umount
is a UNIX command that adheres to the traditional UNIX perspective that unmounting a filesystem is a system administration task.
The rationale behind is that unmounting a filesystem, if poorly planned or executed, could be disruptive, even destructive, especially on a multiuser system. So regular users are protected from this potentially dangerous command and only root or a privileged user is allowed to execute it.
This makes a lot of sense when UNIX is used as a server operating system, but a UNIX-based desktop OS (for example, OS X or Ubuntu) has other needs: any user should be able to unmount flash drives, removable harddrives, etc.
The Finder and diskutil
(see man diskutil for more information) work this way. For example, I can open Terminal and successfully run:
$ diskutil unmount /Volumes/Untitled
Volume Untitled on disk2s2 unmounted
whereas umount
fails:
$ umount /Volumes/Untitled
umount: unmount(/Volumes/Untitled): Operation not permitted
What is the Finder or diskutil
doing differently? Behind the scenes, they send a request to a daemon called com.apple.SecurityServer (see man page for more information), which grants the right to unmount the filesystem:
$ tail -f /var/log/system.log
Feb 6 16:57:37 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/System/Library/CoreServices/Finder.app' [171] for authorization created by '/System/Library/CoreServices/Finder.app' [171] (100013,0)
Feb 6 16:57:37 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskarbitrationd' [18] for authorization created by '/System/Library/CoreServices/Finder.app' [171] (100002,0)
Feb 6 17:01:46 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskutil' [646] for authorization created by '/usr/sbin/diskutil' [646] (100013,0)
Feb 6 17:01:46 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskarbitrationd' [18] for authorization created by '/usr/sbin/diskutil' [646] (100002,0)
This allows any user to unmount a drive without requiring additional authentication. (Ubuntu has a similar philosophy. If you are interested, take a look at this answer on AskUbuntu.)
To support the behavior explained above the Finder and diskutil
use several Apple frameworks:
$ otool -L $(which diskutil) | grep Disk
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/DiskManagement (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (compatibility version 1.0.0, current version 1.0.0)
$ otool -L /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder | grep Disk
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (compatibility version 1.0.0, current version 1.0.0)
/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/DiskImages (compatibility version 1.0.8, current version 344.0.0)
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/DiskManagement (compatibility version 1.0.0, current version 1.0.0)
umount
, on the other side, is only linked to this dynamic library:
$ otool -L $(which umount)
/sbin/umount:
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 169.3.0)
(/usr/lib/libSystem.B.dylib
uses several other libraries, but isn't linked to any framework.)
Best Answer
SIP disables everything (including the kernel) from modifying the specified directories. Disable it if you want to modify
/usr
.