30 lines
1.6 KiB
Markdown
30 lines
1.6 KiB
Markdown
|
# MacOS Security & Privilege Escalation
|
|||
|
|
|
|||
|
|
First of all, please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see:
|
|||
|
|
|
|||
|
|
{% page-ref page="../linux-unix/privilege-escalation/" %}
|
|||
|
|
|
|||
|
|
## Security Restrictions
|
|||
|
|
|
|||
|
|
### Gatekeeper
|
|||
|
|
|
|||
|
|
_Gatekeeper_ is designed to ensure that, by default, **only trusted software runs on a user’s Mac**. Gatekeeper is used when a user **downloads** and **opens** an app, a plug-in or an installer package from outside the App Store. Gatekeeper verifies that the **software is from an identified developer**, is notarised by Apple to be **free of known malicious content**, and **hasn’t been altered**. Gatekeeper also **requests user approval** before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
|
|||
|
|
|
|||
|
|
Gatekeeper builds upon **File Quarantine.**
|
|||
|
|
Upon download of an application, a particular **extended file attribute** \("quarantine flag"\) can be **added** to the **downloaded** **file**. This attribute **is added by the application that downloads the file**, such as a **web** **browser** or email client, but is not usually added by others like common BitTorrent client software.
|
|||
|
|
When a user executes a "quarentined" file, **Gatekeeper** is the one that **performs the mentioned actions** to allow the execution of the file.
|
|||
|
|
|
|||
|
|
It's possible to check it's status and enable/disable \(root required\) with:
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
spctl --status
|
|||
|
|
assessments enabled
|
|||
|
|
|
|||
|
|
spctl --enable
|
|||
|
|
spctl --disable
|
|||
|
|
#You can also allow nee identifies to execute code using the binary "spctl"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|