MacOS – Hardening Time Machine Security

Tags: backup, macos, permission, security, time-machine

In the face of the news that there is now ransomware for Mac in the wild, I thought about the security of my Time Machine backups.

Permissions

First, I had a look at the permissions of the files that reside on my Time Capsule, which are the following:

Data directory:

- User (unknown): Read & Write
- Group (everyone): Read & Write

Individual sparsebundles (one per backed-up computer) within the Data directory:

- User (unknown): Read & Write
- Group (staff): Read & Write
- Group (everyone): Read & Write

It seems that there is room for improvement here. First, I don't understand why an Unknown user is listed. Is there any reason for this or can I delete this item?
Second, is there any necessity to give Read and Write Permissions to "everyone" and "staff"?

If I understand correctly, Time Machine Backups are run by the backupd process, which, on my computer, runs as user root. So it seems that only the root user is required to have Read & Write access. Is that correct? Could I delete the existing permissions and add user "root" with Read & Write permissions?

Lastly, would this change provide a further line of defence against ransomware? If a ransomware runs as a normal user X and does not gain root, it could encrypt all files to which X has write access, but it could not encrypt Time Machine backups, because only root has access to them. Is this line of reasoning correct?

Running OSX El Capitan, 10.11.3.

Best Answer

Update after discussion with bmike (see below)

During an actual Time Machine backup, backupd mounts two shares: /Volumes/Whatever and /Volumes/Time Machine Backups. While the former cannot be accessed by a non-root user, the latter can. It is indeed possible to clear ACLs of files and overwrite them subsequently. So the security issue is wide open.

Original answer

Thinking a little more about the underlying mounting system, I came to the view that my original question contained a misguided assumption, the removal of which perhaps makes the question obsolete. I decided to write an answer instead of removing the question for the benefit of the equally misguided.

When I checked the permissions of my sparsebundle files, I manually mounted the Time Capsule disk. Because I mounted the disk as a normal user, this user became the owner of the mount-point (checking in the terminal, I can see that my user account is the owner of the mount-point, "staff" being the group).

Now my assumption (which was not transparent to me) was that if Time Machine mounts the disk during a backup session, it would be present in the system just as if I had mounted it manually. But this is wrong. Since backupd runs as root, the mount-point belongs to root (checking in the terminal, the owner is "root", the group is "wheel", group and world having no rights), and thus a process belonging to a normal user would not be able to encrypt files on a Time Machine disk mounted by backupd.

Thus, in a Time Capsule setup there does not seem to be, for the moment, a danger of ransomware encrypting the backup. However, it might be different with a locally connected external hard drive. I vaguely remember that when I still used an external hard drive, I could see the Time Machine partition as mounted in Finder (something I do not see now) and thus it might be mounted with user rights. I cannot test this, as I don't have an external Time Machine hard drive, but maybe someone else can say something about this.
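The ownership and ACL check the answer describes doing by hand in the terminal can be scripted. The following is an added example, not code from the question or the answer; it assumes macOS `ls -le` output (ACL entries printed under each path) and a hypothetical share layout of a Data directory holding one sparsebundle per machine.

```shell
#!/bin/sh
# Added example (not from the question or answer). Audits the ownership,
# POSIX mode and ACLs of Time Machine paths the way the answer describes
# doing by hand in the terminal. Assumes macOS `ls -le`, which prints ACL
# entries under each path; listings used for testing are constructed.

# Succeeds (exit 0) only if the listing is owned by root, grants no POSIX
# write bit to group or others, and has no ACL entry that lets the
# "everyone" or "staff" group write, add or delete.
tm_listing_is_root_only() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        NR == 1 {
            mode = $1; owner = $3
            if (owner != "root") bad = 1
            # position 6 is the group write bit, position 9 the others write bit
            if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") bad = 1
            next
        }
        /^ *[0-9]+: / {
            # ACL entry line: "<n>: <principal> allow|deny <perm,perm,...>"
            principal = $2; verb = $3; perms = $4
            if (verb == "allow" &&
                (principal == "group:everyone" || principal == "group:staff") &&
                perms ~ /(^|,)(write|add_file|add_subdirectory|delete|delete_child|append)(,|$)/)
                bad = 1
        }
        END { exit bad }
    '
}

# Walk a mounted Time Machine volume: the mount point, its Data directory and
# every sparsebundle inside it (hypothetical layout; adjust to your share).
audit_tm_volume() {
    vol="$1"; rc=0
    for p in "$vol" "$vol/Data" "$vol"/Data/*.sparsebundle; do
        [ -e "$p" ] || continue
        if tm_listing_is_root_only "$(ls -led "$p")"; then
            printf 'root-only  %s\n' "$p"
        else
            printf 'WRITABLE   %s\n' "$p"; rc=1
        fi
    done
    return "$rc"
}
```

Run `audit_tm_volume "/Volumes/Time Machine Backups"` while a backup is in progress to see which paths a non-root process could still write to.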