Linked by Thom Holwerda on Thu 11th May 2006 15:48 UTC, submitted by Eugenia
Mac OS X "Aside from an awesome user interface and a great underlying architecture, Apple built OS X with security in mind. As part of that central security theme, OS X has been designed using three key isolation features: system isolation, user isolation, and memory and application isolation."
Yes
by markus on Thu 11th May 2006 16:27 UTC
markus
Member since:
2006-01-14

I have used (and developed software on) Mac OS X since 10.0.

I always liked the file system layout

User/... (the user has permissions to see / modify files in his account)
Library/... (all users can see but only the admin can modify files)
System/... (all users can see but only root can modify files)

o.k. there is one more

(Network/...)

When you need to update files in System/ (via SW Update or a Package Install) you enter the admin password and Mac OS X will do something like a su (note that root is disabled by default) to allow the admin to change things in System/...

Yes I think it's very cool and secure.

Reply Score: 2

Yet Another Useless Link
by ed wood on Thu 11th May 2006 17:11 UTC
ed wood
Member since:
2006-02-14

This paper cites features of Unix, almost all from the 1970s, and implies the design of these features was done by Apple. Sure Windows is junk, but hey, if Stevie was such a visionary why didn't he put these features in the original Mac OS (along with a preemptive task scheduler and IPC and virtual memory) - the Mac team started with a clean slate, had no requirement for compatibility with anything, and look what they came up with in the 1980s.

So now Apple is selling a 30-year-old design as their own fabulous modern "vision" - what an insanely great idea, su to root - no one ever did that before OS X.

Reply Score: 5

RE: Yet Another Useless Link
by GrapeGraphics on Thu 11th May 2006 17:23 UTC in reply to "Yet Another Useless Link"
GrapeGraphics Member since:
2005-07-07

calma señor...

With all the rants about and FUD RE: OS X security this article may be called for...

Yes, these 'features' are from UNIX, but Steve did recognize this pretty early, and went with 'em. He made a good decision, MS did not. Steve recognized what UNIX could do, and used 'em.

In my opinion, these are not 'features' but basic necessities in an OS.

ALL IMHO Jb

Reply Score: 2

RE[2]: Yet Another Useless Link
by El-Al on Thu 11th May 2006 19:11 UTC in reply to "RE: Yet Another Useless Link"
El-Al Member since:
2006-04-17

"Yes, these 'features' are from UNIX, but Steve did recognize....."

Steve? Steve who?

Reply Score: 1

RE[2]: Yet Another Useless Link
by mikebabcock on Thu 11th May 2006 20:24 UTC in reply to "RE: Yet Another Useless Link"
mikebabcock Member since:
2006-05-11

Early?

Early compared to what?

Linux?

How about 10 years later than they should've been implemented, at the least.

Reply Score: 1

RE: Yet Another Useless Link
by TomB7 on Thu 11th May 2006 17:25 UTC in reply to "Yet Another Useless Link"
TomB7 Member since:
2006-01-03

three points:

1. UNIX traditionally had a minimum amount of RAM it required to work efficiently. Advances in RAM production and "bulking up" of proprietary OS's, like Mac OS 6 to 9 and Windows, eventually erased that distinction. It would have been pretty expensive for individuals to own UNIX systems in the '80s, when Mac and Windows were in the cradle.

2. Mac OS 6 to 9, while greatly inferior to OS X, were significantly SUPERIOR to Windows 3.1 through XP, in my opinion.

3. Mac 6 to 9 HAD virtual memory; it just happened to suck.

Edited 2006-05-11 17:26

Reply Score: 1

RE: Yet Another Useless Link
by Criceto on Thu 11th May 2006 19:33 UTC in reply to "Yet Another Useless Link"
Criceto Member since:
2006-04-20

> if Stevie was such a visionary why didn't he put these features in the
> original Mac OS (along with a preemptive task scheduler and IPC and
> virtual memory) - the Mac team started with a clean slate, had no
> requirement for compatibility with anything, and look what they
> came up with in the 1980s.

But they had a big constraint: 128Kb of RAM and a 400K floppy for BOTH System and applications!
The first Mac had to be a very cheap computer (under 1000$ believed their developers, even if then Apple was greedy and charged much more for it).
Lisa was developed in the same timeframe, or a bit earlier, and had preemptive multitasking and virtual memory (and a hard disk).
Unix workstations and mini computers of that time cost much, much more.

Reply Score: 2

RE: Yet Another Useless Link
by Fuji257 on Thu 11th May 2006 20:24 UTC in reply to "Yet Another Useless Link"
Fuji257 Member since:
2006-01-24

>>>This paper cites features of Unix, almost all from the 1970s, and implies the design of these features was done by Apple. Sure Windows is junk, but hey, if Stevie was such a visionary why didn't he put these features in the original Mac OS (along with a preemptive task scheduler and IPC and virtual memory) - the Mac team started with a clean slate, had no requirement for compatibility with anything, and look what they came up with in the 1980s.

So now Apple is selling a 30-year-old design as their own fabulous modern "vision" - what an insanely great idea, su to root - no one ever did that before OS X.<<<<

Two words you should think about looking up: 1. IDEA 2. EXECUTION

Reply Score: 0

Windows NT?
by stew on Thu 11th May 2006 17:31 UTC
stew
Member since:
2005-07-06

Memory protection, personal user folders, special permissions for system files - weren't these the features for which we liked Windows NT over OS 9?

Reply Score: 5

Whaaa?
by JustAnotherMacUser on Thu 11th May 2006 17:49 UTC
JustAnotherMacUser
Member since:
2006-01-08

Apple built OS X with security in mind.

Yea they did but I'll come right out and say what's going on.

1: Apple apparently didn't stress test the OS to find the breaks causing all the exploits we Mac users have been seeing lately. In fact several were found by just one guy, at one time!

http://secunia.com/product/96/


2: Applications installing as root. The admin password is the key to root, it seems lately that more and more applications are demanding root access to install/use their software. This is causing a "too many chefs in the kitchen" problem that is rapidly eroding Mac OS X security.

3: Outgoing Firewall, Apple doesn't provide any. People who install Little Snitch are shocked to find out how many applications, web pages and even Mac OS X system processes are contacting servers on the internet or network.

Mac OS X security is rapidly eroding, there was even a Mac botnet running for some time, caused by a program exploit which had root access.

Reply Score: 3

RE: Whaaa?
by dukes on Thu 11th May 2006 18:54 UTC in reply to "Whaaa?"
dukes Member since:
2005-07-06

1) No comment. No facts to back a statement up.

2) Applications installed as root does not erode security. Who taught you this? Do you have a reference?

3) Outgoing Firewall? Is this an Apple problem or an industry-wide problem?

Rapidly eroding? LOL You are full of it.

Reply Score: 0

RE: Whaaa?
by snozzberry on Thu 11th May 2006 20:20 UTC in reply to "Whaaa?"
snozzberry Member since:
2005-11-14

2: Applications installing as root. The admin password is the key to root, it seems lately that more and more applications are demanding root access to install/use their software. This is causing a "too many chefs in the kitchen" problem that is rapidly eroding Mac OS X security.

In single-user Linuxes like Ubuntu, your password is the key to root. In OS X the admin password is not equivalent to root, and I can prove you wrong. When Palm Desktop 4 for OS X came out, it was impossible to install unless you logged in as a root user and installed it under that account. If you didn't have a root user you couldn't install it -- because the installer refused to install the hotsync daemon under any other privilege. This was a mistake on Palm's part, but there was no way around it.

Admin is limited privs which largely mean "can install software and create other accounts." Try opening the home folder of one of those accounts, however, and you'll see the limits of Admin.

Reply Score: 1

RE[2]: Whaaa?
by JustAnotherMacUser on Fri 12th May 2006 03:42 UTC in reply to "RE: Whaaa?"
JustAnotherMacUser Member since:
2006-01-08

I'm sorry dude, you're a bit off base.

I can easily open other users' Home folders by simply changing the permissions status of their folders using my Admin password or using the command line "sudo" prefix.

I don't know the issue behind why Palm needed an Admin user to create and log in as Root user, perhaps because under Admin the root access "window" is only temporary and their software needed to synch some certain files constantly. But I can assure you, with the Admin password it's carte blanche.

Only with the Admin password can Root user be enabled.

Reply Score: 1

RE[3]: Whaaa?
by snozzberry on Fri 12th May 2006 17:28 UTC in reply to "RE[2]: Whaaa?"
snozzberry Member since:
2005-11-14

I stand corrected. About a year ago I took my default user off Admin privs and created an Admin user whose sole function is to install software and perform a few tasks; I use his name/pw instead of mine and the end result is that I can't even sudo in the Terminal (apparently stripping Admin rights automatically removes you from sudoers).

Reply Score: 1

Should be re-titled to
by taos on Thu 11th May 2006 18:09 UTC
taos
Member since:
2005-11-16

Three basic principles for any operating system.

"Key Isolation Features"? Compare to what? Windows 95?

Reply Score: 1

let's deal with the fud....
by BluenoseJake on Thu 11th May 2006 20:03 UTC
BluenoseJake
Member since:
2005-08-11

Windows NT and up have protected memory for 32Bit apps, if you run as a normal user, you get the same user isolation features, and if you are a normal user, then you need to become admin to install apps. A lot of the problems with Windows security is not the design, it's the implementation. As long as normal users run in admin mode by default, then you run into problems.

When I run XP, I run as a normal user, and have had surprisingly few problems. I can't play most games, but I have an xbox for that. I haven't had a virus in years, and I run firefox, which takes care of the spyware problem for the most part.

It's easy to knock on windows security, but changing one thing, the security context of your user, and things get better.

Reply Score: 4

They are behind though
by aent on Fri 12th May 2006 00:53 UTC
aent
Member since:
2006-01-25

While Apple has Linux's old security layer implemented deeply into it like Linux has forever, in today's evolving level of viruses and hackers, it's not enough anymore. While Linux has firewalls and such built into it as well, Apple does not. Linux also has recently been adding Mandatory Access Control (MAC) security to the security subsystem. Apple has nothing that compares to this. Until Apple adds a firewall and also adds MAC support, it still will not be at the same security level as Linux, and Apple needs to recognize that it's not nearly as secure at the moment.

Reply Score: 1

more apple marketing ^^
by tilde on Fri 12th May 2006 00:57 UTC
tilde
Member since:
2005-11-15

I won't buy it :-D

Reply Score: 0