/usr/local SIP restricted upon NetBoot with included package NBI creation
Originator: eholtam
Number: rdar://33967043
Date Originated: 8/18/17
Status: Resolved
Resolved: 17A352a
Product: 10.13
Product Version: 17A344b
Classification: Installation/Setup/Migration
Reproducible: Always
Description of the problem:
Creating a NetBoot image and including a pkg to install using System Image Utility on 17A344b results in a NBI dmg that has /usr/local/ restricted by SIP. This directory is very common for 3rd party tools to install into. Having it restricted blocks any attempts at installing tools.

In testing this seems to only happen when a pkg with a payload that ends up in /usr/local on the target volume is added to the SIU process to install into the DMG. A stock SIU run with just the beta6 installer does not have /usr/local/ restricted.

This issue is a show stopper for us rolling out High Sierra to 1,500 Macs in the company. It is essential we have access to install tools to /usr/local/.

Step-by-step reproduction
1) Download the full beta 6 High Sierra installer
2) Acquire a pkg that has a payload that installs to /usr/local. I used https://github.com/munki/munki/releases/download/v3.0.3/munkitools-3.0.3.3352.pkg
3) Launch SIU
4) Choose the Sierra installer as the Source
5) Choose to create a NetBoot Image
6) Agree to the terms
7) Create an admin
8) At the "Add Configuration Profiles, Packages, and Post-Install Scripts" section drop the munki installer downloaded in step 2 to the window.
9) Leave System Configuration, Directory Servers, Image Settings, Supported Computer Models, and Filter Clients by MAC Address settings default
10) Save the image to the Desktop
11) Once complete, find the Netboot.dmg and mount it
12) Using Terminal issue `ls -lO /Volumes/Netboot/usr/`

Repeat the steps above and do not include a package at step 8 to see that the NBI without an additional pkg does not have /usr/local/ restricted.

Expected results
The NBI would be created, and /usr/local/ would not be SIP protected.
Actual results
/usr/local/ on the output volume is SIP protected, causing issues with installing.

On the NBI that had the package installed I see:

hs13:~ eholtam$ ls -lO /Volumes/NetBoot/usr/
total 0
drwxr-xr-x 975 eholtam staff restricted 33150 Aug 18 11:53 bin
drwxr-xr-x 291 eholtam staff restricted 9894 Aug 18 11:53 lib
drwxr-xr-x 233 eholtam staff restricted 7922 Aug 18 11:53 libexec
drwxr-xr-x 3 eholtam staff restricted 102 Aug 18 11:56 local
drwxr-xr-x 247 eholtam staff restricted 8398 Aug 18 11:58 sbin
drwxr-xr-x 46 eholtam staff restricted 1564 Aug 18 11:53 share
drwxr-xr-x 5 eholtam staff restricted 170 Aug 10 22:13 standalone
hs13:~ eholtam$ ls -l /Volumes/NetBoot/usr/local/
total 0
drwxr-xr-x 16 eholtam staff 544 Aug 18 11:56 munki

On the NBI that did not have a pkg installed I see the following:

hs13:~ eholtam$ ls -lO /Volumes/NetBoot/usr/
total 0
drwxr-xr-x 975 eholtam staff restricted 33150 Aug 18 13:00 bin
drwxr-xr-x 291 eholtam staff restricted 9894 Aug 18 13:00 lib
drwxr-xr-x 233 eholtam staff restricted 7922 Aug 18 13:00 libexec
drwxr-xr-x 2 eholtam staff sunlnk 68 Aug 8 16:45 local
drwxr-xr-x 247 eholtam staff restricted 8398 Aug 18 13:05 sbin
drwxr-xr-x 46 eholtam staff restricted 1564 Aug 18 13:00 share
drwxr-xr-x 5 eholtam staff restricted 170 Aug 10 22:13 standalone
hs13:~ eholtam$ ls -l /Volumes/NetBoot/usr/local/
hs13:~ eholtam$
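The check the reporter runs by hand (`ls -lO` and reading the flags column) is easy to script so that a freshly built NBI can be rejected before it is deployed. The script below is an added example, not part of the radar or of System Image Utility: it parses the BSD `ls -lO` field layout (mode, links, owner, group, flags, size, month, day, time, name), reports which entries carry the SIP `restricted` flag, and exits non-zero when `/usr/local` is among them. The two embedded listings are constructed from the radar's own output so the parsing can be exercised off-line; `check_nbi` itself only works on macOS, because GNU `ls` has no `-O` flags column, and assumes the volume path (e.g. `/Volumes/NetBoot`) is passed as its argument.

```shell
#!/bin/sh
# Added example (not from the radar): flag NBIs whose /usr/local is SIP-restricted.

# restricted_dirs: read `ls -lO` lines on stdin and print the names of entries
# whose flag list contains "restricted". Flags are comma-separated (e.g.
# "restricted,hidden"), so the field is wrapped in commas before matching;
# "total 0" and similar short lines are skipped by the field-count guard.
restricted_dirs() {
    awk 'NF >= 10 && ("," $5 ",") ~ /,restricted,/ { print $NF }'
}

# usr_local_is_restricted: exit 0 when an entry named "local" in the listing
# on stdin is SIP-restricted, 1 otherwise.
usr_local_is_restricted() {
    restricted_dirs | grep -qx local
}

# check_nbi VOLUME: run the check against a mounted NetBoot volume (macOS only).
# Assumed usage: check_nbi /Volumes/NetBoot
check_nbi() {
    ls -lO "$1/usr" | usr_local_is_restricted
}

# Constructed samples taken from the radar's two listings (whitespace collapsed).
WITH_PKG=$(cat <<'EOF'
total 0
drwxr-xr-x 975 eholtam staff restricted 33150 Aug 18 11:53 bin
drwxr-xr-x 291 eholtam staff restricted 9894 Aug 18 11:53 lib
drwxr-xr-x 3 eholtam staff restricted 102 Aug 18 11:56 local
drwxr-xr-x 247 eholtam staff restricted 8398 Aug 18 11:58 sbin
EOF
)
WITHOUT_PKG=$(cat <<'EOF'
total 0
drwxr-xr-x 975 eholtam staff restricted 33150 Aug 18 13:00 bin
drwxr-xr-x 2 eholtam staff sunlnk 68 Aug 8 16:45 local
drwxr-xr-x 247 eholtam staff restricted 8398 Aug 18 13:05 sbin
EOF
)

if [ -n "${1:-}" ]; then
    # Real volume given: fail the build if /usr/local is restricted.
    if check_nbi "$1"; then
        echo "$1/usr/local is SIP restricted; NBI is unusable for /usr/local tooling"
        exit 1
    fi
    echo "$1/usr/local is not SIP restricted"
else
    # No argument: demonstrate on the constructed samples.
    printf '%s\n' "$WITH_PKG" | usr_local_is_restricted && echo "sample with pkg: local is restricted"
    printf '%s\n' "$WITHOUT_PKG" | usr_local_is_restricted || echo "sample without pkg: local is not restricted"
fi
```

Run it with no arguments to see the two sample verdicts, or with a mounted volume path on a Mac to gate an NBI before it is published to the NetBoot server. Note that the flag on `local` in the broken image is `restricted` while the clean image shows only `sunlnk`, which is exactly what the parser distinguishes.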