- Jamf Nation Community
- Products
- Jamf Pro
- Packaging up Apple packages with rootless mode in ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Packaging up Apple packages with rootless mode in 10.11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 08:50 AM
One of the common methods that I've used to package up some software is to add them as resources in a package and call them via a postinstall script. I don't do this super often but sometimes I do this because it ensures that I can run that one installer and all the components will be there for the installation to take place. Comes in handy when I don't want to rely on Casper and just want to do something by hand. The packages do not have payload. I picked this technique up after reading @rtrouton 's blog on creating up to date Office installers.
I was doing some testing this morning and it seems to work fine for the most part in 10.11, but there's one interesting scenario in which it won't work. From what I understand, if a package is signed by Apple then the package can place files in paths that would otherwise be restricted (rootless mode kicking in). However, if you take that same package (unmodified) and add it as part of a resource and then call it in a postinstall script, the package fails to install. The package in question I was trying this with was the Java 6 for OS X update 2015-001.
If run by itself, the pkg installs fine whether its using the GUI or CLI. I would have thought that the package would install since it's still signed by Apple if it got packaged up using the method I described earlier too. But it doesn't. I'm guessing that because there is already a package installing (the main packaging wrapping the additional resources) the OS is essentially blocking any other installers from writing to protected paths. Does this sound about right to others?
Here's the log in question:
Oct 1 07:56:18 Mac Installer[3152]: LSExceptions [0x7ff21041dd20] loaded
Oct 1 07:56:18 Mac Installer[3152]: @(#)PROGRAM:Install PROJECT:Install-1000
Oct 1 07:56:18 Mac Installer[3152]: @(#)PROGRAM:Installer PROJECT:Installer-853
Oct 1 07:56:18 Mac Installer[3152]: Hardware: VMware7,1 @ 2.38 GHz (x 2), 4096 MB RAM
Oct 1 07:56:18 Mac Installer[3152]: Running OS Build: Mac OS X 10.11 (15A284)
Oct 1 07:56:18 Mac Installer[3152]: Env: TMPDIR=/var/folders/61/b74mrgx12wn2vs_q_9nd0j8h0000gn/T/
Oct 1 07:56:18 Mac Installer[3152]: Env: __CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0
Oct 1 07:56:18 Mac Installer[3152]: Env: SHELL=/bin/bash
Oct 1 07:56:18 Mac Installer[3152]: Env: HOME=/Users/admin
Oct 1 07:56:18 Mac Installer[3152]: Env: Apple_PubSub_Socket_Render=/private/tmp/com.apple.launchd.rRW1OBQy22/Render
Oct 1 07:56:18 Mac Installer[3152]: Env: SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.Y1kDHLnILh/Listeners
Oct 1 07:56:18 Mac Installer[3152]: Env: PATH=/usr/bin:/bin:/usr/sbin:/sbin
Oct 1 07:56:18 Mac Installer[3152]: Env: LOGNAME=admin
Oct 1 07:56:18 Mac Installer[3152]: Env: XPC_SERVICE_NAME=com.apple.installer.1952
Oct 1 07:56:18 Mac Installer[3152]: Env: USER=admin
Oct 1 07:56:18 Mac Installer[3152]: Env: XPC_FLAGS=0x0
Oct 1 07:56:18 Mac Installer[3152]: IBM_Sametime_9_OSX678910_20151001 Installation Log
Oct 1 07:56:18 Mac Installer[3152]: Opened from: /Users/admin/Desktop/IBM Sametime/build/IBM_Sametime_9_OSX678910_20151001.pkg
Oct 1 07:56:19 Mac Installer[3152]: Referenced component packages (1) trustLevel=100
Oct 1 07:56:20 Mac Installer[3152]: InstallerStatusNotifications plugin loaded
Oct 1 07:56:24 Mac Installer[3152]: Administrator authorization granted.
Oct 1 07:56:24 Mac Installer[3152]: ================================================================================
Oct 1 07:56:24 Mac Installer[3152]: User picked Standard Install
Oct 1 07:56:24 Mac Installer[3152]: Choices selected for installation:
Oct 1 07:56:24 Mac Installer[3152]: Upgrade: "IBM_Sametime_9_OSX678910_20151001"
Oct 1 07:56:24 Mac Installer[3152]: IBM_Sametime_9_OSX678910_20151001.pkg : com.company.pkg.ibm.sametime : 1.0
Oct 1 07:56:24 Mac Installer[3152]: ================================================================================
Oct 1 07:56:24 Mac Installer[3152]: It took 0.00 seconds to summarize the package selections.
Oct 1 07:56:24 Mac Installer[3152]: -[IFPKGDerivedDocument sortedPackageLocations]: result = (
"file://localhost"
)
Oct 1 07:56:24 Mac Installer[3152]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: location = file://localhost
Oct 1 07:56:24 Mac Installer[3152]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/Users/admin/Desktop/IBM%20Sametime/build/IBM_Sametime_9_OSX678910_20151001.pkg
Oct 1 07:56:24 Mac Installer[3152]: Set authorization level to root for session
Oct 1 07:56:24 Mac Installer[3152]: Will use PK session
Oct 1 07:56:24 Mac Installer[3152]: Using authorization level of root for IFPKInstallElement
Oct 1 07:56:24 Mac Installer[3152]: Starting installation:
Oct 1 07:56:24 Mac Installer[3152]: Configuring volume "Macintosh HD"
Oct 1 07:56:24 Mac Installer[3152]: Preparing disk for local booted install.
Oct 1 07:56:24 Mac Installer[3152]: Free space on "Macintosh HD": 88.56 GB (88560304128 bytes).
Oct 1 07:56:24 Mac Installer[3152]: Create temporary directory "/var/folders/61/b74mrgx12wn2vs_q_9nd0j8h0000gn/T//Install.3152f3ObzM"
Oct 1 07:56:24 Mac Installer[3152]: IFPKInstallElement (1 packages)
Oct 1 07:56:24 Mac installd[212]: PackageKit: Adding client PKInstallDaemonClient pid=3152, uid=501 (/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer)
Oct 1 07:56:24 Mac Installer[3152]: PackageKit: Enqueuing install with framework-specified quality of service (utility)
Oct 1 07:56:24 Mac installd[212]: PackageKit: ----- Begin install -----
Oct 1 07:56:24 Mac installd[212]: PackageKit: request=PKInstallRequest <1 packages, destination=/>
Oct 1 07:56:24 Mac installd[212]: PackageKit: packages=(
"PKLeopardPackage <file://localhost/Users/admin/Desktop/IBM%20Sametime/build/IBM_Sametime_9_OSX678910_20151001.pkg>"
)
Oct 1 07:56:24 Mac installd[212]: PackageKit: Will do receipt-based obsoleting for package identifier com.company.pkg.ibm.sametime (prefix path=)
Oct 1 07:56:26 Mac installd[212]: PackageKit: Extracting file://localhost/Users/admin/Desktop/IBM%20Sametime/build/IBM_Sametime_9_OSX678910_20151001.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/97AE0CA6-6FB6-4FD9-90CD-980EE3F7DE12.activeSandbox/Root, uid=0)
Oct 1 07:56:26 Mac installd[212]: PackageKit: prevent user idle system sleep
Oct 1 07:56:26 Mac installd[212]: PackageKit: suspending backupd
Oct 1 07:56:26 Mac installd[212]: PackageKit: Using trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/PKInstallSandboxTrash/97AE0CA6-6FB6-4FD9-90CD-980EE3F7DE12.sandboxTrash for sandbox /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/97AE0CA6-6FB6-4FD9-90CD-980EE3F7DE12.activeSandbox
Oct 1 07:56:26 Mac installd[212]: PackageKit: Shoving /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/97AE0CA6-6FB6-4FD9-90CD-980EE3F7DE12.activeSandbox/Root (0 items) to /
Oct 1 07:56:26 Mac installd[212]: PackageKit: Executing script "./postinstall" in /private/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM
Oct 1 07:56:26 Mac installd[212]: ./postinstall: ++ dirname /tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/postinstall
Oct 1 07:56:26 Mac install_monitor[3156]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr
Oct 1 07:56:26 Mac installd[212]: ./postinstall: + install_dir=/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM
Oct 1 07:56:26 Mac installd[212]: ./postinstall: + SametimeClientInstaller=sametime-connect.mpkg
Oct 1 07:56:26 Mac installd[212]: ./postinstall: + SametimeHotfixInstaller=sametime-connect-hotfix.pkg
Oct 1 07:56:26 Mac installd[212]: ./postinstall: + Java6Installer=Java2015-001_6u65_OSX7891011.pkg
Oct 1 07:56:26 Mac installd[212]: ./postinstall: + echo 'Java 6 is being installed'
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Java 6 is being installed
Oct 1 07:56:26 Mac installd[212]: ./postinstall: + /usr/sbin/installer -dumplog -verbose -pkg /tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg -target / -allowUntrusted
Oct 1 07:56:26 Mac installer[3159]: Product archive /tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg trustLevel=501
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: Product archive /tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg trustLevel=501
Oct 1 07:56:26 Mac installer[3159]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: location = file://localhost
Oct 1 07:56:26 Mac installer[3159]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaEssentials.pkg
Oct 1 07:56:26 Mac installer[3159]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaForOSX.pkg
Oct 1 07:56:26 Mac installer[3159]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaMDNS.pkg
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: location = file://localhost
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaEssentials.pkg
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaForOSX.pkg
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaMDNS.pkg
Oct 1 07:56:26 Mac installer[3159]: Set authorization level to root for session
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: Set authorization level to root for session
Oct 1 07:56:26 Mac installer[3159]: Administrator authorization granted.
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Info>: Administrator authorization granted.
Oct 1 07:56:26 Mac installer[3159]: Will use PK session
Oct 1 07:56:26 Mac installer[3159]: Using authorization level of root for IFPKInstallElement
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: Will use PK session
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Debug>: Using authorization level of root for IFPKInstallElement
Oct 1 07:56:26 Mac installer[3159]: Starting installation:
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Info>: Starting installation:
Oct 1 07:56:26 Mac installer[3159]: Configuring volume "Macintosh HD"
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Notice>: Configuring volume "Macintosh HD"
Oct 1 07:56:26 Mac installer[3159]: Preparing disk for local booted install.
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Info>: Preparing disk for local booted install.
Oct 1 07:56:26 Mac installer[3159]: Free space on "Macintosh HD": 88.29 GB (88294203392 bytes).
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Notice>: Free space on "Macintosh HD": 88.29 GB (88294203392 bytes).
Oct 1 07:56:26 Mac installer[3159]: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.3159HwehO2"
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Notice>: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.3159HwehO2"
Oct 1 07:56:26 Mac installer[3159]: IFPKInstallElement (3 packages)
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Notice>: IFPKInstallElement (3 packages)
Oct 1 07:56:26 Mac installer[3159]: PackageKit: Enqueuing install with framework-specified quality of service (utility)
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Notice>: PackageKit: Enqueuing install with framework-specified quality of service (utility)
Oct 1 07:56:26 Mac installer[3159]: PackageKit: ----- Begin install -----
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Critical>: PackageKit: ----- Begin install -----
Oct 1 07:56:26 Mac installer[3159]: PackageKit: request=PKInstallRequest <3 packages, destination=/>
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Info>: PackageKit: request=PKInstallRequest <3 packages, destination=/>
Oct 1 07:56:26 Mac installer[3159]: PackageKit: packages=(
"PKLeopardPackage <file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaEssentials.pkg>",
"PKLeopardPackage <file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaForOSX.pkg>",
"PKLeopardPackage <file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaMDNS.pkg>"
)
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Info>: PackageKit: packages=(
Oct 1 07:56:26 Mac installd[212]: ./postinstall: "PKLeopardPackage <file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaEssentials.pkg>",
Oct 1 07:56:26 Mac installd[212]: ./postinstall: "PKLeopardPackage <file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaForOSX.pkg>",
Oct 1 07:56:26 Mac installd[212]: ./postinstall: "PKLeopardPackage <file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaMDNS.pkg>"
Oct 1 07:56:26 Mac installd[212]: ./postinstall: )
Oct 1 07:56:26 Mac installer[3159]: PackageKit: Extracting file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaEssentials.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root, uid=0)
Oct 1 07:56:26 Mac installd[212]: ./postinstall: Oct 1 07:56:26 installer[3159] <Info>: PackageKit: Extracting file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaEssentials.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root, uid=0)
Oct 1 07:56:27 Mac installd[212]: ./postinstall: installer: Package name is Java for OS X 2015-001
Oct 1 07:56:27 Mac installd[212]: ./postinstall: installer: Installing at base path /
Oct 1 07:56:27 Mac installd[212]: ./postinstall: installer: Preparing for installation….....
Oct 1 07:56:27 Mac installd[212]: ./postinstall: installer: Preparing the disk….....
Oct 1 07:56:27 Mac installd[212]: ./postinstall: installer: Preparing Java for OS X 2015-001….....
Oct 1 07:56:27 Mac installd[212]: ./postinstall: installer: Waiting for other installations to complete….....
Oct 1 07:56:27 Mac installer[3159]: PackageKit: Extracting file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaForOSX.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root, uid=0)
Oct 1 07:56:27 Mac installd[212]: ./postinstall: #Oct 1 07:56:27 installer[3159] <Info>: PackageKit: Extracting file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaForOSX.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root, uid=0)
Oct 1 07:56:27 Mac installd[212]: ./postinstall: installer: Writing files….....
Oct 1 07:56:28 Mac installd[212]: ./postinstall: #
Oct 1 07:56:28 Mac installd[212]: ./postinstall: installer: Writing files….....
Oct 1 07:56:28 Mac Installer[3152]: LSExceptions [0x7ff21041dd20] unloaded
Oct 1 07:56:28 Mac installd[212]: ./postinstall: #
Oct 1 07:56:28 Mac installd[212]: ./postinstall: installer: Writing files….....
Oct 1 07:56:29 Mac installer[3159]: PackageKit: Extracting file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaMDNS.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root, uid=0)
Oct 1 07:56:29 Mac installd[212]: ./postinstall: #Oct 1 07:56:29 installer[3159] <Info>: PackageKit: Extracting file://localhost/tmp/PKInstallSandbox.GyoWNo/Scripts/com.company.pkg.ibm.sametime.5uOgGM/Java2015-001_6u65_OSX7891011.pkg#JavaMDNS.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root, uid=0)
Oct 1 07:56:29 Mac installer[3159]: PackageKit: update_dyld_shared_cache -overlay /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root
Oct 1 07:56:29 Mac installd[212]: ./postinstall: Oct 1 07:56:29 installer[3159] <Info>: PackageKit: update_dyld_shared_cache -overlay /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root
Oct 1 07:56:29 Mac installd[212]: ./postinstall: installer: Writing files….....
Oct 1 07:56:29 Mac installd[212]: ./postinstall: #
Oct 1 07:56:29 Mac installd[212]: ./postinstall: installer: Optimizing system for installed software….....
Oct 1 07:56:30 Mac installd[212]: ./postinstall: #
Oct 1 07:56:30 Mac installd[212]: ./postinstall: installer: Optimizing system for installed software….....
Oct 1 07:56:30 Mac installd[212]: ./postinstall: #
Oct 1 07:56:30 Mac installd[212]: ./postinstall: installer: Optimizing system for installed software….....
Oct 1 07:56:31 Mac installd[212]: ./postinstall: #
Oct 1 07:56:31 Mac installd[212]: ./postinstall: installer: Optimizing system for installed software….....
Oct 1 07:56:31 Mac installd[212]: ./postinstall: #
Oct 1 07:56:31 Mac installd[212]: ./postinstall: installer: Optimizing system for installed software….....
Oct 1 07:56:32 Mac installd[212]: ./postinstall: #
Oct 1 07:56:32 Mac installd[212]: ./postinstall: installer: Optimizing system for installed software….....
Oct 1 07:56:32 Mac installer[3159]: PackageKit: Using system content trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Trashes for sandbox /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox
Oct 1 07:56:32 Mac installd[212]: ./postinstall: #Oct 1 07:56:32 installer[3159] <Info>: PackageKit: Using system content trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Trashes for sandbox /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox
Oct 1 07:56:32 Mac installer[3159]: PackageKit: Shoving /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root (4 items) to /
Oct 1 07:56:32 Mac installd[212]: ./postinstall: Oct 1 07:56:32 installer[3159] <Info>: PackageKit: Shoving /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root (4 items) to /
Oct 1 07:56:32 Mac shove[3161]: [src=nonrestricted] /System/Library/CoreServices/Jar Launcher.app/Contents/_CodeSignature/CodeResources: unable to remove flag 0x80000 (error 1)
Oct 1 07:56:32 Mac shove[3161]: [source=file] failed _RelinkFile(/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root/System/Library/CoreServices/Jar Launcher.app/Contents/_CodeSignature/CodeResources, /System/Library/CoreServices/Jar Launcher.app/Contents/_CodeSignature/CodeResources): Operation not permitted
Oct 1 07:56:32 Mac shove[3161]: srcPath = /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root/System/Library/CoreServices/Jar Launcher.app/Contents/_CodeSignature/CodeResources NSFileOwnerAccountID=0 NSFileHFSTypeCode=0 NSFileSystemFileNumber=918028 NSFileExtensionHidden=0 NSFileSystemNumber=16777218 NSFileSize=1860 NSFileGroupOwnerAccountID=0 NSFileOwnerAccountName=root NSFileCreationDate=2015-07-14 13:41:47 +0000 NSFilePosixPermissions=420 NSFileHFSCreatorCode=0 NSFileType=NSFileTypeRegular NSFileGroupOwnerAccountName=wheel NSFileReferenceCount=1 NSFileModificationDate=2015-07-14 13:41:47 +0000
Oct 1 07:56:32 Mac shove[3161]: dstPath = /System/Library/CoreServices/Jar Launcher.app/Contents/_CodeSignature/CodeResources NSFileOwnerAccountID=0 NSFileHFSTypeCode=0 NSFileSystemFileNumber=644895 NSFileExtensionHidden=0 NSFileSystemNumber=16777218 NSFileSize=26968 NSFileGroupOwnerAccountID=0 NSFileOwnerAccountName=root NSFileCreationDate=2015-09-17 07:09:33 +0000 NSFilePosixPermissions=420 NSFileHFSCreatorCode=0 NSFileType=NSFileTypeRegular NSFileGroupOwnerAccountName=wheel NSFileReferenceCount=1 NSFileModificationDate=2015-09-17 07:09:33 +0000
Oct 1 07:56:32 Mac shove[3161]: dstParentPath = /System/Library/CoreServices/Jar Launcher.app/Contents/_CodeSignature NSFileOwnerAccountID=0 NSFileSystemFileNumber=644894 NSFileExtensionHidden=0 NSFileSystemNumber=16777218 NSFileSize=102 NSFileGroupOwnerAccountID=0 NSFileOwnerAccountName=root NSFileCreationDate=2015-08-23 02:00:35 +0000 NSFilePosixPermissions=493 NSFileType=NSFileTypeDirectory NSFileGroupOwnerAccountName=wheel NSFileReferenceCount=3 NSFileModificationDate=2015-08-23 02:00:35 +0000
Oct 1 07:56:32 Mac installd[212]: ./postinstall: Operation not permitted
Oct 1 07:56:32 Mac installer[3159]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=120 "An unexpected error occurred while moving files to the final destination." UserInfo={NSUnderlyingError=0x7f917be6f5a0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}, NSLocalizedDescription=An unexpected error occurred while moving files to the final destination., arguments=(
"-f",
"-s",
"/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root",
"/"
)} {
NSLocalizedDescription = "An unexpected error occurred while moving files to the final destination.";
NSUnderlyingError = "Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"";
arguments = (
"-f",
"-s",
"/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root",
"/"
);
}
Oct 1 07:56:32 Mac installd[212]: ./postinstall: Oct 1 07:56:32 installer[3159] <Error>: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=120 "An unexpected error occurred while moving files to the final destination." UserInfo={NSUnderlyingError=0x7f917be6f5a0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}, NSLocalizedDescription=An unexpected error occurred while moving files to the final destination., arguments=(
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "-f",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "-s",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "/"
Oct 1 07:56:32 Mac installd[212]: ./postinstall: )} {
Oct 1 07:56:32 Mac installd[212]: ./postinstall: NSLocalizedDescription = "An unexpected error occurred while moving files to the final destination.";
Oct 1 07:56:32 Mac installd[212]: ./postinstall: NSUnderlyingError = "Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"";
Oct 1 07:56:32 Mac installd[212]: ./postinstall: arguments = (
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "-f",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "-s",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "/"
Oct 1 07:56:32 Mac installd[212]: ./postinstall: );
Oct 1 07:56:32 Mac installd[212]: ./postinstall: }
Oct 1 07:56:32 Mac installer[3159]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=120 "An unexpected error occurred while moving files to the final destination." UserInfo={NSUnderlyingError=0x7f917be6f5a0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}, NSLocalizedDescription=An unexpected error occurred while moving files to the final destination., arguments=(
"-f",
"-s",
"/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root",
"/"
)}
Oct 1 07:56:32 Mac installd[212]: ./postinstall: Oct 1 07:56:32 installer[3159] <Debug>: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=120 "An unexpected error occurred while moving files to the final destination." UserInfo={NSUnderlyingError=0x7f917be6f5a0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}, NSLocalizedDescription=An unexpected error occurred while moving files to the final destination., arguments=(
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "-f",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "-s",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager-SystemSoftware/7CD09337-22DC-4737-81C5-2B349E8BB197.activeSandbox/Root",
Oct 1 07:56:32 Mac installd[212]: ./postinstall: "/"
Oct 1 07:56:32 Mac installd[212]: ./postinstall: )}
Oct 1 07:56:33 Mac installd[212]: ./postinstall: installer: Optimizing system for installed software….....
Oct 1 07:56:33 Mac installer[3159]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
Oct 1 07:56:33 Mac installd[212]: ./postinstall: #Oct 1 07:56:33 installer[3159] <Error>: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
Oct 1 07:56:33 Mac installd[212]: ./postinstall: installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)
Oct 1 07:56:33 Mac installd[212]: ./postinstall: + exit 0
Oct 1 07:56:33 Mac installd[212]: PackageKit: Writing receipt for com.company.pkg.ibm.sametime to /
Oct 1 07:56:33 Mac installd[212]: Installed "IBM_Sametime_9_OSX678910_20151001" ()
Oct 1 07:56:33 Mac install_monitor[3156]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr
Oct 1 07:56:33 Mac installd[212]: PackageKit: releasing backupd
Oct 1 07:56:33 Mac installd[212]: PackageKit: allow user idle system sleep
Oct 1 07:56:33 Mac installd[212]: PackageKit: ----- End install -----
Oct 1 07:56:33 Mac installd[212]: PackageKit: 8.7s elapsed install time
Oct 1 07:56:33 Mac installd[212]: PackageKit: Removing client PKInstallDaemonClient pid=3152, uid=501 (/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer)
Oct 1 07:56:33 Mac installd[212]: PackageKit: Running idle tasks
Oct 1 07:56:33 Mac installd[212]: PackageKit: Done with sandbox removals
Oct 1 07:56:33 Mac Installer[3152]: Removing temporary directory "/var/folders/61/b74mrgx12wn2vs_q_9nd0j8h0000gn/T//Install.3152f3ObzM"
Oct 1 07:56:33 Mac Installer[3152]: Finalize disk "Macintosh HD"
Oct 1 07:56:33 Mac Installer[3152]: Notifying system of updated components
Oct 1 07:56:33 Mac Installer[3152]: **** Summary Information ****
Oct 1 07:56:33 Mac Installer[3152]: Operation Elapsed time
Oct 1 07:56:33 Mac Installer[3152]: -----------------------------
Oct 1 07:56:33 Mac Installer[3152]: zero 0.02 seconds
Oct 1 07:56:33 Mac Installer[3152]: disk 0.03 seconds
Oct 1 07:56:33 Mac Installer[3152]: install 9.06 seconds
Oct 1 07:56:33 Mac Installer[3152]: -total- 9.10 seconds
Oct 1 07:56:34 Mac Installer[3152]: IFDInstallController 1050E6F0 state = 5
Oct 1 07:56:34 Mac Installer[3152]: Displaying 'Install Succeeded' UI.
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 10:16 AM
The following paths are completely off limits with SIP (rootless) turned on. Not root, not applications, not with sudo access, nothing. It doesn't matter if the installer is signed.
/System
/bin
/sbin
/usr (/usr/local/ is okay though)
The only exception are signed kext files. But that's the only exception that I know.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 10:21 AM
I think @bpavlov is already aware of that. He's saying he was installing an existing Apple signed package and it threw this error. Its possible it was because it was being run in a postinstall script and not directly with either installer command line or Installer.app, as suggested.
I wonder if you'd see the same errors if you simply dropped the installer pkgs in question into a local directory, like /private/tmp/ or /private/var/ and then used a separate script that ran after the main installation (to put the pkgs into place) exited that used 'installer' command line to do the installations. I'm wondering if only Apple's Installer.app (GUI) has the ability to bypass the rootless functionality and not the command line installer tool? I'm guessing that can't be it though since how would any background install processes work from say, the Mac App Store?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 10:25 AM
@cwaldrip As @mm2270 mentioned, I'm already aware of SIP. However SIP does not apply to Apple, specifically Apple signed packages. In fact the package in question will install successfully via the GUI and via the CLI.
@mm2270 I'll give that a try. Perhaps put the installer in /tmp as part of the payload of the package and then call it with the postinstall script. I suspect I might get the same behavior. I would test it with Casper to make use of an after script, but we're not on 9.81 at the moment so I can't really test it out.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 10:31 AM
@bpavlov If the package in question will install successfully via the GUI and via the CLI, then I would say dropping them on disk, then exiting the installation that places them there and running a separate script run in "After" mode to install them should work, but its kind of a bummer we will need to go to those lengths to get them to install. But it should work I would imagine, since running 'installer' from the CLI is no different than if its called in a script.
EDIT: Acknowledged you're not on 9.81 yet. Neither are we so I can't test it out either.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 10:34 AM
With SIP:
If you cannot install in /System, how do you install in /System/Library/User Templates? Or is it a limit to /System and not the subfolders?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 10:45 AM
@pblake That could perhaps be a whole discussion in and of itself. But one way would be to place the files you need while the OS is not running. SIP only protects the OS volume its own when the OS is running. In other words, if the machine you want to modify SIP protected paths on is not booted but rather seen as an external drive (target disk mode or in a netbook environment) you should be able to write to those paths.
However, I've read that while /System is protected, there are some specific areas that aren't. But that may have changed or perhaps I read wrong and it was never the case. Anyways, the only way to find out is to test it yourself. El Capitan is out. Download it and see for yourself how much of your current workflow breaks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 11:50 AM
@pblake /System/Library/User Templates is accessible with SIP enabled
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 11:56 AM
I'd be curious to see if the "nested installer" (i.e. installation places Apple-signed pkg into /tmp, with a postinstall script that calls installer -pkg /tmp/pkgname.pkg -target /) approach fails as well. Could be tricky if it does.
@charles.hitch thanks for validating what I'd seen in my testing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 12:06 PM
Minor update: placing the installing in /tmp in the payload and then calling it with the postinstall does not work. But that was expected. So the only way to run Apple-signed installers that put files in SIP paths is to call the installer on its own. At least that's what it seems like. Perhaps someone else may figure out another way.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 12:35 PM
System Integrity Protection Guide - Introduction
--
https://donmontalvo.com
https://donmontalvo.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-01-2015 01:24 PM
@charles.hitch I was just coming back here to post that. I thought I might have turned SIP off and did a bunch of tests. Dockutil works as expected as well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-03-2015 02:04 PM
You can see which directories are protected with SIP using this.
ls -laO
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-03-2015 07:44 PM
Not sure if this makes a difference, but remember the /tmp folder is actually a link to /private/tmp.
If you use the ls command @jquinones provided, you'll see something interesting.
ls -laO /
...
lrwxr-xr-x@ 1 root wheel restricted,hidden 11 Sep 30 23:00 tmp -> private/tmp
...
ls -laO /private
...
drwxrwxrwt 15 root wheel - 510 Oct 3 21:38 tmp
...When accessing the /tmp link, the location is restricted but when accessing the /private/tmp folder, it's not restricted.
