Apple automates bug update for Macs
Mike O'Dell
mo at ccr.org
Wed Dec 24 19:37:51 CST 2014
there was an earlier NTP bug that allowed servers
to be used as DDOS amplifiers. that is not this bug.
this bug allows execution of arbitrary code at elevated privilege.
very bad indeed.
i have been led to believe that this forced update was a
special case and that this does not represent a change in
the normal policy. note, however, that the update machinery
has always allowed 3 different modes under "automatically
check for updates": download notify of updates, apply updates
to apps, and apply updates for system components. The default
has always been to apply both types of updates automagically.
Once upon a time, the update machinery was much more careful
to avoid reboots. Then there was a period of significant system
reorganization and that's when reboots always seemed to be
required. Lately, I've seen some significant updates which did
not require a reboot. In fact, I don't think the NTP fix required
a reboot. I've had something running on my MacBookPro for quite
a few days non-stop and haven't seen evidence that it rebooted.
One of the big changes in the system had to do with how processes
are created and managed, especially for system services. The move
to launchd for controlling most of the system combined with the
dramatic refactoring of the trust boundaries of all the Apple apps
to operate in what amount to compartments with small, carefully
audited system-supplied helper services to do things like open a user file
subject to complex security policies (think "reference monitors" in
orange-book-speak) did not happen overnight. But now that it's mostly
all in place and the standard way to do things, it's now possible to
shut-down, reload, and restart most of the subsystems cleanly and
without rebooting the system. That's certainly case for anything
that ran out of the equivalent of /etc/init.d or /etc/rc.d
(depending on the flavor of Unix).
the whole point is to allow much tighter and more sophisticated
access controls on more objects.
A slightly different, but not unrelated, take on this approach is
now shipping in FreeBSD 10.x. The Capsicum System developed
at the Cambridge Computer Laboratory has implemented a fine-grained
capability system which meshes with and extends the "jail" container
system. Capsicum also refactors apps into high-level system services
like manipulating user files by remote-control subject to powerful
policy controls. The Capsicum group has demonstrated that refactoring
standard Unix apps is usually quite simple and the results are
quite striking. If any of this is interesting, I recommend visiting
www.freebsd.org and following the yellow brick roads into the docs
and papers that describe the system.
-mo
More information about the Tacos
mailing list