We should find that out over the coming weeks.Įven then, more persistent issues in TCC’s robustness may not be as important as they might seem now. What is much more important at this stage is how well Apple responds, and whether these prove to be mere bugs, or more deeply embedded in TCC’s architecture. Given that TCC didn’t reach any sort of maturity until quite late during beta-testing, in August when many developers were on holiday, means that Apple’s ferocious product development cycle hasn’t really allowed much testing by third parties as yet. Both are real macOS wizards, and I’d be a little disappointed if neither could find a way around TCC at this stage. The other two vulnerabilities, announced by Patrick Wardle and Jeff Johnson, shouldn’t be too surprising. In response to comment, I discuss these issues further in the Appendix below. It is surely enabling Remote Login which needs one of TCC’s dialogs, with a very explicit warning as to what this can do.
The biggest problem with ssh is not its ability to bypass privacy protection, but the fact that no Mac which has Remote Login enabled has given any warning during Mojave’s configuration that that allows a remote user to bypass TCC’s privacy protection. The sysadmin might be connecting over VPN from a Linux laptop on a beach in the Bahamas, and for TCC to start asking them for consent would be a real nightmare. When a system administrator tries to connect to an unresponsive Mac using ssh over a local network, that Attribution Chain lacks a head. For local commands executed in Terminal, it is Terminal’s ability to fire off a consent dialog which you will notice. For command tools, TCC uses an Attribution Chain, which tracks privacy permissions upwards in the hope of reaching a caller which can interact with the user. On the other hand, trying to impose privacy restrictions on remote connections via ssh is neither a particularly tractable problem, nor one in which any apparent solution would be acceptable. If your Mac has Remote Login enabled and is thereby vulnerable to attack, the privacy of your data is a secondary concern, as it’s a disaster waiting to happen. There are several issues involved here, but fundamentally the problem is one of the virtues of ssh: its power.
One of the ‘vulnerabilities’, in which someone can ssh in and then has free access to private data, is surely not accidental. However, at this stage of the cycle, I’m not sure that this is a particularly serious problem, at least not for users. Glance at the headlines, and you’d think that the three vulnerabilities reported so far in TCC rendered it pretty well dead on arrival, and a serious blow to Mojave as a whole. That should have kept TCC away from the limelight, until early September when Trend Micro was caught exfiltrating private data from its App Store apps. Since then, it has largely been the concern of those distributing their apps through the App Store.
The last time that it was in the news was when DropBox abused Accessibility features two years ago. TCC has actually been around in the background of macOS for quite a few years now, but has been keeping a low profile. The biggest issues are centred on Mojave’s new privacy management, TCC, which most of us expected.
That’s not to say that Mojave has been an instant success, but it doesn’t seem to be the lemon that some had feared.Īpart from a few model-specific problems, such as the strange dislike for the iMac 27-inch Late 2012, 3 TB hard disk with a Boot Camp partition, and ongoing issues with some MacBook Pro 2018s, most who have upgraded seem not to have hit problems, and the support forums are quite quiet.
Looking around, there seem to be remarkably few problems or regrets. I hope, if you have upgraded to Mojave, that all went well and you’re now happy that you made the right decision.