[OpenAFS-port-darwin] El Capitan
Teddy Thomas
tthoma24@mit.edu
Tue, 18 Aug 2015 10:04:22 -0400
--Apple-Mail=_BE14F551-F425-48B4-A5ED-121A4324B07E
Content-Type: multipart/alternative;
boundary="Apple-Mail=_66489C6B-CFEC-4673-937F-68780BAEF130"
--Apple-Mail=_66489C6B-CFEC-4673-937F-68780BAEF130
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=utf-8
The issue is that Apple has introduced a new security feature called =
System Integrity Protection (aka =E2=80=9CRootless=E2=80=9D) in 10.11. =
It is supposed to prevent unauthorized modifications of system files, =
which is why /usr is no longer writable, even as root. (I believe =
/usr/local is still okay, but I=E2=80=99m a bit fuzzy on that). If =
anyone is curious, they might want to read more here: =
https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/Wha=
tsNewInOSX/Articles/MacOSX10_11.html#//apple_ref/doc/uid/TP40016227-DontLi=
nkElementID_17
and here: https://en.wikipedia.org/wiki/System_Integrity_Protection
While we=E2=80=99re waiting for the YFS installer, I managed to get AFS =
working with the YFS installer by disabling System Integrity Protection =
(aka =E2=80=9CRootless) by booting into Recovery and choosing the =
Security Configuration utility. You might need a firmware update in =
order to do so; before I did the Firmware Update, I got a weird IOKit =
error when trying to change the setting.
-Teddy
> On Aug 18, 2015, at 9:56 AM, Daria Brashear <shadow@gmail.com> wrote:
>=20
> The OpenAFS installers since time immemorial install into /usr; in =
10.11, /usr is not writable.
>=20
> The installers YFS produces have been modified to be ready for 10.11 =
but as it is not released finally yet, we
> are not yet distributing one for it.
>=20
>=20
>=20
> On Tue, Aug 18, 2015 at 8:28 AM, Christer Grafstr=C3=B6m =
<christer.grafstrom@ltu.se <mailto:christer.grafstrom@ltu.se>> wrote:
> Hello=20
>=20
> I have upgraded to El Capitan on my test-mac and openafs stopped =
working. I have tried to install it but no luck.
> The kext file is loaded so thats fine, but when i try to install the =
pkg I hade on my Mac OS X 10.10 the installation failed.
>=20
> This I have from system.log : sandboxd[123] ([1732]): shove(1732) =
System Policy: deny file-write-create /usr/bin/aklog=20
> This I can understand and I can recompile and move aklog to another =
file path.
>=20
> Has someone else tried this and managed to install openafs on El =
Capitan?
>=20
> Regards
> Christer Grafstrom
> IT-Service
> Lulea University of Technology
>=20
>=20
>=20
>=20
>=20
> --=20
> Daria Phoebe Brashear
> Your File System, Inc.
--Apple-Mail=_66489C6B-CFEC-4673-937F-68780BAEF130
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=utf-8
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">The issue is that Apple has introduced a new security feature =
called System Integrity Protection (aka =E2=80=9CRootless=E2=80=9D) in =
10.11. It is supposed to prevent unauthorized modifications of system =
files, which is why /usr is no longer writable, even as root. (I believe =
/usr/local is still okay, but I=E2=80=99m a bit fuzzy on that). If =
anyone is curious, they might want to read more here: <a =
href=3D"https://developer.apple.com/library/prerelease/mac/releasenotes/Ma=
cOSX/WhatsNewInOSX/Articles/MacOSX10_11.html#//apple_ref/doc/uid/TP4001622=
7-DontLinkElementID_17" =
class=3D"">https://developer.apple.com/library/prerelease/mac/releasenotes=
/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html#//apple_ref/doc/uid/TP4001=
6227-DontLinkElementID_17</a><div class=3D"">and here: <a =
href=3D"https://en.wikipedia.org/wiki/System_Integrity_Protection" =
class=3D"">https://en.wikipedia.org/wiki/System_Integrity_Protection</a><b=
r class=3D""><div class=3D""><br class=3D""></div><div class=3D"">While =
we=E2=80=99re waiting for the YFS installer, I managed to get AFS =
working with the YFS installer by disabling System Integrity Protection =
(aka =E2=80=9CRootless) by booting into Recovery and choosing the =
Security Configuration utility. You might need a firmware update in =
order to do so; before I did the Firmware Update, I got a weird IOKit =
error when trying to change the setting.</div><div class=3D""><br =
class=3D""></div><div class=3D"">-Teddy</div><div class=3D""><br =
class=3D""></div><div class=3D""><br class=3D""><div><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Aug 18, 2015, at 9:56 AM, =
Daria Brashear <<a href=3D"mailto:shadow@gmail.com" =
class=3D"">shadow@gmail.com</a>> wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div dir=3D"ltr" =
class=3D""><div class=3D""><div class=3D"">The OpenAFS installers since =
time immemorial install into /usr; in 10.11, /usr is not writable.<br =
class=3D""><br class=3D""></div>The installers YFS produces have been =
modified to be ready for 10.11 but as it is not released finally yet, =
we<br class=3D""></div>are not yet distributing one for it.<br =
class=3D""><br class=3D""><br class=3D""><div class=3D"gmail_extra"><br =
class=3D""><div class=3D"gmail_quote">On Tue, Aug 18, 2015 at 8:28 AM, =
Christer Grafstr=C3=B6m <span dir=3D"ltr" class=3D""><<a =
href=3D"mailto:christer.grafstrom@ltu.se" target=3D"_blank" =
class=3D"">christer.grafstrom@ltu.se</a>></span> wrote:<br =
class=3D""><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style=3D"word-wrap:break-word" class=3D"">
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
Hello </div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
<br class=3D"">
</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
I have upgraded to El Capitan on my test-mac and openafs stopped =
working. I have tried to install it but no luck.</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
The kext file is loaded so thats fine, but when i try to install the pkg =
I hade on my Mac OS X 10.10 the installation failed.</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
<br class=3D"">
</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
This I have from system.log : <span =
style=3D"font-family:Menlo;font-size:11px" class=3D"">sandboxd[123] =
([1732]): shove(1732) System Policy: deny file-write-create =
/usr/bin/aklog</span> </div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
This I can understand and I can recompile and move aklog to another file =
path.</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
<br class=3D"">
</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
Has someone else tried this and managed to install openafs on El =
Capitan?</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
<br class=3D"">
</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
Regards</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
Christer Grafstrom</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
IT-Service</div>
<div class=3D""><span style=3D"line-height:16px;text-align:center" =
class=3D"">Lulea University of Technology</span></div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
<br class=3D"">
</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
<br class=3D"">
</div>
<div style=3D"font-size: 14px; font-family: Calibri, sans-serif;" =
class=3D"">
<div class=3D""></div>
</div>
</div>
</blockquote></div><br class=3D""><br clear=3D"all" class=3D""><br =
class=3D"">-- <br class=3D""><div class=3D"gmail_signature"><div =
dir=3D"ltr" class=3D"">Daria Phoebe Brashear<br class=3D""></div><div =
class=3D"">Your File System, Inc.<br class=3D""></div></div>
</div></div>
</div></blockquote></div><br class=3D""></div></div></body></html>=
--Apple-Mail=_66489C6B-CFEC-4673-937F-68780BAEF130--
--Apple-Mail=_BE14F551-F425-48B4-A5ED-121A4324B07E
Content-Disposition: attachment;
filename=smime.p7s
Content-Type: application/pkcs7-signature;
name=smime.p7s
Content-Transfer-Encoding: base64
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIDxjCCA8Iw
ggMroAMCAQICEQCVHMwCHMNObkOD9qHe8ljCMA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNVBAYTAlVT
MRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4wLAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0
ZSBvZiBUZWNobm9sb2d5MRUwEwYDVQQLEwxDbGllbnQgQ0EgdjEwHhcNMTUwODAxMDQwNTQ2WhcN
MTYwODAxMDQwNTQ2WjCBqTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxLjAs
BgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxFTATBgNVBAsTDENs
aWVudCBDQSB2MTEaMBgGA1UEAxMRVGhlb2RvcmUgSiBUaG9tYXMxHzAdBgkqhkiG9w0BCQEWEHR0
aG9tYTI0QE1JVC5FRFUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsp/bVJ5HwKrxc
ie6x7aBqpvSY+AQkuiNj4Nt9fWX8ajZtxvpacWrxTxFwW2w3XZbGDz5XiB2sQIzjPRkaOI8GWaya
DgE+aleaeJDpxnXQs/G9pVBMHfRJtiC3ymMkcatqltM8/yiHfNrshxRrRCFkBDAmMrus+Bs8/3xA
/EdqUdYgm+Iox4y71WVkNmyzAwJ+pCvFPXLth6+4+zqMD87ZkwxO+SvFYQ0n88ebJWDNAeBEl1ai
v5zY25wkUQWELPmOgZYIFxWj4X5H0TyxMdayV961Qj3w/YfUFaDlXb6UtwIFGFu9S18OTWAz9NDA
h6ohGWsLhKarw9XeA/k9CDUTAgMBAAGjgaEwgZ4wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMAsGA1UdDwQEAwIF4DAdBgNVHQ4EFgQU
74rhuxI0UoOJwXPwA1X8fCVEmG4wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NhLm1pdC5lZHUv
Y2EvbWl0Y2xpZW50LmNybDANBgkqhkiG9w0BAQUFAAOBgQCE2P/EdZeAxI6Iq4QzjdKbJnszNR/j
ntq+Hz/DW70VDbtkiikf6DDhealSsrom/DvydizsIxU1t5hyDeSY7rVbXV02ZiyJmGn2z/5a4Fox
y7H7x3BVN0irQ5pvKF6KBfbNvIw2c13Vjl+JvCuuXrWCQ26SWAWMb3b1Sh5KR3424TGCAzYwggMy
AgEBMIGBMGwxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4wLAYDVQQKEyVN
YXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRUwEwYDVQQLEwxDbGllbnQgQ0Eg
djECEQCVHMwCHMNObkOD9qHe8ljCMAkGBSsOAwIaBQCgggGJMBgGCSqGSIb3DQEJAzELBgkqhkiG
9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE1MDgxODE0MDQyM1owIwYJKoZIhvcNAQkEMRYEFJheTrmm
P3ORObdcUVVTHhQPUEKQMIGSBgkrBgEEAYI3EAQxgYQwgYEwbDELMAkGA1UEBhMCVVMxFjAUBgNV
BAgTDU1hc3NhY2h1c2V0dHMxLjAsBgNVBAoTJU1hc3NhY2h1c2V0dHMgSW5zdGl0dXRlIG9mIFRl
Y2hub2xvZ3kxFTATBgNVBAsTDENsaWVudCBDQSB2MQIRAJUczAIcw05uQ4P2od7yWMIwgZQGCyqG
SIb3DQEJEAILMYGEoIGBMGwxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMS4w
LAYDVQQKEyVNYXNzYWNodXNldHRzIEluc3RpdHV0ZSBvZiBUZWNobm9sb2d5MRUwEwYDVQQLEwxD
bGllbnQgQ0EgdjECEQCVHMwCHMNObkOD9qHe8ljCMA0GCSqGSIb3DQEBAQUABIIBAD7uga82TZoQ
Gnb0wE0WTd0C+DrMBZVWMrkmfW3hOqLI8LtyMRMpWBX9EAWmkVgoHZLop/1p/z66wFxtzwNTHFbX
zBJjHXIeuek6oSj8BBvttTNZ3HY5qAGhYg/DuGHSWMoF5Hwwdr1i09kGddt5jMxflOAlQwJdvHyg
Tsr1Ku1ppkAFqUsrNu2nz+PLZ2uGcL+gMjT/5o2eptiYgc4CXf8o2p1FT6oqucGophXY8YNqnj4l
Msb7/aeMVoh5h/3LEVp9BHHnp+uzTvh3gxINdXlZi0XOSw9K2QOYn+iZmd6sUhqQD1wymKHa2V9F
pEU+dpUFgVgqQf0N60+AkJoaH8UAAAAAAAA=
--Apple-Mail=_BE14F551-F425-48B4-A5ED-121A4324B07E--