Opened 9 years ago

Closed 7 years ago

#49815 closed defect (fixed)

gdb: "rootless" El Capitan prevents required edit of /System/Library/LaunchDaemons/com.apple.taskgated.plist

Reported by: sjc999 Owned by:
Priority: Normal Milestone:
Component: ports Version: 2.3.4
Keywords: elcapitan Cc: mkae (Marko Käning), paxperscientiam (Chris)
Port: gdb

Description

After installing gdb (ggdb) you are required to edit the file /System/Library/LaunchDaemons/com.apple.taskgated.plist and add the -p option to /usr/libexec/taskgated, i.e. edit the options line in that file to read <string>-sp</string>. That was easy enough until El Capitan introduced the "rootless" (System Integrity Protection) which means, even with sudo you can't edit files in /System. Any ideas out I can add the -p option where required to make ggdb work, or some other way to get ggdb to do it's thing? [I've found ways to reboot into recovery mode and turn off SIP - do I really need to do that to add one character to one file?].

Change History (10)

comment:1 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)

Keywords: elcapitan added
Owner: changed from macports-tickets@… to stuartwesterman@…
Port: gdb added

comment:2 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)

Apple does not want you to edit system files, like those in /System. System Integrity Protection prevents you from editing system files, like those in /System. The MacPorts project recommends you leave System Integrity Protection enabled, however that would mean you cannot follow the gdb instructions to edit that system file. I don't know if there is an alternative that allows gdb to function without editing that file.

comment:3 Changed 9 years ago by soulne4ny (Alexey Luchko)

It is possible to disable System Integrity Protection by csrutil.

http://osxdaily.com/2015/10/05/disable-rootless-system-integrity-protection-mac-os-x/

comment:4 Changed 9 years ago by raimue (Rainer Müller)

gdb needs to be codesigned. See upstream information at https://sourceware.org/gdb/wiki/BuildingOnDarwin

comment:5 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)

Yes, I see that the method used by the portfile is, according to that documentation, "strongly unrecommended if you are using Mac OS X 10.6 (Snow Leopard) or later"

comment:6 Changed 8 years ago by mkae (Marko Käning)

Cc: mk@… added

Cc Me!

comment:7 Changed 8 years ago by gthb (Gunnlaugur Thor Briem)

Seems like the notice “You will need to make sure /System/Library/LaunchDaemons/com.apple.taskgated.plist has the '-p' option” should be removed from the gdb port ... because doing so is:

  • strongly unrecommended” by the upstream documentation
  • actively prevented by Apple's SIP (though there are workarounds for that)
  • documented as no longer supported in man taskgated: “Procmod and procview support (-p) was removed in 10.11.”

Instead, the upstream documentation says the “most up to date and secure method” is to code-sign gdb, and it has instructions for doing so. Those worked for me, eventually, when I found a workaround for the codesign command segfaulting, see: https://forums.developer.apple.com/message/204823#204823

In any case, it seems reasonable to update the gdb port instructions to match what upstream recommends.

comment:8 Changed 8 years ago by mf2k (Frank Schima)

Owner: stuartwesterman deleted
Status: newassigned

comment:9 Changed 8 years ago by mf2k (Frank Schima)

Cc: paxperscientiam added

has duplicate #53294.

comment:10 Changed 7 years ago by raimue (Rainer Müller)

Resolution: fixed
Status: assignedclosed

gdb notes hint at codesigning as of [380ef99dde4cec0516cba66797d478ff0d97239d/macports-ports] (#54217).

Note: See TracTickets for help on using tickets.