Saturday, October 24, 2015

And now for something completely different: El Crapitan sucks (or why SIP will make me go Linux if they keep this crap up)

ObTenFourFox news: 38.4 goes to build next week when Mozilla drops build tags on ESR with a couple more fixes too. Watch for it. Recommended.

Yes, I confess I actually do own two Intel Macs, an old 2007 Core 2 Duo Mac mini running 10.6 which mostly serves as a test machine, and a 2014 i7 MacBook Air which I use for taxes and Master's program homework. The MBA reminds me regularly of why I preferred the New World Power Mac days, and why my daily drivers are still all Tiger PowerPC. Lately every year when Apple issues their annual update I get a bit nervous because their quality assurance seems to have gone right down the pot -- I think the beta testers just twiddle a couple buttons and call it good for golden master, and never mind when everyone's machines explode because they might actually have customized it a bit, or something similarly empowering that Apple doesn't want you doing with your overpriced appliances. (More on that when we get to my overall gripe at the end.)

Part of what makes my trepidation more acute is that I actually do write software that can run on a current Intel Mac from time to time, despite my reputation as a Power Mac-clinging troglodyte. Now, this software is still truly Universal in the strictest sense of the term -- I build on my G5 against the 10.4 universal SDK to make applications that generally run on any Mac OS from 10.4 till now, on any Power Mac and on any Intel Mac, and I even found a version of SDL 1.2 (1.2.14) that happily runs in the same environments on all systems without tripping any deprecation warnings so far. I'll be talking about one particular app in the very near future because not only is it Universal ppc/i386, it also includes AltiVec support, so it's actually 750/7400/i386. Keep an eye out for that column. Fortunately El Capitan didn't break the ones I write based on that environment.

Next, I turned to GopherVR and Mosaic-CK, my rebuilds of two venerable Motif-based X11 applications (the GopherVR client, allowing you to view gopherspace graphically, and an updated port of NCSA Mosaic that doesn't immediately barf on newer pages). These use a special launcher program to install a Dock icon and transfer control to the binary under X11. They both crashed immediately. I looked in the console and found that they were unable to run OpenMotif, which they should have detected, but I said no problem and got out my installer of IST OpenMotif 10.5+ which worked perfectly in Yosemite. On El Cap, it wouldn't install.

Why? Blame the new System Integrity Protection, which amongst other things blocks write access to certain directories, in this case /usr, even if you're root ("rootless protection"). OpenMotif expects to install itself to (more or less) /usr/OpenMotif. El Crap won't let it.

Now, you can keep your superior security snark out of my comments, thanks. I get why SIP exists, because users are stupid, and SIP saves them (somewhat) from themselves. At least so far, unless some gaping kernel hole is discovered, it looks pretty hard to toast an SIP-locked installation other than via hardware failure, and yes, if you're willing to jump through a couple hoops, you can turn it off. But you don't have to be particularly clairvoyant to realize Apple won't let you do that forever, and even now it's mostly all or nothing unless you turn SIP off and tinker with its configuration file. Frankly, making users go to all that trouble isn't a good way to distribute software.

So the first thing I did was patch OpenMotif to run from /Applications, which isn't protected (yes, /Library might be more appropriate, but I had to patch a couple paths embedded in the libraries in place and the length matched better), by changing all the linkages to the new path with a Perl script I dashed off and doing a couple direct binary changes. It looked sane, so I put it in /Applications/OpenMotif21 and rebuilt the apps on the G5 to link against that. It worked fine on 10.4 and 10.6, but on the 10.11 MBA they still crashed.

This time, the OpenMotif libraries could be found, but they were linking against /usr/X11R6, because that's where the universal X11 libraries are in the 10.4 universal SDK and every version of OS X from 10.5 to 10.10 had a symlink to /usr/X11 so it all just worked. Guess what new version of OS X doesn't? And guess what version prevents you from modifying /usr to add that link because of SIP?

I toyed with a couple solutions, but the simplest was to lipo a second i386 binary from the main one (since all Power Macs will run the original binary pointing to /usr/X11R6 fine) at the time the app package is built and rewrite all its linkages to /usr/X11 instead. Then, when the launcher starts, it figures out which binary to run depending on whether /usr/X11R6 exists, and transfers control to that. It's ugly and it bloats the app by about 25%, but it's transparent to the user, at least, and it doesn't require the user to have developer tools installed or I'd just have the launcher do the stripping and rewriting on the fly.
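As an added example (not code from the original post or from GopherVR/Mosaic-CK themselves), here is the build-time rewrite and the launcher's run-time check sketched in shell. It uses install_name_tool to rewrite the linkages where the post used a Perl script and direct binary edits; the "-x11" file suffix, the library names in the comments and the exact tool invocations are my assumptions, not the apps' real layout.

```shell
#!/bin/sh
# Build-time rewrite of the i386 slice plus the launcher's run-time choice.
# lipo/otool/install_name_tool are the standard Xcode tools; the "-x11"
# suffix for the rewritten sibling is an assumption made for this example.

# Turn `otool -L` output (read on stdin) into one "-change OLD NEW" line per
# library that is linked from /usr/X11R6, pointing it at /usr/X11 instead.
x11_change_args() {
    # otool -L prints the binary name first, then one indented line per
    # library, e.g. "  /usr/X11R6/lib/libX11.6.dylib (compatibility version ...)"
    awk '$1 ~ /^\/usr\/X11R6\// {
             new = $1
             sub(/^\/usr\/X11R6\//, "/usr/X11/", new)
             printf "-change %s %s\n", $1, new
         }'
}

# Build the Intel-only sibling of a universal binary: thin out the i386
# slice, then rewrite its X11 linkages.  Usage: make_x11_sibling ./Mosaic
make_x11_sibling() {
    src="$1"; dst="$1-x11"
    lipo -thin i386 "$src" -output "$dst" || return 1
    args=$(otool -L "$dst" | x11_change_args)
    [ -n "$args" ] || return 0        # nothing linked against /usr/X11R6
    # word splitting of $args into the -change triples is intended here
    install_name_tool $args "$dst"
}

# Launcher side: keep the original binary where the /usr/X11R6 link still
# exists (10.4 through 10.10), use the rewritten sibling where it does not
# (10.11 with SIP).  The optional second argument is a root prefix so the
# check can be exercised against a scratch directory; it defaults to /.
pick_binary() {
    bin="$1"; root="${2:-}"
    if [ -d "$root/usr/X11R6" ]; then
        printf '%s\n' "$bin"
    else
        printf '%s\n' "$bin-x11"
    fi
}

# Typical launcher use (commented out so the file can be sourced for tests):
# exec "$(pick_binary "$(dirname "$0")/Mosaic")" "$@"
```

Comment 4 below points out that restoring the /usr/X11R6 link with x11-select makes the second binary unnecessary.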

After that, I fixed a couple more bugs (including the original one where I had a short-circuit in the prerequisites detector) and packed everything up for distribution, and now you can use GopherVR and Mosaic-CK once again. Make sure you have X11 or XQuartz installed first, and then grab my patched OpenMotif from SourceForge (choose the 10.4 package for Tiger, or the 10.5 package for Leopard through El Capitan). Just drag the folder to /Applications without changing the name or any of the contents, and then run either GopherVR's or Mosaic-CK's launcher app, and it should "just work" on any 10.4+ Mac just as it did before.

Why does SIP annoy me most, though, aside from making my binaries more complex and my headache larger? Simply put, I don't like the feeling I don't own my computer, and I'm getting that feeling more and more from Apple. I feel this much less on my Tiger boxes because I can patch them up manually and improve their security and functionality, or alter the way the OS is laid out to suit my taste and needs and how things are installed and activated, and I'm quite sure Apple has great concerns about allowing that on what they consider to be an "appliance." In fact, the irrepressible cynic in me suspects part of SIP's purpose is not just security -- it also has the (to Apple) desirable side effect of forcing most systems to exist in a specific uniform state so that installations and upgrades are more deterministic instead of allowing a (dangerously?) clueful user to muck about at will. While predictions that Gatekeeper would become locked in stone and unsigned apps would never be allowed to run even by request have not yet come to pass, a lot fewer people will be inconvenienced by SIP than by Gatekeeper except for nutbag tinkerers and hackers like me, and Apple has little downside to making it permanent in a future version of OS X. That means one day you may not be able to change the OS at all except through those changes Apple authorizes, and that would really suck. It would also drive me to Linux on commodity hardware, because if system limitations mean I can't find a way to run my custom apps on a current Mac that run just fine on my G5 daily driver, then why have a current Mac? As it turns out, I'm not the only one thinking about that. What's Apple going to break next year, my legs?

Geez, Tim.

9 comments:

  1. Or you can stop violating the FHS and use /usr/local or /opt, like a good Unix citizen. Security is a good thing (and you can disable it if you must) - and well-behaved package managers like homebrew and Fink shouldn't have problems.

  2. Thanks for the anonymous craven sharpshooting!

  3. I'm staying tuned for the day Cameron Kaiser buys non-Apple, commodity hardware.

    That said: everything I've seen about El Cap is basically that SIP doesn't really hurt any of its functionality as a UNIX box, unless you're doing things that the UNIX vendors have been saying you shouldn't do for ten to twenty years.

    El Cap is actually really exciting to me, because it's the first release of Mac OS X since 10.3 or so that speeds up hardware I already owned. It cleans up a lot of the problems I've had with memory management on every OS X Mac I've ever owned (all the way back to the TiBook) and makes every Mac I've put it on feel speedy.

    The only real snag so far is that I'm a heavy user of Office and the problems with Office 2011 and 2016 were a bit of a bummer.

    People have been saying for almost fifteen years (basically, since the first releases of Mac OS X) that Apple is going to lock everything down, and if you're developing your own code or if you're a commercial software developer porting classic code to, say, the console or X11 environment, the world is going to end shortly.

    From the perspective of somebody who is interested in both sides of those things, I haven't been able to find anything that 10.11 can't do or can't somehow be made to do. It's possible it's there, but even Mosaic and GopherVR work without too much effort.

    And, the FHS that the anon above mentions appears to be from 2004, so it's not exactly something new. I bet that the differences between it and the previous version, from 2002, are minimal. A laptop that has long sent almost every other reasonable user-facing UNIX system to /dev/null should be given software that conforms to the standards that were used on its predecessors.

    I don't think that this new security measure, which you worked around by re-compiling your code to conform with standards, is a bad thing or that it reduces the amount of control you have over your box. Ultimately, the point of the FHS is that end users (and intrepid system administrators) were never really meant to be in control of the directories that SIP now protects, because those directories are the vendor's area.

  4. The missing /usr/X11R6 symlink is a bug that can be fixed without disabling SIP (there's an exception in SIP for it). You can fix it by running "/usr/libexec/x11-select /opt/X11". This command was supposed to be executed by the OS' postinstall script, but for some reason it doesn't happen for several people.

    Apple's mailing list archiver didn't pick up the message from the XQuartz maintainer about this, but you can see the command quoted in a follow-up message at http://prod.lists.apple.com/archives/x11-users/2015/Oct/msg00008.html

    You can also upgrade to XQuartz 2.7.8, whose postinstall script will execute that command as well.

    FWIW: I completely sympathise with your feelings about Apple locking down (Mac) OS X more and more. I had to add a note for our application about having to right click and select "open" when 10.7 came out, with the explanation "This workaround is required because we don't pay Apple 79 euro per year, which would prove you can trust us."

    Replies
    1. Yup, that seems to work. For the next version I'll drop the double binary approach and have the Motif launcher detect the situation and instruct them what to do. Still, that's really annoying. Chalk that up to another QA failure. Thanks for the heads up.

      I see SIP as having more likelihood of becoming unconditional than Gatekeeper simply because many fewer users will encounter it, so many fewer users will complain. That'll be a dark day. Meanwhile, I'm in the same boat about signatures and I've started telling people almost exactly the same thing you are.

  5. To be honest, Windows had a similar feature since Win2000 I think.

  7. Am teaching an internet security course this coming week and this issue is really a bother. On one hand, it has always been cool to say "you are on a Mac, they are quite safe". But the reality is that it has only been because the "Evil Doers" were not looking their way as much.

    The retro-Mac community, in particular, has largely been very cool and honest in their desires to simply keep our old machines going. BUT, all that would have been required to do some serious harm would have been say, a package that offers the Chromium Browser, with official-looking artwork, to the PPC crowd with a hidden line saying something like:

    do shell script "rm -R ~/"

    or a mal-intended usage of curl, to copy user-info to an offsite address. We are all so hungry for new software that the desire for new could easily overpower even the most savvy user's better judgement.

    Things like GateKeeper are more and more proving themselves essential. A recent list of security flaws in El Capitan has merely shown existing weaknesses in a new light.

    Things like not checking sub-components of app-bundles, or downloaded dependencies for MD5 or signatures are very big problems.

    The best thing going for Android is how tough (even as root) it is to damage the system. So let people do what they want as long as there is a 'No-Go' zone that cannot be easily breached.

    As Macs are more and more seen as status-symbols of people with money, the system must become more difficult to change, and people making open-source software likely need to either pay for a Mac signature, or move-on to Linux as well.

    Personally, I feel that a tinker-friendly, open-source, community cannot exist without people who know what to watch for, so they will be vigilant. The casual user, who is scared of command line, probably isn't smart, or knowledgeable enough any longer to dabble outside the safety of the herd.

  8. Apple has transitioned from think different to think only of themselves.

    The Apple spirit that appealed to all of us years, or even decades ago, is long dead. I have been a steady Mac user since 1991, and have never been so disgusted with them as I have been the last few years. It's truly shameful.
