|
Introduction and First Start |
TinkerTool System is a professional all-in-one maintenance tool for the Macintosh platform. It allows you to change advanced operating system settings and offers a wide variety of maintenance features. It strictly complies with the software guidelines for Mac OS X, and also uses Apple's official instructions and recommendations for the resolution of certain system problems.
TinkerTool System is very different from other maintenance applications because it never uses any scripts and is fully integrated into the security architecture of Mac OS X.
Together with its sister program "TinkerTool" which is available at no charge, TinkerTool System is a perfect substitute for the following types of maintenance applications:
When you launch TinkerTool System for the first time, it will automatically integrate into the security model of Mac OS X. This is necessary because the application can be used (and could be misused) to perform critical operations in Mac OS X, for example deleting files owned by other users. Only responsible system administrators which manage the computer's installation should be allowed to perform such actions.
For this reason TinkerTool System contains a safeguard which communicates with the security features of Mac OS X. Under normal conditions, TinkerTool System is restricted to behave like a normal user program and does not have any extended privileges. For example it cannot use any system features which could affect more than the current user. However, certain maintenance functions require that TinkerTool System is allowed to act for the whole computer and all users. In this case, the built-in safeguard of TinkerTool System requests permission from Mac OS X to temporarily use a system feature which needs extended privileges. As response to this request, Mac OS X will completely "freeze" TinkerTool System and open a password entry panel in which you'll have to enter a valid password for one of the system's administrators. If the password is correct, Mac OS X will allow TinkerTool System to continue and to execute the requested action. If the password was wrong, TinkerTool System will also continue, but will additionally receive the response that the permission was not granted and the current request is rejected. In that case, TinkerTool System cannot perform the action currently selected. With this design it becomes impossible that an unauthorized person could misuse an application like TinkerTool System.
This policy strictly complies with Apple's software guidelines for system utilities. Note that TinkerTool System doesn't even "see" the administrator password when it is entered. All security-related interactions are directly handled and monitored by Mac OS X. So even in the unlikely case a computer virus would attack TinkerTool System, trying to "eavesdrop" on your password entry in an attempt to store and steal the password, it would have no success, because only the specially protected core of Mac OS X actually receives and checks the entered password information.
The first password entry is requested by Mac OS X when you start TinkerTool System for the first time. This allows the tool to form the aforementioned trust relationship and protection mechanisms. Other password requests will follow as soon as you start an operation which needs extended privileges.
Mac OS X automatically ensures that the user doesn't need to enter the password too often. After a password has been entered, Mac OS X will "trust" all applications started by the same user for an interval of 5 minutes.
The security policy outlined above puts some limitations on possible places where your copy of TinkerTool System can be stored and can be launched from. Imagine the following scenario:
An attacker puts a copy of TinkerTool System onto an external hard drive and uses his administrator password to integrate the tool into the security of his own Mac OS X installation. Then he connects the hard drive to the computer he likes to attack, with the plan to misuse some of the system functions accessible with TinkerTool System. The other computer must not trust the program on the external drive because the tool has only been security-activated by an unknown administrator of an unknown Mac OS X system. The tool did not receive authorization from the adminstrator of the current system. If Mac OS X allowed to execute the tool without reauthentication on the current computer, this would be a big security hole.
For this reason, Mac OS X keeps track where TinkerTool System - and all of its own utilities, like Activity Monitor for example - are launched from. Mac OS X does not allow that you run a system utility from one of the following locations:
You can run TinkerTool System from the following volumes:
The recommended location where to put TinkerTool System is of course the Applications folder of your system disk, or a subfolder of the Applications folder.
If you copy TinkerTool System to another volume or into a folder with different ownership, the Finder will display a warning that you are about to copy an application with special permissions. The copy will have to be reauthenticated by a system administrator.