{"id":309,"date":"2015-11-01T23:40:28","date_gmt":"2015-11-01T23:40:28","guid":{"rendered":"http:\/\/tomas.papp.me.uk\/?p=309"},"modified":"2015-11-03T14:49:22","modified_gmt":"2015-11-03T14:49:22","slug":"strace-na-macos-sip","status":"publish","type":"post","link":"https:\/\/tomas.papp.me.uk\/?p=309","title":{"rendered":"&#8220;strace&#8221; on MacOS &#038; SIP"},"content":{"rendered":"<p>..is called dtrace<\/p>\n<p>\/usr\/sbin\/dtrace, and it has a few pitfalls:<\/p>\n<p>1) it requires root; I recommend <code>sudo dtrace sudo -u myuser traced_command<\/code><\/p>\n<p>2) there is something called SIP<\/p>\n<p>As you may know, Apple released their new OS X revision 10.11 this year with a great security feature built-in:\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Integrity_Protection\">System Integrity Protection<\/a>. In a nutshell, this mechanism protects system data and important filesystem components (like\u00a0<code>\/System<\/code>\u00a0or\u00a0<code>\/usr<\/code>) from being modified by the user, even if they are\u00a0<em>root<\/em>. SIP also disables any use of code-injection and debugging techniques for third-party software, so some of your favorite hacks may not work anymore. &#8211; ;))<\/p>\n<p>Nice of Apple. Anyway:<\/p>\n<h3 id=\"the-solutions\">Completely disable SIP<\/h3>\n<p>Although not recommended by Apple, you can entirely disable System Integrity Protection on your Mac. Here&#8217;s how:<\/p>\n<ol>\n<li>Boot your Mac into Recovery Mode: reboot it and hold cmd+R until a progress bar appears.<\/li>\n<li>Choose the language and go to the Utilities menu. 
Choose Terminal there.<\/li>\n<li>Enter this command to disable System Integrity Protection:\n<div class=\"sourceCode\">\n<pre class=\"sourceCode bash\"><code class=\"sourceCode bash\">$ <span class=\"kw\">csrutil<\/span> disable<\/code><\/pre>\n<\/div>\n<\/li>\n<li>It will ask you to reboot \u2014 do so and you&#8217;re free from SIP!<\/li>\n<\/ol>\n<h5 id=\"the-good\">The Good<\/h5>\n<p>You&#8217;re able to do anything you want with the OS, yay! \u0669(\u2e1d\u2e1d\u2e1d\u25d5\u0e31 \u0bf0 \u25d5\u0e31\u2e1d\u2e1d\u2e1d )\u0648<\/p>\n<h5 id=\"the-bad\">The Bad<\/h5>\n<p><em>You&#8217;re not safe<\/em>: there are plenty of rootkits in the wild which can infect your system. Actually, you&#8217;re as safe as on OS X 10.10 or 10.9, so judge for yourself.<\/p>\n<h3 id=\"partially-disable-sip\">Partially disable SIP<\/h3>\n<p>Fortunately, SIP is not monolithic: it&#8217;s built from many different modules we can disable\/enable separately. Let&#8217;s take a look at a typical\u00a0<code>csrutil status<\/code>\u00a0output:<\/p>\n<div class=\"sourceCode\">\n<pre class=\"sourceCode bash\"><code class=\"sourceCode bash\">$ <span class=\"kw\">csrutil<\/span> status\r\n<span class=\"kw\">System<\/span> Integrity Protection status: enabled\r\n\r\n<span class=\"kw\">Configuration<\/span>:\r\n    <span class=\"kw\">Apple<\/span> Internal: enabled\r\n    <span class=\"kw\">Kext<\/span> Signing: enabled\r\n    <span class=\"kw\">Filesystem<\/span> Protections: enabled\r\n    <span class=\"kw\">Debugging<\/span> Restrictions: enabled\r\n    <span class=\"kw\">DTrace<\/span> Restrictions: enabled\r\n    <span class=\"kw\">NVRAm<\/span> Protections: enabled<\/code><\/pre>\n<\/div>\n<p>I can count 6 different subsystems here. 
Here&#8217;s the way to selectively disable any of them:<\/p>\n<ol>\n<li>Repeat steps 1 and 2 from the \u00abCompletely disable SIP\u00bb section above.<\/li>\n<li>Now in Terminal enter these commands:\n<div class=\"sourceCode\">\n<pre class=\"sourceCode bash\"><code class=\"sourceCode bash\">$ <span class=\"kw\">csrutil<\/span> clear <span class=\"co\"># restore the default configuration first<\/span>\r\n$ <span class=\"kw\">csrutil<\/span> enable --without dtrace <span class=\"co\"># disable dtrace restrictions *only*<\/span><\/code><\/pre>\n<\/div>\n<p>That&#8217;s it: use\u00a0<code>csrutil enable<\/code>\u00a0with the\u00a0<code>--without<\/code>\u00a0flag and the name of the module you want to disable:<\/p>\n<div class=\"sourceCode\">\n<pre class=\"sourceCode bash\"><code class=\"sourceCode bash\">$ <span class=\"kw\">csrutil<\/span> enable --without kext\r\n$ <span class=\"kw\">csrutil<\/span> enable --without fs\r\n$ <span class=\"kw\">csrutil<\/span> enable --without debug\r\n$ <span class=\"kw\">csrutil<\/span> enable --without dtrace\r\n$ <span class=\"kw\">csrutil<\/span> enable --without nvram\r\n<span class=\"co\"># this one below is different, not sure why. 
I don't encourage you to disable it anyway\u2026<\/span>\r\n$ <span class=\"kw\">csrutil<\/span> enable --no-internal<\/code><\/pre>\n<\/div>\n<\/li>\n<li>Reboot and enjoy your OS again.<\/li>\n<\/ol>\n<h5 id=\"the-good-1\">The Good<\/h5>\n<p>If you only disable the\u00a0<code>dtrace<\/code>\u00a0module you&#8217;re still quite safe: SIP will keep an eye on your filesystem and kernel extensions as well as on any software trying to inject code.<\/p>\n<h5 id=\"the-bad-1\">The Bad<\/h5>\n<p>You&#8217;re\u00a0<em>still unable<\/em>\u00a0to attach dtrace to restricted processes:<\/p>\n<div class=\"sourceCode\">\n<pre class=\"sourceCode bash\"><code class=\"sourceCode bash\">$ <span class=\"kw\">sudo<\/span> dtruss echo <span class=\"st\">\"demo\"<\/span>\r\n<span class=\"kw\">dtrace<\/span>: failed to execute echo: dtrace cannot control executables signed with restricted entitlements<\/code><\/pre>\n<\/div>\n<p>Or run it in a virtual machine.<\/p>\n<p>( <a href=\"http:\/\/internals.exposed\/blog\/dtrace-vs-sip.html\">http:\/\/internals.exposed\/blog\/dtrace-vs-sip.html<\/a> )<\/p>\n","protected":false},"excerpt":{"rendered":"<p>..is called dtrace \/usr\/sbin\/dtrace, and it has a few pitfalls: 1) it requires root; I recommend sudo dtrace sudo -u myuser traced_command 2) there is something called SIP As you may know, Apple released their new OS X revision 10.11 this year with a great security feature built-in:\u00a0System Integrity Protection. 
In a nutshell, this mechanism protects any system data and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-309","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=\/wp\/v2\/posts\/309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=309"}],"version-history":[{"count":4,"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=\/wp\/v2\/posts\/309\/revisions"}],"predecessor-version":[{"id":313,"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=\/wp\/v2\/posts\/309\/revisions\/313"}],"wp:attachment":[{"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tomas.papp.me.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}