Why “sudo nano” can bypass csrutil / SIP when enabled and other apps can't?

apple.stackexchange https://apple.stackexchange.com/questions/401588

  •  29-05-2021
  •  | 
  •  

Question

Initial statement

I was installing open source ntfs-3g on my mac (Catalina). At some point, while crsutil was enabled (i.e. System Integrity Protection was on) , I had to modify one line in the ntfs-3g package and I couldn't write on the file due to the crsutil protection (I was using vim).

However, I found this answer https://superuser.com/a/1518414/1220896. With nano, I could modify the "protected" file without any reboot nor switching crsutil to disable.

And now, I am still trying to figure out how sudo nano can bypass SIP while sudo vim or any other text editor can't (update by the author: here I make the mistake of assuming it was SIP related).

Complete command:

sudo nano /usr/local/sbin/mount_ntfs

/usr/local/sbin/mount_ntfs is a soft link to /usr/local/Cellar/ntfs-3g/2017.3.23_3/sbin/mount_ntfs. In order to create the soft link, I had performed the csrutil disable/enable.

output of ls -ls /usr/local/sbin/mount_ntfs

0 lrwxr-xr-x  1 user  admin  45 Sep 18 16:33 /usr/local/sbin/mount_ntfs -> ../Cellar/ntfs-3g/2017.3.23_3/sbin/mount_ntfs

output of ls -ls /usr/local/Cellar/ntfs-3g/2017.3.23_3/sbin/mount_ntfs

8 -r-xr-xr-x  1 user  admin  613 Sep 19 14:17 mount_ntfs

Any idea ?

Update

The problem doesn't come from SIP as pointed out by the contributors to this question. I mark this question as solved and will try to find out why sudo vim could only access the file in readonly despite the permissions being well set.

I thank you all for your input.

As a personal not, i would say that sometimes being on the wrong path doesn't mean you can't learn from it --- consider this when replying to someone misleaded like I was.

Was it helpful?

Solution

/usr/local is Writable

The file path /usr/local/sbin/mount_ntfs is not protected on macOS. If a specific tool or application can not write to this file, that tool or application is at fault.

/usr/local is not protected by macOS's System Integrity Protection:

About System Integrity Protection on your Mac

...

System Integrity Protection includes protection for these parts of the system:

  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that are pre-installed with OS X

Paths and apps that third-party apps and installers can continue to write to include:

  • /Applications
  • /Library
  • /usr/local

OTHER TIPS

SIP doesn’t matter so much on Catalina. The system volume is read only / protected.

When you say crsutil was enabled, that is meaningless. That tool is always enabled and can run. You would need to report the full status it reports and then reboot the Mac and then specify the full path to a specific file you attempted to modify for someone to be able to check your work.

I would just set aside all the history and ask a follow on question showing your precise vim failure. That’s quick for people to answer whereas trying to teach anyone how SIP works takes about 2 hours and constant feedback to cover all the nuances. Far too broad for a question here other than the idea to ask a follow up question that documents the specifics.

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange
scroll top