The Security Policy of Mac Power Monitor

When you launch Mac Power Monitor for the first time, it automatically integrates into the security model of macOS. This is necessary because the application can be used to perform critical operations in macOS, for example showing the list of all running processes of all users.

To guarantee a high security level, Mac Power Monitor works in two parts. The normal main application with the graphical user interface coordinates all operations and also executes all tasks that don’t require any special permissions. As soon as a privileged operation has to be executed, however, for example retrieving statistics for all running processes of all users, the application internally checks whether the current user has permission to perform the requested task. If so, the task continues and the privileged operation can start. If not, the main application is paused temporarily and the user is asked to identify as an administrator first.

The privileged job is not executed by the main application, however. A second component, the so-called privileged helper, does this work after receiving the request of the main application via a secure channel that cannot be tapped. Even if an unauthorized attacker managed to manipulate the main program, it could not trigger any malicious functions on the computer, because it could not obtain the permission to do so. Only the privileged component, which is monitored and specially protected by macOS, has this technical capability. This means the setup implements a separation of user rights. The privileged helper is also called the security component in this context.

If the current user cannot identify as a system administrator, the privileged operation is rejected and not executed. You receive a notice in the graphical user interface that the pending task could not be continued for security reasons.

Confirming a privileged operation

To create the aforementioned monitored link between the main application and the privileged component, macOS asks for permission to set up the helper program during the first start of Mac Power Monitor. Once this special trust relationship has been established between the main application and the privileged component, Mac Power Monitor controls the special permissions from then on. The following rules apply when verifying the right to execute a protected operation:

(1) The main job of Mac Power Monitor, namely to show power statistics of macOS, can be executed by all users if an administrator has confirmed this once by entering a password.

(2) In all other cases where privileged rights are required, the running user session must be owned by an administrator: For security reasons, only those users can initiate a privileged operation in Mac Power Monitor for whom the option Allow user to administer this computer is enabled in the account management of macOS. This special option is the default for the user who owns the computer and has set it up. The login session in which Mac Power Monitor is running must have been started by this user, or by a different user who has also been granted administrative rights. This means it is not possible to initiate a privileged operation from a user account that is not logged in as an administrator. You cannot act as a different user while your identity is being verified by entering that user’s name and password.

This is compliant with the classic security guidelines that were established for the first generations of macOS (called Mac OS X at that time), and is stricter than the guidelines usually in effect for graphical applications running with modern versions of macOS. The policy is similar to that used by macOS and other Unix systems for the sudo command on the command line, which is also responsible for unlocking privileged operations individually.

If you are currently working with a user account that has no administrative rights, you won’t need to end your running login session in order to use a privileged feature of Mac Power Monitor, however. By activating the feature Fast User Switching via System Preferences, you can enable an item at the top right hand side of the graphical user interface of macOS which allows you to log in directly a second time as system administrator. This way you can work with multiple screen sessions for different users and switch back and forth between them. For more information, please see the reference manual of macOS, available via the Help menu of the Finder.

The application cannot read your password: Neither the main application nor its privileged component is involved in the password entry and verification of credentials. Both tasks are handled exclusively by macOS, so that your password cannot be seen by the programs. Only after macOS has verified your identity is the result sent to the application.

An administrator cannot have an empty password: Although it was possible with previous versions of macOS to create user accounts for administrators without a password (which actually means they have a password of zero length), up-to-date versions of the operating system consider this a configuration error. Affected administrator accounts cannot authenticate in every situation, and several system features will fail for them. This includes the privileged operations which can be used under the control of Mac Power Monitor. With default methods, accounts without passwords can no longer be created. If you still have such an account which was migrated from an older version of macOS, you must define a password for it before the account is permitted to use any features of Mac Power Monitor that require privileged operations.

On computers with Touch ID, the confirmation can also be done by fingerprint: If your computer contains Apple’s fingerprint reader Touch ID, the verification of your identity can also be done by fingerprint. To check the pending operation, there will be an additional short description in the Touch Bar.

A confirmation is valid for the pending operation, and for further operations in the next five (5) minutes: In some cases, Mac Power Monitor has to execute multiple privileged operations in rapid succession to perform a certain task; for example, a protected file may need to be deleted, and another one must be created in a protected folder. The application is designed to handle such a composite operation as a single event, even if the operations are internally considered separate actions requiring different permissions. You only have to authenticate once, not twice, in this example. But even operations which don’t belong together don’t necessarily lead to a renewed password entry: If less than five minutes have passed between your last authorization and a new privileged operation, another check of your identity is skipped.

An authorization won’t be shared with other applications: When you have confirmed your identity to Mac Power Monitor to execute a privileged operation, this authorization will only be valid for the application itself, but not for other programs.
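The rules above, modelled as a small policy engine. This is an added illustration, not code from Mac Power Monitor; the class, the operation names and the `confirm` callback (which stands in for macOS' own credential dialog) are assumptions, and timestamps are passed in so that the five-minute rule can be exercised without waiting.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

GRACE_SECONDS = 5 * 60  # a confirmation stays valid for five minutes (from the manual)


@dataclass
class Session:
    user: str
    is_admin: bool      # "Allow user to administer this computer" is enabled
    has_password: bool  # accounts with a zero-length password cannot authenticate


@dataclass
class PrivilegedHelperPolicy:
    """Hypothetical model of the manual's authorization rules (not the real implementation)."""
    statistics_unlocked: bool = False  # rule (1): set once by an administrator, then valid for everyone
    # (application id, user) -> time of last successful confirmation; keyed per application
    # because an authorization is never shared with other programs.
    confirmations: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def request(self, app_id: str, session: Session, operation: str, now: float,
                confirm: Callable[[], bool]) -> Tuple[bool, str]:
        """Decide whether `operation` may run in `session`. `confirm` models macOS
        reporting the outcome of its own credential check; the policy never sees a password."""
        # Rule (1): once an administrator has unlocked the statistics, every user may view them.
        if operation == "show_power_statistics" and self.statistics_unlocked:
            return True, "statistics unlocked for all users"
        # Rule (2): everything else requires a login session owned by an administrator
        # whose account has a non-empty password.
        if not session.is_admin:
            return False, "login session is not owned by an administrator"
        if not session.has_password:
            return False, "administrator account has an empty password"
        # Reuse a confirmation that is younger than five minutes, otherwise ask macOS to verify.
        last = self.confirmations.get((app_id, session.user))
        if last is None or now - last >= GRACE_SECONDS:
            if not confirm():
                return False, "identity could not be verified"
            self.confirmations[(app_id, session.user)] = now
        if operation == "show_power_statistics":
            self.statistics_unlocked = True
        return True, "privileged operation allowed"
```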

The paragraphs below contain information for experienced system administrators. You can skip them during first reading.

Technical Details for Advanced Users

The security component is installed into the folder /Library/PrivilegedHelperTools, which is Apple’s recommended folder for such utility programs. The name of the component is MacPowerMonitor2-PrivilegedLegacyAPITool. macOS launches and quits this program automatically as needed, so it does not run as a background service for an extended period of time.
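An added check (not part of Mac Power Monitor) that an administrator can run to confirm the helper is present and protected as a privileged helper should be. The path and file name come from the text above; the expectation that the file is owned by root:wheel, executable, and not writable by group or others is the usual launchd requirement for privileged helpers and is assumed here, not stated by the manual.

```python
import os
import stat
from typing import List

# Folder and component name as given in the manual.
HELPER_PATH = "/Library/PrivilegedHelperTools/MacPowerMonitor2-PrivilegedLegacyAPITool"


def check_helper_metadata(uid: int, gid: int, mode: int) -> List[str]:
    """Return a list of problems with the ownership and permission bits of a helper.
    `mode` holds only the permission bits (as from stat.S_IMODE). Assumed policy:
    root:wheel ownership, owner-executable, not writable by group or others."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if gid != 0:
        problems.append("group is not wheel")
    if not mode & stat.S_IXUSR:
        problems.append("not executable by owner")
    if mode & stat.S_IWGRP:
        problems.append("writable by group")
    if mode & stat.S_IWOTH:
        problems.append("writable by others")
    return problems


def audit_helper(path: str = HELPER_PATH) -> List[str]:
    """Stat the installed helper and report deviations; an empty list means all checks passed."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["helper not installed"]
    if not stat.S_ISREG(st.st_mode):
        return ["helper is not a regular file"]
    return check_helper_metadata(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for problem in audit_helper() or ["no problems found"]:
        print(problem)
```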

You can choose to remove the security tool at any time without leaving any traces. In this case Mac Power Monitor loses its capability to access privileged system areas, so the program will be forced to shut down as well. Perform the following steps to remove the component:

  1. Launch Mac Power Monitor if it is not running yet.
  2. Select the menu item Commands > Remove Security Component….
  3. Follow the instructions the program gives. The program quits itself as the last step of this operation.