Firewall rules, admin vs. user accounts

Is the way macOS handles network or firewall rule changes for UDP broadcasts and UDP replies different between running command-line utilities in admin accounts, versus running them from user accounts that do not have admin privileges?

If so, where is this documented?

Also, the behavior of UDP from non-admin accounts appears to have changed somewhere between Mojave and the Big Sur betas. UDP broadcasts appear to work when sent from non-admin accounts under Mojave, but do not work under the Big Sur beta (packets are blocked or lost?), except from an admin account.

A similar change occurred with the UDP broadcast code embedded into an iOS 14 app, which I assume enforces non-admin access rules. Receiving UDP replies (worked under iOS 12) stopped working.

Replies

A similar change occurred with the UDP broadcast code embedded into an iOS 14 app

Yes, in iOS 14 UDP broadcasts now require a user to accept local network privacy. For more on this see: Local Network Privacy FAQ-2.

Also, the behavior of UDP from non-admin accounts appears to have changed somewhere between Mojave and the Big Sur betas. UDP broadcasts appear to work when sent from non-admin accounts under Mojave, but do not work under the Big Sur beta (packets are blocked or lost?), except from an admin account.

Can you give a specific example of this?

Is the way macOS handles network or firewall rule changes for UDP broadcasts

I am not aware of any, but can you be specific about what you mean by firewall?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
In reply: A partially specific example was posted in this thread:
https://developer.apple.com/forums/thread/662859
But the behavior of this code seems to vary with one or more of: macOS version compiled under or run under, Xcode version compiled with, account privileges the binary is run from, directory and or account the command-line binary was copied from or to.
The last is the weirdest, as I can copy a working binary out of one directory into another, and it stops working (on 10.15.7).
But when I copied that copy (command line cp -p) into an admin account, it started working.
My stats are: UDP broadcast plus reception of UDP reply always works under Mojave (after initial permission grant), works less under Catalina (depending on build, etc.), works rarely under Big Sur (but not never). 3 different Macs. Sometimes the UDP broadcast fails (isn't seen on the LAN by multiple sensors), sometimes the UDP reply is lost (never received by Mac).

Where are the owners, directory paths, and version info of the apps that the firewall or network stack permits/denies stored?
Could that permission storage be confused by dozens of binaries with the same name, but in different directories, with different owners, built with different versions of Xcode on different Macs, but all from the same source repo?

Yes, the behavior change of UDP in iOS is documented. Is there a similar documentation of behavior change for macOS?
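
The two failure modes reported above (the broadcast is never seen on the LAN, or the reply never reaches the Mac) are easier to separate with a probe that records each stage on its own. The script below is an added example, not code from this thread or from Apple; it sends one datagram, keeps the send result separate from the replies collected before a deadline, and classifies the outcome as "send-blocked", "no-reply" or "ok". To run stand-alone it talks to a constructed loopback responder standing in for the LAN sensors; on a real network the destination would be the subnet broadcast address and the sensors' port, which is an assumption about how the poster's tool works.

```python
import socket
import threading
import time

# Constructed value for the stand-alone run; a real tool would send
# whatever discovery payload its sensors expect.
PROBE_PAYLOAD = b"DISCOVER"


def make_probe_socket(timeout):
    """UDP socket prepared the way a broadcast-discovery tool needs it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Without SO_BROADCAST a sendto() to a broadcast address fails with
    # EACCES, which looks like "packets are blocked" if the error is hidden.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.settimeout(timeout)
    # Bind so the reply has a known local port to come back to.
    s.bind(("0.0.0.0", 0))
    return s


def probe(dest, port, payload=PROBE_PAYLOAD, timeout=2.0, max_replies=8):
    """Send one datagram and collect replies until the deadline.

    The result keeps the stages apart: whether the send succeeded, which
    replies came back (source address, data), and any socket error seen.
    """
    result = {"sent": False, "replies": [], "error": None}
    s = make_probe_socket(timeout)
    try:
        try:
            s.sendto(payload, (dest, port))
            result["sent"] = True
        except OSError as exc:
            result["error"] = "send failed: %s" % exc
            return result
        deadline = time.monotonic() + timeout
        while len(result["replies"]) < max_replies:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            s.settimeout(remaining)
            try:
                data, addr = s.recvfrom(2048)
            except socket.timeout:
                break
            except OSError as exc:
                # e.g. an ICMP port-unreachable surfaced as ECONNREFUSED
                result["error"] = "receive failed: %s" % exc
                break
            result["replies"].append((addr[0], data))
    finally:
        s.close()
    return result


def classify(result):
    """Map a probe result onto the outcomes reported in the thread."""
    if not result["sent"]:
        return "send-blocked"
    if not result["replies"]:
        return "no-reply"
    return "ok"


def start_loopback_responder(reply_prefix=b"REPLY:"):
    """Constructed stand-in for a LAN sensor: answers every datagram.

    Returns (port, stop_event); set the event to shut the thread down.
    """
    r = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    r.bind(("127.0.0.1", 0))
    r.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, addr = r.recvfrom(2048)
            except socket.timeout:
                continue
            r.sendto(reply_prefix + data, addr)
        r.close()

    threading.Thread(target=serve, daemon=True).start()
    return r.getsockname()[1], stop


def start_silent_listener():
    """Constructed stand-in for a sensor that hears the probe but never answers."""
    r = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    r.bind(("127.0.0.1", 0))
    return r.getsockname()[1], r


if __name__ == "__main__":
    port, stop = start_loopback_responder()
    outcome = probe("127.0.0.1", port)
    stop.set()
    print(classify(outcome), outcome)
```

Running the same script from the admin account and from the non-admin account, and again after copying it between directories as described above, gives a per-stage record to compare: "send-blocked" means the outbound datagram was refused locally, "no-reply" means it left the socket but nothing came back within the deadline, and the captured error string is what to attach to a TSI or read alongside a sysdiagnose.
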
It would be best to open a TSI so I can take a deeper look at what is going on here with any logs or a sysdiagnose on the reported versions of macOS you are experiencing issues on. Please see the Requesting Technical Support page for more details.

Also, if you do so, please see the sysdiagnose instructions for iOS and macOS.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com