Since the introduction of the sibling / and /System/Volumes/Data architecture, some very basic, critical commands seem to have broken behaviour (cp, rsync, tar, cpio…).
As an example, ditto, which was introduced more than 10 years ago to correctly integrate all the peculiarities of the Apple HFS filesystem as compared to the Unix UFS filesystem, is not behaving correctly.
For example, from man ditto:
     --rsrc      Preserve resource forks and HFS meta-data. ditto will
                 store this data in Carbon-compatible ._ AppleDouble files
                 on filesystems that do not natively support resource forks.
                 As of Mac OS X 10.4, --rsrc is default behavior.
     [...]
     --extattr   Preserve extended attributes (requires --rsrc). As of Mac
                 OS X 10.5, --extattr is the default.
and nonetheless:
# ls -@delO /private/var/db/ConfigurationProfiles/Store
drwx------@ 5 root wheel datavault 160 Jan 20 2024 /private/var/db/ConfigurationProfiles/Store
*********
com.apple.rootless 28
***************************
# mkdir tmp
# ditto /private/var/db/ConfigurationProfiles tmp
ditto: /Users/alice/Security/Admin/Apple/APFS/tmp/Settings: Operation not permitted
ditto: /Users/alice/Security/Admin/Apple/APFS/tmp/Store: Operation not permitted
# ls -@delO tmp/Store
drwx------ 5 root wheel - 160 Aug 8 13:55 tmp/Store
*
#
The extended attribute on the copied directory Store is empty and the file flags are missing; they are not preserved as documented, and as has been the usual behaviour of ditto for a long time (macOS 10.5).
cp, rsync, tar, cpio exhibit the same misbehaviour. But I was using ditto to be sure to avoid any incompatibility with the Apple FS proprietary modifications.
As a consequence, all backup scripts and applications are failing more or less silently, and provide corrupted copies of files or directories. (I was here investigating why one of my security backup shell scripts was making corrupted backups, and only on macOS.)
How can I recover the standard --extattr behaviour on modern macOS?
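One way for a backup script to catch this kind of silent metadata loss, as an added example that is not part of the original post: it parses two `ls -@delO` listings like the ones quoted above and reports the file flags and extended-attribute names missing from the copy. The function names and the embedded sample listings (constructed from the output in the post) are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the metadata shown by two `ls -@delO` listings
# (source and copy) and report file flags or xattr names the copy lost.

# Reduce one listing (stdin) to "flags=<flags> xattrs=<names>".
meta_summary() {
    awk '
        # Entry line: mode string first, file flags in field 5 (-O); "-" = none.
        NF >= 9 && $1 ~ /^[-dlbcps][-r][-w][-xsS]/ { flags = $5; next }
        # xattr line: "<name> <size>"; ACL entries (-e) have more fields.
        NF == 2 && $2 ~ /^[0-9]+$/ { names = names (names == "" ? "" : ",") $1 }
        END { printf "flags=%s xattrs=%s\n", flags, (names == "" ? "-" : names) }
    '
}

# Print one line per item missing from the copy; return 1 if anything is lost.
# $1 = text of the source listing, $2 = text of the copy listing.
lost_metadata() {
    src=$(printf '%s\n' "$1" | meta_summary)
    dst=$(printf '%s\n' "$2" | meta_summary)
    src_flags=${src#flags=}; src_flags=${src_flags%% *}
    dst_flags=${dst#flags=}; dst_flags=${dst_flags%% *}
    rc=0
    # Flags may be a comma-separated list, so check each one separately.
    for f in $(printf '%s' "$src_flags" | tr ',' ' '); do
        [ "$f" = "-" ] && continue
        case ",$dst_flags," in *",$f,"*) ;; *) echo "flag lost: $f"; rc=1 ;; esac
    done
    for x in $(printf '%s' "${src#* xattrs=}" | tr ',' ' '); do
        [ "$x" = "-" ] && continue
        case ",${dst#* xattrs=}," in *",$x,"*) ;; *) echo "xattr lost: $x"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample input: the two listings quoted in the post.
SRC_LISTING='drwx------@ 5 root wheel datavault 160 Jan 20 2024 /private/var/db/ConfigurationProfiles/Store
com.apple.rootless 28'
DST_LISTING='drwx------ 5 root wheel - 160 Aug 8 13:55 tmp/Store'

# On a Mac the listings would come from: ls -@delO "$path"
lost_metadata "$SRC_LISTING" "$DST_LISTING" || echo "copy is missing metadata"
```

Run after each copy, a non-zero return lets the backup job fail loudly instead of keeping an archive whose flags and attributes were dropped.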
As a system & security administrator, I started to install a lot of Unixes 20 years ago with a dual volume for security purposes, inside critical infrastructures:
volume                  mount options
------------------------------------------------
/                       ro
/var                    rw, nosuid, nodev
Everything which could be end user or admin modifiable and to be referenced from / was defined through simple symbolic links:
/tmp --> /var/tmp
/home --> /var/home
/local --> /var/local
/opt --> /var/opt
/private --> /var/private
And through many tests, and the pressure of real attacks every day, with such a configuration, even as root, it was impossible to damage the system. Many attacks struck us (~ 20 / day)… none succeeded (at least as far as I was aware, and as I wasn't fired).
Why did Apple choose a rather more complex way to build a similar architecture with the 2 volumes:
volume                  mount options
------------------------------------------------
/                       ro
/System/Volumes/Data    rw, nosuid, nodev
with a new concept of firmlinks which is not compatible with any other Unix FS, which brought Apple to put fundamental components of their new APFS outside of the FS internals (in plain old files) and which is rather tricky to understand and to manage for system and security administrators?
To give just one example of a highly deceiving point: it isn't now possible to make a quick carbon copy of a volume with tools as simple as cp or rsync because of new extended attributes.
Real life teaches us every day that complexity is one of the biggest enemies of performance and security.
What are the advantages of this sibling volumes architecture?
(I am not talking here of the real internal advantages of APFS versus HFS and traditional Unix UFS or ZFS, which I very easily grasped and verified in real life.)
Hello,
I have many problems managing the new structure of the volumes introduced with High Sierra and Big Sur around the use and configuration of APFS.
Where could I find technical documentation about this APFS organisation?
By technical documentation I don't mean a nice theoretical PowerPoint for the boss. I mean real technical documentation which will permit me, for example:
• to understand how the complete set of different APFS volumes is built and organized to install a new macOS,
• to build an installer on a USB key which will be usable for a highly secured environment where an Internet connection is not allowed and not possible,
• to build a script to check that an actual APFS set of volumes doesn't present any major discrepancy, a kind of meta-fsck, not the Disk Utility way, but the engineer way, essentially running through the command line, and fully compatible with traditional system, network and security administration.
Sorry, I am a very special case of developer. I only develop tools from shell scripts to do system, network and security administration. And to build more scripts with them.
My answer to Select a Subtopic could have been:
system administration, technical documentation
For many years, using different versions of MacOS (Yosemite, El Capitan, Sierra, High Sierra, Mojave, Big Sur), I got this error message upon trying to launch Preview (and sometimes Safari):
The application Preview is not open anymore.
I am not yet able to reproduce this bug (otherwise I would have submitted a useful bug report).
In the case I am working on now, the error is true: Preview is not open anymore. Neither ps nor Activity Monitor finds it.
If I try to start the application with:
open /Applications/Preview.app
I get a slightly more intelligent error message:
LSOpenURLsWithRole() failed with error -600 for the file /Applications/Preview.app.
But it appears that in fact this function is deprecated (according to the official developer documentation).
I am actually working with opensnoop and dtruss to get which process is seeing this application not present and why this could block it starting again.
How may I further debug this blocking error of MacOS?
I am running InternetSharing. When started, InternetSharing loads a PF anchor named:
com.apple.internet-sharing/base_v4
I need to modify this anchor to improve the security of MacOS.
Where is the source of this anchor loaded by InternetSharing?
I am using InternetSharing and running a web proxy to redirect all traffic through.
How may I automatically add the correct redirect rules to the anchor InternetSharing is :
com.apple.internet-sharing/base_v4
Where is the documentation to manage anchors in a constructive way not interfering with the GUI "System Preferences..."?