Bugtraq mailing list archives

Apple OSX Leopard (10.5+), inadequate ACL insight can create vuln


From: bgtrq.tryfixingit () antichef net
Date: Tue, 19 Aug 2008 06:44:38 -0600

OSX 10.5 "Leopard" has activated ACL use and gives ACLs preference over standard POSIX permission bits.  Apple's "Get 
Info" GUI sets and displays an odd and confusing mix of POSIX and ACL settings, leaving plenty of room for confused 
security.

Unfortunately, there are not yet adequate tools to detect ACL changes.  Tools like open-source Tripwire only check 
POSIX permission bits (a feature request has been submitted for ACL support in open-source Tripwire).  Apple's 
proprietary Disk Utility appears to only check what Apple wants to check (it probably leaves areas like user files 
vulnerable).

Historically, a number of legitimate and less-than-legitimate software installers have altered the POSIX permission 
settings for key system files and directories.  Those alterations could easily be extended to ACLs, and would be more 
difficult to detect, since there are almost no tools to find them.

Users should carefully consider if the risks of using ACLs in OSX outweigh the benefits.  For many systems with a small 
number of users, ACLs are massive overkill, and should probably be disabled.  The following command disables ACLs on 
the root volume (the command only operates on each volume):

# fsaclctl -p / -d
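
An added example (not part of the original post): one way to catch ACL changes that a POSIX-bit-only integrity check would miss, by diffing two saved snapshots of `ls -led` output. The snapshot contents, paths and user names below are constructed for illustration.

```python
import re

# Constructed sample snapshots in the format printed by `ls -led <paths>` on OS X.
BASELINE = """\
drwxr-xr-x  62 root  wheel  2108 Aug 18 09:12 /Library
-rw-r--r--   1 root  wheel   515 Aug 18 09:12 /etc/hosts
drwxr-xr-x+  5 alice staff   170 Aug 18 09:12 /Users/alice/Documents
 0: group:everyone deny delete
"""
CURRENT = """\
drwxr-xr-x+ 62 root  wheel  2108 Aug 18 09:12 /Library
 0: user:mallory allow add_file,add_subdirectory,delete_child
-rw-r--r--   1 root  wheel   515 Aug 18 09:12 /etc/hosts
drwxr-xr-x+  5 alice staff   170 Aug 18 09:12 /Users/alice/Documents
 0: group:everyone deny delete
 1: user:mallory allow read,write
"""

ACE = re.compile(r"^\s+\d+:\s+(.*)$")  # indented " N: <entry>" lines are ACL entries

def parse_snapshot(text):
    """Return {path: (posix_mode, [ace, ...])} from `ls -le` style output."""
    entries, path = {}, None
    for line in text.splitlines():
        m = ACE.match(line)
        if m and path is not None:
            entries[path][1].append(m.group(1).strip())
        elif line.strip():
            fields = line.split(None, 8)  # mode links owner group size month day time name
            if len(fields) < 9:
                continue
            path = fields[8]
            entries[path] = (fields[0].rstrip("+@"), [])  # drop the ACL/xattr marker
    return entries

def acl_only_changes(baseline, current):
    """Paths whose ACL differs while the POSIX mode bits are identical."""
    findings = {}
    for path, (mode, acl) in current.items():
        old = baseline.get(path)
        if old and old[0] == mode and old[1] != acl:
            findings[path] = {"added": [a for a in acl if a not in old[1]],
                              "removed": [a for a in old[1] if a not in acl]}
    return findings

if __name__ == "__main__":
    for path, diff in acl_only_changes(parse_snapshot(BASELINE), parse_snapshot(CURRENT)).items():
        print(path, diff)
```

In both constructed snapshots the mode strings are unchanged, so a comparison of permission bits alone reports nothing, while the ACL diff flags `/Library` and `/Users/alice/Documents`.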

