Mac OS X 10.11 (15A263e): SIP has undocumented exception for creating, modifying and deleting /usr/sbin/jamf

Number: rdar://22395084
Date Originated: 23-Aug-2015 05:01 PM
Status: Closed
Resolved:
Product: OS X
Product Version: Mac OS X 10.11 (15A263e)
Classification: Security
Reproducible: Always

The /usr directory is listed as a protected directory in /System/Library/Sandbox/rootless.conf as of OS X 10.11 (15A263e). 

It appears that there is an undocumented exception in SIP for "/usr/sbin/jamf". This exception does not appear in /System/Library/Sandbox/rootless.conf as of OS X 10.11 (15A263e). 

Steps to Reproduce:

Run the following command with root privileges:

touch /usr/sbin/jamf

Expected Results:

Receive the following error message:

touch: /usr/sbin/jamf: Operation not permitted

Actual Results:

/usr/sbin/jamf file created


Ran the following commands and received the expected results:

touch /usr/sbin/jamff
touch /usr/sbin/jam
touch /usr/sbin/munki
touch /usr/sbin/puppet

In all cases, I received error messages similar to those shown below:

touch: /usr/sbin/jamff: Operation not permitted
touch: /usr/sbin/jam: Operation not permitted
touch: /usr/sbin/munki: Operation not permitted
touch: /usr/sbin/puppet: Operation not permitted


I've attached a screenshot showing that SIP is enabled, via running the following command:

csrutil status

The screenshot also shows the output of running the various touch commands listed above.


Exception file located in /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths

Never mind, I found where /usr/sbin/jamf is getting its exception from: /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
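A defender-side check that follows from the report, as an added example (not part of the radar and not Apple's tooling): given a rootless.conf fragment and a Compatibility.bundle paths list, classify a path as protected, exempt via a '*' entry in rootless.conf, or exempt via the compatibility list that rootless.conf never shows. The file formats and all sample entries are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not from the report): classify a path as SIP-protected from a
# rootless.conf fragment and a Compatibility.bundle paths list. Both inputs are
# constructed; formats assumed: rootless.conf lines are tab-separated, a leading
# '*' marks an exception, the path is the last field; paths has one path per line.
TAB=$(printf '\t')
ROOTLESS_CONF=$(printf '%s\n' \
  "${TAB}${TAB}/usr" \
  "*${TAB}${TAB}/usr/local" \
  "${TAB}${TAB}/System")
COMPAT_PATHS=$(printf '%s\n' '/usr/sbin/jamf' '/Library/Application Support/Example')
# under_prefix PATH PREFIX: true if PATH equals PREFIX or lies beneath it.
under_prefix() {
  case "$1" in
    "$2"|"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}
# sip_status PATH: prints protected, exempt:rootless.conf, exempt:compatibility or unprotected.
sip_status() {
  p=$1
  protected=0
  # A '*' exception wins over the protected subtree it is nested in.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    entry=$(printf '%s\n' "$line" | awk -F"$TAB" '{print $NF}')
    case "$line" in
      \**) if under_prefix "$p" "$entry"; then echo exempt:rootless.conf; return 0; fi ;;
      *)   if under_prefix "$p" "$entry"; then protected=1; fi ;;
    esac
  done <<EOF
$ROOTLESS_CONF
EOF
  if [ "$protected" -eq 0 ]; then echo unprotected; return 0; fi
  # The compatibility list is the exception source the report found; rootless.conf never shows it.
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    if under_prefix "$p" "$entry"; then echo exempt:compatibility; return 0; fi
  done <<EOF
$COMPAT_PATHS
EOF
  echo protected
}
for f in /usr/sbin/jamf /usr/sbin/jamff /usr/sbin/munki /usr/local/bin/x /tmp/x; do
  printf '%-20s %s\n' "$f" "$(sip_status "$f")"
done
```

On a real system, feed it the contents of /System/Library/Sandbox/rootless.conf and the Compatibility.bundle paths file instead of the constructed fragments to audit which management-tool binaries are writable while csrutil reports SIP enabled.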

Forum post with additional information:
