-
Re: SIP (System Integrity Protection)
meredith_corp Jun 9, 2015 1:40 PM (in response to eng)
Those are some serious changes. We rely on the ability to remote netboot.
I don't fully understand the logic.
A remote netboot attack would require a netboot server set up on an accessible network. Are they thinking that someone would set up a public-facing NetBoot server and remote netboot clients to that? That would be painfully slow on most connections.
What about locally holding "n" with HelperIPs? Or booting to the recovery partition and turning it off? Or Target Disk Mode? Or hooking up an external drive to boot from? Closing off that one method seems to punish the good.
-
Re: SIP (System Integrity Protection)
timsutton Jun 9, 2015 1:41 PM (in response to eng)
I'm not sure how removing the ability to bless --netboot helps secure things if someone can also just press N. Does bless --netboot get around firmware passwords?
-
Re: SIP (Security Integrity Protection)
hfike Jun 9, 2015 1:45 PM (in response to timsutton)Yes, I use this all the time on my lab machines that are locked with a firmware password. Using bless I can reboot them to netboot.
-
Re: SIP (System Integrity Protection)
frogor Jun 9, 2015 1:46 PM (in response to timsutton)
I'm thinking they're looking at it as an escalation to a circumvention process for SIP:
- Something happens, BadGuy process gets root/sudo
- Uses it to then bless --netboot a remote BadGuy automation toolset
- Triggers system reboot
Then the machine reboots to the netboot volume, which bypasses the SIP protections since it could be a non-10.11 netboot without SIP itself - then modifies the local /System/whatever structure. Then re-blesses back to internal and reboots. SIP circumvented.
-
Re: SIP (System Integrity Protection)
meredith_corp Jun 9, 2015 1:49 PM (in response to frogor)
That's some action movie stuff there. Anyone seen The Net?
I actually used this method to install VMware Tools on the 10.11 VM. Had to boot it to a 10.10 NBI to install the tools. But our NetBoot image is password protected anyway. This seems a little strong-handed.
-
Re: SIP (System Integrity Protection)
rM4UtgoL Jun 10, 2015 10:40 AM (in response to meredith_corp)
Wouldn't FV2 be a mitigation for this? The attacker that is NetBooting to another system presumably wouldn't be able to bypass the FDE login and the internal system disk wouldn't be modifiable unless it could be decrypted.
-
Re: SIP (System Integrity Protection)
mistacabbage Jun 11, 2015 10:08 AM (in response to rM4UtgoL)
If they already have root on the booted system I think authenticated restart would get around FileVault 2.
sudo fdesetup authrestart
OS X: Macs that support authenticated restart with FileVault
-
Re: SIP (System Integrity Protection)
eng Jun 9, 2015 1:47 PM (in response to timsutton)
I just spoke with another engineer for confirmation.
If you have helper statements, you can still use Startup Disk to boot into a NBI for imaging purposes.
They have an internal solution/idea for bless, but they need more impact data to understand whether they will work on it or not.
As far as writing to /System with a package, it's still unknown what areas you will be able to write to with a Developer signed pkg. Preinstall/postinstall actions should still work. You cannot sign a package with a self signed certificate and import it into the System Keychain.
I was told to file a RADAR regarding SIP blocking /Library/Desktop\ Pictures .
-
Re: SIP (System Integrity Protection)
Greg Neagle Jun 9, 2015 1:55 PM (in response to eng)
"I was told to file a RADAR regarding SIP blocking /Library/Desktop\ Pictures"
Not seeing that here. I can create a new file in that directory using sudo.
-
Re: SIP (System Integrity Protection)
eng Jun 9, 2015 1:59 PM (in response to Greg Neagle)
Neither Rich nor I could do it in our VMs, using Finder/Terminal.
How did you do it?
-
Re: SIP (System Integrity Protection)
meredith_corp Jun 9, 2015 2:02 PM (in response to eng)
I can 'sudo touch file' in /Library/Desktop Pictures/
homeadmins-Mac:~ homeadmin$ cd /Library/Desktop\ Pictures/
homeadmins-Mac:Desktop Pictures homeadmin$ touch file
touch: file: Permission denied
homeadmins-Mac:Desktop Pictures homeadmin$ sudo touch file
Password:
homeadmins-Mac:Desktop Pictures homeadmin$ ls -l file
-rw-r--r--  1 root  wheel  0 Jun  9 14:01 file
-
Re: SIP (System Integrity Protection)
rtrouton Jun 9, 2015 2:07 PM (in response to Greg Neagle)
/Library/Desktop Pictures itself is not blocked, but try modifying /Library/Desktop Pictures/El Capitan.jpg, which is what /System/Library/CoreServices/DefaultDesktop.jpg points to.
I was not able to delete /Library/Desktop Pictures/El Capitan.jpg or remove it in my testing. I could make a copy of the file, and was even able to make a copy of it inside of /Library/Desktop Pictures.
-
Re: SIP (System Integrity Protection)
meredith_corp Jun 9, 2015 2:13 PM (in response to rtrouton)
This I can replicate.
Odd choice of protected files.
I'd think it'd be just as easy to
    if [ ! "$desktop_picture" ]
    then
        use solid color
    fi
-
Re: SIP (System Integrity Protection)
eng Jun 10, 2015 10:53 AM (in response to meredith_corp)
RADAR reported:
21308772
openradar dot me id=5054091155734528
-
Re: SIP (System Integrity Protection)
Greg Neagle Jun 9, 2015 4:52 PM (in response to rtrouton)
The issue you describe is pretty different from the one Eric mentioned!
-
Re: SIP (System Integrity Protection)
JKersten Jun 10, 2015 1:42 PM (in response to eng)
Our site is one that will be majorly impacted if netbooting across subnets is broken. We routinely use this method to reimage an ever-growing number of lab machines (currently ~500).
What's the best way now to provide feedback/impact data to Apple regarding this?
(As of the current 10.11 beta I am still able to bless/netboot to our imaging server (Nothing to RADAR yet))
-
Re: SIP (System Integrity Protection)
meredith_corp Jun 10, 2015 8:05 PM (in response to JKersten)
There has been chatter today that netbooting across subnets will work properly if the network is set up with HelperIPs. Our environment is set up with HelperIPs so it should be easy to see if blessing to a broadcast IP or direct server works or not. I plan on testing this on Thursday to confirm/deny. Regardless, since there's no official documentation on this yet I'd recommend filing a bug with the impact on your environment.
-
Re: SIP (System Integrity Protection)
marcus_suburbia Jun 10, 2015 9:17 PM (in response to JKersten)
The impact for us is over 1200 lab machines that get re-imaged every year. Add to that the potential to netrestore any of our 1000 or so staff machines if they need a nuke-and-pave.
-
Re: SIP (System Integrity Protection)
frogor Jun 9, 2015 1:55 PM (in response to eng)
If they put in a mechanism for an SIP-protected embedded whitelist of netboot targets, modifiable during imaging or something, I could see that as an acceptable workaround in combination with locking down bless.
But seriously - too many enterprises have automated "boot to alternate OS servicing image/tool" workflows.
And MDM could trigger the reboots in an "approved" way with DEP - but now you're trading something you have to invest serious $$$ and time into for what bless does now.
-
Re: SIP (System Integrity Protection)
eng Jun 10, 2015 10:54 AM (in response to eng)
Radar reported: 21310286
openradar dot me id=4935225620561920
-
Re: SIP (System Integrity Protection)
cashxx Jun 9, 2015 5:26 PM (in response to eng)
I am running into this now trying to edit /sbin. I can edit /etc, but not /sbin. Logged in as root. I can understand having these limitations as Admin as that's the default user created, but not Root! But I guess if there is an exploit to get to root easily then maybe it's a good thing. But I don't get the logic with the lock down on Netboot either. I do the same as hfike.
To my understanding you can disable SIP by using a utility on the Recovery Partition, but I haven't tried to find it yet.
-
Re: SIP (System Integrity Protection)
cashxx Jun 9, 2015 5:32 PM (in response to cashxx)
Well, that was easy... boot to the Recovery Partition and right under the Utilities menu is Security Configuration. Simple check box.
-
Re: SIP (System Integrity Protection)
meredith_corp Jun 9, 2015 5:58 PM (in response to cashxx)
Easy for just one machine, but hands-on is the _only_ way to change that setting. Our sneakernet has been retired for a while now. I'm not a fan of turning it off yet, either. This isn't going anywhere anytime soon. It'd be better to address its limitations and try to help accelerate its maturity than to ignore it, especially as it is brand new. Feedback, feedback, feedback, and impact, impact, impact.
-
Re: SIP (System Integrity Protection)
cashxx Jun 9, 2015 6:09 PM (in response to meredith_corp)
I do agree!
-
Re: SIP (System Integrity Protection)
calum.hunter Jun 10, 2015 10:46 PM (in response to meredith_corp)
Disabling SIP can also be achieved by:
sudo nvram boot-args="rootless=0"
-
Re: SIP (System Integrity Protection)
meredith_corp Jun 11, 2015 6:34 AM (in response to calum.hunter)
For now. Don't expect that to exist in ElCap's final form.
-
Re: SIP (System Integrity Protection)
eng Jun 11, 2015 9:26 AM (in response to meredith_corp)
Spoke with an engineer regarding this yesterday. They don't anticipate this option being removed for the final release (similar to Yosemite's signed kext method).
I also asked whether this option would be deprecated next year (again similar to the kext signing) and they did not anticipate it being deprecated. Who knows what happens between now and OS X 10.12.
-
Re: SIP (System Integrity Protection)
eng Jun 11, 2015 10:14 AM (in response to eng)
And today the story has changed. The argument will be taken away either before final release or once released to public.
-
Re: SIP (System Integrity Protection)
kantx Sep 3, 2015 11:50 AM (in response to cashxx)
I have no SIP under Utilities when booting in Recovery Mode. Where is the bloody thing?
-
Re: SIP (System Integrity Protection)
spencerdiniz Jun 11, 2015 9:49 AM (in response to eng)
So, I've noticed that SIP restricts write access to /System/Library/LaunchDaemons.
Question is... How would I go about changing the default SSH port? In previous versions of OS X, I would just edit the ssh.plist file in this directory. Now, with SIP, this is no longer possible. What's the politically correct way of doing this on a SIP enabled Mac?
-
Re: SIP (System Integrity Protection)
eng Jun 11, 2015 10:26 AM (in response to spencerdiniz)
You can modify files in /private/etc so this would be the recommended approach. Only the /etc symlink is protected by SIP.
-
Re: SIP (System Integrity Protection)
Greg Neagle Jun 11, 2015 2:00 PM (in response to spencerdiniz)
something like:
sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
Create a replacement ssh.plist in /Library/LaunchDaemons with your changes.
sudo launchctl load -w /Library/LaunchDaemons/ssh.plist
(I'm using the legacy syntax here; haven't memorized the "new" syntax yet)
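Greg's three steps as one script, added here as an example and not something posted in the thread. It keeps his legacy launchctl syntax and edits the copy with awk so that only the listener's SockServiceName changes; the Bonjour entries in the same Listeners dictionary also read "ssh" and a blind search-and-replace would clobber them. The plist excerpt and the port 2222 are constructed for the example; the two paths are the ones from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): move sshd to another port on a SIP-enabled
# 10.11 system without writing to /System/Library/LaunchDaemons, following the
# unload / copy / load steps posted above (legacy launchctl syntax).
set -eu

SYSTEM_PLIST=/System/Library/LaunchDaemons/ssh.plist   # SIP-protected original
LOCAL_PLIST=/Library/LaunchDaemons/ssh.plist           # writable replacement

# Accept only a numeric TCP port. launchd would also take a service name from
# /etc/services here, but a number leaves no doubt about what was configured.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Rewrite the <string> that follows <key>SockServiceName</key> in launchd plist
# XML read on stdin. Every other <string>ssh</string> (the Bonjour service
# names live in the same Listeners dict) is left alone.
# Usage: rewrite_ssh_port PORT < original.plist > edited.plist
rewrite_ssh_port() {
    awk -v port="$1" '
        hit && /<string>/ { sub(/<string>[^<]*<\/string>/, "<string>" port "</string>"); hit = 0 }
        /<key>SockServiceName<\/key>/ { hit = 1 }
        { print }
    '
}

# The three steps from the thread. The copy is placed as root:wheel 644 because
# launchd refuses daemon plists that are not owned by root or are writable by others.
apply_ssh_port() {
    port=$1
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    sudo launchctl unload -w "$SYSTEM_PLIST"
    rewrite_ssh_port "$port" < "$SYSTEM_PLIST" | sudo tee "$LOCAL_PLIST" > /dev/null
    sudo chown root:wheel "$LOCAL_PLIST"
    sudo chmod 644 "$LOCAL_PLIST"
    sudo launchctl load -w "$LOCAL_PLIST"
}

# Constructed excerpt of a 10.11-style ssh.plist (only the parts the edit touches).
SAMPLE_PLIST='<dict>
	<key>Label</key>
	<string>com.openssh.sshd</string>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>Bonjour</key>
			<array>
				<string>ssh</string>
				<string>sftp-ssh</string>
			</array>
			<key>SockServiceName</key>
			<string>ssh</string>
		</dict>
	</dict>
</dict>'

# Dry run on the sample; on a real machine call: apply_ssh_port 2222
printf '%s\n' "$SAMPLE_PLIST" | rewrite_ssh_port 2222
```

Because the replacement lives in /Library/LaunchDaemons, it survives SIP and can be edited again later with plain sudo; the original in /System stays untouched and only its launchd override is flipped, which is what `unload -w` records.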
-
Re: SIP (System Integrity Protection)
sitay1 Aug 4, 2015 4:39 AM (in response to Greg Neagle)
Hi Greg,
What do you mean by 'new syntax'?
Does the launchctl command not work any more?
In the past I used it to see the running services by using: launchctl list
Will that not work anymore on El Capitan?
Is there an alternative to the launchctl API in El Capitan?
Thanks,
-
Re: SIP (System Integrity Protection)
Greg Neagle Aug 21, 2015 6:15 AM (in response to sitay1)
"What do you mean by 'new syntax'?"
Sorry to be blunt, but: `man launchctl`
The syntax/commands we've used since 10.4 is now "legacy" and there are a whole new set of subcommands. Read. Learn. Love.
-
Re: SIP (System Integrity Protection)
rtrouton Sep 1, 2015 6:40 AM (in response to eng)
SIP has a list of Apple and third-party exceptions stored in the following location:
/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
This is in addition to the list of exceptions defined in the following location:
/System/Library/Sandbox/rootless.conf
Contents of /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths as of 10.11 Developer Beta 8:
/System/Library/CFMSupport
/System/Library/CoreServices/Applications/Directory Utility.app/Contents/PlugIns/ADmitMac.daplug
/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/iLifeSlideshowTypes.bundle
/System/Library/CyborgRAT.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XComposite109.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XEthernet109.kext
/System/Library/Filesystems/DAVE
/System/Library/Filesystems/fusefs_txantfs.fs
/System/Library/Filesystems/ufsd_NTFS.fs
/System/Library/Fonts/encodings.dir
/System/Library/Fonts/fonts.dir
/System/Library/Fonts/fonts.list
/System/Library/Fonts/fonts.scale
/System/Library/HuaweiDataCardDriver.kext
/System/Library/LaunchAgents/com.paragon.NTFS.notify.plist
/System/Library/LaunchDaemons/com.absolute.rpcnet.plist
/System/Library/LaunchDaemons/com.intel.haxm.plist
/System/Library/LaunchDaemons/com.seagate.TBDecorator.plist
/System/Library/LaunchDaemons/de.novamedia.nmnetmgrd.plist
/System/Library/PrivateFrameworks/BrowserKit.framework
/System/Library/PrivateFrameworks/Helium.framework
/System/Library/PrivateFrameworks/LiveType.framework
/System/Library/PrivateFrameworks/ProKit.framework
/System/Library/PrivateFrameworks/iLifeSlideshow.framework
/System/Library/QuickTime/QuickTimeMPEG2.component
/System/Library/QuickTime/WiretapDataHandler.component
/System/Library/Services/KAVService.service
/System/Library/Services/Send to Kindle.workflow
/System/Library/StartupItems
/System/Library/USBExpressCardCantWake_Huawei.kext
/sbin/amconfig
/sbin/fsck_ufsd_NTFS
/sbin/mount_cifs
/sbin/mount_fusefs_txantfs
/sbin/mount_ufsd_NTFS
/sbin/mount_vmhgfs
/sbin/newfs_fusefs_txantfs
/sbin/newfs_ufsd_NTFS
/sbin/rpctool
/usr/X11
/usr/bin/FAHClient
/usr/bin/FAHCoreWrapper
/usr/bin/FAHViewer
/usr/bin/VBoxAutostart
/usr/bin/VBoxBalloonCtrl
/usr/bin/VBoxHeadless
/usr/bin/VBoxManage
/usr/bin/VBoxVRDP
/usr/bin/VirtualBox
/usr/bin/cups-calibrate
/usr/bin/escputil
/usr/bin/extlookup2hiera
/usr/bin/facter
/usr/bin/gnutar
/usr/bin/kashell
/usr/bin/kav
/usr/bin/nortonscanner
/usr/bin/nortonsettings
/usr/bin/nvconfigurator
/usr/bin/nvpmgr
/usr/bin/phidgetwebservice21
/usr/bin/puppet
/usr/bin/shake
/usr/bin/stkLaunchAgent.sh
/usr/bin/testpattern
/usr/bin/vagrant
/usr/bin/vboxwebsrv
/usr/discreet
/usr/include/gutenprint
/usr/lib/cshost
/usr/lib/gutenprint
/usr/lib/libMatroxMpeg2IFrameCodec.dylib
/usr/lib/libUFSDNTFS.dylib
/usr/lib/libgutenprint.2.0.3.dylib
/usr/lib/libgutenprint.2.dylib
/usr/lib/libgutenprint.a
/usr/lib/libgutenprint.dylib
/usr/lib/libgutenprint.la
/usr/lib/libnv6.dylib
/usr/lib/libnv6audit.dylib
/usr/lib/libnv6cli.dylib
/usr/lib/libnv6****.dylib
/usr/lib/libnv6foreignras.dylib
/usr/lib/libnv6foreignrast.dylib
/usr/lib/libnv6gui.dylib
/usr/lib/libnv6guit.dylib
/usr/lib/libnv6http.dylib
/usr/lib/libnv6jobs.dylib
/usr/lib/libnv6jobst.dylib
/usr/lib/libnv6json.dylib
/usr/lib/libnv6jsont.dylib
/usr/lib/libnv6ndmp.dylib
/usr/lib/libnv6plugin.dylib
/usr/lib/libnv6plugint.dylib
/usr/lib/libnv6reports.dylib
/usr/lib/libnv6reportst.dylib
/usr/lib/libnv6scsi.dylib
/usr/lib/libnv6stats.dylib
/usr/lib/libnv6statst.dylib
/usr/lib/libnv6t.dylib
/usr/lib/libnv6xctl.dylib
/usr/lib/libnv6xpm.dylib
/usr/lib/libphidget21.jnilib
/usr/lib/libwkextmac.dylib
/usr/lib/pkgconfig/gutenprint.pc
/usr/libexec/aksusbd
/usr/libexec/com.matrox.vpg.Agent
/usr/libexec/com.matrox.vpg.MaxAgent
/usr/libexec/cups/backend/cifs
/usr/libexec/hasplmd
/usr/netvault
/usr/sbin/AELWriter
/usr/sbin/cups-genppd.5.2
/usr/sbin/cups-genppdupdate
/usr/sbin/fsctl_ufsd
/usr/sbin/jamf
/usr/sbin/jamfAgent
/usr/sbin/nipalsm
/usr/sbin/nmnetmgrd
/usr/sbin/nmnetmgrd_launchd
/usr/sbin/nmnetmgrd_launchd_MT
/usr/sbin/palModuleMgr.sh
/usr/sbin/proxyhelper
/usr/sbin/qmasterca
/usr/sbin/qmasterd
/usr/sbin/qmasterprefs
/usr/sbin/qmasterqd
/usr/sbin/rpc.net
/usr/sbin/rpcset
/usr/sbin/rpcstartup
/usr/sbin/setbufsize
/usr/share/cshost
/usr/share/cups/calibrate.ppm
/usr/share/cups/usb
/usr/share/doc/facter
/usr/share/doc/puppet
/usr/share/gutenprint
/usr/share/locale/ca/gutenprint_ca.po
/usr/share/locale/cs/gutenprint_cs.po
/usr/share/locale/da/gutenprint_da.po
/usr/share/locale/de/gutenprint_de.po
/usr/share/locale/el/gutenprint_el.po
/usr/share/locale/en_GB/gutenprint_en_GB.po
/usr/share/locale/es/gutenprint_es.po
/usr/share/locale/fi/gutenprint_fi.po
/usr/share/locale/fr/gutenprint_fr.po
/usr/share/locale/gl/gutenprint_gl.po
/usr/share/locale/hu/gutenprint_hu.po
/usr/share/locale/it/gutenprint_it.po
/usr/share/locale/ja/gutenprint_ja.po
/usr/share/locale/nb/gutenprint_nb.po
/usr/share/locale/nl/gutenprint_nl.po
/usr/share/locale/pl/gutenprint_pl.po
/usr/share/locale/pt/gutenprint_pt.po
/usr/share/locale/ru/gutenprint_ru.po
/usr/share/locale/sk/gutenprint_sk.po
/usr/share/locale/sl/gutenprint_sl.po
/usr/share/locale/sv/gutenprint_sv.po
/usr/share/locale/tr/gutenprint_tr.po
/usr/share/locale/uk/gutenprint_uk.po
/usr/share/locale/vi/gutenprint_vi.po
/usr/share/locale/zh_CN/gutenprint_zh_CN.po
/usr/share/locale/zh_TW/gutenprint_zh_TW.po
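The paths file above is one entry per line, and an entry exempts itself and everything beneath it, not everything that merely starts with the same characters: /usr/sbin/jamf covers /usr/sbin/jamf/anything but says nothing about a hypothetical /usr/sbin/jamfx. The check below is an added example, not code from rtrouton's post or from Apple; it works on a constructed subset of the list quoted above so it runs offline, and the same function can be pointed at the real file with `sip_exception "$path" "$(cat /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths)"`. Being listed only means SIP does not apply to the path; ordinary ownership and permissions still do.

```sh
#!/bin/sh
# Added example (not from the thread): test whether a path falls under one of the
# exceptions in Compatibility.bundle's 'paths' file. The file lists one path per
# line and each entry covers itself and its whole subtree.

# Constructed subset of the Developer Beta 8 list quoted in the thread.
PATHS_EXCERPT='/System/Library/CoreServices/Applications/Directory Utility.app/Contents/PlugIns/ADmitMac.daplug
/System/Library/StartupItems
/usr/bin/puppet
/usr/sbin/jamf
/usr/sbin/jamfAgent
/usr/X11'

# Return 0 if $1 is an exception entry or lies beneath one, 1 otherwise.
# $2 is the text of the paths file. Matching is done on path components: an
# entry matches exactly or as a prefix followed by "/", never as a bare string
# prefix, so "/usr/sbin/jamf" does not exempt "/usr/sbin/jamfx".
# The here-document keeps the loop in the current shell so "return" works.
sip_exception() {
    target=$1
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$target" in
            "$entry"|"$entry"/*) return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# Print one verdict per argument; useful when checking a package's payload list.
report_sip_exceptions() {
    list=$1
    shift
    for p in "$@"; do
        if sip_exception "$p" "$list"; then
            printf 'exempt    %s\n' "$p"
        else
            printf 'protected %s\n' "$p"
        fi
    done
}

report_sip_exceptions "$PATHS_EXCERPT" \
    /usr/sbin/jamf \
    /usr/sbin/jamfx \
    "/System/Library/StartupItems/MyDaemon/StartupParameters.plist" \
    "/System/Library/CoreServices/Applications/Directory Utility.app/Contents/PlugIns/ADmitMac.daplug/Contents/Info.plist" \
    /usr/sbin/sshd
```

Run against the real file on a 10.11 system, the verdict column tells you which of a package's payload paths a Developer-ID-signed installer or a management agent can still write under SIP and which will fail with EPERM even as root.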
-
Re: SIP (System Integrity Protection)
kantx Sep 3, 2015 11:40 AM (in response to rtrouton)
I never found SIP under Utilities in Recovery mode. Where is it?
-
Re: SIP (System Integrity Protection)
kantx Sep 3, 2015 1:09 PM (in response to rtrouton)
???
Doesn't tell where SIP is under Utilities in R-Mode…
-
Re: SIP (System Integrity Protection)
Max108 Sep 3, 2015 1:13 PM (in response to kantx)
Apple have removed the GUI with the Recovery HD update. Now the supported way to control SIP is using the csrutil command from the Terminal in Recovery Mode (only - doesn't work while booted normally). For example:
- csrutil disable
-Max.
-
Re: SIP (System Integrity Protection)
kantx Sep 3, 2015 1:42 PM (in response to Max108)
I must be dumb, but how do you access Terminal in R-Mode???
-
Re: SIP (System Integrity Protection)
Max108 Sep 3, 2015 1:48 PM (in response to kantx)
Utilities menu (Menubar)
-
Re: SIP (System Integrity Protection)
kantx Sep 3, 2015 3:00 PM (in response to Max108)
Dumb myself, mixed up (Disk) Utility and Utilities.
-