Securing /Applications Directory

[stcanard]

Okay here's where I am at:

I really like the convenience of running as an admin user, but I'm trying to make sure I have my system reasonably locked down.

Preferences are fine because the finder-sudo prompts for a password before I can modify. Check.

The /usr and /etc trees are fine because they are all root owned, with no group or other write permissions. Check.

/Applications scares me. It's all group admin and has group write permissions on it.

So here's what I'm wondering. I want to take the group write permissions off all the files in /Applications to lock it from "accidental" overwriting (read virus).

To be succint this is what I would like to do:

cd /Applications
sudo chown -R root:admin *
sudo chmod -R go-w *

To make it look like the other system file trees. I know theoretically all application configurations and preferences are in ~/Library so I should be all right.

Has anybody tried this? Will I run into problems denying myself write access to these files?

I assume not, since non-admin users don't have write access but it's kind of irreversible so I would like confirmation. A quick google hasn't turned up anything.

 

[stcanard]

Okay, I guess nobody knows the answer to this. Here's another question then:

If I go ahead and take group write off my applications will "Repair Permissions" fix the items that came installed with Panther (e.g. iLife, Preview etc)?

 

[stcanard]

Okay, trying to get some discussion going here...

I took group write off of Preview.app and it still runs fine, and I can set preferences etc.

However, check permissions complains wildly that the permissions are wrong on it.

Is there any reason other than convenience for people not used to a multi-user OS that Apple insists on group write being allowed for its apps?

I notice that most of the applications I installed myself have good permissions (go group/other write).

Not surprisingly, Microsoft seems to be the one vendor that consistently delivers insecure file permissions in their apps.

 

[7on]

Why do you need to lock down the applications? I guess you could on the "Get Info" and Ownership & Permissions tab change the group to something else and make that read only.

 

[stcanard]

As a standard security precaution, the account you run as should not have write access to any applications or system files period. It makes it a lot harder for viruses to infect a computer.

Apple's done a great job of using the program called 'sudo' (and creating gui hooks to it) so that theoretically I could safely operate as an administrator and not worry about a virus corrupting my OS or settings.

I can install programs, but I must password authenticate first. So I am alerted to virus activity by the authentication dialog when they try to install themselves (this doesn't protect against trojans, but nothing other than trusted sources and code signing can protect against that).

Yet for some reason they've left a gaping security hole that I can write to the applications without pasword authentication, thus allowing viruses to infect OSX fairly easily.

I accept that this is probably to appease the MacOS(n) users who aren't used to multi-user OS's and file permissions, but I want more!

Now, I could use seperate Administrator / User accounts and fast switch to install / change settings, but I want a more elegant solution. I want to be able to operate on one account and do all my administration via sudo, which seems to be the philosophy with which Apple designed the OS (and is by far the most elegant solution to the problem I have seen in any OS yet).

Locking down the applications is easy, but I want to know if anybody's tried something like this, and if so what did it break.

It seems to me that OSX Server would come fairly securely configured, does it have group write on all the applications?

 

[stcanard]

Well after some investigation I discovered that the permissions for "Repair Permissions" are stored in the receipts file. I've decided if Apple's gone through that much effort to individually specify group writeability on those files, there must be some reason.

So I've instead moved to this:

1) Create a new administrator account
2) Took admin priviliges off my working account
3) Added my working account to the sudoers file

At a brief test, this appears to be a workable solution. Now when I change configs through the UI I have to supply a username and a password, which is no more inconvenient than before, and allows me to avoid the FUS I thought I would have to do.

By default I can no longer write to / or /Applications, which is a huge improvement (and what I really, really, wanted to have happen)

And if I really want to write to any of it I am still only one sudo away.

 

[rainman::|:|]

okay.

i can respect the desire to have a tightly managed system. that said,

leave it alone. while apps won't usually want to modify the app file itself, it may happen, and this could cause problems. you are NOT going to get a virus, or have anything else happen to the directory-- unless particularly malevolent people who have physical access to your computer do something. in that case, just make sure the whole system is locked down before you get up.

you'd be far better off backing the directory up... try Deja Vu, it's automated, very nice. that way if something did happen to them, you could revert to, say, last night's backup. But again, nothing is going to happen there.

Apple did everything for a reason. if there was really a potential problem here, they'd give you some option.

one of the great things about OS X is that all you need to do is turn the firewall on (or use another one, like i do), change the security prefs to whatever you want (disable or enable auto-login, etc), and you're good to go. nothing more to worry about. if you try to worry about more, you're likely to cause yourself a headache.

paul