13610 Views 42 Replies
      Latest reply on Sep 3, 2015 3:00 PM by kantx
      eng Level 1 Level 1 (0 points)
      eng Jun 9, 2015 1:50 PM

        Apple's new El Capitan feature SIP (System Integrity Protection) aka "rootless" will have some interesting impacts that will impede workflows for administrators.

         

        - If you Netboot across subnets, you will no longer be able to use bless. Apple's view is if someone can target a machine to boot to a non 10.11 OS, they can bypass SIP. This will prevent any unathorized boot methods.

         

        - You will be able to write to certain privileged folders through the use of a package signed with a valid Apple Developer code signing certificate.

         

        More soon on SIP if I can find the right engineer.

        • Re: SIP (Security Integrity Protection)
          meredith_corp Level 1 Level 1 (5 points)
          meredith_corp Jun 9, 2015 1:40 PM (in response to eng)

          That's some serious changes.  We rely on the ability to remote netboot.

          I don't fully understand the logic.

           

          A remote netboot attack would require a netboot server setup on an accessible network.  Are they thinking that someone would setup a public facing Netboot server and remote netboot clients to that?  That would be painfully slow on most connections. 

           

          What about locally holding "n" with HelperIPs?  Or booting to the recovery partition and turning it off? Or Target Disk Mode? Or hooking up an external drive to boot from?  Closing off that one method seems to punish the good.

          • Re: SIP (Security Integrity Protection)
            timsutton Level 1 Level 1 (0 points)
            timsutton Jun 9, 2015 1:41 PM (in response to eng)

            I'm not sure how removing the ability to bless --netboot helps secure things if someone can also just press N. Does bless --netboot get around firmware passwords?

            • Re: SIP (System Integrity Protection)
              frogor Level 1 Level 1 (0 points)
              frogor Jun 9, 2015 1:55 PM (in response to eng)

              If they put in a mechanism for an SIP-protected embedded whitelist of netboot targets, modifiable during imaging or something, I could see that as an acceptable workaround in combination with locking down bless.

               

              But seriously - too many enterprises have automated "boot to alternate OS servicing image/tool" workflows.

               

              And MDM could trigger the reboots in an "approved" way with DEP - but now you're trading something you have to invest serious $$$ and time into for what bless does now.

              • Re: SIP (System Integrity Protection)
                eng Level 1 Level 1 (0 points)
                eng Jun 10, 2015 10:54 AM (in response to eng)

                Radar reported: 21310286

                 

                openradar dot me id=4935225620561920

                • Re: SIP (System Integrity Protection)
                  cashxx Level 1 Level 1 (0 points)
                  cashxx Jun 9, 2015 5:26 PM (in response to eng)

                  I am running into this now trying to edit /sbin.   I can edit /etc, but not /sbin.  Logged in as root.  I can understand having these limitations as Admin as thats the default user created, but not Root!  But I guess if there is an exploit to get to root easily then maybe its a good thing.  But I don't get the logic with the lock down on Netboot either.  I do the same as hfike.

                   

                  To my understanding you can disable SIP by using a utility on Recovery Partition, but I have haven't tried to find it yet. 

                  • Re: SIP (System Integrity Protection)
                    spencerdiniz Level 1 Level 1 (0 points)
                    spencerdiniz Jun 11, 2015 9:49 AM (in response to eng)

                    So, I've noticed that SIP restricts write access do System/Library/LaunchDaemons.

                    Question is... How would I go about changing the default SSH port? In previous versions of OS X, I would just edit the ssh.plist file in this directory. Now, with SIP, this is no longer possible. What's the politically correct way of doing this on a SIP enabled Mac?

                    • Re: SIP (System Integrity Protection)
                      rtrouton Level 1 Level 1 (0 points)
                      rtrouton Sep 1, 2015 6:40 AM (in response to eng)

                      SIP has a list of Apple and third-party exceptions stored in the following location:

                       

                      /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths

                       

                      This is in addition to the list of exceptions defined in the following location:

                       

                      /System/Library/Sandbox/rootless.conf

                       

                      Contents of /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths as of 10.11 Developer Beta 8

                       

                      /System/Library/CFMSupport
/System/Library/CoreServices/Applications/Directory Utility.app/Contents/PlugIns/ADmitMac.daplug
/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/iLifeSlideshowTypes.bundle
/System/Library/CyborgRAT.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XComposite109.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XEthernet109.kext
/System/Library/Filesystems/DAVE
/System/Library/Filesystems/fusefs_txantfs.fs
/System/Library/Filesystems/ufsd_NTFS.fs
/System/Library/Fonts/encodings.dir
/System/Library/Fonts/fonts.dir
/System/Library/Fonts/fonts.list
/System/Library/Fonts/fonts.scale
/System/Library/HuaweiDataCardDriver.kext
/System/Library/LaunchAgents/com.paragon.NTFS.notify.plist
/System/Library/LaunchDaemons/com.absolute.rpcnet.plist
/System/Library/LaunchDaemons/com.intel.haxm.plist
/System/Library/LaunchDaemons/com.seagate.TBDecorator.plist
/System/Library/LaunchDaemons/de.novamedia.nmnetmgrd.plist
/System/Library/PrivateFrameworks/BrowserKit.framework
/System/Library/PrivateFrameworks/Helium.framework
/System/Library/PrivateFrameworks/LiveType.framework
/System/Library/PrivateFrameworks/ProKit.framework
/System/Library/PrivateFrameworks/iLifeSlideshow.framework
/System/Library/QuickTime/QuickTimeMPEG2.component
/System/Library/QuickTime/WiretapDataHandler.component
/System/Library/Services/KAVService.service
/System/Library/Services/Send to Kindle.workflow
/System/Library/StartupItems
/System/Library/USBExpressCardCantWake_Huawei.kext
/sbin/amconfig
/sbin/fsck_ufsd_NTFS
/sbin/mount_cifs
/sbin/mount_fusefs_txantfs
/sbin/mount_ufsd_NTFS
/sbin/mount_vmhgfs
/sbin/newfs_fusefs_txantfs
/sbin/newfs_ufsd_NTFS
/sbin/rpctool
/usr/X11
/usr/bin/FAHClient
/usr/bin/FAHCoreWrapper
/usr/bin/FAHViewer
/usr/bin/VBoxAutostart
/usr/bin/VBoxBalloonCtrl
/usr/bin/VBoxHeadless
/usr/bin/VBoxManage
/usr/bin/VBoxVRDP
/usr/bin/VirtualBox
/usr/bin/cups-calibrate
/usr/bin/escputil
/usr/bin/extlookup2hiera
/usr/bin/facter
/usr/bin/gnutar
/usr/bin/kashell
/usr/bin/kav
/usr/bin/nortonscanner
/usr/bin/nortonsettings
/usr/bin/nvconfigurator
/usr/bin/nvpmgr
/usr/bin/phidgetwebservice21
/usr/bin/puppet
/usr/bin/shake
/usr/bin/stkLaunchAgent.sh
/usr/bin/testpattern
/usr/bin/vagrant
/usr/bin/vboxwebsrv
/usr/discreet
/usr/include/gutenprint
/usr/lib/cshost
/usr/lib/gutenprint
/usr/lib/libMatroxMpeg2IFrameCodec.dylib
/usr/lib/libUFSDNTFS.dylib
/usr/lib/libgutenprint.2.0.3.dylib
/usr/lib/libgutenprint.2.dylib
/usr/lib/libgutenprint.a
/usr/lib/libgutenprint.dylib
/usr/lib/libgutenprint.la
/usr/lib/libnv6.dylib
/usr/lib/libnv6audit.dylib
/usr/lib/libnv6cli.dylib
/usr/lib/libnv6****.dylib
/usr/lib/libnv6foreignras.dylib
/usr/lib/libnv6foreignrast.dylib
/usr/lib/libnv6gui.dylib
/usr/lib/libnv6guit.dylib
/usr/lib/libnv6http.dylib
/usr/lib/libnv6jobs.dylib
/usr/lib/libnv6jobst.dylib
/usr/lib/libnv6json.dylib
/usr/lib/libnv6jsont.dylib
/usr/lib/libnv6ndmp.dylib
/usr/lib/libnv6plugin.dylib
/usr/lib/libnv6plugint.dylib
/usr/lib/libnv6reports.dylib
/usr/lib/libnv6reportst.dylib
/usr/lib/libnv6scsi.dylib
/usr/lib/libnv6stats.dylib
/usr/lib/libnv6statst.dylib
/usr/lib/libnv6t.dylib
/usr/lib/libnv6xctl.dylib
/usr/lib/libnv6xpm.dylib
/usr/lib/libphidget21.jnilib
/usr/lib/libwkextmac.dylib
/usr/lib/pkgconfig/gutenprint.pc
/usr/libexec/aksusbd
/usr/libexec/com.matrox.vpg.Agent
/usr/libexec/com.matrox.vpg.MaxAgent
/usr/libexec/cups/backend/cifs
/usr/libexec/hasplmd
/usr/netvault
/usr/sbin/AELWriter
/usr/sbin/cups-genppd.5.2
/usr/sbin/cups-genppdupdate
/usr/sbin/fsctl_ufsd
/usr/sbin/jamf
/usr/sbin/jamfAgent
/usr/sbin/nipalsm
/usr/sbin/nmnetmgrd
/usr/sbin/nmnetmgrd_launchd
/usr/sbin/nmnetmgrd_launchd_MT
/usr/sbin/palModuleMgr.sh
/usr/sbin/proxyhelper
/usr/sbin/qmasterca
/usr/sbin/qmasterd
/usr/sbin/qmasterprefs
/usr/sbin/qmasterqd
/usr/sbin/rpc.net
/usr/sbin/rpcset
/usr/sbin/rpcstartup
/usr/sbin/setbufsize
/usr/share/cshost
/usr/share/cups/calibrate.ppm
/usr/share/cups/usb
/usr/share/doc/facter
/usr/share/doc/puppet
/usr/share/gutenprint
/usr/share/locale/ca/gutenprint_ca.po
/usr/share/locale/cs/gutenprint_cs.po
/usr/share/locale/da/gutenprint_da.po
/usr/share/locale/de/gutenprint_de.po
/usr/share/locale/el/gutenprint_el.po
/usr/share/locale/en_GB/gutenprint_en_GB.po
/usr/share/locale/es/gutenprint_es.po
/usr/share/locale/fi/gutenprint_fi.po
/usr/share/locale/fr/gutenprint_fr.po
/usr/share/locale/gl/gutenprint_gl.po
/usr/share/locale/hu/gutenprint_hu.po
/usr/share/locale/it/gutenprint_it.po
/usr/share/locale/ja/gutenprint_ja.po
/usr/share/locale/nb/gutenprint_nb.po
/usr/share/locale/nl/gutenprint_nl.po
/usr/share/locale/pl/gutenprint_pl.po
/usr/share/locale/pt/gutenprint_pt.po
/usr/share/locale/ru/gutenprint_ru.po
/usr/share/locale/sk/gutenprint_sk.po
/usr/share/locale/sl/gutenprint_sl.po
/usr/share/locale/sv/gutenprint_sv.po
/usr/share/locale/tr/gutenprint_tr.po
/usr/share/locale/uk/gutenprint_uk.po
/usr/share/locale/vi/gutenprint_vi.po
/usr/share/locale/zh_CN/gutenprint_zh_CN.po
/usr/share/locale/zh_TW/gutenprint_zh_TW.po