wincent Wincent Colaiuta's weblog

January 23, 2007

Input Managers

The ownership and permissions on my InputManagers folders (both inside my home folder and at system level):

-r--------     1 root     wheel    -     0 Jan 27  2006 InputManagers

For these restrictions to be effective you should probably revoke group write access to the /Library/ folder as well (if recent disclosures weren't enough to make you worry about it already). And don't run as an admin user.

Input managers are an evil idea, all too easily abused. I tightened up access controls a year ago in response to the Sandvox and Path Finder Input Manager mini-scandal (see also this), but today we have yet another reason to avoid them like the plague.

For the really paranoid

See man chflags. You can set the "system immutable" flag on a folder so that not even the root user can change the permissions on it without first explicitly clearing the flag.

sudo chflags schg target_folder

Results in this:

dr--------    2 root     wheel    schg    68 Jan 23 12:13 target_folder/

Even root won't be able to change the permissions on the folder after that:

sudo chmod 777 target_folder
chmod: example: Operation not permitted

But things get better: the only way for root to clear the "system immutable" flag is to boot into single user mode and run sudo chflags noschg target_folder (merely dropping back to the console is not sufficient). If you don't want to go that far, look at the "user immutable" flag: it also prevents all users, even root, from modifying the target, but you don't have to reboot into single user mode to remove it (either the file owner or root can unset the flag).
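To check a machine against the lockdown described above, the following added example (not part of the original post) audits listing lines in the format shown in the post. The function names audit_line and group_writable are hypothetical, and the "alice" and "Library" sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Field order assumed from the
# listings above: mode links owner group flags size date... name

# audit_line LINE: succeed only if the entry is owned by root:wheel and no
# write bit is set for anyone. The immutable flag is reported, not required.
audit_line() {
    read -r mode _links owner group flags rest <<EOF
$1
EOF
    name=${rest##* }
    problems=
    [ "$owner" = root ]  || problems="$problems owner=$owner"
    [ "$group" = wheel ] || problems="$problems group=$group"
    case $mode in
        *w*) problems="$problems writable($mode)" ;;
    esac
    case $flags in
        *schg*) lock=schg ;;   # root must be in single user mode to clear it
        *uchg*) lock=uchg ;;   # owner or root can clear it at any time
        *)      lock=none ;;
    esac
    if [ -n "$problems" ]; then
        echo "FAIL $name:$problems; immutable flag: $lock"
        return 1
    fi
    echo "PASS $name; immutable flag: $lock"
}

# group_writable LINE: succeed if the group write bit (6th mode character)
# is set, which is the post's concern for /Library.
group_writable() {
    case ${1%% *} in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# The two listings from the post, then two constructed lines.
audit_line "-r--------     1 root     wheel    -     0 Jan 27  2006 InputManagers" || true
audit_line "dr--------    2 root     wheel    schg    68 Jan 23 12:13 target_folder/" || true
audit_line "drwxr-xr-x    2 alice    staff    -    68 Jan 23 12:13 InputManagers" || true
lib="drwxrwxr-t   50 root     admin    -  1700 Jan 23 12:00 Library"
if group_writable "$lib"; then echo "WARN /Library is group-writable"; fi
```

An entry that passes with "immutable flag: none" is only as safe as root and the parent folder's permissions; schg is what keeps even root from undoing it without a reboot.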

More MOAB articles

Posted by wincent at January 23, 2007 12:02 PM