Accessing Mac OS X disks on block level to override security measures on volume level

Have you ever been annoyed by Unix and ACL file permissions, preventing you from modifying or even just reading certain files? Ever wanted to write to open files that the file system won't let you write to?

Fret not, OS X offers a work-around, at least for certain types of disks.

For some reason that I do not comprehend, OS X gives any user (doesn't even have to be admin) full read and write access to any disk that is not considered "internal" by the computer it is attached to.

Not only does this include disks attached via USB or Firewire, but also virtual disks mounted by VMware Fusion.

Now, it doesn't even matter if you booted from such a disk, or if it was already attached at boot time - if it's not a real internal disk (i.e. one that's built into an iMac, MacBook or Mac Pro), then it's fully readable and writable by any normal app, without the need for the user to authorize this by entering his password. For full access, all you need to add is some understanding of partitions and volume formats. Easy.

A few scenarios:

  • You run OS X inside VMware, maybe even as a shared (virtual) internet server, as is popular with Linux and Windows servers everywhere - then the boot volume can be modified by non-root apps.
  • You run an OS X Server on a real Mac, with external disks attached that extend the server's available disk space. Here, these extra disks are exposed to this "feature".
  • You use Time Machine with an external disk attached to your Mac. Again, any content on that disk could be modified by any software you've downloaded, without you noticing or even being asked for permission.

And nothing will later be in the log files telling you about this.
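Because nothing is logged, the exposure has to be checked on the device nodes themselves. The following is an added example, not part of the original page or of iBored: it reports which `/dev/disk*` and `/dev/rdisk*` nodes a non-root account could open, on the assumption (not stated on this page) that access is decided by each node's owner and permission bits. The function names are hypothetical.

```python
import glob
import os
import stat
import sys

def node_findings(uid, mode):
    """List the ways a disk device node is accessible to non-root users."""
    findings = []
    if uid != 0:
        # A node owned by an ordinary account is open to every app that account runs.
        if mode & stat.S_IRUSR:
            findings.append("readable by non-root owner uid %d" % uid)
        if mode & stat.S_IWUSR:
            findings.append("writable by non-root owner uid %d" % uid)
    if mode & stat.S_IWGRP:
        findings.append("writable by group")
    if mode & stat.S_IROTH:
        findings.append("readable by everyone")
    if mode & stat.S_IWOTH:
        findings.append("writable by everyone")
    return findings

def audit(dev_dir="/dev", stat_fn=os.stat):
    """Return [(path, findings)] for disk nodes under dev_dir that non-root can open."""
    report = []
    paths = (glob.glob(os.path.join(dev_dir, "disk*")) +
             glob.glob(os.path.join(dev_dir, "rdisk*")))
    for path in sorted(paths):
        st = stat_fn(path)
        # Only block (diskN) and character (rdiskN) device nodes are of interest.
        if not (stat.S_ISBLK(st.st_mode) or stat.S_ISCHR(st.st_mode)):
            continue
        findings = node_findings(st.st_uid, st.st_mode)
        if findings:
            report.append((path, findings))
    return report

if __name__ == "__main__":
    results = audit()
    for path, findings in results:
        print("%s: %s" % (path, "; ".join(findings)))
    # Non-zero exit lets a scheduled check or monitoring agent alert on exposure.
    sys.exit(1 if results else 0)
```

Run it while the external, Time Machine or virtual disks from the scenarios above are attached; any line of output names a node that can be read or written without authentication.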

I'd call this a big security hole, but, alas, the people I've talked to about this, including some at Apple, do not appear to be bothered. After all, it's been like this for years. Why should there be something wrong with it?

Well, so it must be a feature. Rejoice, root kit writers! Sadly, you can't take over every possible Mac this way, but only those that run on VMware (haven't checked with Parallels), or that get restored from a TM backup after you've patched the system on it. But it's a start. About time, someone exploits those arrogant Apple fellows, right?

Oh, you want proof? Just download my iBored application. Launch it, and see how external disks can be read and written to at block level. Without having to authenticate. Even as a Guest user. (Note: Before you can write, you need to use the command "Make Writable" under the "BlockView" menu first.)

See? There's actually no secret revealed here - it's just a ruse to make you all notice my great, free, block editor! ;)

Update 18 Nov 2011

Mac OS 10.7.2 is out and it still has the same issue.

But there's also good news: After I had contacted VMware to make them aware of this, and suggested a work-around, they've now informed me that VMware Fusion 4.1 does fix this issue by making Virtual SCSI HDs and CDs seen as internal drives, thereby avoiding the bug in OS X. (I've been a VMware Fusion user for several years now and have never had a complaint about its functionality or stability, and now I also applaud them for being so quick to follow up with such an issue.)

Update 20 Sep 2012

Mac OS 10.8.2 is out and it still has the same issue. Apple has responded to me in the meantime, confirming the issue, with no details on how or when they plan to deal with this.

Page last modified on 2012-09-20, 17:32 UTC (do)