SIP and /System/Library/User Template

Privacy & Security General
blackholemac OP
Created Sep ’15
Replies 1
Boosts 0
Views 869
Participants 2

I'm not an actual developer so this may sound like a dumb question but will the System Integrity Protection feature in El Capitan block me from adding items to the User Template? I have long done this as the administrator of our org. Given that SIP is designed to block writing to /System in general, will the User Template be exempted from that? Same for kernel extensions. Many times developers will release shoddy packages, but at least offer signed kernel extensions as part of their product. Will I be able to construct an installer package that re-packages a developer's shoddy installer that happens to also contain a kernel extension?


thank you in advance to anyone who answers,

blackholemac

Replies  1
Boosts  0
Views  869
Participants  2
DTS Engineer OP
Apple
Sep ’15

will the System Integrity Protection feature in El Capitan block me from adding items to the User Template?

Like you, I expected that this would cause problems (because the directory is under 

/System
) but it seems that SIP has a special case here. 
$ csrutil status
$ sudo -s
# echo "echo foo" > /System/Library/User\ Template/English.lproj/.profile
# exit
$
$ # Create new use via Users & Groups preferences panel.
$
$ login mrgumby
Password: ********
foo
$ logout
$

Neat-o!

Will I be able to construct an installer package that re-packages a developer's shoddy installer that happens to also contain a kernel extension?

KEXTs are typically placed in 

/Library/Extensions
and thus don’t cause problems for SIP.

ps Mac-on-Mac virtualisation makes it easy to test stuff like this. I find it especially useful when doing potentially destructive testing, for example:

  • when debugging code that runs on the authorisation path (where, if it goes wrong, you can’t log in)

  • when messing around with kernel extensions

I recommend you check it out.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
SIP and /System/Library/User Template
First post date Last post date
 
 
Q