Darwin Version

Richard L. Hamilton rlhamil at smart.net
Sat Oct 3 23:21:48 PDT 2015


Presumably keeping normal uses of system programs from being subverted (even if they're not running privileged, i.e. setuid/setgid).  There is probably some benefit to normal uses, but it's demonstrably trivial to work around if one already has full control.

I tend to think they went overboard, and/or this wasn't well designed, although I suspect that if number of users benefited vs adversely affected is the only measure, it may work as intended.  My impression is that at the very least, there are a number of cases of legitimate configuration that aren't supported.  Fine-grained permissions (an alternative to all-powerful root) in Solaris make some sense, for example; this reminds me more of the 3rd party open-source "Papillion" module for Solaris, which could lock down or blacklist or restrict to user view certain features, but wasn't really comprehensive.

Were I to take a really wild guess, some of the thinking of how to do this (in principle, if not detail) may have come from the iOS/OS X cross-pollination.  But what's appropriate on a mobile device (assuming you agree they should be locked down) isn't necessarily appropriate on a general purpose system.  It wouldn't take a lot of change to accommodate doing much better; just allow an overriding per-system config file that updates didn't touch, that could add exceptions to the directories and files protected by SIP.  If one wanted to be paranoid, one could then have that file lock itself down, too, once one had it the way one wanted.  That way, nobody would ever have to turn off SIP (except temporarily, to set up that file if they wanted it).


> On Oct 4, 2015, at 01:42, Sven Kolja Heinemann <web at bachsau.name> wrote:
> 
> Where is the security benefit from this, that Apple wants to Achieve?
> 
> Am 03.10.2015 um 22:30 schrieb Richard L. Hamilton <rlhamil at smart.net <mailto:rlhamil at smart.net>>:
> 
>> But it's so easy to test that theory:    :-)
>> sh-3.2# dtruss /bin/sh
>> dtrace: failed to execute /bin/sh: dtrace cannot control executables signed with restricted entitlements
>> sh-3.2# dtruss /net/localhost/bin/sh
>> sh-3.2# SYSCALL(args) 		 = return
>> thread_selfid(0x0, 0x0, 0x0)		 = 867702 0
>> csops(0x0, 0x0, 0x7FFF563BF720)		 = 0 0
>> issetugid(0x0, 0x0, 0x7FFF563BF720)		 = 0 0
