There are few miseries I deal with regularly that compare to SIP or the hardened runtime telling me I may not debug processes on a computer where I have root. If anything is going to make me abandon macOS (I've been using it since I was a child) it's the "security and privacy" features.
The security and privacy features benefit the majority, of which you clearly are not, so there is an escape hatch for you; turn off SIP. Just don't disable it for typical users.
Yea, I'm really not sure how this is a "misery". System processes are protected for typical users to limit the blast radius of malware, among other reasons. If you are capable of debugging system processes you should be able to manage to:
Restart macOS, holding ⌘+R. Open Terminal. Type `csrutil disable`. Restart macOS again.
But as far as I'm aware the reasoning is that if there's a way to access something from a normal user account (with admin privileges) it can be abused somehow.
Maybe a "key" would be the ability to boot/log in to a special mode with SIP enabled. Disabling/enabling it approximates this, but as far as I know an update will generally destroy your changes because Apple will just overwrite everything.
The suitable key would be to allow users to grant their own fine-grained entitlements to applications using their own self-signed certificate. The process should be suitably involved and complex enough to scare off regular users who may be attempting to do it under the direction of a third party (who may be trying to trick them) but it should be available to users who know what they’re doing.
Those resources are still owned by the root user so regular apps can't change them. Turning off SIP gives you something more like a regular linux system. The problem was when a normal user is prompted to type their password by an application, they simply do it granting the program root access so Apple decided regular users shouldn't be able to accidentally do this. If you need that access, you have to reboot in recovery mode to turn off the safety rails.
True, but giving us a key might jeopardize future revenue streams where we have to pay for the privilege of developing software on Apple platforms. You already get a degraded developer experience for iOS if you don't bribe Apple with a Developer Program subscription.
Under "Security and Privacy" there's been "Developer Tools" for a while, within which I only ever saw Terminal.app (but any app could be added)
I'm not sure what it really does (could not find any docs, maybe someone can enlighten?) but the text made me think it could allow stuff like running unsigned debuggers:
Allow the applications below to run software locally that does not meet the system's security policies
Again I'm really not sure, but maybe it can cover some use cases without going the nuclear route of fully disabling SIP?
It relaxes the signing requirements and malware signature checks for binaries run in the Terminal. This way you can build and test stuff without needing to relax the security posture of the entire Mac.
I Would be interested to know more about it too. I have been interested in running a piece of software that needs SIP partially disabled, but I’d I could just grant it exemption I would prefer that to a blanket removal.
Funny thing is all computers used to run without SIP, but since they added it I’m now hesitant to turn it off even though I’m not any worse off than I used to be.
I totally feel you though I can understand that for Apple the average consumer's security > hackers :)
I think Apple should remember that people debugging and working is important too, and make the documentation around the security features less obscure. (Attaching a debugger/ptrace on macOS is really evil to implement)
Yes, the "locked down dictatorship macos" is surprisingly permissive. Impressively you can even dual boot linux on Apple Silicon completely unrestricted without having to turn on off the boot chain security features of macOS.
While the explanation is super cool it makes me feel nervous. None of this did supported. APIs change without notice, as you don't have a contract. You're relying on the fact that there is an x64 version available.
Most odds is when x64 binary will stop shipping, arm64e won't be in preview mode anymore and we will be able to just do the re-signing part. (Which is supported)
It's pretty much expected that if you publish a method for working around a security feature it will be patched quickly. Cool research if that was the intention but if you're building a product around this... you're going to have a bad time.
This is detailed in the post, but the security feature i.e. preventing injected libraries access to entitlements isn't actually bypassed here. Rather the binary is run without these entitlements (which aren't required anyway for mirrord's use case).
You could patch a shell binary, but you'd ultimately want to use other binaries as well. The most common example we had is when people tried to run our software with `pyenv` which was a shell script that used other system binaries + shell scripts
This is a strange product they’re selling. You run your binary on on macOS but presumably your server is running linux. Why are you trying to run Darwin executables as if they were in the cloud when that is not what will actually be deployed? Shouldn’t the testing at least be done from a linux machine?
Ideally! And it can be run on a Linux machine if the user prefers. But if you code on a Mac, mirrord still lets you go through a good number of test iterations (by letting your process run with network input/output, file content and environment variables from the cloud) before having to deploy your code to a Linux machine for that (hopefully) final round of testing.
Would it be an option to compile your own versions of `ls` et al., maybe from the Darwin source (if available, I don't know) or one of the BSDs? Does what you're trying to do depend on the specific implementation of Apple's utilities?
I have no clue what this mirrord does. Is it some kind of API proxy?
What if I don't have 'pods', also, shouldn't it be called redirect_api? mirror sounds like it's mirrorring.
mirrord is a tool for backend engineers that enables them to work on a remote environment without needing to deploy there or actually run there.
It makes the iteration time (code -> test -> [review] -> deploy) faster since you don't replace the remote service also, which means many devs can work the same time.
