Slashdot Mirror
The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co)
A reader shares a blog post that talks about why Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app also fails, with the report Operation not permitted.
High Sierra leaves the user wondering what has happened. There's nothing in Apple's scant documentation to explain how this strange situation has arisen, and seemingly nothing more that the user can do to discover what is wrong, or to do anything about it. The clue comes from probing around in Terminal, specifically using a command like ls -lO /Library Try that in High Sierra, and you'll see drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions
There are two relevant pieces of information revealed: the @ sign shows that directory has extended attributes (xattrs), and the word restricted that it is protected by System Integrity Protection (SIP). A quick peek inside /Library/StagedExtensions/Applications/BlueStacks.app shows that it is a stub of an app, lacking any main code, but it does contain a kernel extension (KEXT) which is also protected by SIP, by virtue of being inside a SIP-protected folder. > ls -lO /Library/StagedExtensions/Applications
drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection?
High Sierra leaves the user wondering what has happened. There's nothing in Apple's scant documentation to explain how this strange situation has arisen, and seemingly nothing more that the user can do to discover what is wrong, or to do anything about it. The clue comes from probing around in Terminal, specifically using a command like ls -lO /Library Try that in High Sierra, and you'll see drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions
There are two relevant pieces of information revealed: the @ sign shows that directory has extended attributes (xattrs), and the word restricted that it is protected by System Integrity Protection (SIP). A quick peek inside /Library/StagedExtensions/Applications/BlueStacks.app shows that it is a stub of an app, lacking any main code, but it does contain a kernel extension (KEXT) which is also protected by SIP, by virtue of being inside a SIP-protected folder. > ls -lO /Library/StagedExtensions/Applications
drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection?
Please STOP using existing acronym. SIP has already been in use by something else:
https://en.wikipedia.org/wiki/Session_Initiation_Protocol
By the headline, I was expecting an article to be about how SIP softphones were broke in MAC OS.
On Windows 10 you can't kill Cortana. So I just take the route of blocking all access to microsoft's Bing because that is what I found Cortana using to phone home.
I warn about that one. ..." ... but I think I used an chmod or chown before that ... don't remember what I actually needed to do to remove it.
It asks for privileges to install (Mac OS X Applications usually don't need privileges, you just copy them with drag and drop into the Applications folder), then tries to install (with a warning) a "Yahoo Toolbar" and silently installs "Mac Keeper" a mal ware.
But it is easy to remove with sudo "rm
There was a background process running, watching the killing of the Mac Keeper process, so you needed to kill that first, remove the exe of that process and then kill Mac Keeper and remove the "Andy" programm.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
So you go to security in preferences, and turn it off. That's also where you'll find your kernel extension which will not have been granted rights to run until you approve it in that preference pane.
Using preferences is hard now?
with imac pro you can't remove storage to remove it offline as well. Coming soon in mac os more lock down and down the road limited drivers for GPU's in TB docs. rootless = no updating build in ATI drivers and no NVIDIA ktexts
Use the kextunload to unload a kernel extension. It can then be deleted.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
does apple need an installer / uninstaller system? Like windows MSI?
It has one. It uses packages, similar to many other UNIX systems. However, there is no enforcement for apps to use them and there is no default package manager. Frankly, I avoid packages since they can do things like install kernel extensions.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
I've stayed on El Capitan (tried Sierra - twice - and eventually rolled back to El Capitan - twice). Unfortunately it will stop getting security updates sometime this summer, though... at which point I'll have to pick my poison and "upgrade".
#DeleteChrome
A unix system is what you want, a unix system is what you get.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Also they don't always clean up very nicely once you remove them, probably due to not everything being kept within their bundle directory. Too much smoke and mirrors, like 'specially' named directories. As parent mentions, there is not one standard way to install. Sometimes you run an executable, sometimes you copy a file into the app directory. Sometimes there are strange folders inside the install screen. It's kind of a mess.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
My rule of thumb is to avoid anything but "drag the app into your apps folder". Means I don't get to use Flash or Java, but I'll manage.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Windows has had something very similar since the XP days, where if one blows away a DLL, Windows silently copies it back.
Did you mean Sergei Mikhailovich Eisenstein or did you write Albert Einstein's name wrong in an attempt to make your post double-funny?
#DeleteFacebook
One more reason to stay with 10.9.5
The unreadable thing gray fonts of the latest versions being the primary reason.
#DeleteFacebook
It has a packaging system, or one just copies the app to the Applications folder. However, uninstalling is a completely different matter. macOS has no real standard way to uninstall packages, other than to drag the application to the trash, or click the x when the icons wiggle in the Launcher.
macOS really needs a better packaging system. What would be ideal is not just one that can handle installs and clean uninstalls, but to be able to back off updates without reinstalling, similar to AIX's installp. It also would be nice to have a repair mechanism so that a damaged install can be backed out completely. Other package managers are transactional, but it would be nice to have a cleanup process to find broken, not completed installs and remove them.
As an added bonus, if signatures and such are done right, SIP could be used to protect the integrity of one program from another, as a way to mitigate rootkits.
SIP can be disabled. Generally, you don't want to, because it does what it says: protects the integrity of the system, by preventing the user from modifying system files. If you really want to, then reboot into recovery mode, disable SIP, and then reboot into normal mode. This is no different from the procedure for lowering the default securelevel on a BSD system (reboot to single-user mode, tweak the config file, boot to multiuser), does that mean that when you use FreeBSD then the FreeBSD project owns your computer?
I am TheRaven on Soylent News
The reason SIP was protecting the kext is because it was loaded into the actively running kernel. Unload the kext with "kextunload kextfile" and it is no longer protected by SIP and can be removed.
Yes, Apple could make this easier do so without using a shell. Ex: By putting a button in Preferences>Security that pops up a window displaying loaded kexts in a list & a button to unload them.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Back in the good old days you could force delete even OS stuff that would wreck the OS, and open files that would crash the computer. This made it easy to get rid of viruses.
Whether they changed this to stop OS problems, or to stop viruses from using it to install themselves, it made virus removal harder as virus writers coopted it to prevent their own removal, when the OS people no doubt thought they had the upper hand.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Apple has a standard .pkg format and a standard tool for installing, but no standard way of uninstalling. Most apps are just bundles (folders that appear to be single files in the GUI unless you right-click and say 'show contents') and so are uninstalled by simply deleting them (and are installed by just dragging them to where you want them to live), so this isn't a problem for most things. It is annoying for other things though, and sufficiently annoying that there are third-party tools that will read the manifest from a .pkg file and delete everything for you (.pkg files install a plist containing all of the things that they've installed in /Library/Receipts).
Most things installed from .pkg files can be uninstalled by running 'lsbom -pf /Library/Receipts/{installer name} | xargs rm -rf ', but that doesn't help you if it ran some post-install script that put files elsewhere.
I am TheRaven on Soylent News
And, immediately after posting that, I discovered the pkgutil tool, so you should replace the lsbom command with 'pkgutil --files {bundle identifier}'. It still doesn't include an uninstall command (though it does allow you to repair and verify installed packages).
I am TheRaven on Soylent News
Clearly the issue is you're uninstalling it wrong!
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Stop it people! Stop Insignificant postings!!
WARNING: Smartphones have side effects--most of them undocumented.
Aside: When did links stop working?
Based on the curly quotes and en.m.wikipedia.org hostname I see on that link's href attribute value in View Source, links in your comments stopped working roughly when you enabled automatic curly quotes on your iPhone or iPad or upgraded your iPhone or iPad to a version of iOS that enabled automatic curly quotes by default. Quoted attribute values in HTML5 must use Basic Latin quotation marks, be they single or double.
That is for operating system files, not applications.
The problem here is that the application includes a kext (kernel module) for some purpose, and applications that include a kext cannot be distributed through Mac App Store.
As is SIP, it's just that somehow the app was marked as a system file (technically, installed to a system directory). That latter part is the problem: seems like a malware magnet. It makes sense for parts of the kernel, but for apps?
Socialism: a lie told by totalitarians and believed by fools.
Mac app store has content censorship and to much sand boxing
No, software needs to not rely on installers / uninstallers. I'm automatically suspicious of any bit of software that comes with an installer (on a Mac OS system), because most software doesn't need it: you copy the app to your applications folder (or, for that matter, anywhere you want) and that's it. That's all normal user applications should need. Anything that wants to "install" itself makes me wonder what kind of wonky shit it's doing to my system besides just putting an app into the applications folder.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
You unload the kernel extension, if not, boot into single user mode. How did the thing get there: you or your user installed it with an admin password. It's not a standard app that comes with OS X so there is no other way it got installed.
Custom electronics and digital signage for your business: www.evcircuits.com
Great word to use when describing apple os.
damaged by dogma
As any seasoned Unix sysadmin knows: it's called single user mode. It avoids SIP, Gatekeeper and pretty much all kernel extensions. You can then kextunload or simply delete the file and (optionally) rebuild the kernel cache.
Custom electronics and digital signage for your business: www.evcircuits.com
The Department of Redundancy Department has been made redundant. If you have any questions please consult the Office of Superfluous Offices.
How come Slashdot never gets Slashdotted?
Did World Wildlife Fund sue Zynga over Words With Friends or something?
Oddly, that's exactly what the post reference link says.
Glad you read it.
Too bad others didn't.
---- Teach Peace. It's Cheaper Than War.
Why does an android emulator need to install a kernel module?
mac os classic like BS no system wide uninstall system.
Back then windows had the windows installer + 3rd party ones. and the system wide uninstall list.
Most "apps" are just directories that are self contained; drag it out of the install media to the install location, and to uninstall you drag it to the trash or delete from the command line.
The few apps that don't fit into that model are the ones that require a package method (ie, files go into both application and library folders). This is reasonably straight forward to install though, but the uninstall is difficult. I often find there's a readme file or a web support page describing how to uninstall and clean up. Otherwise you search the usual suspected directories for remnants to clean up (libraries, documents, application support).
So this new problems seems to be some applications that have loaded kernel extensions which is difficult for the average user to know how to undo. And that's where having a good uninstall script will help, but there's no standard Apple way to do this.
There are the special cases though. Ie, an older version of Office kept the Windows model of having a "common" directory. Other apps have non trivial files that have to go into "/Library/Application Support". Apple's own products often have a really complicated web of stuff that happens (ie, xcode-select).
Apple should have added some standard way to uninstall though, and I suspect they don't because it would mean acknowledging that not everything fits into the user-friendly application bundle model.
I'm using some eclipse based tools from vendors that are application bundles that do have Java JRE underneath. It does mean a separate copy of JRE for each application which is bulky. It also means that they almost always have an older version of JRE so that the tools are dreadfully slow.
Do lots of users use the Apple Store for applications on a Mac? I know the iphone users do, but it seems somewhat rare on the Mac in my experience. So many tools I use are not on the store anyway, the store requires you to have an Apple ID, and it doesn't fit well into a corporate environment.
You can dream, but at the end of the day, lather, rinse repeat and it's still just Apple.
Oh, like no other OS has had the occasional weird permissions issue?
Gimme a break!
No, software needs to not rely on installers / uninstallers. I'm automatically suspicious of any bit of software that comes with an installer (on a Mac OS system), because most software doesn't need it: you copy the app to your applications folder (or, for that matter, anywhere you want) and that's it. That's all normal user applications should need. Anything that wants to "install" itself makes me wonder what kind of wonky shit it's doing to my system besides just putting an app into the applications folder.
I'm with you on that feeling.
The only exceptions to that rule are genuine Apple Applications. I trust them not to install a keylogger, etc.
but the content censorship needs to go
SIP is there for your protection and the protection of OSX.
If you really want to get rid of the app, here is how to enable/disable SIP.
Apple is trying to clean things up under the covers. They have a new modern filesystem (APFS) added SIP back in El Cap which was a solid security move. I realize things have been a bit shaky lately, but I blame on moving 12,000 people into the new spaceship campus . I am surprised all the developers haven't quit.
As the space ship establishes a new workplace morphology, things will get better. Maybe the ex-NSA'ers will head to Apple and bolster security even more.
It is a malware target, same as the similar feature in windows... There is plenty of windows malware that uses the system protection features to make removal difficult.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
At which?
Err.... No, OS X is a BSD.
I know, I'm late to the party, and I'm sure no-one will answer this.. But why can a third-party application access SIP *at all*? Is it just that it managed to installed a KEXT? If so, why didn't the user get a "do you really want to install this KEXT?" alert once or twice before it was allowed to do that in the first place?