Rootless mode is beginning to cause problems

[leman]

For the last 2 years I've consistently been told to only use the /usr/local folder for dependencies. In retrospect maybe that was apple subtly warning us about SIP... Just was wanted to point out that OS X isn't the only unix base OS that has weird permissions on system folders, even if nobody else took out root, it's a very manageable situation.

Even more, Apple has explicitly communicated — around 10.9 release at latest — that support for unsigned kexts will be dropped, and that support for installing third-party stuff in system folders might be dropped. So this should not really be a surprise.

Commenting on that funny article MacRobert10 linked above: signing a kext literally takes a few minutes. And again, Apple has been asking developers to sign their kexts since at least 2013. If you buy a 2.5k piece of equipment and the developer does not even bother to sign the kext, then you should complain about the lack of support from the developer side, and not from Apple.

 

[BradHatter]

Even more, Apple has explicitly communicated — around 10.9 release at latest — that support for unsigned kexts will be dropped, and that support for installing third-party stuff in system folders might be dropped. So this should not really be a surprise.

Commenting on that funny article MacRobert10 linked above: signing a kext literally takes a few minutes. And again, Apple has been asking developers to sign their kexts since at least 2013. If you buy a 2.5k piece of equipment and the developer does not even bother to sign the kext, then you should complain about the lack of support from the developer side, and not from Apple.

You mean all these "small timers" like Adobe? A lot of people don't sign their stuff. I'd venture to say more people don't sign them than do sign them. Also, any apps developed prior to the signing began will still register a warning.

As an interesting side note, one developer with a full developers account was finally kicked out of the App Store. It seems he was taking copyrighted material, putting a wrapper around it, and then selling it as his own stuff. He finally got caught - a few years later and after having apparently done this over 600 times.

Now that's security!

 

[Janichsan]

You mean all these "small timers" like Adobe? A lot of people don't sign their stuff. I'd venture to say more people don't sign them than do sign them. Also, any apps developed prior to the signing began will still register a warning.

Adobe apparently has stopped caring about proper development for OS X years ago. Just remember how long it took them to finally drop Carbon. Or support 64bit on Macs.

As an interesting side note, one developer with a full developers account was finally kicked out of the App Store. It seems he was taking copyrighted material, putting a wrapper around it, and then selling it as his own stuff. He finally got caught - a few years later and after having apparently done this over 600 times.

Now that's security!

No, that's copyright infringement. When the bootlegged apps where properly signed and sandboxed, that has nothing to do with security.

Try to see it that way: when even a shifty low-life of a bootlegger manages to properly sign his apps, why shouldn't actually legitimate and competent developers be able to do it?

 

[BradHatter]

Adobe apparently has stopped caring about proper development for OS X years ago. Just remember how long it took them to finally drop Carbon. Or support 64bit on Macs.


No, that's copyright infringement. When the bootlegged apps where properly signed and sandboxed, that has nothing to do with security.

Try to see it that way: when even a shifty low-life of a bootlegger manages to properly sign his apps, why shouldn't actually legitimate and competent developers be able to do it?

Perhaps Adobe (and others) have recognized that some people still use older OS versions that don't even recognize the signing. If I recall correctly some variants of Leopard and Snow Leopard will "choke" on the code signing. Additionally, its quite possible that they're doing their Mac development using Xcode 3 since it can still support older OSes as well as newer OS versions without code changes. Snow Leopard still constitutes about 10% of the user base. If you expect a developer to tell 10% of his customers to essentially stuff it and update or get new systems to accommodate Apple, you're crazy.

It is not the worlds duty to accommodate Apple, it's the opposite….unless they're really interested in going out of business.

 

[leman]

Perhaps Adobe (and others) have recognized that some people still use older OS versions that don't even recognize the signing.

Nope, Adobe and most other big software companies (like IBM etc.) simply don't care about writing proper, beautiful software. They are big enough to create a drug-like dependency for their users, so they don't need to bother with doing a proper job. I am not installing things like Acrobat, Lotus Notes, Citrix or MS Office on my computer, because they literally pile my computer with garbage. I need to run Notes and Citrix because of my job, but I only run it within a virtual machine. Apple manages to put en entire server package as well as a full development tree within application bundles, there is absolutely no reason why Adobe or MS can't do the same, except laziness. And of course, the fact that their codebase is a huge pile of legacy, bloated mess.

In fact, I wish for big software corporations like these, who parasite on their customers, to disappear. A small company is more then capable to produce a really good tool, and do a much better job as far as interests of the user are concerned. My prime example is Pixelmator.

 

[ethanwa79]

Here's the thing folks... Apple does not sell OS X as a "flavor" of Unix, it only says it's built on top of it. They can modify it any way they wish.

OS X != Unix. If you want rootless, GO USE UNIX.

It's like you guys are using Samsung Galaxy phones and are complaining you aren't getting the 100% clean Android OS. Of course you aren't! It's from Samsung! If you want clean Android you go to Google. If you want clean Unix you go to one of the Open Source distros.

 

[tampageek]

Why should anyone have to use all these workarounds just to get their computer to work properly? The mere fact that any of this is necessary says a lot about where Apple is headed - and it's not pretty. I agree with some other comments here that the yearly update schedule is not working out because by the time they get an OS to work, they change it.

I for one, don't see the benefit of a few extra features as a worthwhile trade-off for all the problems SIP is causing. It seems that trying to wall off a major part of the OS is a very bad idea. As for it being a "security" feature, that's a joke. Sounds like a lot of people are turning it off. And even with it on, I find it hard to believe that it really stops anything but functionality of the machine.

Yosemite is not great, but at least my computer still works without me having to spend all my time in terminal.

Just my 2 cents worth.

 

[KALLT]

Here's the thing folks... Apple does not sell OS X as a "flavor" of Unix, it only says it's built on top of it. They can modify it any way they wish.

OS X != Unix. If you want rootless, GO USE UNIX.

OS X is still UNIX. El Capitan conforms to the Single UNIX Specification. There are so many versions of UNIX-based systems that you probably can’t even speak of a singular UNIX anymore.

Why should anyone have to use all these workarounds just to get their computer to work properly? The mere fact that any of this is necessary says a lot about where Apple is headed - and it's not pretty. I agree with some other comments here that the yearly update schedule is not working out because by the time they get an OS to work, they change it.

I for one, don't see the benefit of a few extra features as a worthwhile trade-off for all the problems SIP is causing. It seems that trying to wall off a major part of the OS is a very bad idea. As for it being a "security" feature, that's a joke. Sounds like a lot of people are turning it off. And even with it on, I find it hard to believe that it really stops anything but functionality of the machine.

Yosemite is not great, but at least my computer still works without me having to spend all my time in terminal.

Just my 2 cents worth.

Most of these problems are transitional. As leman said, Apple has discouraged the use of system-owned directories for years and it is this software that has the most problems now. I personally can’t understand the fuss so much, when Apple does things like these all the time. Universal binaries, Rosetta, XQuartz, Java, Flash. When you really depend on these things then I’m seriously wondering why you would update so quickly, especially since Apple does maintain support for the older version for some time. OS X is inherently unstable with its short update intervals.

 

[2984839]

I found the following article interesting, especially the last paragraph:

http://www.infoworld.com/article/2988096/mac-os-x/sorry-unix-fans-os-x-el-capitan-kills-root.html

The solution for the InfoWorld writer will probably be obvious: Switch to Windows...it just works. "It just works." Where have I heard that before?

Most people will not observe these as security changes, they'll observer them as bugs and signs that the OS is garbage. Look at all the negative feedback that Yosemite got in the App Store because of network problems, not to mention Jony "Stick Figure" Ive's "improvements" to the OS appearance. I also remember a change Apple made to El Capitan where the user now has to use a key sequence to get to the advanced features options for setting display parameters (it's a thread somewhere in this El Capitan section). The guy that wrote that thread rightfully, IMHO, assumed the feature was gone since Apple is on some type of fetish to accommodate the I.Q < 90 class that hungers for videos of Miley Cyrus and thinks Syria is a town in Ohio. Once again, a change not clearly documented.

Rootless mode is a stupid idea. Period. They should have put an option in the security settings to allow someone to enable or disable it and then reboot as needed instead of requiring people to put the system into recovery mode, open up terminal, and then enter a command line command to disable/enable it.

What's an idiot to do? Apparently, switch to Windows....It just works (or so I'm told).

That article is full of problems. OS X is not locking out the root user, nor is preventing root from having unfettered access something new. BSD has prevented root from doing certain things (such as changing files with the immutable flag) going all the way back to the Berkeley releases. The modern BSDs prevent root from lowering the securelevel, and OpenBSD's new pledge() system call is not something that root can disable either, nor can programs running with root privileges bypass it.

Allowing this to be easily turned off at runtime is a bad idea. It's hard to do that securely, if not impossible, and security that can be turned off is not security. Look at all the people who disable SELinux or complain that grsecurity broke something and stop using it. The better solution is to make it the default and tell developers to fix their programs.

 

[leman]

Here's the thing folks... Apple does not sell OS X as a "flavor" of Unix, it only says it's built on top of it. They can modify it any way they wish.

OS X != Unix. If you want rootless, GO USE UNIX.

I think you (and some other people) are fundamentally confused in regards to this. Being UNIX does not mean that you can change everything, it merely means that your OS is built around a certain set of well-defined abstractions and behaviours. I think because of popularity of Linux systems, which like to advertise themselves as being infinitely configurable (which is quite funny in itself), people have this particular view of what a unix system should be. However, UNIX is not Linux and Linux is not necessarily UNIX. OS X however, is UNIX, because it is build around one of the few proper UNIX implementations (FreeBSD).

In the end, it is the matter of picking the right tool. Need to modify the base system, recompile the kernel, do all kind of low-level wizardry? OS X is not for you — use a suitable Linux distro. OS X is built around standardised behaviour and it enforces this behaviour both on the developer and the user. This is a good thing(tm), because it makes software behave in a predictable way.

Why should anyone have to use all these workarounds just to get their computer to work properly? The mere fact that any of this is necessary says a lot about where Apple is headed - and it's not pretty ... And even with it on, I find it hard to believe that it really stops anything but functionality of the machine.

You won't even notice that SIP is activated unless you are using software that is badly written, software that hacks system components or software that violates OS X development guidelines. Simple as that. And SIP does not prevent any noteworthy functionality, unless by functionality you mean "its my computer, so I am entitled to modifying anything I want". As I have said before, if that is your argument, then OS X is simply not for you and never has been.

I for one, don't see the benefit of a few extra features as a worthwhile trade-off for all the problems SIP is causing. It seems that trying to wall off a major part of the OS is a very bad idea. As for it being a "security" feature, that's a joke. Sounds like a lot of people are turning it off.

SIP is not causing any problems, badly written and outdated software is. It does not wall off a major part of the OS, it isolates the core system from the third party, user-managed tools. Which is btw the fundamental design of UNIX systems and the traditional role of the root user. Unfortunately, nowadays the root user is often abused, which makes more strict security measures necessary. And the truth is: Apple is right. There is absolutely reason for anyone to write to most locations protected by SIP*, unless you want to change the core behaviour of the OS (i.e. — hack it). The only people who are really hurt by SIPs are hackers (used here in two ways — both people who want to hack your computer and people that want to hack their own computer). Yeah, some programs might have issues because of the lazy coding. This will be fixed in time. Apple is big enough to enforce it. And better written software = happier user.

Finally, minor complaints on the forums does not mean that a lot of people are turning it off

*An orthogonal issue is of course whether SIP protects all the relevant locations and whether all locations protected by SIP are relevant. It can be that it also locks out some stuff that should remain accessible. However, I have been using 10.11 since early summer, I work almost exclusively with UNIX-based tools and UNIX development, databases, a lot of in-house developed software etc. and as said before, I never even noticed that SIP was there.

 

[MacRobert10]

You're missing my points completely, namely that Apple Mac's comprise a small market share and they're not in a position to dictate. Unless a developer develops explicitly for Mac's, Mac's will likely be "back burner" projects...don't rush to fix them...or maybe not even bother. The more Apple alienates developers, the fewer applications will be developed for Macs, and then there will be little need for anyone to own a Mac.

Even at Apple the Mac is now treated almost like a second class citizen.

 

[pastrychef]

You're missing my points completely, namely that Apple Mac's comprise a small market share and they're not in a position to dictate. Unless a developer develops explicitly for Mac's, Mac's will likely be "back burner" projects...don't rush to fix them...or maybe not even bother. The more Apple alienates developers, the fewer applications will be developed for Macs, and then there will be little need for anyone to own a Mac.

Even at Apple the Mac is now treated almost like a second class citizen.

It makes no sense to change an operating system and/or weaken security because developers can't program properly.

Can you imagine what a mess of an operating system would be if Apple changed OS X every time there is an app that breaks the rules?

 

[leman]

You're missing my points completely, namely that Apple Mac's comprise a small market share and they're not in a position to dictate. Unless a developer develops explicitly for Mac's, Mac's will likely be "back burner" projects...don't rush to fix them...or maybe not even bother. The more Apple alienates developers, the fewer applications will be developed for Macs, and then there will be little need for anyone to own a Mac.

For large developers like Adobe, Mac has been low priority for years. Which makes perfect sense. Professional photo editor? Get a PC, better bang for buck, better performance, more stable. And still, Mac market share is raising. The strength of Macs and what makes them attractive is that they are versatile, jack-of-all trades machines.

And yet, companies like Adobe, MS and the like, support OS X. Sure, right now there are still some bugs here and there, but give it a few month and most of them will be fixed. Just like every year.

Even at Apple the Mac is now treated almost like a second class citizen.

Nonsense. OS X and Mac development is now active and thriving more than it ever has been. Yeah, Apple makes most of its money with iOS and services. But I don't see a single indication that they are neglecting Macs. Quite in contrary.

 

[howiest]

This is an excellent thread thus far.
Although I've been holding off on upgrading to El Capitan until there's a few more refinements (I'm doing the same with iOS 9), it is this kind of info that will help me to move away from Yosemite in a more informed way.
Good stuff people.

 

[rnbwd]

FYI, Linux != Unix either. Is unix even an OS? Or is it a standard from the 70's? There's still programs which run in the terminal that are decades old, OS X and Linux - the same can't be said true for windows. If my history is correct, 'Unix' has never been fully implemented in an OS. I'm not saying that OS X is some unix masterpiece - but 95% of my command line programming was learned from debian wheezy / raspbian. There are more differences in between frameworks in the same programming language than there are differences in the FS / UNIX style OS that runs Apple's

 

[Janichsan]

Perhaps Adobe (and others) have recognized that some people still use older OS versions that don't even recognize the signing. If I recall correctly some variants of Leopard and Snow Leopard will "choke" on the code signing. Additionally, its quite possible that they're doing their Mac development using Xcode 3 since it can still support older OSes as well as newer OS versions without code changes. Snow Leopard still constitutes about 10% of the user base. If you expect a developer to tell 10% of his customers to essentially stuff it and update or get new systems to accommodate Apple, you're crazy.

If you haven't noticed yet: Adobe has told these 10% of their customers to stuff it a long time ago: none of their current applications still supports Snow Leopard, let alone Leopard. The most recent versions even require 10.9 or later. The same is true for virtually every other professional application.

 

[m4v3r1ck]

This is an excellent thread thus far.
Although I've been holding off on upgrading to El Capitan until there's a few more refinements (I'm doing the same with iOS 9), it is this kind of info that will help me to move away from Yosemite in a more informed way.
Good stuff people.

+1 100% agreed, I'm holding off too untill OSX 10.11.1/2. Indeed a great thread, thanks to all the techie explorers here on MR!

Cheers

 

[tampageek]

You won't even notice that SIP is activated unless you are using software that is badly written, software that hacks system components or software that violates OS X development guidelines. Simple as that. And SIP does not prevent any noteworthy functionality, unless by functionality you mean "its my computer, so I am entitled to modifying anything I want". As I have said before, if that is your argument, then OS X is simply not for you and never has been....


While I agree with some of your points, the part about users not having full access to their machines because  says so - is livestock-poop.

I use both Windows and MAC and don't think either company has the right to sell me a product and then drastically change the way I am "allowed" to use it. Call me suspicious, but in this day and age, I find it hard to believe that so-called new "security features" are really designed to help "protect" the user. Windows 10 is has become little more than an advanced spying/data collection tool, and with El Cap,  holds the keys to the core of OS X. How do I know who else they're unlocking that door for? IMHO no tech company can be blindly taken at their word when it comes to potential back doors - I don't care what they say in their press releases. Lying and/or distorting the truth seems to be built-in to the corporate mentality, especially when it comes to controlling access to hard drives and data.

 

[leman]

Call me suspicious, but in this day and age, I find it hard to believe that so-called new "security features" are really designed to help "protect" the user. Windows 10 is has become little more than an advanced spying/data collection tool, and with El Cap,  holds the keys to the core of OS X. How do I know who else they're unlocking that door for? IMHO no tech company can be blindly taken at their word when it comes to potential back doors - I don't care what they say in their press releases. Lying and/or distorting the truth seems to be built-in to the corporate mentality, especially when it comes to controlling access to hard drives and data.

You are changing the topic. The issue of trust is a fundamental one. And it has nothing to do with rootless or not rootless. I choose to rather trust Apple in this matters because I think, based on how they have acted in the past, that they are telling the truth when they say that they take privacy issues seriously. Compare it to MS who flatly says 'we reserve the right to do anything we want with your private data'.

While I agree with some of your points, the part about users not having full access to their machines because  says so - is livestock-poop. I use both Windows and MAC and don't think either company has the right to sell me a product and then drastically change the way I am "allowed" to use it.

Now again this is the silly "it's my computer so I should be able do with it as I please" argument I was talking about earlier. If SIP pisses you off that much, you are free to turn it off. Apple gives you a tool to do it and the steps are clearly documented by Apple itself: https://developer.apple.com/library...ion/ConfiguringSystemIntegrityProtection.html

They are not — in any way — changing the way how you are allowed to use your machine, nor are they disabling you access to parts of it. What they do is plain and simple enforce a series of best practices. Again, unless you are interested in hacking the operating system, you do not need access to the directories protected by SIP.

 

[2984839]

Apple owns the operating system running on your computer, not you. This is very clear from the license agreement.

Their motives for SIP may also include preventing 3rd parties from being able to do what they want, but that's what happens when you allow strangers to own your OS. Plenty of other operating systems are available. On the other hand, it does provide at least some security benefit, and turning it on by default is the right choice.

edit: The quote disappeared, but this was in response to @tampageek

 

[2984839]

It makes no sense to change an operating system and/or weaken security because developers can't program properly.

Can you imagine what a mess of an operating system would be if Apple changed OS X every time there is an app that breaks the rules?

Exactly. It reminds me of when OpenBSD turned ASLR, W^X, and other protections on by default. Everything started breaking and people complained. It exposed a lot of bugs in programs that nobody knew were there. They got fixed, and now you can run those programs on an ASLR, W^X, etc enabled system. If you could just turn it off, people would see that Firefox crashes, turn off ASLR, and that would be it. Nothing would get fixed and they wouldn't have any security benefit.

The operating system should do the right thing*, not work around crappy software. Developers of 3rd party software should fix it if it doesn't work.

*whether SIP is effective and the right way to go or not is a different discussion

 

[tampageek]

You are changing the topic. The issue of trust is a fundamental one. And it has nothing to do with rootless or not rootless. I choose to rather trust Apple in this matters because I think, based on how they have acted in the past, that they are telling the truth when they say that they take privacy issues seriously. Compare it to MS who flatly says 'we reserve the right to do anything we want with your private data'.



Now again this is the silly "it's my computer so I should be able do with it as I please" argument I was talking about earlier. If SIP pisses you off that much, you are free to turn it off. Apple gives you a tool to do it and the steps are clearly documented by Apple itself: https://developer.apple.com/library...ion/ConfiguringSystemIntegrityProtection.html

They are not — in any way — changing the way how you are allowed to use your machine, nor are they disabling you access to parts of it. What they do is plain and simple enforce a series of best practices. Again, unless you are interested in hacking the operating system, you do not need access to the directories protected by SIP.

Not really "changing the topic." Apple creates an OS (El Cap) that only gives access to the root to Apple. Can you say with certainty that Apple will NEVER give those keys to any govt agency?

And I am not interested in "hacking" my computer, I just want to be able to run the same apps I've been using for years. Many are now blocked by El Cap.

 

[Partron22]

Apple owns the operating system running on your computer...

What with all the open source bits, the truth of that statement is not as clear as it might be.

 

[Fishrrman]

My solution to "rootless" was to turn it off.
Permanently.

So it will be on my Macs, until Apple makes it impossible to disable...

 

[leman]

Not really "changing the topic." Apple creates an OS (El Cap) that only gives access to the root to Apple. Can you say with certainty that Apple will NEVER give those keys to any govt agency?

As long as they give you the tools to disable SIP and documents these tools publicly, I fail to see the problem. Your question applies to any kind of operating system, with or without similar security mechanisms.

And I am not interested in "hacking" my computer, I just want to be able to run the same apps I've been using for years. Many are now blocked by El Cap.

What apps are those exactly? Like TotalFinder? Well, these apps actually hack the OS, and they are very clear about it.