The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co)
A reader shares a blog post that talks about why a Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject:

The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command
sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app
also fails, with the report "Operation not permitted".
High Sierra leaves the user wondering what has happened. There's nothing in Apple's scant documentation to explain how this strange situation has arisen, and seemingly nothing more that the user can do to discover what is wrong, or to do anything about it. The clue comes from probing around in Terminal, specifically using a command like
ls -lO /Library
Try that in High Sierra, and you'll see
drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions
There are two relevant pieces of information revealed: the @ sign shows that the directory has extended attributes (xattrs), and the word restricted that it is protected by System Integrity Protection (SIP). A quick peek inside /Library/StagedExtensions/Applications/BlueStacks.app shows that it is a stub of an app, lacking any main code, but it does contain a kernel extension (KEXT) which is also protected by SIP, by virtue of being inside a SIP-protected folder.
> ls -lO /Library/StagedExtensions/Applications
drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app
So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection?
Please STOP using an existing acronym. SIP has already been in use by something else:
https://en.wikipedia.org/wiki/Session_Initiation_Protocol
By the headline, I was expecting an article about how SIP softphones were broken in Mac OS.
Glass half full, glass half empty... maybe you're just thinking about it the wrong way?
Perhaps this "app" is really the kernel. Or maybe you should think about it that way. And the rest of your kernel, and whole damn computer, is wrapped around its little finger.
There. Problem solved. Just a bit of topological thinking and you're good!
The moment that we see the word permission, all becomes clear: it's a permissions problem.
thanks eisenstein
I replaced my last Windows OS with Linux (without systemd, of course).
Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
On Windows 10 you can't kill Cortana. So I just take the route of blocking all access to microsoft's Bing because that is what I found Cortana using to phone home.
I warn about that one. ..." ... but I think I used a chmod or chown before that ... don't remember what I actually needed to do to remove it.
It asks for privileges to install (Mac OS X applications usually don't need privileges, you just copy them with drag and drop into the Applications folder), then tries to install (with a warning) a "Yahoo Toolbar" and silently installs "Mac Keeper", malware.
But it is easy to remove with sudo "rm
There was a background process running, watching for the killing of the Mac Keeper process, so you needed to kill that first, remove the exe of that process and then kill Mac Keeper and remove the "Andy" program.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
"The moment that we see the word permission, all becomes clear: it's a permissions problem"
Thanks, Sherlock.
So you go to security in preferences, and turn it off. That's also where you'll find your kernel extension which will not have been granted rights to run until you approve it in that preference pane.
Using preferences is hard now?
With the iMac Pro you can't remove storage to remove it offline as well. Coming soon in macOS: more lockdown, and down the road limited drivers for GPUs in TB docks. rootless = no updating built-in ATI drivers and no NVIDIA kexts.
Only LUDDITES would want to trash modern appy app apps in favor of LUDDITE software!
Apps!
Use the kextunload to unload a kernel extension. It can then be deleted.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
NSA agents will come knocking, for revealing state secrets.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
does apple need an installer / uninstaller system? Like windows MSI?
It has one. It uses packages, similar to many other UNIX systems. However, there is no enforcement for apps to use them and there is no default package manager. Frankly, I avoid packages since they can do things like install kernel extensions.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
I've stayed on El Capitan (tried Sierra - twice - and eventually rolled back to El Capitan - twice). Unfortunately it will stop getting security updates sometime this summer, though... at which point I'll have to pick my poison and "upgrade".
#DeleteChrome
A unix system is what you want, a unix system is what you get.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Also they don't always clean up very nicely once you remove them, probably due to not everything being kept within their bundle directory. Too much smoke and mirrors, like 'specially' named directories. As parent mentions, there is not one standard way to install. Sometimes you run an executable, sometimes you copy a file into the app directory. Sometimes there are strange folders inside the install screen. It's kind of a mess.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
My rule of thumb is to avoid anything but "drag the app into your apps folder". Means I don't get to use Flash or Java, but I'll manage.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Windows has had something very similar since the XP days, where if one blows away a DLL, Windows silently copies it back.
One more reason to stay with 10.9.5
The unreadable thin gray fonts of the latest versions being the primary reason.
#DeleteFacebook
It has a packaging system, or one just copies the app to the Applications folder. However, uninstalling is a completely different matter. macOS has no real standard way to uninstall packages, other than to drag the application to the trash, or click the x when the icons wiggle in the Launcher.
macOS really needs a better packaging system. What would be ideal is not just one that can handle installs and clean uninstalls, but to be able to back off updates without reinstalling, similar to AIX's installp. It also would be nice to have a repair mechanism so that a damaged install can be backed out completely. Other package managers are transactional, but it would be nice to have a cleanup process to find broken, not completed installs and remove them.
As an added bonus, if signatures and such are done right, SIP could be used to protect the integrity of one program from another, as a way to mitigate rootkits.
SIP can be disabled. Generally, you don't want to, because it does what it says: protects the integrity of the system, by preventing the user from modifying system files. If you really want to, then reboot into recovery mode, disable SIP, and then reboot into normal mode. This is no different from the procedure for lowering the default securelevel on a BSD system (reboot to single-user mode, tweak the config file, boot to multiuser); does that mean that when you use FreeBSD then the FreeBSD project owns your computer?
I am TheRaven on Soylent News
The reason SIP was protecting the kext is because it was loaded into the actively running kernel. Unload the kext with "kextunload kextfile" and it is no longer protected by SIP and can be removed.
Yes, Apple could make this easier to do without using a shell. Ex: by putting a button in Preferences > Security that pops up a window displaying loaded kexts in a list & a button to unload them.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
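As an added example (my code, not the article's or any commenter's) covering both the ls -lO listing in the summary and the kextunload advice above: a small POSIX shell triage helper that parses ls -lO lines to report which entries carry the SIP "restricted" flag and extended attributes, and checks kextstat output for a kext bundle identifier so you know whether a kext is actually loaded before touching it. The sample listings and the bundle id com.example.vendor.kext are constructed placeholders so the parsing runs offline; on a Mac, triage_staged calls the real commands.

```shell
#!/bin/sh
# Constructed sample of `ls -lO` output (the shape shown in the summary); on macOS this
# comes from: ls -lO /Library/StagedExtensions/Applications
SAMPLE_LS='drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions
drwxr-xr-x  3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app
-rw-r--r--  1 root wheel - 0 2 Jan 13:03 notes.txt'

# Constructed sample of `kextstat` output; com.example.vendor.kext is a placeholder id,
# not the real BlueStacks kext identifier.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  100 0xffffff7f80a00000 0x2000     0x2000     com.apple.kpi.bsd (17.3.0)
  135    0 0xffffff7f82c0f000 0x5000     0x5000     com.example.vendor.kext (1.0.0) <5 4 3 1>'

# Print "name sip|nosip xattr|noxattr" for each entry of an ls -lO listing.
# Field 1 is the mode: a trailing @ means extended attributes (+ would mean an ACL).
# Field 5 is the BSD flags column: "-" when empty, "restricted" (possibly comma-joined
# with other flags) when the entry is under System Integrity Protection.
sip_status() {
  printf '%s\n' "$1" | awk '
    NF >= 10 {
      xattr = (substr($1, length($1), 1) == "@") ? "xattr" : "noxattr"
      sip = (index("," $5 ",", ",restricted,") > 0) ? "sip" : "nosip"
      name = $0                       # name is everything after 9 leading fields
      for (i = 1; i <= 9; i++) sub(/^[^ ]+ +/, "", name)
      print name, sip, xattr
    }'
}

# Succeed (exit 0) when bundle id $1 appears in the Name column of kextstat output $2,
# i.e. the kext is currently loaded in the running kernel.
kext_loaded() {
  printf '%s\n' "$2" | awk -v id="$1" 'NR > 1 && $6 == id { found = 1 } END { exit found ? 0 : 1 }'
}

# On a real Mac: report the SIP state of a staged .app stub and whether its kext is loaded.
# Assumes the kext's CFBundleIdentifier lives in Contents/Info.plist (read via defaults).
triage_staged() {
  sip_status "$(ls -lOd "$1")"
  find "$1" -maxdepth 4 -name '*.kext' | while IFS= read -r kext; do
    id=$(defaults read "$kext/Contents/Info" CFBundleIdentifier 2>/dev/null) || continue
    if kext_loaded "$id" "$(kextstat)"; then echo "$id: loaded"; else echo "$id: not loaded"; fi
  done
}
```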
Back in the good old days you could force delete even OS stuff that would wreck the OS, and open files that would crash the computer. This made it easy to get rid of viruses.
Whether they changed this to stop OS problems, or to stop viruses from using it to install themselves, it made virus removal harder as virus writers coopted it to prevent their own removal, when the OS people no doubt thought they had the upper hand.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Apple has a standard .pkg format and a standard tool for installing, but no standard way of uninstalling. Most apps are just bundles (folders that appear to be single files in the GUI unless you right-click and say 'show contents') and so are uninstalled by simply deleting them (and are installed by just dragging them to where you want them to live), so this isn't a problem for most things. It is annoying for other things though, and sufficiently annoying that there are third-party tools that will read the manifest from a .pkg file and delete everything for you (.pkg files install a plist containing all of the things that they've installed in /Library/Receipts).
Most things installed from .pkg files can be uninstalled by running 'lsbom -pf /Library/Receipts/{installer name} | xargs rm -rf ', but that doesn't help you if it ran some post-install script that put files elsewhere.
I am TheRaven on Soylent News
And, immediately after posting that, I discovered the pkgutil tool, so you should replace the lsbom command with 'pkgutil --files {bundle identifier}'. It still doesn't include an uninstall command (though it does allow you to repair and verify installed packages).
I am TheRaven on Soylent News
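As an added example that extends the lsbom and pkgutil commands in this and the previous comment (my code, not the commenter's): it resolves a receipt's relative file list against the volume and location that pkgutil --pkg-info reports, skips entries that are absolute or climb out with "..", and dry-runs by default, so the "| xargs rm -rf" step cannot act on the wrong paths. The package id, receipt text and file list are constructed placeholders; on a Mac, uninstall_receipt calls the real pkgutil.

```shell
#!/bin/sh
# Constructed stand-ins for `pkgutil --pkg-info <id>` and `pkgutil --files <id>`
# (placeholder id and paths, not a real package's receipt).
SAMPLE_PKG_INFO='package-id: com.example.vendor.pkg
version: 1.0.0
volume: /
location: Library/Application Support/ExampleVendor
install-time: 1514900000'
SAMPLE_PKG_FILES='bin
bin/helper
Contents/Info.plist
../../../etc/evil
/etc/absolute'

# Resolve a receipt's relative file list to absolute paths: <volume>/<location>/<file>.
# Absolute entries and entries containing ".." are printed as "SKIP <entry>" instead,
# because feeding them to rm -rf would remove files outside the install location.
receipt_paths() {
  info="$1"; files="$2"
  volume=$(printf '%s\n' "$info" | sed -n 's/^volume: //p')
  location=$(printf '%s\n' "$info" | sed -n 's/^location: //p')
  base="${volume%/}/${location#/}"; base="${base%/}"
  printf '%s\n' "$files" | while IFS= read -r f; do
    case "$f" in
      "" ) continue ;;
      /* | .. | ../* | */.. | */../* ) printf 'SKIP %s\n' "$f" ;;
      * ) printf '%s/%s\n' "$base" "$f" ;;
    esac
  done
}

# On a real Mac: print what removing package $1 would delete (deepest paths first, so
# a directory follows its contents). Pass --delete as $2 to actually remove them;
# afterwards `pkgutil --forget <id>` drops the receipt. Post-install scripts that wrote
# files elsewhere are, as the comment says, not covered by the receipt.
uninstall_receipt() {
  id="$1"
  receipt_paths "$(pkgutil --pkg-info "$id")" "$(pkgutil --files "$id")" |
    grep -v '^SKIP ' | sort -r | while IFS= read -r p; do
      if [ "$2" = "--delete" ]; then rm -rf -- "$p"; else printf 'would remove %s\n' "$p"; fi
    done
}
```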
They have a better packaging system that does uninstalls, it's called the Mac App Store and it's been around for years.
Clearly the issue is you're uninstalling it wrong!
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Stop it people! Stop Insignificant postings!!
WARNING: Smartphones have side effects--most of them undocumented.
Aside: When did links stop working?
Based on the curly quotes and en.m.wikipedia.org hostname I see on that link's href attribute value in View Source, links in your comments stopped working roughly when you enabled automatic curly quotes on your iPhone or iPad or upgraded your iPhone or iPad to a version of iOS that enabled automatic curly quotes by default. Quoted attribute values in HTML5 must use Basic Latin quotation marks, be they single or double.
That is for operating system files, not applications.
The problem here is that the application includes a kext (kernel module) for some purpose, and applications that include a kext cannot be distributed through Mac App Store.
Mac OS is slowly and confidently becoming Linux.
This is not SIP. It is the Apple Mac implementation of MAC.
If you don't know what MAC is, then you have to return your Geek card.
As is SIP, it's just that somehow the app was marked as a system file (technically, installed to a system directory). That latter part is the problem: seems like a malware magnet. It makes sense for parts of the kernel, but for apps?
Socialism: a lie told by totalitarians and believed by fools.
The Mac App Store has content censorship and too much sandboxing.
No, software needs to not rely on installers / uninstallers. I'm automatically suspicious of any bit of software that comes with an installer (on a Mac OS system), because most software doesn't need it: you copy the app to your applications folder (or, for that matter, anywhere you want) and that's it. That's all normal user applications should need. Anything that wants to "install" itself makes me wonder what kind of wonky shit it's doing to my system besides just putting an app into the applications folder.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
You unload the kernel extension, if not, boot into single user mode. How did the thing get there: you or your user installed it with an admin password. It's not a standard app that comes with OS X so there is no other way it got installed.
Custom electronics and digital signage for your business: www.evcircuits.com
SIP does nothing useful, and prevents actually useful programs from running.
See subject: For deleting remnants of 'Win 10 update' forced on users via GWX folder 50mb left AFTER Win10 "upgrade nag" KB3035583 https://tech.slashdot.org/comments.pl?sid=8599605&cid=51279109/ under %WinDir%\system32 you could NOT remove even as ADMIN class user - so, how to get rid of it?
Take ownership of the folder & files it had (via rightclick security properties for NTFS ACL) + those above it folder-wise, from "Trusted Installer" changing it to YOUR USERNAME & giving yourself FULL control & BOOM - then, you could delete it all out saving tons of diskspace + removing the 'threat' of it etc. - et al!
* Some folks here are 'hitting on' the use of MAC (mandatory access control), otherwise known as MACL, or DACL (discretionary) on other OS's & they're right imo...
APK
P.S.=> HOWEVER - as this sounds like MORE than disk data alone? SO others know, in Windows @ least, it too has ACL's IN REGISTRY (that's part of what I wrote in the link above) & those can be set to remove 'unremovables' too the same basic way - & MacOS X being a BSD *NIX? It's probably going to be some config files under etc (etc, pun intended) too... apk
Great word to use when describing apple os.
damaged by dogma
As any seasoned Unix sysadmin knows: it's called single user mode. It avoids SIP, Gatekeeper and pretty much all kernel extensions. You can then kextunload or simply delete the file and (optionally) rebuild the kernel cache.
Custom electronics and digital signage for your business: www.evcircuits.com
See subject & why not (until I see otherwise, sounds ok) + as you can see I'm no 'seasoned *NIX admin' (Windows here MOSTLY for decades as a tech/admin/software engineer (mostly latter)) but assuming you're right (you sound confident enough) I LEARNED A NEW THING HERE today, so it's not a wasted day when you can say that!
* I sounded off on something MUCH like it in Windows & how I beat it (others sounded off on ACL/MAC in MacOS X so it sounded alike & similar scenario is all so I "let it rip" on what worked for me on a diff. platform).
APK
P.S.=> See subject... apk
Did World Wildlife Fund sue Zynga over Words With Friends or something?
A piece of shit
And yet again you showed the world you are a retard because of your ignorance.
APK as always is wrong.
I guess that is why he keeps working on toy problems on toy OSes.
Oddly, that's exactly what the post reference link says.
Glad you read it.
Too bad others didn't.
---- Teach Peace. It's Cheaper Than War.
Why does an android emulator need to install a kernel module?
Mac OS Classic-like BS: no system-wide uninstall system.
Back then Windows had the Windows Installer + 3rd-party ones, and the system-wide uninstall list.
BlueStacks is a Kernel Extension, not a user space application? Is it installed by a method different than "regular" applications?
A user "installing an application" that they then are unable to easily "uninstall" seems broken behavior.
Most "apps" are just directories that are self contained; drag it out of the install media to the install location, and to uninstall you drag it to the trash or delete from the command line.
The few apps that don't fit into that model are the ones that require a package method (ie, files go into both application and library folders). This is reasonably straight forward to install though, but the uninstall is difficult. I often find there's a readme file or a web support page describing how to uninstall and clean up. Otherwise you search the usual suspected directories for remnants to clean up (libraries, documents, application support).
So this new problem seems to be some applications that have loaded kernel extensions, which is difficult for the average user to know how to undo. And that's where having a good uninstall script will help, but there's no standard Apple way to do this.
There are the special cases though. Ie, an older version of Office kept the Windows model of having a "common" directory. Other apps have non trivial files that have to go into "/Library/Application Support". Apple's own products often have a really complicated web of stuff that happens (ie, xcode-select).
Apple should have added some standard way to uninstall though, and I suspect they don't because it would mean acknowledging that not everything fits into the user-friendly application bundle model.
I'm using some eclipse based tools from vendors that are application bundles that do have Java JRE underneath. It does mean a separate copy of JRE for each application which is bulky. It also means that they almost always have an older version of JRE so that the tools are dreadfully slow.
Do lots of users use the Apple Store for applications on a Mac? I know the iphone users do, but it seems somewhat rare on the Mac in my experience. So many tools I use are not on the store anyway, the store requires you to have an Apple ID, and it doesn't fit well into a corporate environment.
You can dream, but at the end of the day, lather, rinse repeat and it's still just Apple.
Oh, like no other OS has had the occasional weird permissions issue?
Gimme a break!
My rule of thumb is to avoid anything but "drag the app into your apps folder". Means I don't get to use Flash or Java, but I'll manage.
I'm not a fan of Flash or anything, but it's a case of "drag the bundle into your ~/Library/Internet\ Plug-Ins folder". Getting the plugin out of the Adobe dmg is more complicated than it needs to be but it can all be done with user-level privileges.
No, software needs to not rely on installers / uninstallers. I'm automatically suspicious of any bit of software that comes with an installer (on a Mac OS system), because most software doesn't need it: you copy the app to your applications folder (or, for that matter, anywhere you want) and that's it. That's all normal user applications should need. Anything that wants to "install" itself makes me wonder what kind of wonky shit it's doing to my system besides just putting an app into the applications folder.
I'm with you on that feeling.
The only exceptions to that rule are genuine Apple Applications. I trust them not to install a keylogger, etc.
See subject & this https://tech.slashdot.org/comments.pl?sid=11559309&cid=55857689/ & https://tech.slashdot.org/comments.pl?sid=11559309&cid=55858697/ + you've yet to show you've done better in code (you can't, you're a useless douche troll, lol).
* By the way - Windows IS the most used OS there is on both desktops + servers combined dolt - the others? They're the toys (in smartphones & tablets)... lol!
APK
P.S.=> ... & you KNOW it "ne'er-do-well" UNIDENTIFIABLE trolling stalker that you are - thanks for proving who the RETARD is here (I strongly suspect now you've been called that a LOT in life seeing as you PROJECT IT in your constant stalking of myself)... apk
but the content censorship needs to go
No it doesn’t.
SIP is there for your protection and the protection of OSX.
If you really want to get rid of the app, here is how to enable/disable SIP.
Apple is trying to clean things up under the covers. They have a new modern filesystem (APFS) and added SIP back in El Cap, which was a solid security move. I realize things have been a bit shaky lately, but I blame it on moving 12,000 people into the new spaceship campus. I am surprised all the developers haven't quit.
As the spaceship establishes a new workplace morphology, things will get better. Maybe the ex-NSA'ers will head to Apple and bolster security even more.
It is a malware target, same as the similar feature in windows... There is plenty of windows malware that uses the system protection features to make removal difficult.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Yes it does.
I know, I'm late to the party, and I'm sure no one will answer this. But why can a third-party application access SIP *at all*? Is it just that it managed to install a KEXT? If so, why didn't the user get a "do you really want to install this KEXT?" alert once or twice before it was allowed to do that in the first place?