digg

Facebook Connect Join Digg About

Key Isolation Features in Mac OS X

switchtoamac.com Apple built OS X with security in mind. As part of that central security theme, OS X has been designed using three key isolation features: System Isolation, User Isolation, Memory and Application Isolation

Who dugg this? Made popular May 11, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

77 Comments

show profanity settings
expand all
  • Ireland, on 10/12/2007, -5/+27Oh so that's the reason why I have no viruses or spyware ;-)

    That's what's good about Apple's OS, you don't need to know how it works, it just does.
  • youareretarded, on 10/12/2007, -7/+27Apple built this or the developers of BSD built this?...
  • TheShrike, on 10/12/2007, -6/+22"That's what's good about Apple's OS, you don't need to know how it works, it just does."

    Not to mention that if you're interested in the innards, you can have your cake and eat it, too.
  • inactive, on 10/12/2007, -13/+25I feel so alone.
  • Juvenall, on 10/12/2007, -10/+22"I don't think it matters right now... I'm just glad it's here!"

    Well, it actually does. Apple and OSX owe a lot of what it is to BSD. I think Mac fans would be well served by making sure they're putting the medal on the right lapel.
  • drbroccoli, on 10/12/2007, -0/+7But the registry is the cause of almost every problem on Windows...
  • Mac2492, on 10/12/2007, -11/+17I don't think it matters right now... I'm just glad it's here!
  • funkytaco, on 10/12/2007, -1/+7@misteRR: The article is about features in OS X itself, so the article is accurate. On top of that, you go out of the way to be a Linux snob, since Linux is irrelevant to this article.

    I agree that the underlying BSD architecture is a big part of the security infrastructure, but are we sure Steve Job's NeXT OS didn't have some underlying security or this wasn't on Job's mind?

    Edit:
    Interesting article on how the underlying BSD was chosen:
    http://www.mactech.com/articles/mactech/Vol.13/13.03/OpenStepOverview/index.html

  • willistg, on 10/12/2007, -8/+13yep bsd yep
  • node3, on 10/12/2007, -6/+11The NeXT developers did. They're the ones that *chose* to use BSD. They could have started any number of ways, and they deliberately went with the Unix model.
  • bulbvivid, on 10/12/2007, -1/+6FTA:
    "On a Mac, all installed software on a Mac ends up in the "Applications" directory (folder). This "one place for all" implementation keeps OS X more secure, stable (crash resistant), organized, and helps the system run optimally."

    This really isn't true. You can put the applications pretty much anywhere you want. With drag-and-drop installations, you just drag the app to any directory you choose provided you have permission (you can't put it in a system folder if you're not an admin user, though you probably wouldn't want to put it there anyway). Apps with installers (mostly bigger ones like the Creative Suite or Office) usually ask where you want to put them. You can run them off disk images (not necessarily the easiest or best way) or external drives. Fink likes to install stuff in in its own dedicated directory. The biggest problem arises when Apple apps (and some others) are updated; the update installers look in the main application directory, so if the app isn't in there, it might not get updated.

    I didn't make it through the article (I've had enough OS X 101), but with statements like the one above, it's hard to give the rest any credibility. The writer seems to have just pulled that one out of the Kool-Aid fumes. I'm sure it's not an intentional mistake, but it's a glaring error in what is supposed to be a technically informative article.

    And though it's hard not to compare OS X to XP, an article about OS X should stick to the subject, unless it's some kind of flat-out comparison between the two, in which case the writer just needs to stop and find a better subject. I'd like to see a different dead horse flogged, please.
  • l0ne, on 10/12/2007, -1/+6This article is full of inaccuracies (not to say worse) :(

    The so-called "System isolation" is a simple UNIX permission-based lock combined with the escalation features of the Security Server (that most OS X users know as the "You need an administrator name and password" dialog, although the API is much more powerful).
    Also, the System folder cannot be read and written to, but the systemwide Library can by administrators (the System folder is root:wheel, the Library is root:admin), although the system will not run daemons and agents automatically unless the user gives them root:wheel permissions himself (known to Mac users as "The startup agent 'NameOfAgent' was disabled as it was unsafe. Do you want to use it?" "Fix permissions" / "Do not fix" / "Fix later"). This can be the source of much grief.

    Applications folder: wrong again. .apps are made so that they can be dragged anywhere, just like OS 9 applications. I place common, useful apps in /Applications (and root:wheel -rwxr-xr-x them, so that they cannot be modified without an administrator password), then I keep all the quirky apps I'm evaluating on the desktop, ready to be AppZapped (http://www.appzapper.com).

    "User isolation": Any UNIX does this. What the author forgets is that all users have a ~/Shared folder, that can be read by anyone, and a Drop Box at ~/Shared/Drop Box that is a write-only folder for everyone except its owner -- THAT is a thing other UNIXes don't have by default, although it's easy to make with a simple chmods. It's also integrated with network sharing (the ~/Shared folder is the only one that gets shared).

    "Memory isolation": I believe that DOS is the only mainstream OS that doesn't have protected memory. And we're talking ten+ years ago. The domino effect was true with Windows 3.1, but isn't there any longer with Windows 95+ (Win has many other sources of instability and slowdown-over-time issues, with lousy third-party drivers and OS bugs as the two main ones. But application crashes are no longer the problem.)

    The only original things of OS X mentioned in the article are .app bundles, Archive & Install, the Migration Assistant, and the Security Server escalation capabilities. The rest is simple, mindless propaganda.
    And mind you, I'm writing this on an iBook and I have several Apple stickers on my schoolbag :)

    No digg.
  • l0ne, on 10/12/2007, -1/+6The Unix underpinnings are FreeBSD's, but Apple added much of their own (such as the Security Server and Mach security contexts).
  • ElBob, on 10/12/2007, -1/+5And I could respond on how the registry is a bloated piece of ***** that seems to stick its head up its own ass on a regular basis, but this is not the point of the article.

    Please note the intent of my description is not to offend, it is to imitate how these Windows/Mac arguments usually go. I am trying to say we should stick to talking about the article.
  • spectre_25gt, on 10/12/2007, -1/+5I stand corrected. That is a bit misleading.
  • spectre_25gt, on 10/12/2007, -6/+9Right, because it originated elsewhere it suddenly doesn't exist in OS X now? This article was talking about security features that are built into OS X. Nowhere does it say that Apple designed or implemented these features on their own.
  • mancat, on 10/12/2007, -0/+3"Why would you need to run as a limited user? oh wait your on windows..."

    Because just about every secure operating system on the planet relies on the user having only the basic priveleges needed to operate. It's not an "OH NO IT'S WINDOWS" thing. One of the largest security problems with Windows is that almost nobody outside of the business world makes use of limited privelege user accounts.

  • drakethegreat, on 10/12/2007, -1/+4While Apple users owe a lot to the BSD community, the technology was originally borrowed at NeXT and modified, then it moved over to Apple and was modified a lot more. At this point it was built on BSD but I consider it to be Apple's creation.

    Bare in mind its not like BSD was created by the FreeBSD or OpenBSD project. BSD itself is very old and all its derivatives owe engineers from Berkely for this (interesting how that was where the Steves went to college). I consider the fact that these Unixes are so heavily modified when being used by different companies and projects that they owe credit but not as much as people are suggesting here. Apple deserves credit for taking a complicated secure OS and making it usable by the average person as well without compramising security.
  • bubbagump, on 10/12/2007, -0/+2Its not that bad. Besides that, I'm also isolated from those little annoying spyware, key loggers, and virus'.

    I can live with that...there is still ample software to do everything that most people need a computer for, and most of it is included in the price of the hardware.
  • l0ne, on 10/12/2007, -0/+2It's much easier to drag an .app to AppZapper than having to search for the app name (and bundle ID, as it might not be exactly the same as the app name and thus not be found by Spotlight).
  • iamdravenman, on 10/12/2007, -1/+3"I've been running as a limited user for about 6 months now."

    6 months?
    So it's about time you fragged the system and reinstalled, eh?
  • spectre_25gt, on 10/12/2007, -0/+2Wait until someone you love dies of cancer and see if you make that comment again. Ignorant bastard.
  • l0ne, on 10/12/2007, -0/+2(Note that the "an administrator name and password is needed" dialog isn't handled by sudo, but by the much more powerful Security Server. Terminal "sudo" commands are of course handled by sudo :D)
  • quasarkitten, on 10/12/2007, -3/+5Yeah, I think it matter that BSD is given due credit. I also think Apple could show some gratitude by throwing some money back at the BSD projects. I know OpenBSD could use some help.
  • bubbagump, on 10/12/2007, -0/+2Running as a limited user is an afterthought to Microsoft, and that is the core problem.

    Windows 3.1 thorugh windows NT gave users full rights to the system, so now that we have moved to NT and beyond, the decision made in the very early 90's still haunt Microsoft today. Most software still assumes you are an admin user.

    The underpinnings of Windows XP might be fine, but the user experience is still full of holes, and with as often as Vista has slipped it is obvious that fixing those holes is difficult, if not impossible.

    The real world evidence shows it...Apple has made themselves a lightning rod for malicious software by claiming to be immune. I know that is not the case, I know some guy will come up with a method to cause me grief. But up to now (how many years?) have been immune to anything except for really bad social engineering experiments, and there is _NO_ OS that isn't susceptible to that, even the might Apple.

    You want to take your chances with Microsoft -- go ahead. Its still a free market. I'll stay as far away form MS as I can, and laugh to myself as you are going through a constant barrage of attacks and patches.
  • spectre_25gt, on 10/12/2007, -0/+2Actually, none of the 9x versions of windows had protected memory. It was very common to see the domino effect with them. NT is the branch that introduced protected memory.
  • spectre_25gt, on 10/12/2007, -0/+2No, you don't. You only have to "enable root" to log in as root.
  • kevinmotel, on 10/12/2007, -0/+1i think its awesome that macosiscrap used to be macsrpoop, and that he was forced to leave digg because people blocked him and he was a troll
  • sspooner, on 10/12/2007, -4/+5"each system has its highlights"

    Except Windows.
  • seanmc303, on 10/12/2007, -5/+6It would be a bad idea to disenfranchise the *Nix community. Those that know the underpinnings of an OS also know its weaknesses.
  • shmatt, on 10/12/2007, -0/+1you have to enable root first don't you?
  • ohmar, on 10/12/2007, -5/+6A very well thought out and organized article.
  • spectre_25gt, on 10/12/2007, -5/+6There's some good information here, but overall the article just reeks of biased opinion. Much of this is actually implemented in Windows. NT has had protected memory for a very long time. Windows XP is capable of operating with limited user accounts as well. It's a complete pain in the ass if you use certain programs and it may not be as well separated, but I've been running as a limited user for about 6 months now.

    Articles like this really annoy me because they make things up to bash on Windows when there are so many actual problems with it that are overlooked.
  • Ireland, on 10/12/2007, -3/+4It's actually hear hear, not "here here". I got slated in a forum (I wont say which) a while back for making that mistake, and I wont ever make it again, as I'm still feelin' the pain......LOL

    http://www.wsu.edu/~brians/errors/hear.html
  • shmatt, on 10/12/2007, -0/+1this guy likes to say ***** like that. just ignore him and bury it... he just wants to piss people off
  • timalmond, on 10/12/2007, -0/+1The problem is that most people don't use Opera/Firefox, but use the less secure Internet Explorer.

    People CAN do all sorts of things with Windows. They can create a locked-down user account. They can run Firefox. They can run an AV. They can run anti-spyware.

    The issue is whether that behaviour is by default.
  • Rickard, on 10/12/2007, -1/+2If only there was a non-profit organization behind OpenBSD. As it is now, all donations go via Theo de Raadt and that definitely keeps a lot of people from donating.
  • l0ne, on 10/12/2007, -2/+3Please, sombody go read the docs at developer.apple.com. You get to see exactly what OS X (not NeXT) added to BSD and what it borrowed from the other OSes. So we can stop all the inaccuracies and fanboy flames. Ok?
  • MasteRR, on 10/12/2007, -6/+7"Right, because it originated elsewhere it suddenly doesn't exist in OS X now? "
    Never said they don't exist.

    "Nowhere does it say that Apple designed or implemented these features on their own."
    Well the summary seems to suggest this, IMO. But whatever.
    From the summary: "OS X has been designed using three key isolation features".
    I still say that this was designed as part of Unix, and Apple just used it. They didn't design it. Maybe I misinterpreted, but thats what I got from it.
  • inactive, on 10/12/2007, -2/+3"I'll only use OS X when I can install it on a PC that I build. Fu*k all that Mac Hardware. Like the Operating System itself but I wouldn't own an Apple Computer! "

    Putting OS X on a PC that you built would be like putting a Ferrari's Engine into a Corvette. Both would be exceptionaly great, Im assuming you can build a really good PC for cheap since you seem to be advertising it but the compatability wouldnt be there. Sure it could happen and if I remeber correctly actually has happened but the full potential of your hardware and the software would not be optimized to their standards
  • titlesaysitall, on 10/12/2007, -5/+5Why would you need to run as a limited user? oh wait your on windows...
  • inactive, on 10/12/2007, -1/+1sudo root passwrd
  • blackjack75, on 10/12/2007, -1/+1They forgot market share isolation...
  • inactive, on 10/12/2007, -2/+2Sudo - With great power comes great responsibility
  • timalmond, on 10/12/2007, -1/+1So what?

    Would you rather deal with the factual content, or some spelling/grammar errors? The fact that you could scan out the error hardly makes it important.
  • jeffburg, on 10/12/2007, -1/+1who still gets the domino effect on windows xp?
    it just doesn't happen
    i am a mac user. i like macs... i like osx. But i won't claim osx is invincible and i won't use a normal account because im stupid and don't know how to browse the web without getting sick. even on a pc. just use opera with java and javascript off... if a page needs java and you trust it flip it on and if it doesn't work in oepra then open firefox. figuring out how to stay clean is not brain science... you just can't be stupid

    oh and that app zapper thing is pretty much null and void thanks to spotlight. Just search for the program and you can select all of its associated files and drag them to the trash.
  • hohack, on 10/12/2007, -5/+5here, here
  • inactive, on 10/12/2007, -3/+2Careful there, spectre, if you speak out against biased articles, you risk being burried like my comment. lol.
  • timalmond, on 10/12/2007, -1/+0just to backup mancat. The issue is not whether it has limited accounts or not.

    It's whether out-of-the-box behaviour is good. The most logical option for a PC is that it is locked-down out of the box. Technical people can easily unlock it if they need to, but Jo Public won't.
  • xswag, on 10/12/2007, -3/+2*quote*
    Putting OS X on a PC that you built would be like putting a Ferrari's Engine into a Corvette. Both would be exceptionaly great, Im assuming you can build a really good PC for cheap since you seem to be advertising it but the compatability wouldnt be there. Sure it could happen and if I remeber correctly actually has happened but the full potential of your hardware and the software would not be optimized to their standards
    *quote*

    Spare me! Quit acting like the hardware in a Mac is so superior to anything you can put in a PC. There is nothing special about Mac Hardware. Except that you have to pay more for it and your choices are limited!

    If OS X is so great why did Apple go to so much trouble to get Windows to work on it?
  • Fetching more discussions...
    Show 51 - 77 of 77 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.