Trusted Path Execution (TPE)
TPE is an ASL feature that prevents users from executing binaries that are not owned by the root user or a trusted user, or that are world-writable or writable by an untrusted user. This is useful to prevent users from uploading and executing their own malicious binaries, or from accidentally executing world-writable or untrusted-user-writable system binaries and scripts that could have been modified by a malicious user. This security feature in ASL prevents a whole category of exploits in which a malicious user tries to execute his or her own code to compromise the system.
This feature is best thought of as a "defense in depth" measure that makes both uploading malware and backdooring applications on the system harmless: the uploaded malware can't be executed, and backdoored code can't be executed either, because the file it lives in has been configured insecurely (wrong owner or writable permissions). This also makes privilege escalation harder when an account restricted by TPE is compromised, as the attacker won't be able to execute custom binaries, scripts and other tools which are either not in the trusted path or are not owned by a trusted user. This feature can also prevent race conditions on code executed by non-root users.
Replacing world-writable or group-writable files or scripts is a well-known and very old attack, and TPE prevents it from being exploited.
TPE is enabled by default, and can be controlled via this setting in ASL:
In ASL, TPE can be used in one of two modes, selected by the group policy via this setting:
Unless Deny, Allow
This setting, the default, applies TPE only to users defined in ASL. This means that unless a user is in the "untrusted" group, the user is trusted and TPE is not applied.
Do not put root in the untrusted group.
Unless Allow, Deny
This setting causes TPE to be applied to all users unless they are on the "trusted" list. This means that unless a user is in the "trusted" group, the user is untrusted and TPE is applied.
ALWAYS put root in the trusted group.
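The two policies and the path check described above, as an added example that models the decision logic; this is not ASL's own code. The policy names, the `trusted`/`untrusted` sets and the `trusted_uids`/`trusted_gids` sets are assumptions made for the example, and "writable by an untrusted user" is modelled as group-writable by a group not in `trusted_gids`.

```python
import os
import stat

ROOT_UID = 0

# Constructed policy identifiers for the two ASL modes (not ASL's real setting values).
UNLESS_DENY_ALLOW = "unless_deny_allow"   # default: only users in "untrusted" are restricted
UNLESS_ALLOW_DENY = "unless_allow_deny"   # everyone restricted except users in "trusted"


def tpe_applies(user: str, policy: str, trusted: set[str], untrusted: set[str]) -> bool:
    """Return True if TPE restrictions apply to `user` under the given group policy."""
    if policy == UNLESS_DENY_ALLOW:
        return user in untrusted
    if policy == UNLESS_ALLOW_DENY:
        return user not in trusted
    raise ValueError(f"unknown TPE policy: {policy}")


def binary_is_trusted(uid: int, gid: int, mode: int,
                      trusted_uids: set[int], trusted_gids: set[int]) -> bool:
    """Path check: owner must be root or a trusted user, and the file must not be
    world-writable nor writable by an untrusted group (assumed model)."""
    if uid != ROOT_UID and uid not in trusted_uids:
        return False
    if mode & stat.S_IWOTH:          # world-writable: anyone could have replaced it
        return False
    if mode & stat.S_IWGRP and gid not in trusted_gids:
        return False                 # group-writable by a group we do not trust
    return True


def tpe_allows_exec(user: str, policy: str, trusted: set[str], untrusted: set[str],
                    uid: int, gid: int, mode: int,
                    trusted_uids: set[int], trusted_gids: set[int]) -> bool:
    """Combine both checks: unrestricted users always run; restricted users only
    run binaries that pass the trusted-path check."""
    if not tpe_applies(user, policy, trusted, untrusted):
        return True
    return binary_is_trusted(uid, gid, mode, trusted_uids, trusted_gids)


def audit_path(path: str, trusted_uids: set[int], trusted_gids: set[int]) -> bool:
    """Defender-side check: would a restricted user be allowed to execute this real file?"""
    st = os.stat(path)
    return binary_is_trusted(st.st_uid, st.st_gid, st.st_mode, trusted_uids, trusted_gids)
```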