At its core, CCC is a product that is designed to make backups of your Mac's user data, applications and system settings. In order for CCC to be able to make copies of system files (e.g. user accounts), CCC needs to have the privilege of copying files that can't be read or written by just any user. Likewise, CCC is often tasked with copying the data associated with multiple users. macOS prevents you from accessing files that belong to other users. If you, as the administrator of the Mac, want CCC to back up everybody's files, then again, CCC requires elevated privileges.
Acquiring elevated privileges on macOS
There are a few different ways to perform a task on macOS with elevated privileges. The simplest – and least secure – method to do this would be to prompt the user to authenticate when he opens the application, and then relaunch the application as the "root" user. The application would then have all of the privileges it needs. This would grant far too much privilege, though, because it also gives the user (or malware that is exploiting the application) privileged access to other users' files.
A better way to securely acquire elevated privileges is to isolate the code that requires those privileges into a separate, "faceless" application. This is a common practice known as privilege separation. Even here, though, there is a right way and a wrong way for the isolated application to gain elevated privileges. The antiquated technique is for the parent application to ask for administrator authentication, then launch the faceless application as root. Apple specifically discourages this practice as well.
Adhering to a higher standard of security
Starting in Mac OS X 10.6 (Snow Leopard), Apple introduced a more secure paradigm for performing tasks with elevated privileges. Rather than blindly granting privileged access to an application, developers can ask the system to install a "privileged helper tool". macOS then invokes the privileged helper tool on demand, and the calling application can only communicate with the helper when it has met stringent requirements:
- The calling application and the privileged helper tool must be code signed (and valid)
- The calling application must be one of the applications that is specifically approved to make requests to that specific helper
- The calling application must have a valid authorization reference
These requirements prevent unauthorized use of the helper tool and they prevent maliciously modified applications from making requests to the helper tool.
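As an added example (not CCC's code, and assuming the mechanism is Apple's SMJobBless, which this page does not name), the script below checks the Info.plist declarations through which an app and its helper approve each other. The bundle identifiers and team ID are constructed placeholders, and the helper's label is assumed to equal its CFBundleIdentifier.

```python
import plistlib
import re

# Constructed sample data: bundle identifiers and team ID are placeholders.
TEAM = 'certificate leaf[subject.OU] = "ABCDE12345"'
APP_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.example.backupapp",
    "SMPrivilegedExecutables": {
        "com.example.backupapp.helper":
            f'identifier "com.example.backupapp.helper" and anchor apple generic and {TEAM}',
    },
})
HELPER_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.example.backupapp.helper",
    "SMAuthorizedClients": [
        f'identifier "com.example.backupapp" and anchor apple generic and {TEAM}',
    ],
})

def pinned_identifier(requirement):
    """Return the bundle identifier a requirement string pins, or None."""
    match = re.search(r'identifier\s+"([^"]+)"', requirement)
    return match.group(1) if match else None

def check_pairing(app_info, helper_info):
    """Return a list of problems in the app/helper trust declarations."""
    app, helper = plistlib.loads(app_info), plistlib.loads(helper_info)
    app_id, helper_id = app.get("CFBundleIdentifier"), helper.get("CFBundleIdentifier")
    problems = []

    # The app must name the helper and state the signature it expects.
    helper_req = app.get("SMPrivilegedExecutables", {}).get(helper_id)
    if helper_req is None:
        problems.append("app does not list the helper in SMPrivilegedExecutables")
    # The helper must approve this specific app as a caller.
    clients = helper.get("SMAuthorizedClients", [])
    if not any(pinned_identifier(c) == app_id for c in clients):
        problems.append("helper does not list the app in SMAuthorizedClients")
    # A requirement with no identifier or no anchor would match far too much code.
    for req in ([helper_req] if helper_req else []) + clients:
        if pinned_identifier(req) is None or "anchor" not in req:
            problems.append(f"requirement too loose: {req!r}")
    return problems

if __name__ == "__main__":
    print(check_pairing(APP_INFO, HELPER_INFO) or "pairing is consistent")
```

This only checks that the declarations agree; macOS itself validates the actual code signatures against these requirement strings.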
CCC has leveraged a privileged helper tool since CCC v3 and Mac OS X Snow Leopard – right from the start.