[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] El Capitan and Sandbox

On 6/23/16 3:21 PM, Kolja Kauder wrote:
> Since the machine is a visible server, that won't be a secure
> long-term solution. It would however allow me to edit the Sandbox

I fail to see how this follows. SIP offers no protection against remote
attacks and essentially no local protection given how easy it is to
exploit privileged binaries.

> settings. Do I guess correctly that I only need to add a file called
> condor_procd.sb containing
> (allow mach-priv-task-port
>        (*) )
> ? (I didn't expect to ever use LISP outside .emacs :)

My understanding is that changes to protected areas will be undone when
you enable SIP. There may be ways around this but you'll have to go
digging into the csrutil man pages to find them.

Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science