Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Operating Systems Software IT

The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co) 164

A reader shares a blog post that talks about why Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app also fails, with the report Operation not permitted.


High Sierra leaves the user wondering what has happened. There's nothing in Apple's scant documentation to explain how this strange situation has arisen, and seemingly nothing more that the user can do to discover what is wrong, or to do anything about it. The clue comes from probing around in Terminal, specifically using a command like ls -lO /Library Try that in High Sierra, and you'll see drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions

There are two relevant pieces of information revealed: the @ sign shows that directory has extended attributes (xattrs), and the word restricted that it is protected by System Integrity Protection (SIP). A quick peek inside /Library/StagedExtensions/Applications/BlueStacks.app shows that it is a stub of an app, lacking any main code, but it does contain a kernel extension (KEXT) which is also protected by SIP, by virtue of being inside a SIP-protected folder. > ls -lO /Library/StagedExtensions/Applications
drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection?
This discussion has been archived. No new comments can be posted.

The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS

Comments Filter:
  • SIP? (Score:5, Insightful)

    by Anonymous Coward on Wednesday January 03, 2018 @11:06AM (#55855759)

    Please STOP using existing acronym. SIP has already been in use by something else:

    https://en.wikipedia.org/wiki/Session_Initiation_Protocol

    By the headline, I was expecting an article to be about how SIP softphones were broke in MAC OS.

  • by kilodelta ( 843627 ) on Wednesday January 03, 2018 @11:18AM (#55855837) Homepage
    On Windows 10 you can't kill Cortana. So I just take the route of blocking all access to microsoft's Bing because that is what I found Cortana using to phone home.
    • by Megol ( 3135005 )

      Really? My system doesn't show it running. Microsoft didn't make it easy though which is yet another count against using their products.

    • Except that Cortan is a Microsoft product and a part of Windows 10. This article is talking about third party apps that won't uninstall.

  • I warn about that one.
    It asks for privileges to install (Mac OS X Applications usually don't need privileges, you just copy them with drag and drop into the Applications folder), then tries to install (with a warning) a "Yahoo Toolbar" and silently installs "Mac Keeper" a mal ware.
    But it is easy to remove with sudo "rm ..." ... but I think I used an chmod or chown before that ... don't remember what I actually needed to do to remove it.
    There was a background process running, watching the killing of the Mac Keeper process, so you needed to kill that first, remove the exe of that process and then kill Mac Keeper and remove the "Andy" programm.

    • by MrLint ( 519792 )

      Thus belies another issue with /Applications on macos. Being in the admin group you have permissions to access /Applications beyond that of a normal user. So to say that you dont 'usually need privileges' You do, you already have them. However this is really a problematic behaviro of MacOS, it really should be triggering a superuser exception for that folder.

      • Sorry, that is nonsense.
        You need no special priviledges because a copy of an app you 'install' is just a copy with no special rights.
        If a user double cliccks on the app it runs with the users privileges.
        Why would you need any special privileges to 'install' it?
        Exactly that above is the reason you should be wary IF THE OS ASKES FOR super user rights, beccause for ordinary stuff they are not needed and there never was an intentin or reason to need them!

        • by MrLint ( 519792 )

          This is the permissions for /Applications

            0 drwxrwxr-x+ 69 root admin 2346 Dec 26 09:05 Applications

          Please note the group permissions 'admin' and the file system permissions in octets.
          d - directory flag and then Owner (root) [RWX] Group (admin) [RWX] and Other [RX].

          Members of the admin group and hot write to /Applications. Users who are not in the admin group will get prompted for elevation.

  • So you go to security in preferences, and turn it off. That's also where you'll find your kernel extension which will not have been granted rights to run until you approve it in that preference pane.

    Using preferences is hard now?
    • by v1 ( 525388 )

      mycomputer:~ root # csrutil status
      System Integrity Protection status: disabled.

      guess what, it's disabled! The trick is you have to boot off the recovery partition to flip the bit. It's similar to the process of unsetting the SCHG flag on a file. You can set it with root access, but you can't UNset it if kernel protection mode has been elevated by booting off a normal OS. That is a one-way trip, and a restart is the only way to unset it. In other words, no, you cannot use system prefs to disable SIP. T

  • with imac pro you can't remove storage to remove it offline as well. Coming soon in mac os more lock down and down the road limited drivers for GPU's in TB docs. rootless = no updating build in ATI drivers and no NVIDIA ktexts

  • by Kenja ( 541830 ) on Wednesday January 03, 2018 @11:36AM (#55856007)
    Use the kextunload to unload a kernel extension. It can then be deleted.
  • does apple need an installer / uninstaller system? Like windows MSI?

    • by Kenja ( 541830 )
      It has one. It uses packages, similar to many other UNIX systems. However, there is no enforcement for apps to use them and there is no default package manager. Frankly, I avoid packages since they can do things like install kernel extensions.
      • Also they don't always clean up very nicely once you remove them, probably due to not everything being kept within their bundle directory. Too much smoke and mirrors, like 'specially' named directories. As parent mentions, there is not one standard way to install. Sometimes you run an executable, sometimes you copy a file into the app directory. Sometimes there are strange folders inside the install screen. It's kind of a mess.
        • by Kenja ( 541830 )
          My rule of thumb is to avoid anything but "drag the app into your apps folder". Means I don't get to use Flash or Java, but I'll manage.
          • There are the special cases though. Ie, an older version of Office kept the Windows model of having a "common" directory. Other apps have non trivial files that have to go into "/Library/Application Support". Apple's own products often have a really complicated web of stuff that happens (ie, xcode-select).

            Apple should have added some standard way to uninstall though, and I suspect they don't because it would mean acknowledging that not everything fits into the user-friendly application bundle model.

            I'm u

      • Apple has a standard .pkg format and a standard tool for installing, but no standard way of uninstalling. Most apps are just bundles (folders that appear to be single files in the GUI unless you right-click and say 'show contents') and so are uninstalled by simply deleting them (and are installed by just dragging them to where you want them to live), so this isn't a problem for most things. It is annoying for other things though, and sufficiently annoying that there are third-party tools that will read th

        • And, immediately after posting that, I discovered the pkgutil tool, so you should replace the lsbom command with 'pkgutil --files {bundle identifier}'. It still doesn't include an uninstall command (though it does allow you to repair and verify installed packages).
      • Most "apps" are just directories that are self contained; drag it out of the install media to the install location, and to uninstall you drag it to the trash or delete from the command line.

        The few apps that don't fit into that model are the ones that require a package method (ie, files go into both application and library folders). This is reasonably straight forward to install though, but the uninstall is difficult. I often find there's a readme file or a web support page describing how to uninstall and

    • It has a packaging system, or one just copies the app to the Applications folder. However, uninstalling is a completely different matter. macOS has no real standard way to uninstall packages, other than to drag the application to the trash, or click the x when the icons wiggle in the Launcher.

      macOS really needs a better packaging system. What would be ideal is not just one that can handle installs and clean uninstalls, but to be able to back off updates without reinstalling, similar to AIX's installp. I

    • No, software needs to not rely on installers / uninstallers. I'm automatically suspicious of any bit of software that comes with an installer (on a Mac OS system), because most software doesn't need it: you copy the app to your applications folder (or, for that matter, anywhere you want) and that's it. That's all normal user applications should need. Anything that wants to "install" itself makes me wonder what kind of wonky shit it's doing to my system besides just putting an app into the applications folde

      • No, software needs to not rely on installers / uninstallers. I'm automatically suspicious of any bit of software that comes with an installer (on a Mac OS system), because most software doesn't need it: you copy the app to your applications folder (or, for that matter, anywhere you want) and that's it. That's all normal user applications should need. Anything that wants to "install" itself makes me wonder what kind of wonky shit it's doing to my system besides just putting an app into the applications folder.

        I'm with you on that feeling.

        The only exceptions to that rule are genuine Apple Applications. I trust them not to install a keylogger, etc.

  • I've stayed on El Capitan (tried Sierra - twice - and eventually rolled back to El Capitan - twice). Unfortunately it will stop getting security updates sometime this summer, though... at which point I'll have to pick my poison and "upgrade".

    • I would say the biggest reason to move to 10.13.x is for APFS. It took Apple a long time, but APFS is a decent filesystem. Of course, it would have been nice if Apple licensed ZFS way back when.

      • I would say the biggest reason to move to 10.13.x is for APFS. It took Apple a long time, but APFS is a decent filesystem. Of course, it would have been nice if Apple licensed ZFS way back when.

        No.

        It would have been nice if Oracle had just let ZFS remain Truly Free and Open.

    • by antdude ( 79039 )

      Yep, that is why I don't always upgrade for major new versions.

  • A unix system is what you want, a unix system is what you get.
    • no, SIP is Apple's own invention

      buy Apple, get Apple weirdness.

      still, we were given choice and I like the mac I have from my employer more than windows box I could have had.

      • I had the option, but with the kind of work I do a mac would have been lower powered and I would find OS/X way too inefficient.
      • Re:Unix (Score:5, Informative)

        by TheRaven64 ( 641858 ) on Wednesday January 03, 2018 @12:27PM (#55856431) Journal
        SIP is basically the flags part of BSD securelevel 1. At securelevel 1 you can set the user and system immutable flags, but you can't remove them. If you want to, you need to reboot at securelevel 0 (or -1), use chflags to remove the relevant flags, and then delete the files (you can always increase the securelevel, you can't lower it without a reboot). On most BSD systems, securelevel 1 comes with some other restrictions related to opening certain devices, which are not enforced by XNU for SIP. This functionality dates back to 4.4BSD.
  • Back in the good old days you could force delete even OS stuff that would wreck the OS, and open files that would crash the computer. This made it easy to get rid of viruses.

    Whether they changed this to stop OS problems, or to stop viruses from using it to install themselves, it made virus removal harder as virus writers coopted it to prevent their own removal, when the OS people no doubt thought they had the upper hand.

  • Clearly the issue is you're uninstalling it wrong!
  • Stop it people! Stop Insignificant postings!!

  • You unload the kernel extension, if not, boot into single user mode. How did the thing get there: you or your user installed it with an admin password. It's not a standard app that comes with OS X so there is no other way it got installed.

  • Great word to use when describing apple os.
  • SIP is there for your protection and the protection of OSX. [apple.com]

    If you really want to get rid of the app, here is how to enable/disable SIP. [apple.com]

    Apple is trying to clean things up under the covers. They have a new modern filesystem (APFS) added SIP back in El Cap which was a solid security move. I realize things have been a bit shaky lately, but I blame on moving 12,000 people into the new spaceship campus . I am surprised all the developers haven't quit. [dezeen.com]

    As the space ship establishes a new workplace morphology, things will get better. Maybe the ex-NSA'ers will head to Apple and bolster security even more.

Do you suffer painful hallucination? -- Don Juan, cited by Carlos Casteneda

Working...