MacOS – How does a program modify /usr but I am unable to even with admin privileges

macossipx11xquartz

I have just installed latest Xquartz and FSL imaging software. I noticed that there is a new symbolic link in /usr (i.e. /usr/X11R6) to /opt/X11. My understanding was that only Apple software could be certified/signed to modify /usr under the new SIP in El Capitan. I am certainly unable to modify /usr directly with sudo so SIP is turned on.

It definitely is new – I had a previous xquartz install with a /usr/X11 symlink created prior to El Capitan upgrade which remained in place. However, FSL needs a /usr/X11R6 symlink which I tried to create manually to no avail because of SIP.

After upgrading to latest Xquartz now I have both /usr/X11 and /usr/X11R6 symlinks. It's not a 'problem' but I'm not clear how it got there.

Can someone explain how this works?

Best Answer

SIP disables everything (including the kernel) from modifying the specified directories. Disable it if you want to modify /usr.

Related Solutions

MacOS – How to reenable admin privileges without an administrative user

You can try whether sudo -s still works (which would allow you to add yourself to the admin group again), but probably it won't.

Do the following

Reboot into Single User mode by keeping Cmd-S pressed during reboot
/sbin/mount -uw /
rm /var/db/.AppleSetupDone
reboot

This will trick your Mac into behaving like a new installation (but with your data still intact). Follow the setup without migrating any data etc., near the end you will have the option to create a new user with admin privileges. Make sure to pick a new username here to avoid any conflicts.

MacOS – Why does OS X require admin privileges to unmount a drive from the terminal using `umount` but not when using Finder

umount is a UNIX command that adheres to the traditional UNIX perspective that unmounting a filesystem is a system administration task.

The rationale behind is that unmounting a filesystem, if poorly planned or executed, could be disruptive, even destructive, especially on a multiuser system. So regular users are protected from this potentially dangerous command and only root or a privileged user is allowed to execute it.

This makes a lot of sense when UNIX is used as a server operating system, but a UNIX-based desktop OS (for example, OS X or Ubuntu) has other needs: any user should be able to unmount flash drives, removable harddrives, etc.

The Finder and diskutil (see man diskutil for more information) work this way. For example, I can open Terminal and successfully run:

$ diskutil unmount /Volumes/Untitled
Volume Untitled on disk2s2 unmounted

whereas umount fails:

$ umount /Volumes/Untitled
umount: unmount(/Volumes/Untitled): Operation not permitted

What is the Finder or diskutil doing differently? Behind the scenes, they send a request to a daemon called com.apple.SecurityServer (see man page for more information), which grants the right to unmount the filesystem:

$ tail -f /var/log/system.log
Feb  6 16:57:37 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/System/Library/CoreServices/Finder.app' [171] for authorization created by '/System/Library/CoreServices/Finder.app' [171] (100013,0)
Feb  6 16:57:37 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskarbitrationd' [18] for authorization created by '/System/Library/CoreServices/Finder.app' [171] (100002,0)
Feb  6 17:01:46 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskutil' [646] for authorization created by '/usr/sbin/diskutil' [646] (100013,0)
Feb  6 17:01:46 avallone.local com.apple.SecurityServer[17]: Succeeded authorizing right 'system.volume.removable.unmount' by client '/usr/sbin/diskarbitrationd' [18] for authorization created by '/usr/sbin/diskutil' [646] (100002,0)

This allows any user to unmount a drive without requiring additional authentication. (Ubuntu has a similar philosophy. If you are interested, take a look at this answer on AskUbuntu.)

To support the behavior explained above the Finder and diskutil use several Apple frameworks:

$ otool -L $(which diskutil) | grep Disk
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/DiskManagement (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (compatibility version 1.0.0, current version 1.0.0)
$ otool -L /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder | grep Disk
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration (compatibility version 1.0.0, current version 1.0.0)
/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/DiskImages (compatibility version 1.0.8, current version 344.0.0)
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/DiskManagement (compatibility version 1.0.0, current version 1.0.0)

umount, on the other side, is only linked to this dynamic library:

$ otool -L $(which umount) 
/sbin/umount:
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 169.3.0)

(/usr/lib/libSystem.B.dylib uses several other libraries, but isn't linked to any framework.)

Best Answer

Related Solutions

MacOS – How to reenable admin privileges without an administrative user

MacOS – Why does OS X require admin privileges to unmount a drive from the terminal using `umount` but not when using Finder

Related Question