Apple OSX Leopard (10.5+): inadequate ACL visibility can create vulnerabilities
OSX 10.5 "Leopard" enables ACLs and gives them precedence over the standard
POSIX permission bits. Apple's "Get Info" GUI sets and displays an odd and
confusing mix of POSIX and ACL settings, leaving plenty of room for mistaken
assumptions about who can actually access a file.
Unfortunately, there are not yet adequate tools to detect ACL changes. Tools
like open-source Tripwire check only the POSIX permission bits (a feature
request for ACL support has been submitted to the open-source Tripwire
project). Apple's proprietary Disk Utility appears to check only what Apple
wants to check, and probably leaves areas such as user files unexamined.
Historically, a number of legitimate and less-than-legitimate software
installers have altered the POSIX permissions of key system files and
directories. The same alterations could easily be extended to ACLs, where they
would be far harder to detect, since almost no tools look for them.
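The two preceding paragraphs argue that a POSIX-only integrity checker misses ACL changes. As an added example (not code from the original post, and not part of Tripwire or Disk Utility), the script below diffs two `ls -le` snapshots of the same directory and reports files whose ACL entries changed while their mode bits did not. The snapshots are constructed sample output laid out the way macOS `ls -le` prints it: a "+" after the mode string marks a file carrying an ACL, and each entry follows on its own line.

```python
# Added example: ACL-aware diff of two `ls -le` snapshots. Reports files whose
# ACL entries changed even though the POSIX mode string is unchanged.
import re

ACL_ENTRY = re.compile(r"^\s*\d+:\s+(\S+)\s+(allow|deny)\s+(\S+)$")

def parse_ls_le(text):
    """Return {name: {"mode": str, "acl": [(who, kind, frozenset(perms)), ...]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ACL_ENTRY.match(line)
        if m and current is not None:  # ACL entry belongs to the preceding file
            entries[current]["acl"].append((m[1], m[2], frozenset(m[3].split(","))))
            continue
        # Listing line: mode links owner group size month day time name
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0][0] not in "-dlbcps":
            current = None  # "total N" line, blank line, or unrecognised text
            continue
        current = fields[8]
        # "+" marks an ACL, "@" extended attributes; neither is a mode bit
        entries[current] = {"mode": fields[0].rstrip("+@"), "acl": []}
    return entries

def acl_changes(before, after):
    """{name: (old_acl, new_acl)} for files whose ACL list differs between snapshots."""
    acl = lambda snap, n: snap.get(n, {}).get("acl", [])
    return {n: (acl(before, n), acl(after, n)) for n in sorted(set(before) | set(after))
            if acl(before, n) != acl(after, n)}

def posix_changes(before, after):
    """Files whose POSIX mode differs: all that a POSIX-only checker would notice."""
    return {n for n in set(before) & set(after) if before[n]["mode"] != after[n]["mode"]}

# Constructed snapshots: a grant to user "guest" appears on notes.txt in the
# second one; the POSIX bits of every file are identical in both.
BEFORE = """\
-rw-r--r--   1 alice  staff  1024 Jan  5 10:00 notes.txt
drwxr-xr-x+  5 alice  staff   170 Jan  5 10:00 Documents
 0: group:everyone deny delete
"""
AFTER = """\
-rw-r--r--+  1 alice  staff  1024 Jan  5 10:00 notes.txt
 0: user:guest allow read,write
drwxr-xr-x+  5 alice  staff   170 Jan  5 10:00 Documents
 0: group:everyone deny delete
"""

if __name__ == "__main__":
    b, a = parse_ls_le(BEFORE), parse_ls_le(AFTER)
    print("POSIX mode changes:", posix_changes(b, a) or "none")
    for name, (old, new) in acl_changes(b, a).items():
        print(f"ACL changed on {name}: {old} -> {new}")
```

To use it on a live system, capture `ls -le` output of the directories you care about at two points in time and feed the two captures to `parse_ls_le`.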
Users should weigh carefully whether the risks of using ACLs on OSX outweigh
the benefits. For many systems with only a few users, ACLs are massive overkill
and should probably be disabled. The following command, run as root, disables
ACLs on the root volume (fsaclctl acts on one volume at a time, so repeat it
for each volume where ACLs should be off):
# fsaclctl -p / -d