“Aside from an awesome user interface and a great underlying architecture, Apple built OS X with security in mind. As part of that central security theme, OS X has been designed using three key isolation features: system isolation, user isolation, and memory and application isolation.”
I have used (and developed software on) Mac OS X since 10.0.
I always liked the file system layout
User/… (the user has permissions to see / modify files in his account)
Library/… (all users can see but only the admin can modify files)
System/… (all users can see but only root can modify files)
o.k. there is one more
(Network/…)
When you need to update files in System/ (via SW Update or a Package Install) you enter the admin password and Mac OS X will do something like a su (note that root is disabled by default) to allow the admin to change things in System/…
Yes I think it’s very cool and secure.
This paper cites features of Unix, almost all from the 1970s, and implies the design of these features was done by Apple. Sure Windows is junk, but hey, if Stevie was such a visionary why didn’t he put these features in the original Mac OS (along with a preemptive task scheduler and IPC and virtual memory) – the Mac team started with a clean slate, had no requirement for compatibility with anything, and look what they came up with in the 1980s.
So now Apple is selling a 30-year-old design as their own fabulous modern “vision” – what an insanely great idea, su to root – no one ever did that before OS X.
Calm down, sir…
With all the rants about and FUD RE: OS X security this article may be called for…
Yes, these ‘features’ are from UNIX, but Steve did recognize this pretty early, and went with ’em. He made a good decision, MS did not. Steve recognized what UNIX could do, and used ’em.
In my opinion, these are not ‘features’ but basic necessities in an OS.
ALL IMHO Jb
“Yes, these ‘features’ are from UNIX, but Steve did recognize…..”
Steve? Steve who?
Early?
Early compared to what?
Linux?
How about 10 years later than they should’ve been implemented, at the least.
three points:
1. UNIX traditionally had a minimum amount of RAM it required to work efficiently. Advances in RAM production and “bulking up” of proprietary OS’s, like Mac OS 6 to 9 and Windows eventually erased that distinction. It would have been pretty expensive for individuals to own UNIX systems in the ’80s, when Mac and Windows were in the cradle.
2. Mac OS 6 to 9, while greatly inferior to OS X, were significantly SUPERIOR to Windows 3.1 through XP, in my opinion.
3. Mac 6 to 9 HAD virtual memory; it just happened to suck.
Edited 2006-05-11 17:26
> if Stevie was such a visionary why didn’t he put these features in the
> original Mac OS (along with a preemptive task scheduler and IPC and
> virtual memory) – the Mac team started with a clean slate, had no
> requirement for compatibility with anything, and look what they
> came up with in the 1980s.
But they had a big constraint: 128Kb of RAM and 400K floppy for BOTH System and applications!
The first Mac had to be a very cheap computer (under 1000$ believed their developers, even if then Apple was greedy and charged much more for it).
Lisa was developed in the same timeframe, or a bit earlier, and had preemptive multitasking and virtual memory (and a hard disk).
Unix workstations and mini computers of that time cost much much more.
>>>This paper cites features of Unix, almost all from the 1970s, and implies the design of these features was done by Apple. Sure Windows is junk, but hey, if Stevie was such a visionary why didn’t he put these features in the original Mac OS (along with a preemptive task scheduler and IPC and virtual memory) – the Mac team started with a clean slate, had no requirement for compatibility with anything, and look what they came up with in the 1980s.
So now Apple is selling a 30-year-old design as their own fabulous modern “vision” – what an insanely great idea, su to root – no one ever did that before OS X.<<<<
Two words you should think about looking up: 1. IDEA 2. EXECUTION
Memory protection, personal user folders, special permissions for system files – weren’t these the features for which we liked Windows NT over OS 9?
Apple built OS X with security in mind.
Yea they did but I’ll come right out and say what’s going on.
1: Apple apparently didn’t stress test the OS to find the breaks causing all the exploits we Mac users have been seeing lately. In fact several were found by just one guy, at one time!
http://secunia.com/product/96/
2: Applications installing as root. The admin password is the key to root, it seems lately that more and more applications are demanding root access to install/use their software. This is causing a “too many chefs in the kitchen” problem that is rapidly eroding Mac OS X security.
3: Outgoing Firewall, Apple doesn’t provide any. People who install Little Snitch are shocked to find out how many applications, web pages and even Mac OS X system processes are contacting servers on the internet or network.
Mac OS X security is rapidly eroding, there was even a Mac botnet running for some time, caused by a program exploit which had root access.
1) No comment. No facts to back a statement up.
2) Applications installed as root does not erode security. Who taught you this? Do you have a reference?
3) Outgoing Firewall? Is this an Apple problem or an industry-wide problem?
Rapidly eroding? LOL You are full of it.
2: Applications installing as root. The admin password is the key to root, it seems lately that more and more applications are demanding root access to install/use their software. This is causing a “too many chefs in the kitchen” problem that is rapidly eroding Mac OS X security.
In single-user Linuxes like Ubuntu, your password is the key to root. In OS X the admin password is not equivalent to root, and I can prove you wrong. When Palm Desktop 4 for OS X came out, it was impossible to install unless you logged in as a root user and installed it under that account. If you didn’t have a root user you couldn’t install it — because the installer refused to install the hotsync daemon under any other privilege. This was a mistake on Palm’s part, but there was no way around it.
Admin is limited privs which largely mean “can install software and create other accounts.” Try opening the home folder of one of those accounts, however, and you’ll see the limits of Admin.
I’m sorry dude you’re a bit off base.
I can easily open other users’ Home folders by simply changing the permissions status of their folders using my Admin password or using the command line “sudo” prefix.
I don’t know the issue behind why Palm needed an Admin user to create and log as Root user, perhaps because under Admin the root access “window” is only temporary and their software needed to synch some certain files constantly. But I can assure you, with the Admin password it’s carte blanche.
Only with the Admin password can Root user be enabled.
I stand corrected. About a year ago I took my default user off Admin privs and created an Admin user whose sole function is to install software and perform a few tasks; I use his name/pw instead of mine and the end result is that I can’t even sudo in the Terminal (apparently stripping Admin rights automatically removes you from sudoers).
Three basic principles for any operating system.
“Key Isolation Features”? Compare to what? Windows 95?
Windows NT and up have protected memory for 32-bit apps, if you run as a normal user, you get the same user isolation features, and if you are a normal user, then you need to become admin to install apps. A lot of the problems with Windows security is not the design, it’s the implementation. As long as normal users run in admin mode by default, then you run into problems.
When I run XP, I run as a normal user, and have had surprisingly few problems. I can’t play most games, but I have an Xbox for that. I haven’t had a virus in years, and I run Firefox, which takes care of the spyware problem for the most part.
It’s easy to knock on Windows security, but changing one thing, the security context of your user, and things get better.
While Apple has Linux’s old security layer implemented deeply into it like Linux has forever, in today’s evolving level of viruses and hackers, it’s not enough anymore. While Linux has firewalls and such built into it as well, Apple does not. Linux also has recently been adding Mandatory Access Control (MAC) security to the security subsystem. Apple has nothing that compares to this. Until Apple adds a firewall and also adds MAC support, it still will not be at the same security level as Linux, and Apple needs to recognize that it’s not nearly as secure at the moment.
I won’t buy it 😀