Mac OS X 10.11.1: Can delete /usr/local but not create it

Originator: Nate.Walck
Number: rdar://23093676
Date Originated: 13-Oct-2015 11:56 AM
Status: Open
Resolved:
Product: OS X
Product Version: Mac OS X 10.11.1 (15B17c)
Classification: Serious Bug
Reproducible: Not Applicable
 
Summary:
On 10.11.1 (and possibly prior versions), you can delete /usr/local but not create it.

Steps to Reproduce:
1. Be on OS X 10.11.1 (or possibly 10.11.0)
2. In terminal, run 'sudo rm -rf /usr/local'
3. In terminal, run 'sudo mkdir /usr/local'

This applies to other SIP locations as well, such as /usr/libexec/cups:

sudo rm -rf /usr/libexec/cups
sudo mkdir /usr/libexec/cups
mkdir: /usr/libexec/cups: Operation not permitted

Expected Results:
You should either be prevented from deleting the whole /usr/local directory, or you should be able to re-create it. This seems to apply to any SIP location that is whitelisted with a * in /System/Library/Sandbox/rootless.conf.

Actual Results:
After /usr/local is deleted, you get the following message:
mkdir: /usr/local: Operation not permitted

Regression:
This happens on 10.11.1 15B17c for sure, and could happen on previous versions of 10.11 as well, since this is a SIP issue.

Notes:
None
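The following POSIX shell script is an added illustration; it is not part of this Radar and not Apple's code. It models the rootless.conf rule the report refers to (a path whitelisted with * is an exception, everything else listed is protected) against a constructed configuration sample, and shows why the model allows deleting /usr/local but denies re-creating it: the delete is judged on /usr/local itself, while the create is judged on its parent, /usr, which is protected. The entry format, the longest-prefix rule, the delete-versus-create distinction, the function names sip_lookup and sip_check, the variable ROOTLESS_CONF_SAMPLE and the com.example.installer entry are all assumptions made for the example, not facts taken from the page.

```sh
#!/bin/sh
# Added example, not part of the Radar or of Apple's code: a small model of
# the rootless.conf rules the report refers to, used to show why a path
# whitelisted with "*" can be deleted but not re-created.
#
# Assumptions (labelled, not taken from the page):
#   - an entry is "<flag><whitespace><path>"; an empty flag means the path is
#     SIP-protected, "*" means it is an exception (unprotected), and any other
#     flag is an installer identifier that alone may modify the path;
#   - the longest matching entry wins;
#   - deleting a path is checked against the path itself, creating one is
#     checked against its parent directory.
# Paths containing spaces are not handled (the real file has some).

# Constructed sample in the style of /System/Library/Sandbox/rootless.conf;
# not the real file, which is longer and tab-separated. The
# com.example.installer entry is hypothetical.
ROOTLESS_CONF_SAMPLE='# flag        path
        /System
*       /System/Library/Caches
        /bin
        /sbin
        /usr
*       /usr/local
        /usr/libexec
*       /usr/libexec/cups
com.example.installer   /usr/libexec/example
'

# sip_lookup PATH CONF: print the classification of PATH under CONF:
# protected | exception | restricted-to:<identifier> | none
sip_lookup() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^#/ || NF == 0 { next }
        {
            path = $NF                          # last field is the path
            flag = (NF == 1) ? "" : $1          # no flag field means protected
            if (p == path || index(p, path "/") == 1) {
                if (length(path) > best) { best = length(path); bestflag = flag; found = 1 }
            }
        }
        END {
            if (!found)               print "none"
            else if (bestflag == "")  print "protected"
            else if (bestflag == "*") print "exception"
            else                      print "restricted-to:" bestflag
        }'
}

# sip_check OP PATH CONF: OP is delete or create; prints allowed or denied.
sip_check() {
    case $1 in
        delete) subject=$2 ;;                   # unlink: judged on the target itself
        create) subject=$(dirname "$2") ;;      # create: judged on the parent directory
        *) echo "usage: sip_check delete|create PATH CONF" >&2; return 2 ;;
    esac
    case $(sip_lookup "$subject" "$3") in
        none|exception) echo allowed ;;
        *)              echo denied ;;
    esac
}

# Walk through the two scenarios from the report.
demo() {
    for c in "delete /usr/local" "create /usr/local" "create /usr/local/bin" \
             "delete /usr/libexec/cups" "create /usr/libexec/cups"; do
        set -- $c
        printf '%-6s %-20s -> %s\n' "$1" "$2" "$(sip_check "$1" "$2" "$ROOTLESS_CONF_SAMPLE")"
    done
}
demo
```

The model is config-only, so it says "allowed" for creating /usr/local/bin once /usr/local exists; the follow-up tests in the comments show the real system still denying that, which depends on per-file state the kernel keeps rather than on rootless.conf alone. On an actual 10.11 machine the checks a practitioner would run are `csrutil status` (is SIP on) and `ls -ldO /usr /usr/local` (is the `restricted` flag set on the directory in question).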

Comments

This has been fixed by com.apple.pkg.SystemIntegrityProtectionConfig.14U2076

This is the relevant catalog entry.

        <key>031-40358</key>
        <dict>
            <key>ServerMetadataURL</key>
            <string>http://swcdn.apple.com/content/downloads/53/38/031-40358/y7sn2l7yvfxb73myuiufqin8fp2sqyetvl/SystemIntegrityProtectionConfig.smd</string>
            <key>Packages</key>
            <array>
                <dict>
                    <key>Digest</key>
                    <string>7ea4c74931632d0a874cf046c1d5444c160acb5b</string>
                    <key>MetadataURL</key>
                    <string>https://swdist.apple.com/content/downloads/53/38/031-40358/y7sn2l7yvfxb73myuiufqin8fp2sqyetvl/SystemIntegrityProtectionConfig.pkm</string>
                    <key>URL</key>
                    <string>http://swcdn.apple.com/content/downloads/53/38/031-40358/y7sn2l7yvfxb73myuiufqin8fp2sqyetvl/SystemIntegrityProtectionConfig.pkg</string>
                    <key>Size</key>
                    <integer>11628</integer>
                </dict>
            </array>
            <key>PostDate</key>
            <date>2015-10-21T17:33:00Z</date>
            <key>Distributions</key>
            <dict>
                <key>English</key>
                <string>https://swdist.apple.com/content/downloads/53/38/031-40358/y7sn2l7yvfxb73myuiufqin8fp2sqyetvl/031-40358.English.dist</string>
            </dict>
        </dict>

It will install Compatibility.bundle version 12, which adds /usr/local to /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths amongst a few other changes.

It should be installed automatically if you have "Install system data files and security updates" enabled in your App Store preferences.

Also tested this by re-creating /usr/local in Recovery without disabling SIP and rebooting:

Steps to reproduce:

  1. Be on OS X 10.11 14A284
  2. With SIP enabled and while in the booted OS, run 'sudo rm -rf /usr/local'
  3. Reboot to Recovery
  4. Run mkdir '/Volumes/Macintosh HD/usr/local'
  5. Boot back to the main OS and try to create folders within /usr/local.

Expected Results: Now that /usr/local exists again, you would expect to be able to write to directories within it as it is whitelisted in SIP.

Actual Results: You cannot write to any sub-directories within /usr/local

sudo mkdir /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

sudo mkdir /usr/local/foo
mkdir: /usr/local/foo: Operation not permitted

mkdir -m 700 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

mkdir -m 755 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

By Nate.Walck at Oct. 16, 2015, 7:05 p.m.

But wait, there is more!

Even if you re-create the /usr/local dir with SIP disabled, after you re-enable SIP you cannot create /usr/local/foo.

Steps to reproduce:

  1. Be on OS X 10.11 14A284
  2. With SIP Enabled, run 'sudo rm -rf /usr/local'
  3. Reboot to recovery, disable SIP
  4. Now that SIP is disabled, run 'sudo mkdir /usr/local'
  5. Reboot to recovery, enable SIP
  6. Now that SIP is enabled, run 'sudo mkdir /usr/local/bin' or 'sudo mkdir /usr/local/foo'

Expected Results: Now that /usr/local exists again, you would expect to be able to write to directories within it as it is whitelisted in SIP.

Actual Results: You cannot write to any sub-directories within /usr/local

sudo mkdir /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

sudo mkdir /usr/local/foo
mkdir: /usr/local/foo: Operation not permitted

mkdir -m 700 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

mkdir -m 755 /usr/local/bin
mkdir: /usr/local/bin: Operation not permitted

By Nate.Walck at Oct. 15, 2015, 7:32 p.m.
