Fakeroot destrooting [Was: Re: lldb ...]

Clemens Lang cal at macports.org
Sat Sep 10 06:15:54 PDT 2016


Hi,

On Sat, Sep 10, 2016 at 02:42:36PM +0200, René J.V. Bertin wrote:
> >Except that fakeroot uses library preloading, a technique that's more
> >or less dead on modern OS X thanks to Apple's changes related to SIP:
> >DYLD_INSERT_LIBRARIES is stripped for all binaries with the SIP bit
> >set.
> 
> Fakeroot uses library preloading on Linux, but that doesn't mean other
> solutions aren't possible. Evidently that would require an official
> Apple fakeroot implementation.

There are no other solutions that I'm aware of on OS X. We discussed
using the sandboxing mechanism, but it doesn't support our use case.
Short of writing a kernel module or writing your own loader, there are
no other options.

> > It can still be done with utter hacks (copying the binary into a
> > file without the SIP bit and executing it from there, which we do
> > for trace mode), 
> 
> Do you mean something along the lines of `cat /bin/sh > /tmp/sh`? If
> so, why not simply use port:bash for trace mode?

Doing this only for the shell isn't enough. Next affected tool would be
make(1), then install(1), cp(1), sandbox-exec(1), gzip(1), etc. pp. Just
FYI, I'm including a list of the files that are currently affected on my
system by the last 200-or-so runs of MacPorts at the end of this mail.

> BTW, how do you get calls like system() to use something other than
> /bin/sh ?

Hook execve(2) and posix_spawn(2) to transparently run a different
binary. That requires parsing the shebang line, too.

> > but I have neither seen any other library preloading utility that
> > used to work on OS X implement these changes nor convinced any of
> > their developers to do so.
> 
> They simply advise to disable SIP, then?

They simply stopped caring. For most of them, it has always been
additional effort to support macOS for little gain. It's no secret that
macOS isn't the platform for Unix devs that it used to be.



Here's the list:
.
├── System
│   └── Library
│       └── Frameworks
│           ├── Python.framework
│           │   └── Versions
│           │       ├── 2.6
│           │       │   └── Resources
│           │       │       └── Python.app
│           │       │           └── Contents
│           │       │               └── MacOS
│           │       │                   └── Python
│           │       └── 2.7
│           │           └── Resources
│           │               └── Python.app
│           │                   └── Contents
│           │                       └── MacOS
│           │                           └── Python
│           └── Ruby.framework
│               └── Versions
│                   └── Current
│                       └── usr
│                           └── bin
│                               └── ruby
├── bin
│   ├── bash
│   ├── cat
│   ├── chmod
│   ├── cp
│   ├── csh
│   ├── date
│   ├── dd
│   ├── echo
│   ├── ed
│   ├── expr
│   ├── hostname
│   ├── ksh
│   ├── launchctl
│   ├── ln
│   ├── ls
│   ├── mkdir
│   ├── mv
│   ├── ps
│   ├── pwd
│   ├── rm
│   ├── rmdir
│   ├── sh
│   ├── sleep
│   └── test
├── sbin
│   └── md5
└── usr
    ├── bin
    │   ├── Rez
    │   ├── SetFile
    │   ├── ar
    │   ├── arch
    │   ├── awk
    │   ├── basename
    │   ├── bc
    │   ├── bison
    │   ├── bzip2
    │   ├── c++
    │   ├── c++filt
    │   ├── cc
    │   ├── clang
    │   ├── clang++
    │   ├── cmp
    │   ├── codesign
    │   ├── codesign_allocate
    │   ├── comm
    │   ├── cpio
    │   ├── cpp
    │   ├── ctags
    │   ├── curl
    │   ├── cut
    │   ├── diff
    │   ├── dirname
    │   ├── dsymutil
    │   ├── egrep
    │   ├── env
    │   ├── etags
    │   ├── expand
    │   ├── false
    │   ├── fgrep
    │   ├── file
    │   ├── find
    │   ├── flex
    │   ├── g++
    │   ├── gcc
    │   ├── getconf
    │   ├── git
    │   ├── gm4
    │   ├── gnumake
    │   ├── gperf
    │   ├── grep
    │   ├── groff
    │   ├── grotty
    │   ├── gzip
    │   ├── head
    │   ├── hiutil
    │   ├── hostinfo
    │   ├── ibtool
    │   ├── id
    │   ├── indent
    │   ├── install
    │   ├── install_name_tool
    │   ├── jar
    │   ├── java
    │   ├── javac
    │   ├── javadoc
    │   ├── join
    │   ├── ld
    │   ├── less
    │   ├── libtool
    │   ├── lipo
    │   ├── llvm-gcc
    │   ├── locale
    │   ├── logname
    │   ├── m4
    │   ├── machine
    │   ├── make
    │   ├── makeinfo
    │   ├── man
    │   ├── mig
    │   ├── mkfifo
    │   ├── mktemp
    │   ├── nm
    │   ├── nmedit
    │   ├── od
    │   ├── otool
    │   ├── patch
    │   ├── perl
    │   ├── perl5.18
    │   ├── pr
    │   ├── python
    │   ├── python2.6
    │   ├── python2.7
    │   ├── ranlib
    │   ├── readlink
    │   ├── rpcgen
    │   ├── rsync
    │   ├── ruby
    │   ├── sandbox-exec
    │   ├── sed
    │   ├── size
    │   ├── sort
    │   ├── split
    │   ├── stat
    │   ├── strings
    │   ├── strip
    │   ├── svn
    │   ├── svnversion
    │   ├── sw_vers
    │   ├── tail
    │   ├── tar
    │   ├── tbl
    │   ├── tclsh
    │   ├── tee
    │   ├── tiffutil
    │   ├── time
    │   ├── touch
    │   ├── tput
    │   ├── tr
    │   ├── troff
    │   ├── true
    │   ├── tsort
    │   ├── tty
    │   ├── uname
    │   ├── uniq
    │   ├── unzip
    │   ├── uudecode
    │   ├── wc
    │   ├── which
    │   ├── whoami
    │   ├── xargs
    │   ├── xcode-select
    │   ├── xcodebuild
    │   ├── xcrun
    │   ├── xsltproc
    │   └── zip
    ├── libexec
    │   ├── PlistBuddy
    │   └── java_home
    └── sbin
        ├── dtrace
        ├── pkgutil
        └── sysctl

26 directories, 161 files
-- 
Clemens
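Added example, not code from the mail or from MacPorts: the shebang parsing that the execve(2)/posix_spawn(2) hook described above needs, so that a substitution applied to a restricted binary's path (the trace-mode copy-and-run workaround) is also applied to the interpreter a script names, and to the argument vector that interpreter receives. Assumptions are mine: interpreter arguments are split on whitespace (the BSD/XNU convention; Linux passes the rest of the line as a single argument), and the 128-byte line bound and 8-token cap are constructed limits, not any kernel's. The script images in `main` are constructed test data.

```c
#include <stdio.h>
#include <string.h>

#define SHEBANG_LINE_MAX 128  /* constructed bound; kernels honour a limited prefix */
#define SHEBANG_MAX_ARGS 8    /* constructed cap on interpreter tokens */

struct shebang {
    char line[SHEBANG_LINE_MAX];
    int nargs;                          /* tokens found; argv[0] is the interpreter */
    char *argv[SHEBANG_MAX_ARGS + 1];   /* NULL-terminated, points into `line` */
};

/* Parse the first line of an image. Returns 1 if `buf` begins with a usable
 * "#!" line, 0 if the file is not a script (treat it as a native executable).
 * Whitespace-splitting of the remainder is the BSD/XNU convention (assumption). */
int parse_shebang(const char *buf, size_t len, struct shebang *out)
{
    size_t n = 0, i;
    char *p;

    memset(out, 0, sizeof *out);
    if (len < 3 || buf[0] != '#' || buf[1] != '!')
        return 0;

    /* Copy at most one line, bounded like a kernel would bound it. */
    for (i = 2; i < len && n < sizeof out->line - 1; i++) {
        if (buf[i] == '\n' || buf[i] == '\0')
            break;
        out->line[n++] = buf[i];
    }
    out->line[n] = '\0';

    p = out->line;
    while (*p && out->nargs < SHEBANG_MAX_ARGS) {
        while (*p == ' ' || *p == '\t')          /* skip separators */
            p++;
        if (*p == '\0')
            break;
        out->argv[out->nargs++] = p;
        while (*p && *p != ' ' && *p != '\t')    /* advance over the token */
            p++;
        if (*p)
            *p++ = '\0';
    }
    out->argv[out->nargs] = NULL;
    return out->nargs > 0;   /* "#!" with no interpreter path is not a script */
}

/* The path whose image the kernel will actually load: the interpreter for a
 * script, the file itself otherwise. A hook that substitutes binaries must
 * apply its mapping to this path, not only to the path handed to execve(2). */
const char *exec_target(const char *path, const char *image, size_t len,
                        struct shebang *sb)
{
    return parse_shebang(image, len, sb) ? sb->argv[0] : path;
}

/* Assemble the argument vector a script exec really receives: the shebang
 * tokens, then the script path, then the caller's argv[1..]. Returns the
 * number of entries written (excluding the terminating NULL), or -1 if `out`
 * cannot hold them. */
int build_script_argv(const struct shebang *sb, const char *script,
                      char *const orig_argv[], const char **out, int cap)
{
    int n = 0, i;
    for (i = 0; i < sb->nargs; i++) {
        if (n >= cap - 1) return -1;
        out[n++] = sb->argv[i];
    }
    if (n >= cap - 1) return -1;
    out[n++] = script;
    for (i = 1; orig_argv && orig_argv[i]; i++) {
        if (n >= cap - 1) return -1;
        out[n++] = orig_argv[i];
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed script image: what a hook would read from the file it is
     * asked to execute before deciding which binary really gets loaded. */
    const char image[] = "#! /usr/bin/env python -u\nprint('hi')\n";
    char *orig[] = { "tool.py", "--verbose", NULL };
    const char *argv[SHEBANG_MAX_ARGS + 4];
    struct shebang sb;
    int i, n;

    printf("loads: %s\n", exec_target("/tmp/tool.py", image, sizeof image - 1, &sb));
    n = build_script_argv(&sb, "/tmp/tool.py", orig, argv, sizeof argv / sizeof *argv);
    for (i = 0; i < n; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    return 0;
}
```

The point for the trace-mode workaround is the second function: when `/bin/sh` is on the restricted list, a script starting with `#!/bin/sh` still has to be redirected to the unrestricted copy, which only the shebang parse makes visible to the hook.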

