sgjohnson 9 hours ago

> Here’s our first problem, as those are located in the Signed System Volume (SSV), so we can’t change them in any way. The same applies to the other 417 LaunchDaemons and 460 LaunchAgents that account for most of the processes listed by Activity Monitor. In the days before the SSV it was possible to edit their property lists to prevent them from being launched, but that isn’t possible any more when running modern macOS.

SSV can be disabled. It would be ill-advised to do so, but Apple intentionally allows you to do that. In fact you can strip away every single security layer of macOS, including allowing unsigned kernel extensions to be loaded. This document is a bit outdated, but it should still be possible to do all of that. https://gist.github.com/macshome/15f995a4e849acd75caf14f2e50...

Feels like the article is just a cheap dunk on macOS. Has Apple perhaps baked in a bit too much into the SSV? Definitely. Even the Chess.app is in there.

Does it really matter? Almost certainly no.

AceJohnny2 8 hours ago

> Feels like the article is just a cheap dunk on macOS.

That blog, Howard Oakley at eclecticlight.co, is consistently the most informative on the internet about macOS behaviors and internals that Apple does not explain. He is also the author of several useful tools [1] to help observe and understand some of its underlying details. It's maybe the closest we have to a SysInternals for macOS.

[1] https://eclecticlight.co/free-software-menu/

sbuk 7 hours ago

It is. And we all have off days. Perhaps Howard has had one here. I mean, he is defining what type of OS it is by how it's configured. Which is just weird.

Moto7451 6 hours ago

I got a chuckle out of that for my own reasons as a long time Mac user as “Mac OS X is Unix” was the brand back in the 10.0-10.3 days, to the point I believe they got a Unix certification by someone, and then again with macOS 15 they got an Open Group UNIX certification.

https://www.osnews.com/story/140868/macos-15-0-now-unix-03-c...

I can’t say this affects me in any way I’m aware of, but the perception presented here is interesting.

sgjohnson 6 hours ago

Funnily enough, they had no certification and weren’t compliant in 10.0-10.3 days, so what they were doing was trademark infringement, hence the lawsuit from the Open Group. 10.4 was the first compliant version. And oh boy they really milked it for several years afterwards.

https://www.quora.com/What-goes-into-making-an-OS-to-be-Unix...

sgjohnson 8 hours ago

That just highlights my point about this article being a cheap dunk?

Because I was very disappointed with it ending at “SSV doesn’t let you”. SSV can be disabled, and the author should have known (almost certainly knows) that.

AceJohnny2 7 hours ago

Disabling SSV may have been beyond the scope of the experiment the author was attempting. I suppose he could've been more explicit about that.

From one of his comments on his post:

> I wish whoever takes that project on, every success, even more so at working out how those processes can be disabled completely while keeping the SSV intact.

jabwd 2 hours ago

The thing I find disappointing about the article is that nothing else seems to have been explored. Now no options might exist, but then again, isn't the point of such a write up to find the ones that.... do...?

A lot of people know that modern macOS is a bit of a let down when it comes to modifying it unless you disable a bunch of security layers. So the information gained is basically 0.

Edit: I should clarify that some of the ways they analyze how services are launched etc. are quite interesting, though I hope my prior thought makes sense to some.

catoc 8 hours ago

Eclecticlight and ‘cheap dunk’ ?

No.

This site is a class of its own, in quality of discussions, in quality of software, and in dedication… many years long, consistent quality

sgjohnson 8 hours ago

I didn’t claim that eclecticlight writes cheap dunk.

But this article, which starts with

> That’s a question I’m asked repeatedly, which this article tries to answer.

doesn’t actually _try_ to answer the question. It just stops at SSV and draws a meaningless comparison with macOS 9. It also has several factual inaccuracies in there. Notably, the claim that macOS is not UNIX, and the implication that Unix systems must somehow be free and open-source (virtually all Unixes of the day were proprietary & closed source).

catoc 7 hours ago

> I didn’t claim that eclecticlight writes cheap dunk

Thanks - then we agree (also on the part of the argumentation about macOS being a certified UNIX OS)

zbentley 3 hours ago

I suspect that Oakley could have explained that, but the thesis stands even without the asterisk, and explaining it would have an issue:

This is going to piss off some Linux folks, but when communicating from a big pulpit about how to bypass parts of MacOS, it's important to be aware that the vast majority of MacOS users are casual, nontechnical users. As such, a popular blog posting "here's how to bypass SIP/SSV lock/whatever" would lead to a wave of users disabling it for less-than-great reasons (aesthetics, conviction that e.g. a given service was causing their system slowness when that service's resource usage was actually symptomatic of something else orchestrated by MacOS going wrong). Those decisions have side effects:

- Folks brick or break their computers, potentially in a way that voids the warranty or support contracts (I hope that software bypasses don't trigger this, but I am cynical).

- Folks chasing a "cleanliness vibe" leave a lot of the system security off once they're done. Someone else in this thread pointed out that without SSV the security of MacOS is on par with most Linux, but MacOS users are a lot bigger attack risk than Linux users: there are more of them, they're wealthier and thus identified as targets of choice by malware/people, and, again--they're casual users and don't have good security spider sense. This isn't a blanket endorsement of every restriction/security feature with no opt-out that MacOS has, just an observation that its userbase is at higher risk for attack than some others--lower than Windows, but higher than Linux users.

- Folks induce breakage that bricks their computers on a delay, e.g. during the next system update something chokes after encountering a totally unauthorized/unexpected service geometry and crashes hard enough to cause data loss.

I'm not saying that stuff like SSV-rw should be secret, just that it's probably for the best to not discuss it front and center in a widely-read informational blog whose content is geared towards (power) users rather than technicians. To phrase it with a different example: if someone Googles "how to disable XProtect (antimalware)", great, go nuts. But it's probably for the best that a popular article about "can you reduce resource usage by shutting down system launchd services" doesn't have a "here's how to elevate your permissions and disable whatever you like" blurb, and instead settles for an answer of "no, that's not supported."

userbinator 34 minutes ago

> Does it really matter? Almost certainly no.

...until they start including things you don't want (remember the CSAM scanning debacle?)

sneak 7 hours ago

Disabling SSV puts your system security on par with any stock Linux distro. Most OSes don’t do a cryptographically verified read-only root.

sgjohnson 6 hours ago

The bigger problem with disabling SSV and making changes to it is entirely practical - any macOS update will overwrite them.

Which can be worked around by writing a provisioning script, but in either case will be a significant headache if one would come to rely on the modifications they were to make to the volume.