hacktricks/macos/macos-security-and-privilege-escalation.md
2021-07-15 23:26:40 +00:00


MacOS Security & Privilege Escalation

First of all, please note that most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS machines. So see:

{% page-ref page="../linux-unix/privilege-escalation/" %}

Security Restrictions

Gatekeeper

Gatekeeper is designed to ensure that, by default, only trusted software runs on a user's Mac. Gatekeeper is used when a user downloads and opens an app, a plug-in or an installer package from outside the App Store. Gatekeeper verifies that the software is from an identified developer, is notarised by Apple to be free of known malicious content, and hasn't been altered. Gatekeeper also requests user approval before opening downloaded software for the first time, to make sure the user hasn't been tricked into running executable code they believed to be a simple data file.

Gatekeeper builds upon File Quarantine.
Upon download of an application, a particular extended file attribute, the "quarantine flag", can be added to the downloaded file. This attribute is added by the application that downloads the file, such as a web browser or email client, but is not usually added by others, such as common BitTorrent client software.
When a user executes a "quarantined" file, Gatekeeper is the component that performs the actions mentioned above before allowing the file to run.

It's possible to check its status and enable/disable it (root required) with:

```bash
spctl --status
assessments enabled

spctl --enable
spctl --disable
# You can also allow new identities to execute code using the binary "spctl"
```
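As an added example (not part of the original page), the script below inspects the quarantine attribute that File Quarantine writes and that Gatekeeper consults. It assumes the `com.apple.quarantine` value has the form `<flags>;<hex epoch seconds>;<downloading agent>;<UUID>`, which is the layout seen in practice but is an assumption here, not something the page states. The sample value is constructed; `quarantine_of_file` only works on macOS where `xattr` exists, while `parse_quarantine` and `assessments_enabled` run anywhere.

```shell
#!/bin/sh
# Added example: decode a com.apple.quarantine extended attribute value and
# check the "spctl --status" output line, so an analyst can tell whether a
# downloaded file will be assessed by Gatekeeper.

# Parse "<flags>;<hex epoch>;<agent>;<uuid>" (assumed format) and print the
# four fields on one line, with the timestamp converted to decimal epoch seconds.
parse_quarantine() {
  value="$1"
  flags=$(printf '%s' "$value" | cut -d';' -f1)
  hexts=$(printf '%s' "$value" | cut -d';' -f2)
  agent=$(printf '%s' "$value" | cut -d';' -f3)
  uuid=$(printf '%s' "$value" | cut -d';' -f4)
  # POSIX printf accepts C-style integer constants, so 0x-prefixed hex works.
  epoch=$(printf '%d' "0x$hexts")
  printf '%s %s %s %s\n' "$flags" "$epoch" "$agent" "$uuid"
}

# Read the attribute from a real file (macOS only). Exit status is non-zero
# when the file carries no quarantine attribute, so callers can branch on it.
quarantine_of_file() {
  xattr -p com.apple.quarantine "$1" 2>/dev/null
}

# Given the first line of "spctl --status", return 0 when Gatekeeper
# assessments are on and 1 otherwise.
assessments_enabled() {
  case "$1" in
    "assessments enabled") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: a file downloaded by Safari in August 2020.
SAMPLE='0083;5f3b2c4a;Safari;A1B2C3D4-E5F6-4711-8899-AABBCCDDEEFF'

# Stand-alone run: decode the sample, and on macOS also check the live status.
parse_quarantine "$SAMPLE"
if command -v spctl >/dev/null 2>&1; then
  if assessments_enabled "$(spctl --status 2>/dev/null | head -n 1)"; then
    echo "Gatekeeper: assessments enabled"
  else
    echo "Gatekeeper: assessments disabled"
  fi
fi
```

On a macOS host, `quarantine_of_file ./Downloaded.dmg | parse_quarantine` on the first line of output tells you which application applied the flag and when; a missing attribute on a file that came from a browser is itself worth noting during an investigation, since Gatekeeper will not assess it on first launch.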