Slashdot Mirror


The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co)

A reader shares a blog post that talks about why Macs running High Sierra 10.13.2 (and other versions near it) refuse to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app also fails, with the report Operation not permitted.


High Sierra leaves the user wondering what has happened. There's nothing in Apple's scant documentation to explain how this strange situation has arisen, and seemingly nothing more that the user can do to discover what is wrong, or to do anything about it. The clue comes from probing around in Terminal, specifically using a command like

    ls -lO /Library

Try that in High Sierra, and you'll see

    drwxr-xr-x@ 4 root wheel restricted 128 2 Jan 13:03 StagedExtensions

There are two relevant pieces of information revealed: the @ sign shows that directory has extended attributes (xattrs), and the word restricted that it is protected by System Integrity Protection (SIP). A quick peek inside /Library/StagedExtensions/Applications/BlueStacks.app shows that it is a stub of an app, lacking any main code, but it does contain a kernel extension (KEXT) which is also protected by SIP, by virtue of being inside a SIP-protected folder.

    > ls -lO /Library/StagedExtensions/Applications
    drwxr-xr-x 3 root wheel restricted 96 2 Jan 13:03 BlueStacks.app

So how did this third-party kernel extension end up in this mysterious folder, complete with SIP protection?
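An added example, not part of the blog post or the Slashdot summary: a small shell filter that reads `ls -lO` output and reports, per entry, the two things the summary reads off by eye, the `restricted` (SIP) flag and the `@` xattr marker. The function names and the last two sample lines are constructed; the column layout is assumed from the two listings quoted above.

```shell
#!/bin/sh
# Classify `ls -lO` lines by SIP flag and extended-attribute marker.
# Assumed column layout (from the listings quoted in the summary):
#   mode links owner group flags size <3 date fields> name

classify_ls_lO() {
    awk '
    /^total / { next }                 # skip the "total N" header line
    NF >= 10 {
        mode = $1; flags = $5
        # A trailing "@" on the mode column means the entry has xattrs.
        xattr = (mode ~ /@$/) ? "yes" : "no"
        # The flags column is comma-separated; "restricted" marks SIP.
        sip = "no"
        n = split(flags, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == "restricted") sip = "yes"
        # The name is everything from field 10 on (it may contain spaces).
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        printf "%s sip=%s xattrs=%s owner=%s\n", name, sip, xattr, $3
    }'
}

# Constructed sample: the two lines quoted in the summary, plus two
# made-up entries (no flags; multiple flags) for contrast.
sample_listing() {
    cat <<'EOF'
total 0
drwxr-xr-x@  4 root  wheel  restricted   128  2 Jan 13:03 StagedExtensions
drwxr-xr-x   3 root  wheel  restricted    96  2 Jan 13:03 BlueStacks.app
drwxr-xr-x   5 root  wheel  -            160  2 Jan 12:00 Example Folder
drwxr-xr-x@  3 root  admin  hidden,restricted 96 2 Jan 12:00 Another.app
EOF
}

sample_listing | classify_ls_lO
```

On a Mac, the same filter can be fed live output, for example `ls -lO /Library | classify_ls_lO`.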

24 of 164 comments

  1. SIP? by Anonymous Coward · · Score: 5, Insightful

    Please STOP using an existing acronym. SIP has already been in use by something else:

    https://en.wikipedia.org/wiki/Session_Initiation_Protocol

    By the headline, I was expecting an article to be about how SIP softphones were broke in MAC OS.

    1. Re:SIP? by grasshoppa · · Score: 2

      Had the same impression. Was coming in here to post, "Back in my day, every provider broke SIP in their own unique way. Did we whine about it? Well, yes, but then we worked around it.

      Get off my lawn".

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    2. Re:SIP? by ArtemaOne · · Score: 4, Funny

      Shelter In Place
      Self Inspection Program
      Serial Interface Protocol
      System Implementation Plan
      Systems Integration Plan
      Summer Internship Program
      Share Incentive Plan
      Signal Image Processing
      Sooner If Possible

    3. Re:SIP? by Hal_Porter · · Score: 5, Informative

      I use the SIP to do research for the package I'm writing to automate my SIP which I'm writing using SIP. Thanks to the SIP my phone service is good and I don't need to use SIP to phone people.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    4. Re:SIP? by K. S. Kyosuke · · Score: 4, Funny

      I imagine you wrote all this while smugly sipping tea. ;)

      --
      Ezekiel 23:20
    5. Re:SIP? by FatdogHaiku · · Score: 2

      Given the issue in the summary I think it needs to stand for:
      Some Insidious Process

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    6. Re: SIP? by Hal_Porter · · Score: 2

      https://en.wikipedia.org/wiki/SIPP_memory

      Apparently some early STEs used SIP modules

      http://info-coach.fr/atari/har...

      They were used on a few 80286 and 80386 machines too.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    7. Re:SIP? by Hal_Porter · · Score: 2

      SPWOWIBTAIIICTOE - So perhaps write out what is behind the acronym if it isn't immediately clear to everyone.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  2. Kind of how by kilodelta · · Score: 2

    On Windows 10 you can't kill Cortana. So I just take the route of blocking all access to Microsoft's Bing because that is what I found Cortana using to phone home.

    1. Re: Kind of how by sexconker · · Score: 3, Informative

      Last update: Nov. 10, 2016

      There have been 2 major Windows 10 updates since that thing was last updated. There's no way it still manages to block all of the shit, if it ever did.

  3. Andy, another android emulator by angel'o'sphere · · Score: 2

    I warn about that one.
    It asks for privileges to install (Mac OS X Applications usually don't need privileges, you just copy them with drag and drop into the Applications folder), then tries to install (with a warning) a "Yahoo Toolbar" and silently installs "Mac Keeper", a malware.
    But it is easy to remove with sudo "rm ..." ... but I think I used a chmod or chown before that ... don't remember what I actually needed to do to remove it.
    There was a background process running, watching the killing of the Mac Keeper process, so you needed to kill that first, remove the exe of that process and then kill Mac Keeper and remove the "Andy" program.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    1. Re:Andy, another android emulator by MrLint · · Score: 2

      Thus belies another issue with /Applications on macOS. Being in the admin group you have permissions to access /Applications beyond that of a normal user. So to say that you don't 'usually need privileges': you do, you already have them. However this is really a problematic behavior of macOS, it really should be triggering a superuser exception for that folder.

  4. kextunload command... by Kenja · · Score: 5, Informative

    Use the kextunload to unload a kernel extension. It can then be deleted.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  5. Re:So turn it off by Kenja · · Score: 4, Informative

    Turn what off? SIP? You can't, there is no option to disable it. It's always on as part of Apple's continued effort to boil the frog until no one notices OS X is now iOS X.

    You can, but I wouldn't recommend it. Just use the kextunload command to turn off a kernel extension, it can then be deleted.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  6. Re:Unix by iggymanz · · Score: 2

    no, SIP is Apple's own invention

    buy Apple, get Apple weirdness.

    still, we were given choice and I like the mac I have from my employer more than windows box I could have had.

  7. Re:It's not your computer. It's Apple's by DontBeAMoran · · Score: 2

    One more reason to stay with 10.9.5

    The unreadable thin gray fonts of the latest versions being the primary reason.

    --
    #DeleteFacebook
  8. Re:So turn it off by phayes · · Score: 2

    What? Informative information on kernels in a Slashdot post!?! I'd thought that had left along with Taco...

    To find the list of loaded kexts use "kextfind -loaded".

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  9. Re:does apple need an installer / uninstaller syst by ctilsie242 · · Score: 2

    It has a packaging system, or one just copies the app to the Applications folder. However, uninstalling is a completely different matter. macOS has no real standard way to uninstall packages, other than to drag the application to the trash, or click the x when the icons wiggle in the Launcher.

    macOS really needs a better packaging system. What would be ideal is not just one that can handle installs and clean uninstalls, but to be able to back off updates without reinstalling, similar to AIX's installp. It also would be nice to have a repair mechanism so that a damaged install can be backed out completely. Other package managers are transactional, but it would be nice to have a cleanup process to find broken, not completed installs and remove them.

    As an added bonus, if signatures and such are done right, SIP could be used to protect the integrity of one program from another, as a way to mitigate rootkits.

  10. Re:It's not your computer. It's Apple's by TheRaven64 · · Score: 4, Insightful

    SIP can be disabled. Generally, you don't want to, because it does what it says: protects the integrity of the system, by preventing the user from modifying system files. If you really want to, then reboot into recovery mode, disable SIP, and then reboot into normal mode. This is no different from the procedure for lowering the default securelevel on a BSD system (reboot to single-user mode, tweak the config file, boot to multiuser), does that mean that when you use FreeBSD then the FreeBSD project owns your computer?

    --
    I am TheRaven on Soylent News
  11. AC's are ignorant. by phayes · · Score: 4, Informative

    The reason SIP was protecting the kext is because it was loaded into the actively running kernel. Unload the kext with "kextunload kextfile" and it is no longer protected by SIP and can be removed.

    Yes, Apple could make this easier to do without using a shell. Ex: By putting a button in Preferences>Security that pops up a window displaying loaded kexts in a list & a button to unload them.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  12. Re:Unix by TheRaven64 · · Score: 4, Informative

    SIP is basically the flags part of BSD securelevel 1. At securelevel 1 you can set the user and system immutable flags, but you can't remove them. If you want to, you need to reboot at securelevel 0 (or -1), use chflags to remove the relevant flags, and then delete the files (you can always increase the securelevel, you can't lower it without a reboot). On most BSD systems, securelevel 1 comes with some other restrictions related to opening certain devices, which are not enforced by XNU for SIP. This functionality dates back to 4.4BSD.

    --
    I am TheRaven on Soylent News
  13. Curly quotes by tepples · · Score: 3, Informative

    Aside: When did links stop working?

    Based on the curly quotes and en.m.wikipedia.org hostname I see on that link's href attribute value in View Source, links in your comments stopped working roughly when you enabled automatic curly quotes on your iPhone or iPad or upgraded your iPhone or iPad to a version of iOS that enabled automatic curly quotes by default. Quoted attribute values in HTML5 must use Basic Latin quotation marks, be they single or double.

  14. Re: So turn it off by Malc · · Score: 2

    Try cleaning up a Windows app that installed device drivers and crap in the registry, and whose uninstaller didn't clean these up properly. There's no need to get frothy mouthed about Apple when it's easy enough to contrive similar situations on other platforms. This kind of thing probably happens more frequently on other platforms.

  15. Disable SIP, Reboot, Delete App, Enable SIP, Reboo by Proudrooster · · Score: 2

    SIP is there for your protection and the protection of OSX.

    If you really want to get rid of the app, here is how to enable/disable SIP.

    Apple is trying to clean things up under the covers. They have a new modern filesystem (APFS) and added SIP back in El Cap, which was a solid security move. I realize things have been a bit shaky lately, but I blame it on moving 12,000 people into the new spaceship campus. I am surprised all the developers haven't quit.

    As the space ship establishes a new workplace morphology, things will get better. Maybe the ex-NSA'ers will head to Apple and bolster security even more.