Security researcher Csaba Fitzl of Offensive Security discovered a security vulnerability in macOS that allows standard accounts to read all files on the hard drive, including files belonging to other user accounts and files protected by Catalina’s privacy protection. He alerted Apple to the issue on 13 March, and the issue was addressed in macOS Catalina 10.15.5 on 26 May. However, Fitzl says that Apple’s fix hasn’t in fact fixed the problem and Apple is not planning to address it.
Apple claims to have blocked the bug (in macOS Catalina 10.15.5), but for the ‘fix’ to work, Full Disk Access must be turned off for Terminal (and any other terminal programs like Iterm). However, there is a flaw with this because most Mac users who regularly use a terminal have Full Disk Access turned on as they actually want to access the entire hard drive themselves.
What these users probably do not want is that anyone else using the computer with a standard account should be able to read all their files. But that’s exactly what Apple has done for them. And since Full Disk Access is a system setting for your entire computer, you can’t enable it for your admin account alone.
The error lies in the mount_apfs command used to mount volumes with Apple’s new file system apfs, in combination with the apfs feature snapshots, which are mainly used to streamline Time Machine.
Any user can create a new snapshot and mount it with the ‘noowners’ flag, which overrides the entire Unix system. Then just read other users’ files. If FileVault is enabled, this will not work through guest accounts but only standard accounts.
Before Apple’s “fix”, Full disk access didn’t even have to be turned on for the terminal, so it was not at all possible to protect itself.
Fitzl alerted Apple to the fact that the fix wasn’t sufficient but Apple has replied to Csaba Fitzl confirming that no further action will be taken. Apple believes that users should turn off Full Disk Access for all terminal applications. But it is hardly a secure solution since so many users use that setting with diligence and hardly expect it to open for other accounts to read all their files.
In addition, it means that a program that you give Full disk access to for any other reason can suddenly read all other users’ files, regardless of which user is logged in and without requesting the admin solution.
A safer and more sensible solution would be that mount_apfs either completely requires root privileges (via the sudo command) or requires it to enable the noowners flag. Accounts that do not have sudo rights should simply never access any files belonging to other users, it fundamentally violates the entire Unix model.
Hopefully, Apple’s developers are fixing this properly. Until then, we can only recommend that a multi-user Mac turns off Full Disk Access for Terminal, Iterm, and other terminal applications, and only temporarily activates it when needed.
For more advice about Mac security read our Mac Security Tips.
This article originally appeared on Macworld Sweden. Translation by Karen Haslam.