
WorkerBee2015

macrumors member
Original poster
Jan 23, 2015
41
4
A lot of our customers that have switched to El Capitan are reporting problems, apparently because of rootless mode. Most are running Unix based stuff, which is often put in or uses some of the lower level directories. One of our customers disabled rootless and re-enabled it, and in doing so he claims it destroyed some symbolic links for X windows that had previously been there.

It's beginning to look to me like rootless was not a good idea. I would guess about 15-20% of our customers using El Capitan are complaining.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Even though rootless may be the direct cause in this case, you bring this upon yourself when you are messing with things that are not within your ultimate control. The system owns these directories and they may change whenever you upgrade your system. That’s Apple’s prerogative as the system architect. When you do this then you should try out a system upgrade on a separate partition first before you make the switch.
 

F1Mac

macrumors 65816
Feb 26, 2014
1,283
1,604
Even though rootless may be the direct cause in this case, you bring this upon yourself when you are messing with things that are not within your ultimate control.

You do know a symbolic link is really just an alias right? People used to the Unix environment are not "messing" with anything. Rootless and SIP go completely against the very foundation of OS X.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
You do know a symbolic link is really just an alias right? People used to the Unix environment are not "messing" with anything. Rootless and SIP go completely against the very foundation of OS X.

When it involves system directories, it does. Otherwise SIP wouldn’t stop you. Apple uses these directories and the potential is always there that something breaks. That’s not inherent to SIP. When you install a system upgrade, you are giving Apple blanket permission to overwrite these things.

You do know a symbolic link is really just an alias right? People used to the Unix environment are not "messing" with anything. Rootless and SIP go completely against the very foundation of OS X.

SIP does not go against Unix principles or even the foundation of OS X. There’s ample precedent for restricted root access across Unix and Linux. I learned the other day that OS X used to have a basic kernel level protection since day 1, as part of BSD in fact. They turned that off in Leopard.
 

Shirasaki

macrumors P6
May 16, 2015
16,263
11,764
For those users using Mac OS X as a Mac OS X, SIP may not cause much trouble.

For those users using Mac OS X as a UNIX system, SIP would not be so friendly as it was before.

Apple now may focus more on conventional users using Mac OS X as Mac OS X, not UNIX. So they introduce SIP.

UNIX users should take extra care upon system update, and prepare a test partition to test if their utilities cease working upon system update.

My 2 cents.
 

leman

macrumors Core
Oct 14, 2008
19,521
19,678
There are some clear guidelines where applications should put their stuff in a UNIX system and all SIP does is to enforce these guidelines. Third party software does not belong in /bin. There are of course some issues because UNIX package maintainers do not always follow the guidelines. It will improve in time. Just make sure to install third-party stuff in /usr/local and SIP won't interfere with your experience in any way.

As a user who routinely uses and develops UNIX tools, I think that SIP is a great idea. It prevents me from accidentally damaging my base system. In the last 5 months of using 10.11, I have had not a single issue with SIP, except some minor tools insisting to be installed in the system directories by default (which was trivially fixed).
 

ZVH

macrumors 6502
Apr 14, 2012
381
51
I did a cursory search and as the OP pointed out, problems are clearly beginning to emerge. To summarize my cursory observations, the following will likely be problems:

  1. Many Unix based applications
  2. Most if not all applications that need system process information for some reason
  3. A lot of applications associated with video and audio
  4. Those requiring special access to ports. These can be audio, video, and network devices.

IMHO this is appearing to be a genuine can of worms. Aside from observing the above, there are also a lot of sites advertising how easy it is to hack this. I'm not enough of a programmer to tell what exactly they're doing, but those publishing the info seem to think it's trivial, with one calling this "security" process flat out stupid.

Apple is not a dominant desktop OS, and it's not in the position to dictate. The world isn't going to change just to accommodate Apple, the world will just walk away and go elsewhere.
 

leman

macrumors Core
Oct 14, 2008
19,521
19,678
I did a cursory search and as the OP pointed out, problems are clearly beginning to emerge. To summarize my cursory observations, the following will likely be problems

Would you be so kind as to share some more details on this? SIP should only affect applications that insist on being installed in base OS directories, nothing more. I find the point 2. on your list particularly puzzling (I have had no issues with accessing process information under 10.11).

IMHO this is appearing to be a genuine can of worms. Aside from observing the above, there are also a lot of sites advertising how easy it is to hack this. I'm not enough of a programmer to tell what exactly they're doing, but those publishing the info seem to think it's trivial, with one calling this "security" process flat out stupid.

I would also be interested in seeing these sites. I was not able to find any hack that would work from a user system. But I have to admit that I did not spend much time looking.
 
Reactions: KALLT

MacRobert10

macrumors 6502
Nov 24, 2012
287
46
I found the following article interesting, especially the last paragraph:

http://www.infoworld.com/article/2988096/mac-os-x/sorry-unix-fans-os-x-el-capitan-kills-root.html

The solution for the InfoWorld writer will probably be obvious: Switch to Windows...it just works. "It just works." Where have I heard that before?

Most people will not observe these as security changes, they'll observe them as bugs and signs that the OS is garbage. Look at all the negative feedback that Yosemite got in the App Store because of network problems, not to mention Jony "Stick Figure" Ive's "improvements" to the OS appearance. I also remember a change Apple made to El Capitan where the user now has to use a key sequence to get to the advanced features options for setting display parameters (it's a thread somewhere in this El Capitan section). The guy that wrote that thread rightfully, IMHO, assumed the feature was gone since Apple is on some type of fetish to accommodate the I.Q < 90 class that hungers for videos of Miley Cyrus and thinks Syria is a town in Ohio. Once again, a change not clearly documented.

Rootless mode is a stupid idea. Period. They should have put an option in the security settings to allow someone to enable or disable it and then reboot as needed instead of requiring people to put the system into recovery mode, open up terminal, and then enter a command line command to disable/enable it.

What's an idiot to do? Apparently, switch to Windows....It just works (or so I'm told).
 
Reactions: dmnc

MattZani

macrumors 68030
Apr 20, 2008
2,554
104
UK
If it gets in your way, just disable it, then you'll have the same security as you did in Yosemite.

For the vast majority of OS X users, it's a good thing.
 

Ritsuka

Cancelled
Sep 3, 2006
1,464
969
Lol, switch to Windows, which isn't unix so you will have to use some kind of crappy compatibility environment like mingw or cygwin.
You know what, you can install your unix utilities whenever you want, you don't have to install them in system protected folders. You are seeing issues where there are none.
 
Reactions: KALLT

F1Mac

macrumors 65816
Feb 26, 2014
1,283
1,604
  1. Many Unix based applications
  2. Most if not all applications that need system process information for some reason
  3. A lot of applications associated with video and audio
  4. Those requiring special access to ports. These can be audio, video, and network devices.

IMHO this is appearing to be a genuine can of worms. Aside from observing the above, there are also a lot of sites advertising how easy it is to hack this. I'm not enough of a programmer to tell what exactly they're doing, but those publishing the info seem to think it's trivial, with one calling this "security" process flat out stupid.

Exactly. When it prevents a DAW to properly load drivers/plugins and finally makes it completely useless, don't tell me SIP is a good thing, because for now, it's not, it just gets in the way. I'm not talking obscure third-party stuff here, unless of course Avid, Steinberg, even Apple's own software (!), Native Instruments, Propellerheads, Arturia, etc are not companies we can trust. You disable SIP and magically everything works again. Of course people who use their computer for safari, email and facebook will find that it's actually a great addition that makes sure their computer is um, "protected".:rolleyes:
 

Janichsan

macrumors 68040
Oct 23, 2006
3,126
11,927
  1. Many Unix based applications

I first thought so myself, but my experience as user of various scientific UNIX applications is that none of those I use have any problems with the SIP, and that seems an experience that many other users in similar positions share. In addition, most of the problems with UNIX applications I heard about so far are all pretty easily fixed, unless the application has been developed in total disregard of all best practices.
 
Reactions: KALLT

blipmusic

macrumors 6502
Feb 4, 2011
250
23
Exactly. When it prevents a DAW to properly load drivers/plugins and finally makes it completely useless, don't tell me SIP is a good thing, because for now, it's not, it just gets in the way. I'm not talking obscure third-party stuff here, unless of course Avid, Steinberg, even Apple's own software (!), Native Instruments, Propellerheads, Arturia, etc are not companies we can trust. You disable SIP and magically everything works again. Of course people who use their computer for safari, email and facebook will find that it's actually a great addition that makes sure their computer is um, "protected".:rolleyes:

Honest question: is this because the software in question is taking liberties and/or shortcuts there is no need for in order to operate as "normal"? Someone mentioned e.g. placing binaries etc in directories where they do not necessarily belong in the first place, which comes off as a bad and unnecessary choice.

The only DAW I currently run in 10.11 is Reason 8.1 (granted, it is a special case as plugins do not have to be available system wide). It works fine with a USB-interface most of the time. Occasionally (once every three or four days) I might suddenly get a complete system lock followed by a reboot after 20 seconds or so. Luckily it's mostly noodling and very little recording at the moment so I haven't really lost anything.

In the terminal Homebrew (including homebrew installed python 3) works fine with the newer releases, same for latex (mactex).
 
Reactions: KALLT

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Rootless mode is a stupid idea. Period. They should have put an option in the security settings to allow someone to enable or disable it and then reboot as needed instead of requiring people to put the system into recovery mode, open up terminal, and then enter a command line command to disable/enable it.

The point of rootless is that it cannot be changed at runtime. Disabling it is trivial, you only have to boot into recovery once and can leave it off permanently. The only way to enable it again is by modifying or resetting the NVRAM. Unrestricted root access was never a good idea for a consumer operating system and obtaining that privilege is what most malware is after. Apple used to enforce a restricted root access before Leopard and it’s a philosophy you can find in various UNIX-based systems, including BSD itself.
 

Janichsan

macrumors 68040
Oct 23, 2006
3,126
11,927
Honest question: is this because the software in question is taking liberties and/or shortcuts there is no need for in order to operate as "normal"? Someone mentioned e.g. placing binaries etc in directories where they do not necessarily belong in the first place, which comes off as a bad and unnecessary choice.
I'm wondering that, too. If the applications are really developed in accordance to Apple's guidelines, there shouldn't be any problems with access to system process information, ports, video, audio, whatever.
 

F1Mac

macrumors 65816
Feb 26, 2014
1,283
1,604
Honest question: is this because the software in question is taking liberties and/or shortcuts there is no need for in order to operate as "normal"? Someone mentioned e.g. placing binaries etc in directories where they do not necessarily belong in the first place, which comes off as a bad and unnecessary choice.

I can't give you a definite answer. But what I'm wondering is how come Logic Pro X (made by this small company called Apple Inc iirc...) has trouble? Do you think Apple's own software took liberties and/or shortcuts in order to operate as normal?

...I don't use Logic myself and I had no problem with my Audio Units in Digital Performer for example. But there are plenty of reports in various audio forums. I like to think the Steinberg, Native Instruments or Propellerheads developers know what they're doing.
 

Janichsan

macrumors 68040
Oct 23, 2006
3,126
11,927
I can't give you a definite answer. But what I'm wondering is how come Logic Pro X (made by this small company called Apple Inc iirc...) has trouble? Do you think Apple's own software took liberties and/or shortcuts in order to operate as normal?

...I don't use Logic myself and I had no problem with my Audio Units in Digital Performer for example. But there are plenty of reports in various audio forums. I like to think the Steinberg, Native Instruments or Propellerheads developers know what they're doing.
But it is Logic itself that has the problems? From what I gathered, it's rather the third-party plug-ins/hardware drivers that cause the trouble.
 
Reactions: KALLT

chrfr

macrumors G5
Jul 11, 2009
13,709
7,280
I can't give you a definite answer. But what I'm wondering is how come Logic Pro X (made by this small company called Apple Inc iirc...) has trouble? Do you think Apple's own software took liberties and/or shortcuts in order to operate as normal?
Any issues Logic Pro is having are not due to SIP/rootless. If add-ons are not installed in Apple-approved locations, or are not whitelisted (and there is an SIP whitelist at /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths) by Apple, then they're going to have compatibility problems.
Audio application developers have never rushed to support new OS releases on either Windows or OS X, and Apple has circumvented their own rules for their own software for years.
 
Reactions: KALLT
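
An added example, not part of any post in this thread: a pre-flight check that flags install paths falling under protected system prefixes, following the /usr/local advice and the path whitelist mentioned above. The rule list is constructed, and its layout (tab-separated, leading `*` marks a writable exception) and the prefixes chosen are assumptions for illustration.

```python
import posixpath

# Constructed sample rule list (assumption: one rule per line, "*" in the
# first column marks an exception that stays writable). Not copied from
# a real system.
SAMPLE_RULES = """\
\t/System
\t/bin
\t/sbin
\t/usr
*\t/usr/local
"""

def parse_rules(text):
    """Return {normalized_path: is_protected} from a rule list."""
    rules = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        is_exception = line.startswith("*")
        path = line.split("\t")[-1].strip()
        rules[posixpath.normpath(path)] = not is_exception
    return rules

def is_protected(path, rules):
    """Longest-prefix match on whole path components.

    normpath collapses ".." lexically; symbolic links are NOT resolved,
    so a link that points into a protected tree is not detected here.
    """
    path = posixpath.normpath(path)
    best, verdict = -1, False
    for prefix, protected in rules.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if len(prefix) > best:
                best, verdict = len(prefix), protected
    return verdict

def audit_payload(paths, rules):
    """Return the install paths that land in a protected location."""
    return [p for p in paths if is_protected(p, rules)]

# Constructed installer payload, including two easy-to-miss cases:
# a ".." that escapes /usr/local and a sibling that merely shares its prefix.
SAMPLE_PAYLOAD = [
    "/usr/local/bin/mytool",
    "/usr/bin/mytool",
    "/Library/Audio/Plug-Ins/Components/Synth.component",
    "/usr/local/../lib/libfoo.dylib",
    "/usr/localbin/x",
    "/System/Library/Extensions/Foo.kext",
]

if __name__ == "__main__":
    for p in audit_payload(SAMPLE_PAYLOAD, parse_rules(SAMPLE_RULES)):
        print("would be blocked:", p)
```
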

xgman

macrumors 603
Aug 6, 2007
5,697
1,425
Basically Rootless Off = back to Yosemite. For me not a big deal. For Grandma and kids, I'd leave it on.
 

b0fh666

macrumors 6502a
Oct 12, 2012
957
786
south
I'm having zero problems with SIP in el crapitan. first thing I did was disable it and now everything works as before.
actually, i have one problem... my recovery partitions refuse to boot for some reason had to use a flash drive.
 

F1Mac

macrumors 65816
Feb 26, 2014
1,283
1,604
Any issues Logic Pro is having are not due to SIP/rootless.

Yeah well, but the auvaltool in 10.11 can't scan plugins properly and it makes LPX crash/hang. Users have to disable SIP in order to make this work because they have to use an older version of auvaltool in /usr/bin... Apparently 10.11.1 fixes the issue, doesn't seem to me that third-party developers are at fault here.
 

rnbwd

macrumors regular
Jul 6, 2015
111
38
Seattle
When I switched from hosting a site on Debian to Ubuntu, I was confused b/c I wasn't allowed to run a server from any folder in the fs. When I switched to coreos, I was really confused by the relative absence of an OS and what tools I was limited to was determined by what was included by default.

I've consistently used /usr/local/ for all of my unix/linux scripts - and switching to El Capitan had virtually no impact on my work environment. For the last 2 years I've consistently been told to only use the /usr/local folder for dependencies. In retrospect maybe that was apple subtly warning us about SIP... Just wanted to point out that OS X isn't the only unix based OS that has weird permissions on system folders, even if nobody else took out root, it's a very manageable situation. They didn't fundamentally change anything that an app couldn't modify to not break in SIP. Disabling SIP should be a temporary hack to get old software running, not some sort of standard any dev should rely on for their app.
 