=Start=
缘由:
因为工作的原因,需要学习一下macOS系统的安全设置和属性,方便在遇到问题的时候能给出及时有效的解答,同时解除一些自己在使用macOS系统时碰到的疑惑。这篇文章主要记录macOS系统上和隐私与安全性相关的 TCC.db 这个数据库文件,测试和验证的系统是当前手头上有的 Ventura(13.2.1) 和 Monterey(12.6.1) ,因为macOS系统的变化较为频繁且相对来说缺少一些连贯性,而且最新的中文资料也相对缺乏,所以当前的情况和结论无法保证在后面的系统中也能成立。
正文:
参考解答:
一开始源于我想知道如何从命令行上获取macOS系统上的隐私与安全设置信息,具体点说就是我想用命令知道哪些应用具备电脑的【完全磁盘访问权限】(早先我还不太清楚MDM,知道了之后我才知道macOS系统的设置-隐私与安全性-完全磁盘访问权限这里面列的也不够全,不过那是另一回事了,后面再找一篇文章进行记录)。
经过一些关键字搜索,找到了几篇文章并进行了一些测试验证,下面是一些简单的记录。
macOS上的TCC是什么?
What is TCC? (TCC是什么)
TCC (Transparency, Consent, and Control) is a mechanism in macOS to limit and control application access to certain features, usually from a privacy perspective. This can include things such as location services, contacts, photos, microphone, camera, accessibility, full disk access, and a bunch more. TCC was introduced with OSX Mavericks and has gone through a number of changes since to expand what it has control over.
TCC(透明、同意和控制)是macOS中的一种机制,用于限制和控制应用程序对某些功能的访问,通常从隐私的角度出发。包括位置服务、联系人、照片、麦克风、相机、可访问性、全磁盘访问等等。TCC是与OSX Mavericks一起引入的,并且已经经历了一些变化,以扩大它的控制范围。
macOS上给应用添加完全磁盘访问权限的方法
先说结论,一般情况下,你无法只通过命令行上的命令就直接给某个应用添加上完全磁盘访问权限(除非你关闭了系统的SIP并擅自更新TCC.db文件的内容),在macOS系统上,想要给特定应用添加完全磁盘访问权限常规就2种办法:
- 人工手动赋权,进入系统设置-隐私与安全,点击添加;
- 通过MDM下发profiles描述文件进行添加。
TCC.db这个数据库文件里有什么
隐私与安全性中的一些设置是写在了数据库文件TCC.db里面的,具体的数据库文件路径为:
/Library/Application\ Support/com.apple.TCC/TCC.db
但是要特别注意的一点是,如果你用于打开这个文件的应用本身没有完全磁盘访问权限的话,你是无法读取该文件的,即便你在命令前面加了 sudo 也不行,会提示:
Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": authorization denied
当你权限的问题解决了之后(比如给终端应用添加了完全磁盘访问权限),就可以查看该数据库的内容了,我测试的电脑上它包含以下几张表(如果你的设置比较多比较全面,表的数量可能会更多):
access
access_overrides
active_policy
admin
expired
policies
最关键的是 access 这张表。
还有需要注意的是,并不是在这张表里面的都是具备完全磁盘访问权限(service="kTCCServiceSystemPolicyAllFiles"
)的,而只是之前请求过这个权限,具体用户没有有给赋予权限,还需要看auth_value的值(=2时表示有权限)。
另外还有一个命令可以作为参考:
defaults read ~/Library/Preferences/com.apple.universalaccessAuthWarning.plist
# 上面这个命令用于读取系统记录的请求磁盘访问权限的应用以及用户是否给了权限,但也只是历史数据,最新的情况还是要读db才能知道。
access表中service字段的取值范围和含义:
$ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db
sqlite> .headers on
sqlite> select service,count(1) from access group by service;
service|count(1)
kTCCServiceAccessibility|辅助功能
kTCCServiceDeveloperTool|开发者工具
kTCCServiceEndpointSecurityClient|1
kTCCServicePostEvent|1
kTCCServiceScreenCapture|屏幕录制
kTCCServiceSystemPolicyAllFiles|完全磁盘访问权限
...
$ plutil -p /System/Library/PrivateFrameworks/TCC.framework//Versions/A/Resources/Localizable.loctable > tcc_info.txt
$ vim tcc_info.txt
# access表结构
CREATE TABLE IF NOT EXISTS "access" (
service TEXT NOT NULL
,client TEXT NOT NULL
,client_type INTEGER NOT NULL
,auth_value INTEGER NOT NULL
,auth_reason INTEGER NOT NULL
,auth_version INTEGER NOT NULL
,csreq BLOB
,policy_id INTEGER
,indirect_object_identifier_type INTEGER
,indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED'
,indirect_object_code_identity BLOB
,flags INTEGER
,last_modified INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER))
,PRIMARY KEY (service, client, client_type, indirect_object_identifier)
,FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE
);
查看哪些应用具备完全磁盘访问权限
# 查看命令如下
## 方式一:进入db然后select查询
$ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db
sqlite> select client,auth_value,last_modified from access where service = "kTCCServiceSystemPolicyAllFiles";
sqlite> select client,auth_value,last_modified from access where service = "kTCCServiceSystemPolicyAllFiles" and auth_value=2;
sqlite> select client,auth_value,datetime(last_modified,"unixepoch","localtime") from access where service = "kTCCServiceSystemPolicyAllFiles" and auth_value=2;
## 方式二:直接在终端上调用sqlite3传入SQL拿查询结果
$ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select client,auth_value,last_modified from access where service = "kTCCServiceSystemPolicyAllFiles"'
$ sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select client,auth_value,datetime(last_modified,"unixepoch","localtime") from access where service = "kTCCServiceSystemPolicyAllFiles"'
参考链接:
A deep dive into macOS TCC.db
https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
What does the TCC Compatibility database do?
https://eclecticlight.co/2018/11/20/what-does-the-tcc-compatibility-database-do/
TCC
https://eclecticlight.co/tag/tcc/
Bypassing macOS TCC User Privacy Protections By Accident and Design
https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/
macOS TCC 还能一如既往地保护用户隐私吗?
https://www.4hou.com/posts/vR3r
macOS: List apps authorized for full disk access #最直接的回答
https://apple.stackexchange.com/questions/362865/macos-list-apps-authorized-for-full-disk-access
Sophos Central Mac Endpoint: Confirm Privacy Settings on macOS #它的这篇文档介绍的还是很细致的
https://support.sophos.com/support/s/article/KB-000039222?language=en_US
accessing TCC.db without privileges #介绍了一些前因后果,仔细看还是能学到一些知识的
https://applehelpwriter.com/2018/07/06/accessing-tcc-db-without-privileges/
How to read “Security & Privacy” settings using command line or programatically
https://stackoverflow.com/questions/41702509/how-to-read-security-privacy-settings-using-command-line-or-programatically
Privacy: what TCC does and doesn’t
https://eclecticlight.co/2023/02/10/privacy-what-tcc-does-and-doesnt/
Working Around macOS Privacy Controls in Red Team Ops
https://cedowens.medium.com/initial-access-checks-on-macos-531dd2d0cee6
macOS Red Teaming: Bypass TCC with old apps
https://wojciechregula.blog/post/macos-red-teaming-bypass-tcc-with-old-apps/
=END=
《 “从macOS上应用的完全磁盘访问权限说起” 》 有 3 条评论
Fix Terminal “Operation not permitted” Error in macOS Monterey, Big Sur, Catalina, Mojave
https://osxdaily.com/2018/10/09/fix-operation-not-permitted-terminal-error-macos/
`
# 给相关程序添加上完全磁盘访问权限即可解决这种提示操作不允许的报错
隐私与安全性 – 完全磁盘访问权限 – iTerm-2/Terminal/…
How to Fix “Operation not permitted” Error in Terminal for Mac OS
1. Pull down the Apple menu and choose ‘System Preferences’
2. Choose “Security & Privacy” control panel
3. Now select the “Privacy” tab, then from the left-side menu select “Full Disk Access”
4. Click the lock icon in the lower left corner of the preference panel and authenticate with an admin level login
5. Now click the [+] plus button to add an application with full disk access
`
ls: : Operation not permitted
https://discussions.apple.com/thread/252695259
`
System Preferences > Security & Privacy > Privacy > select Full Disk Access on the left, add Terminal.app on the right, and see if things work better.
`
Check security permissions on macOS
https://doc.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/EndpointProtection/MacCheckSecurityPermissions/index.html
`
# Check permissions using a terminal
$ sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db ‘select * from access’ | grep -i sophos
# Check permissions for remote deployments
$ sudo cp /Library/Application\ Support/com.apple.TCC/MDMOverrides.plist ~/Desktop/
$ cat ~/Desktop/MDMOverrides.plist
`
Security permissions on macOS
https://doc.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/EndpointProtection/MacSecurityPermissions/index.html
macOS: List apps authorized for full disk access
https://apple.stackexchange.com/questions/362865/macos-list-apps-authorized-for-full-disk-access
`
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
‘select client from access where auth_value and service = “kTCCServiceSystemPolicyAllFiles”‘
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
‘select * from access where auth_value’
# kTCCServiceScreenCapture 录屏与系统录音(截屏/录屏权限)
# kTCCServiceSystemPolicyAllFiles 完全磁盘访问权限(通过MDM添加权限的app并不在这里面进行展示)
# kTCCServiceAccessibility 辅助功能(允许相关的应用程序控制你的电脑)
`
不知道除了读取TCC.db这个数据库文件之外,还有没有其它的方式能较为实时的获取特定应用程序的权限授予变化情况(比如DLP程序被移除截屏/录屏权限,会影响取证和告警判断)?