Opened 9 years ago
Closed 7 years ago
#49815 closed defect (fixed)
gdb: "rootless" El Capitan prevents required edit of /System/Library/LaunchDaemons/com.apple.taskgated.plist
| Reported by: | sjc999 | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | 2.3.4 |
| Keywords: | elcapitan | Cc: | mkae (Marko Käning), paxperscientiam (Chris) |
| Port: | gdb |
Description
After installing gdb (ggdb) you are required to edit the file /System/Library/LaunchDaemons/com.apple.taskgated.plist and add the -p option to /usr/libexec/taskgated, i.e. edit the options line in that file to read <string>-sp</string>. That was easy enough until El Capitan introduced the "rootless" (System Integrity Protection) which means, even with sudo you can't edit files in /System. Any ideas out I can add the -p option where required to make ggdb work, or some other way to get ggdb to do it's thing? [I've found ways to reboot into recovery mode and turn off SIP - do I really need to do that to add one character to one file?].
Change History (10)
comment:1 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
| Keywords: | elcapitan added |
|---|---|
| Owner: | changed from macports-tickets@… to stuartwesterman@… |
| Port: | gdb added |
comment:2 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
comment:3 Changed 9 years ago by soulne4ny (Alexey Luchko)
It is possible to disable System Integrity Protection by csrutil.
http://osxdaily.com/2015/10/05/disable-rootless-system-integrity-protection-mac-os-x/
comment:4 Changed 9 years ago by raimue (Rainer Müller)
gdb needs to be codesigned. See upstream information at https://sourceware.org/gdb/wiki/BuildingOnDarwin
comment:5 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)
Yes, I see that the method used by the portfile is, according to that documentation, "strongly unrecommended if you are using Mac OS X 10.6 (Snow Leopard) or later"
comment:7 Changed 8 years ago by gthb (Gunnlaugur Thor Briem)
Seems like the notice “You will need to make sure /System/Library/LaunchDaemons/com.apple.taskgated.plist has the '-p' option” should be removed from the gdb port ... because doing so is:
- “strongly unrecommended” by the upstream documentation
- actively prevented by Apple's SIP (though there are workarounds for that)
- documented as no longer supported in
man taskgated: “Procmod and procview support (-p) was removed in 10.11.”
Instead, the upstream documentation says the “most up to date and secure method” is to code-sign gdb, and it has instructions for doing so. Those worked for me, eventually, when I found a workaround for the codesign command segfaulting, see: https://forums.developer.apple.com/message/204823#204823
In any case, it seems reasonable to update the gdb port instructions to match what upstream recommends.
comment:8 Changed 8 years ago by mf2k (Frank Schima)
| Owner: | stuartwesterman deleted |
|---|---|
| Status: | new → assigned |
comment:9 Changed 8 years ago by mf2k (Frank Schima)
| Cc: | paxperscientiam added |
|---|
has duplicate #53294.
comment:10 Changed 7 years ago by raimue (Rainer Müller)
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
gdb notes hint at codesigning as of [380ef99dde4cec0516cba66797d478ff0d97239d/macports-ports] (#54217).
Apple does not want you to edit system files, like those in /System. System Integrity Protection prevents you from editing system files, like those in /System. The MacPorts project recommends you leave System Integrity Protection enabled, however that would mean you cannot follow the gdb instructions to edit that system file. I don't know if there is an alternative that allows gdb to function without editing that file.