Mac OS X 10.11.1: Can delete /usr/local but not create it
Originator: Nate.Walck
Number: rdar://23093676
Date Originated: 13-Oct-2015 11:56 AM
Status: Open
Resolved:
Product: OS X
Product Version: Mac OS X 10.11.1 (15B17c)
Classification: Serious Bug
Reproducible: Not Applicable
Summary:
On 10.11.1 (and possibly prior versions), you can delete /usr/local but not create it.

Steps to Reproduce:
1. Be on OS X 10.11.1 (or possibly 10.11.0)
2. In Terminal, run 'sudo rm -rf /usr/local'
3. In Terminal, run 'sudo mkdir /usr/local'

This applies to other SIP locations as well, such as /usr/libexec/cups:

sudo rm -rf /usr/libexec/cups
mkdir /usr/libexec/cups
mkdir: /usr/libexec/cups: Operation not permitted

Expected Results:
You should either be prevented from deleting the whole /usr/local directory or you should be able to create it. This seems to apply to any SIP location that is whitelisted with a * in /System/Library/Sandbox/rootless.conf.

Actual Results:
After /usr/local is deleted, you get the following message:
mkdir: /usr/local: Operation not permitted

Regression:
This happens on 10.11.1 15B17c for sure; it could happen on previous versions of 10.11 as this is a SIP issue.

Notes:
None
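The report's point is that /usr/local is listed as an exception (a leading * in rootless.conf) inside a tree that is otherwise protected. The script below is an added example, not code from the radar or from Apple: it models that rule file with a small constructed sample (not the real rootless.conf, only its convention that a leading * marks an exception) and shows the asymmetry the report observes. The names sip_rule, mkdir_allowed and rm_allowed are illustrative; the model treats creation as a write to the parent directory and removal as a write to the entry itself, which is enough to reproduce "rm -rf succeeds, mkdir is denied" for /usr/local and /usr/libexec/cups.

```shell
#!/bin/sh
# Added example, not part of the radar. SAMPLE_CONF is a CONSTRUCTED sample
# that only follows the convention the report describes for rootless.conf:
# a leading '*' marks a path as an exception (whitelisted, writable); every
# other entry is protected. Function names below are my own.
SAMPLE_CONF=$(printf '#\tconstructed sample, not the real rootless.conf\n\t\t\t\t/System\n\t\t\t\t/usr\n#\texceptions\n*\t\t\t\t/usr/local\n*\t\t\t\t/usr/libexec/cups\n')

# sip_rule CONF PATH -> prints "exempt", "protected" or "unprotected".
# The longest matching entry wins, so /usr/local/bin is governed by the
# /usr/local exception rather than by the protected /usr tree.
sip_rule() {
  local conf path
  conf=$1 path=$2
  printf '%s\n' "$conf" | awk -v p="$path" '
    BEGIN { FS = "\t"; best = 0; verdict = "unprotected" }
    /^#/ || NF == 0 { next }
    {
      kind = ($1 == "*") ? "exempt" : "protected"
      entry = $NF                     # the path is the last tab-separated field
      if (entry == "") next
      # exact match, or p lies below entry (entry "/" is a prefix of p)
      if (p == entry || index(p, entry "/") == 1) {
        if (length(entry) > best) { best = length(entry); verdict = kind }
      }
    }
    END { print verdict }'
}

# Creating a directory entry writes the parent, so a new /usr/local needs a
# writable /usr, which the sample protects. Removal is checked against the
# entry itself. This is a model of the observed behaviour, not a description
# of the kernel's actual checks.
mkdir_allowed() {
  local parent
  parent=$(dirname "$2")
  [ "$(sip_rule "$1" "$parent")" != protected ]
}

rm_allowed() {
  [ "$(sip_rule "$1" "$2")" != protected ]
}

# Usage: walk the report's own paths against the constructed rules.
for p in /usr/local /usr/local/bin /usr/libexec/cups /usr/bin; do
  rule=$(sip_rule "$SAMPLE_CONF" "$p")
  rm_allowed "$SAMPLE_CONF" "$p" && rm_ok=yes || rm_ok=no
  mkdir_allowed "$SAMPLE_CONF" "$p" && mk_ok=yes || mk_ok=no
  printf '%-20s rule=%-11s rm=%-3s mkdir=%s\n' "$p" "$rule" "$rm_ok" "$mk_ok"
done
```

For /usr/local and /usr/libexec/cups the loop prints rm=yes mkdir=no, which is exactly the report's sequence: the exempt entry can be removed, but recreating it means writing into a protected parent. The model only covers the rules file; the enforcement state on a real system lives on the filesystem objects themselves (the restricted flag that ls -lO shows), which is why a /usr/local recreated by hand, as in the comments below, still is not writable.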
Comments
This has been fixed by com.apple.pkg.SystemIntegrityProtectionConfig.14U2076
This is the relevant catalog entry.
It will install Compatibility.bundle version 12, which adds /usr/local to /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths amongst a few other changes.
It should be installed automatically if you have "Install system data files and security updates" enabled in your App Store preferences.
Also tested this by re-creating /usr/local in Recovery without disabling SIP and rebooting:
Steps to reproduce:
1. Be on OS X 10.11 14A284
2. With SIP enabled and while in the booted OS, run 'sudo rm -rf /usr/local'
3. Reboot to Recovery
4. Run mkdir '/Volumes/Macintosh HD/usr/local'
5. Boot back to the main OS and try to create folders within /usr/local.
Expected Results: Now that /usr/local exists again, you would expect to be able to write to directories within it as it is whitelisted in SIP.
Actual Results: You cannot write to any sub-directories within /usr/local
sudo mkdir /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

sudo mkdir /usr/local/foo
mkdir: /usr/local/foo: Operation not permitted

mkdir -m 700 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

mkdir -m 755 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted
But wait, there is more!
Even if you re-create the /usr/local dir with SIP disabled, after you re-enable SIP you cannot write /usr/local/foo.
Steps to reproduce:
Expected Results: Now that /usr/local exists again, you would expect to be able to write to directories within it as it is whitelisted in SIP.
Actual Results: You cannot write to any sub-directories within /usr/local
sudo mkdir /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

sudo mkdir /usr/local/foo
mkdir: /usr/local/foo: Operation not permitted

mkdir -m 700 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

mkdir -m 755 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted