
Why is TextEdit accessing the Internet without permission? Does Big Sur's Access Control block stuff like this?


Well, /net is entirely disabled by default as of recently, so this entire method is no longer applicable.

However, since you asked, here is some useless information:

With /net or remote filesystems in general (NFS and SMB), the network accesses are performed by the kernel directly, rather than by the application using networking syscalls. Therefore, sandboxing network access from specific applications won't affect it.

Big Sur doesn't actually have a permission dialog for network access. But TextEdit does use the (long-existing) App Sandbox system, which is based on applications statically declaring permissions they need. Since TextEdit doesn't request a networking entitlement, it's prohibited from accessing the network directly; as I said, that doesn't include remote filesystems.
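
Added example, not part of the thread or any commenter's code: because the kernel automounter rather than the app performs these accesses, the practical check on a given machine is whether the autofs `-hosts` map (which backs /net) is active in the master map. The sample text is constructed in the layout of a macOS `/etc/auto_master`; the function names are hypothetical.

```python
"""Audit an autofs master map for the -hosts special map (the /net automounter)."""
import sys

# Constructed sample in the layout of a macOS /etc/auto_master file.
SAMPLE_MASTER_MAP = """\
#
# Automounter master map
#
+auto_master            # Use directory service
#/net                   -hosts          -nobrowse,hidefromfinder,nosuid
/home                   auto_home       -nobrowse,hidefromfinder
/Network/Servers        -fstab
/-                      -static
"""


def active_entries(text):
    """Yield (mount_point, map_name, options) for each uncommented entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line or line.startswith("+"):  # "+name" includes another map, not an entry
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        options = fields[2].lstrip("-").split(",") if len(fields) > 2 else []
        yield fields[0], fields[1], options


def hosts_map_mounts(text):
    """Return the mount points served by the -hosts map, e.g. ['/net']."""
    return [mp for mp, map_name, _ in active_entries(text) if map_name == "-hosts"]


def included_maps(text):
    """Return names pulled in with '+name'; those maps need auditing separately."""
    return [line.split("#", 1)[0].strip()[1:]
            for line in text.splitlines() if line.lstrip().startswith("+")]


if __name__ == "__main__":
    # With no argument the constructed sample is audited instead of a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASTER_MAP
    mounts = hosts_map_mounts(text)
    print("-hosts map active on:", ", ".join(mounts) if mounts else "nothing")
    for name in included_maps(text):
        print("also check included map:", name)
```

Pass the path of a master map as the first argument to audit a real file; a map included with `+name` can define its own `-hosts` entry and is only reported here, not resolved.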


From the OP it sounds like there is a very weird feature/component in MacOS called "AutoMount" and/or "AutoFS" that lets HTTP GET network requests be made via reading file system locations... and it may somehow escape other access controls?

I too am curious for more details about this. Where did this feature come from, how has it been used, has it actually been used?

Is AutoMount/AutoFS still there after this CVE patch? Does it indeed circumvent Access Control or other such things? Is it a likely path for other security problems?


I don't think this is doing any HTTP. Autofs is generally used to mount remote file systems like NFS shares.

It's pretty common on Unix-like systems (especially in multi-user environments) and not at all specific to macOS.

References:

https://wiki.archlinux.org/index.php/autofs

https://www.freebsd.org/cgi/man.cgi?query=autofs&sektion=5

https://access.redhat.com/documentation/en-us/red_hat_enterp...


The only thing I know about this is what I learned from the OP reporting the vulnerability. Maybe I was mistaken that the request was HTTP? Anyway, the rest applies, assuming the article is correct in describing the nature of the vulnerability.

Anyway, if this is how TextEdit got around macOS access controls related to network activity, I wonder if this is a route for other apps, including malicious ones, to get around it too?

> After digging into OSX internals, I came across the AutoMount feature that lets file:/// urls make remote requests. AutoFS is a program on OSX that uses the kernel to make a mounting request to a drive. Automount can also make remote requests to an external drive. Doing 'ls /net/EXAMPLE.com' forces OSX send a remote request to EXAMPLE.com

> While they did a good job blocking TextEdit from making external requests, this was the one thing they forgot when they allowed file:/// scheme, on OSX file:///net/11.22.33.44/a.css connects to 11.22.33.44.


It’s not that weird, but probably less widely used now; it’s wrapped up with NFS - SunOS had this starting back in the eighties and it’s really handy. You can also do much the same including HTTP access with UNC on Windows.

Both will follow normal network file access controls in their respective environments.

As for the why? It’s a really easy way of sharing resources between computers, and also way more efficient and easier to manage than static mounts.


This is why I use vallum.



