changing just about every program ever written for the platform. And modifying the standard library of all programming languages.

Groxx|16day ago

Capabilities are what lets you open a file picker from an app that cannot read your files, giving you a seamless and secure interaction with no extra UI.

They are definitely not always awful.

spoonsort|15day ago

Yes, this is the whole issue with these kinds of systems. The message gets lost in translation to the user. An OG java applet would say "this app is signed, do you want to continue", and the engineer at the bottom is the only one that knows what that even really means, which is that the applet gets to run outside the sandbox if the user runs it. Windows UAC is similar, as are most Linux desktop security mechanisms.

nmgycombinator|16day ago

Yeah, to be perfectly honest, I understand. I think TCC is meant to be the primary consent system, but there are others (such as the Authorization system, and the Service Management framework).

LexGray|15day ago

I think Apple took a step in this direction when they started forcing you to navigate to Security & Privacy to enable the modal the first time when launching an untrusted app.

They could probably add an opt-out step two for consumer level use where that step is also required for all root permissions requests. I would add a fast blink of the webcam light to prove trusted modal is open.

Currently it is incredibly clunky (they should put a notification at the top of the settings like for software updates), but you have some indication what app is triggering it and the dialogue could be hidden until it is time to review updates. Showing all entitlements and privacy settings should also be required any time a root password is requested with changes being noted as unusual, including changes in developer accounts.

nmgycombinator|15day ago

Damn, that really puts things into perspective. Granted, attached modals presuppose there's a window to attach to. But I think that would probably be true 9 times out of 10.

saagarjha|15day ago

This is pretty straightforward for a malicious application to simulate.

WA|15day ago

Thanks for posting. I’ve had this vividly in my mind for years, but didn’t remember the source. Makes so much sense.

sureIy|16day ago

What's the problem here? Javascript popups can't read your fingerprint so what would be the endgame of a fake passkey popup?

aequitas|16day ago

Apple also sells a wireless keyboard with touchid integrated. Works great. Especially if you also set pam to use touchid for sudo. They’re not cheap though.

matthewfcarlson|16day ago

Just realized that it asked for your system password if you don't have Touch ID.

DowsingSpoon|16day ago

Please provide evidence for a claim that logging into iCloud necessarily sends your plaintext local password to the server.

    - login
    - iCloud

Klonoar|15day ago

Apple themselves have a quirk in some cases where apps that aren’t in an Applications folder get mounted as read-only.

Granted I haven’t seen the bug in awhile, but I also never saw acknowledgement of it being fixed so…

xp84|16day ago

No comment on the overall topic, but I have long made a practice of installing into $HOME/Applications instead[1], and it's rare for me to encounter software that cares. A few apps have added popups to explain to beginners "Hey, you're running me from the Downloads folder, uhh, want me to properly move myself to /Applications/?" but that's about it.

The only apps I run from /Applications that aren't part of the OS are the ones that still use "Installers" like Adobe apps, because I assume they spew crap all over anyway. I haven't tried moving those, but I wouldn't be surprised if they deeply cared.

[1] The idea being that I could then migrate more easily by copying the whole home directory, and thus all my apps that didn't require "installation" would come over.

mike_hearn|15day ago

Nope, that was fixed several releases back. macOS doesn't use the concept of a root user for years. It's there in the APIs for backwards compatibility but the actual enforced permission model is nothing like UNIX.

1. Apps can't tamper with each others files. Try writing an app that writes to another app's bundle, even if it's in $HOME, and you'll find you can't. One way to test this quickly is to ensure that your terminal app doesn't have "Manage applications" privilege in the settings app, restart it, then use vim to open a file in a bundle that appears to have user write permissions. You'll find it is read only.

2. root can't make arbitrary changes to the system unless you disable SIP (requires messing around in recovery mode terminals).

pbhjpbhj|15day ago

Which is madly insecure, right?

p_ing|16day ago

You need to manually create it.

mschnell|16day ago

In the Finder it is translated to your system language. For example, „Programme“ in German. It is still Applications in the terminal.

mulmen|16day ago

You can still choose to install apps to ~/Applications if you are an admin.