Balena Etcher needs privileged access- Macintosh

Hello. This is my first time using balena etcher, so please bear with me. Every time I try to flash something, BalenaEtcher sends a password prompt, pic given here. I enter the password to my computer, but it doesn’t accept it. 3 more times, and it stops the process entirely.

[Image: 2021-09-02 at 5.00.16 PM]

Hi and welcome to the forums,

balenaEtcher needs admin privileges in order to write to disk, hence the prompt. Does the account on your Mac have admin rights?

You can check that by doing the following:

  1. Open the Apple menu.
  2. Select System Preferences.
  3. In the System Preferences window, click on the Users & Groups icon.
  4. On the left side of the window that opens, locate your account name in the list.
  • If the word Admin is immediately below your account name, then you are an administrator on this machine.
  • If the word Standard is there, then you are not an administrator and your account cannot be used to install software or make administrative changes.

Note that the admin password requirement is only for macOS Catalina and above.

Let us know how it goes.

Best regards,
Genadi

Yes, my account is the only one on the mac, and it has admin rights.

Hi, which version of etcher and macOS are you using?

Well, I don’t know how to check for the version, but I downloaded it today from the official website. macOS 11.4, Big Sur.

Hi there, this is by design. If you prefer Etcher not to prompt, open a macOS Terminal, run sudo su - and then open Etcher in that terminal session.

Please someday fix / improve this:

  1. Balena acquiesces Mac security in a weird funky hack way unlike typical Mac apps, which can prompt for an administrative credential and escalate themselves. I’ve seen virtually no applications that prompt for credentials in the way Balena does.
  2. If you provide a standard user, Balena fails with an error related to not being able to spawn processes.
  3. If you are ‘2’ then you also can’t do “sudo su -”.

Huge pain every time I need to use Balena I have to remember whatever my workaround was to this bad security prompt / security escalation it performs.

No way I’m providing your App (or maybe even you - who can tell?) with my sudo pass. Apple’s API warns that this approach must never be trusted and instead, the access request should pass through them. So as long as Apple doesn’t trust you, I also don’t.

From your code, the GUI spawns a helper, then talks to it over WebSocket. The client side even has comments saying authentication is missing:

  • lib/gui/app/modules/api.ts:100-101 → TODO: use the path as cheap authentication

  • lib/util/api.ts:67 → same TODO

The privileged helper binds a WebSocket server here:

  • lib/util/api.ts:63-70

and it accepts commands like scan, write, sourceMetadata, cancel, skip, terminate from incoming WebSocket messages:

  • lib/util/api.ts:121-129

  • lib/util/api.ts:166-209

  • lib/util/api.ts:220-257

But there is no actual auth check there. You even generate an ETCHER_SERVER_ID in the parent (lib/gui/app/modules/api.ts:195-197), but in the helper it is commented out and unused (lib/util/api.ts:54-56, lib/util/api.ts:65). So we have a root-capable helper controlled over localhost with no real authentication.

Hey @Geogouz

If you found an actual exploit, please reach out to security at balena.io for a safe disclosure.
If it’s just concern about the architecture, I agree with you. I wrote that todo as part of a bigger project that has been put on the back burner, I’ll have another look.
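
A sketch of the check the thread says is missing, as an added example that is not balena's code: the helper refuses the WebSocket upgrade unless the request path carries a per-launch secret. The function names, the /<id> path layout and the way the id reaches the helper are assumptions; only the ETCHER_SERVER_ID name comes from the thread.

```javascript
// Added example (not balena's code): gate a privileged localhost WebSocket
// helper on a per-launch secret before any command handler can be reached.
const nodeCrypto = require('node:crypto');

// Parent (GUI) side: create an unguessable id per launch and hand it to the
// helper, e.g. as ETCHER_SERVER_ID in its environment (assumed transport).
function newServerId() {
  return nodeCrypto.randomBytes(32).toString('hex'); // 256 bits of entropy
}

// Constant-time comparison; hashing first gives timingSafeEqual equal lengths.
function sameSecret(a, b) {
  const h = (s) => nodeCrypto.createHash('sha256').update(String(s)).digest();
  return nodeCrypto.timingSafeEqual(h(a), h(b));
}

// Helper side: decide on the HTTP upgrade request, before a WebSocket exists.
// `req` has the shape of Node's http.IncomingMessage (url, headers, socket).
function authorizeUpgrade(req, expectedId, allowedOrigins = []) {
  const peer = req.socket.remoteAddress;
  if (!['127.0.0.1', '::1', '::ffff:127.0.0.1'].includes(peer)) {
    return { ok: false, status: 403, reason: 'non-loopback peer' };
  }
  // Browsers always send Origin on WebSocket handshakes, so an Origin that is
  // not explicitly allowed means some web page is trying to reach the helper.
  const origin = req.headers.origin;
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { ok: false, status: 403, reason: 'unexpected Origin' };
  }
  // "Path as cheap authentication": the request path must be /<serverId>.
  const presented = new URL(req.url, 'http://localhost').pathname.slice(1);
  if (!expectedId || !sameSecret(presented, expectedId)) {
    return { ok: false, status: 401, reason: 'bad server id' };
  }
  return { ok: true };
}

// Constructed handshake object, for illustration only.
function fakeRequest(url, headers = {}, remoteAddress = '127.0.0.1') {
  return { url, headers, socket: { remoteAddress } };
}
```

Call authorizeUpgrade from the HTTP server's 'upgrade' handler and destroy the socket on any result other than ok, so that an empty or missing id fails closed.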