There are few miseries I deal with regularly that compare to SIP or the hardened runtime telling me I may not debug processes on a computer where I have root. If anything is going to make me abandon macOS (I've been using it since I was a child) it's the "security and privacy" features.
sbuk 457 days ago [-]
The security and privacy features benefit the majority, of which you clearly are not, so there is an escape hatch for you; turn off SIP. Just don't disable it for typical users.
justsomeadvice0 457 days ago [-]
Yea, I'm really not sure how this is a "misery". System processes are protected for typical users to limit the blast radius of malware, among other reasons. If you are capable of debugging system processes you should be able to manage to:
Restart macOS, holding ⌘+R. Open Terminal. Type `csrutil disable`. Restart macOS again.
derbOac 457 days ago [-]
For some things though that's just Step 1 of many. Still doable but too much of a pain.
chongli 457 days ago [-]
That’s like telling me to remove the front door of my house rather than letting me have a key to unlock it.
jabedude 457 days ago [-]
What would be a suitable key in your analogy?
solarkraft 457 days ago [-]
Super-root?
But as far as I'm aware the reasoning is that if there's a way to access something from a normal user account (with admin privileges) it can be abused somehow.
Maybe a "key" would be the ability to boot/log in to a special mode with SIP enabled. Disabling/enabling it approximates this, but as far as I know an update will generally destroy your changes because Apple will just overwrite everything.
chongli 457 days ago [-]
The suitable key would be to allow users to grant their own fine-grained entitlements to applications using their own self-signed certificate. The process should be suitably involved and complex enough to scare off regular users who may be attempting to do it under the direction of a third party (who may be trying to trick them) but it should be available to users who know what they’re doing.
Gigachad 456 days ago [-]
Those resources are still owned by the root user so regular apps can't change them. Turning off SIP gives you something more like a regular linux system. The problem was when a normal user is prompted to type their password by an application, they simply do it granting the program root access so Apple decided regular users shouldn't be able to accidentally do this. If you need that access, you have to reboot in recovery mode to turn off the safety rails.
jabedude 451 days ago [-]
You can do that today on macOS? Build XNU with support for respecting your self-signed cert and then boot it
tempodox 457 days ago [-]
True, but giving us a key might jeopardize future revenue streams where we have to pay for the privilege of developing software on Apple platforms. You already get a degraded developer experience for iOS if you don't bribe Apple with a Developer Program subscription.
rogual 457 days ago [-]
Not just iOS. Notarizing apps for macOS requires payment too.
scarface74 457 days ago [-]
HN has been predicting a future that you could only install apps through the Mac App Store since it was introduced in 2011.
Any day now…
Gigachad 456 days ago [-]
We will see alt app stores on the iphone before we see macOS match those predictions.
aviramha 457 days ago [-]
Why not enable easier override for specific scenarios?
Turning off completely feels like a bad outcome
galad87 457 days ago [-]
It already allows to turn off only a part of it.
saagarjha 457 days ago [-]
Turning off any of SIP is largely isomorphic to turning it all off
aviramha 457 days ago [-]
But I don't want that. That's like taking the gate instead of adding a configurable ACL.
howinteresting 457 days ago [-]
Then iOS apps stop working, right? The DRM regime requires SIP to be enabled.
Stallman was right about "treacherous computing".
sbuk 457 days ago [-]
This has nothing to do with iOS.
howinteresting 457 days ago [-]
macOS now has support for iOS apps, but only if SIP is enabled and their DRM/"trusted" computing regime is active.
Turning off SIP means you can’t run iOS apps on macOS. This sucks.
lloeki 457 days ago [-]
Under "Security and Privacy" there's been "Developer Tools" for a while, within which I only ever saw Terminal.app (but any app could be added)
I'm not sure what it really does (could not find any docs, maybe someone can enlighten?) but the text made me think it could allow stuff like running unsigned debuggers:
Allow the applications below to run software locally that does not meet the system's security policies
Again I'm really not sure, but maybe it can cover some use cases without going the nuclear route of fully disabling SIP?
macshome 457 days ago [-]
It relaxes the signing requirements and malware signature checks for binaries run in the Terminal. This way you can build and test stuff without needing to relax the security posture of the entire Mac.
memco 457 days ago [-]
I Would be interested to know more about it too. I have been interested in running a piece of software that needs SIP partially disabled, but I’d I could just grant it exemption I would prefer that to a blanket removal.
Funny thing is all computers used to run without SIP, but since they added it I’m now hesitant to turn it off even though I’m not any worse off than I used to be.
aviramha 457 days ago [-]
I totally feel you though I can understand that for Apple the average consumer's security > hackers :)
I think Apple should remember that people debugging and working is important too, and make the documentation around the security features less obscure. (Attaching a debugger/ptrace on macOS is really evil to implement)
madeofpalk 457 days ago [-]
You can just disable SIP, no?
Gigachad 456 days ago [-]
Yes, the "locked down dictatorship macos" is surprisingly permissive. Impressively you can even dual boot linux on Apple Silicon completely unrestricted without having to turn on off the boot chain security features of macOS.
scarface74 457 days ago [-]
Yes because it’s not like bad things can happen when SIP is turned off. Not always malicious, it’s often ineptness
This got far more of a chuckle from me than it should have. Must have had a long day or far to little sleep.
WirelessGigabit 457 days ago [-]
While the explanation is super cool it makes me feel nervous. None of this did supported. APIs change without notice, as you don't have a contract. You're relying on the fact that there is an x64 version available.
aviramha 457 days ago [-]
Most odds is when x64 binary will stop shipping, arm64e won't be in preview mode anymore and we will be able to just do the re-signing part. (Which is supported)
ghostpepper 457 days ago [-]
It's pretty much expected that if you publish a method for working around a security feature it will be patched quickly. Cool research if that was the intention but if you're building a product around this... you're going to have a bad time.
eyalbukchin 457 days ago [-]
This is detailed in the post, but the security feature i.e. preventing injected libraries access to entitlements isn't actually bypassed here. Rather the binary is run without these entitlements (which aren't required anyway for mirrord's use case).
antihero 457 days ago [-]
This is interesting. I’m guessing just having a patched shell binary and forking stuff from within that wouldn’t work.
aviramha 457 days ago [-]
You could patch a shell binary, but you'd ultimately want to use other binaries as well. The most common example we had is when people tried to run our software with `pyenv` which was a shell script that used other system binaries + shell scripts
david2ndaccount 457 days ago [-]
This is a strange product they’re selling. You run your binary on on macOS but presumably your server is running linux. Why are you trying to run Darwin executables as if they were in the cloud when that is not what will actually be deployed? Shouldn’t the testing at least be done from a linux machine?
eyalbukchin 457 days ago [-]
Ideally! And it can be run on a Linux machine if the user prefers. But if you code on a Mac, mirrord still lets you go through a good number of test iterations (by letting your process run with network input/output, file content and environment variables from the cloud) before having to deploy your code to a Linux machine for that (hopefully) final round of testing.
pedrow 457 days ago [-]
Would it be an option to compile your own versions of `ls` et al., maybe from the Darwin source (if available, I don't know) or one of the BSDs? Does what you're trying to do depend on the specific implementation of Apple's utilities?
eyalbukchin 457 days ago [-]
Maybe, we haven't looked into that option for the following reasons:
a. It would require that we maintain a potentially pretty big list of self-compiled binaries
b. It would be an alteration of what the user's running, which we try to keep to a minimum, as mirrord's commonly used as a testing tool
jbverschoor 456 days ago [-]
I have no clue what this mirrord does. Is it some kind of API proxy?
What if I don't have 'pods', also, shouldn't it be called redirect_api? mirror sounds like it's mirrorring.
Why would I need this? or whatever this does?
aviramha 456 days ago [-]
mirrord is a tool for backend engineers that enables them to work on a remote environment without needing to deploy there or actually run there.
It makes the iteration time (code -> test -> [review] -> deploy) faster since you don't replace the remote service also, which means many devs can work the same time.
Restart macOS, holding ⌘+R. Open Terminal. Type `csrutil disable`. Restart macOS again.
But as far as I'm aware the reasoning is that if there's a way to access something from a normal user account (with admin privileges) it can be abused somehow.
Maybe a "key" would be the ability to boot/log in to a special mode with SIP enabled. Disabling/enabling it approximates this, but as far as I know an update will generally destroy your changes because Apple will just overwrite everything.
Any day now…
Stallman was right about "treacherous computing".
https://forums.macrumors.com/threads/if-you-disable-sip-all-...
I'm not sure what it really does (could not find any docs, maybe someone can enlighten?) but the text made me think it could allow stuff like running unsigned debuggers:
Again I'm really not sure, but maybe it can cover some use cases without going the nuclear route of fully disabling SIP?Funny thing is all computers used to run without SIP, but since they added it I’m now hesitant to turn it off even though I’m not any worse off than I used to be.
https://appleinsider.com/articles/19/09/25/google-chrome-upd...
This got far more of a chuckle from me than it should have. Must have had a long day or far to little sleep.
a. It would require that we maintain a potentially pretty big list of self-compiled binaries
b. It would be an alteration of what the user's running, which we try to keep to a minimum, as mirrord's commonly used as a testing tool
Why would I need this? or whatever this does?
You can read more about it here https://metalbear.co/blog/mirrord-3.0-is-out/