![]() If I run a script that accesses my Calendar items from the “Personal” profile, the system would prompt me once to ask my permission, but never prompt me again in that profile. ![]() Switching between these modes would also switch the system’s active list of entitlements for Terminal. These are off the top of my head, and just to give an idea of the kinds of profiles that might make sense here. Experimental: Tasks that involve installing or running third-party tools that I am not familiar with and do not have a high degree of faith in.Collaborative: Tasks that involve installing and running third-party tools that I trust, committing to shared source repositories, etc.Administrative: Tasks that pertain to the overall maintenance of my Mac: examining system logs, delving into configuration files, etc.Personal: Everyday productivity tasks including running scripts, editing files in my home directory, etc.For example, given my uses of Terminal, I might set up a few profiles for the types of work I regularly do: Each profile would be considered by the system effectively as a different app. With Security Profiles, a user would be configure an arbitrary number of named profiles, and security privileges acquired by Terminal would be stored separately for the active profile. I don’t completely understand the limitations there, but I suspect that because commands in the Terminal are running as subprocesses of Terminal, there is some technical challenge to making the permissions apply at such a fine-grained level.Īs an alternative, I wonder if Apple could introduce some kind of “Security Profiles” feature for Terminal so that individual windows within the app could be run when different permissions? This could build on Terminal’s existing support for “Profiles” which already support varying Terminal settings dramatically on a per-window basis. It would be better if I could say “let ls access my Mail” rather than “let anything I run from Terminal access my Mail.” Ideally these permission grants would be applicable at the tool level, rather than at the application level. ![]() A consequence of this is that, unless I grant unlimited network access to Terminal, I can’t perform routine tasks such as pushing git changes to a server. I use the excellent TripMode to limit bandwidth usage when I’m traveling, and tethered to my phone. I’ve run into a variation of this problem in the past. This isn’t earth-shattering: it’s been the case forever that tools you run in the Terminal have access to “all your files.” But the new restrictions in macOS Mojave shine a light on a problem: the bluntness of security restrictions and relaxations with regard to Terminal. To grant myself the ability to list files in ~/Library/Mail, am I willing to grant the same access to every single thing I’ll ever run in Terminal? Now you can “ls” anything in your home folder, but absolutely every other thing you run in Terminal can as well. ![]() If you really wanted to regain access to these files via the Terminal, you have to grant the app “Full Disk Access.” This is a new section of the Security & Privacy pane in System Preferences. ![]() As a privacy enhancement, access to these files is now restricted unless apps have requested or been proactively granted access. In all previous macOS releases, this would list the contents of Apple’s internal Mail files. Don’t believe me? Try opening Applications > Utilities > Terminal, and run the following command: One consequence of these changes is that you can no longer access certain parts of your home directory from the Terminal. Activities such as running scripts, or using apps that access private information, are altered now such that users are prompted with one-time permission-granting requests. In macOS Mojave, Apple introduced a number of new security features that impact the day-to-day use of the computer. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |