If anyone wants to experiment with this, it is possible to selectively
enable and disable specific parts of SIP:

https://eclecticlight.co/2016/05/03/sip-and-rootless-protecting-more-than-just-system-files/

https://forums.developer.apple.com/thread/17452

To enable SIP but without filesystem protection:

csrutil enable --without fs

That would be safer than disabling SIP entirely.  You can play with
the options and see if they make any difference.  The option above is
the only one I can see that might affect gnucash, but who knows, some
kexts (signed and unsigned) might also affect permissions (again,
unlikely).

That type of behaviour (selectively enable, disable) is like some
secure systems (SELinux extensions is one type) used elsewhere.

Don't forget to clear and enable when done:

# csrutil clear

# csrutil enable (or not, or whatever option you like)

Gordon
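
To confirm which protections are actually off while experimenting with the options above, and that SIP is fully back on afterwards, the text printed by `csrutil status` can be checked. This is an added example, not part of the original message: it assumes the status layout printed by macOS releases of this period (a `Configuration:` list of `name: enabled|disabled` lines), the sample text is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list which SIP protections `csrutil status` reports as off.
# Assumption: status layout of macOS releases from this period; wording varies.

# Constructed sample of a custom configuration (not captured from a real Mac).
SAMPLE_STATUS='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled'

# Print each protection reported as disabled, one per line.
# "Apple Internal" is skipped: it is not one of the protections toggled here.
sip_disabled_parts() {
    printf '%s\n' "$1" | awk -F': *' '
        /^[ \t]+[A-Za-z ]+: *(enabled|disabled)/ {
            name = $1; sub(/^[ \t]+/, "", name)
            if (name != "Apple Internal" && $2 ~ /^disabled/) print name
        }'
}

# Classify the overall state: enabled, custom, disabled or unknown.
sip_state() {
    first=$(printf '%s\n' "$1" | sed -n 's/^System Integrity Protection status: *//p' | head -n 1)
    case "$first" in
        *"Custom Configuration"*) echo custom ;;
        enabled*)  echo enabled ;;
        disabled*) echo disabled ;;
        *)         echo unknown ;;
    esac
}

# On a Mac, audit the live system; elsewhere fall back to the constructed sample.
if command -v csrutil >/dev/null 2>&1; then
    status=$(csrutil status)
else
    status=$SAMPLE_STATUS
fi
echo "SIP state: $(sip_state "$status")"
sip_disabled_parts "$status" | sed 's/^/  disabled: /'
```

After the final `csrutil enable`, the state should read `enabled` with no protections listed as disabled.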

On Sun, Jan 26, 2020 at 5:53 PM GWB <g...@2realms.com> wrote:
>
> Apple OS X combined two types of kernels, bsd and mach, but is
> (according to some FreeBSD kernel developers) progressively removing
> the mach kernel components.  This may be due to their possible shift
> to ARM processors for computers (same family of processors as their
> other devices).  But Apple does not, that I can see, adhere to any
> particular kind of standards for directories, user or otherwise.
> "/opt" on OS X is often a hack to get alternative package managers to
> work (like brew and others).  This also applies to the use of
> permissions.  A very limited exposure to Catalina leads me to believe
> they have attempted to secure and harden their permissions scheme, but
> I can't tell if they (and SIP) follow the pattern of bsd's, vax/vms,
> solaris, etc.  As you point out, disabling SIP is probably a bad idea,
> but nice of Apple to provide csrutil anyway.
>
> So give Apple time and they may more closely resemble bsd's ("other
> bsd's"? who knows) at some point.  Apple, like FreeBSD, is POSIX
> compliant, but FreeBSD has a compatibility layer that handles linux
> binaries (pretty simple: kldload linux, kldload linux64, ten necessary
> libraries).  I don't think Apple makes it that easy.
>
> Does Catalina no longer provide a disk utility option to "fix" the
> permissions?  Or does SIP obviate that?  I notice that Catalina (maybe
> back to El Capitan) has (characteristically) changed to a disk
> container system without calling it lvm2.
>
> Blame AT&T for the less than clear descent into unix, bsd, solaris,
> linux, etc.  They litigated against BSD, the University of California
> Regents fought them off, and now, technically, only AT&T and licensees
> can use "unix" as a name.  BSD (same code base) went on to start the
> wonderful world of OS's we see now.
>
> Gordon
>
> On Sun, Jan 26, 2020 at 1:16 PM John Ralls <jra...@ceridwen.us> wrote:
> >
> > Not only that, while Darwin (the underlying unix core of all Apple 
> > operating systems) is BSD Unix, it is *not* Linux and doesn't subscribe to 
> > the Linux Foundation or Free Desktop standards.
> >
> > Not that that matters. I just created /opt on my Mac running Catalina, 
> > changed the privs to 777, and saved-as then loaded a book with GnuCash. I 
> > had at first set GnuCash to have full-disk access, but revoked it and was 
> > still able to load the file, so whatever the OP's problem is it isn't 
> > having the file in /opt, nor is it about SIP which I leave enabled. 
> > Disabling SIP is only needed as a last resort when doing something that 
> > requires changing the library load paths (e.g. using $DYLD_LIBRARY_PATH) 
> > with a system program (e.g. bash). It's vastly safer to copy the system 
> > program into a user directory (I use ~/.local/bin) so that SIP won't mess 
> > with it. Regardless, it has nothing at all to do with users running GnuCash.
> >
> > A far more likely cause of the OP's problem is that permissions on /opt 
> > have gotten changed so that he no longer can write to the directory. I 
> > would expect that if he knows how to create /opt he also knows how to fix 
> > that as well as to ensure that it's backed up with Time Machine and 
> > whatever cloud backup service he uses.
> >
> > Regards,
> > John Ralls
> >
> > P.S. Bruce Schuck, when you reply to a digest please remember to change the 
> > subject back to the original for the particular message to which you're 
> > replying.
> >
> > > On Jan 26, 2020, at 9:58 AM, Adrien Monteleone 
> > > <adrien.montele...@lusfiber.net> wrote:
> > >
> > > But /opt isn’t for user data files according to that standard. The user’s 
> > > own data should still be under their /users tree.
> > >
> > > For example, you could build LibreOffice and store it in /opt, but your 
> > > individual documents would be under /users. (/home in the linux tree)
> > >
> > > I’d say the simpler and safer solution (rather than disabling SIP) is to 
> > > relocate the data files to the /Users area where there are no permissions 
> > > issues.
> > >
> > > Regards,
> > > Adrien
> > >
> > >> On Jan 26, 2020 w5d26, at 11:46 AM, Bruce Schuck 
> > >> <bsch...@asgard-systems.com> wrote:
> > >>
> > >> On 1/26/20 09:00, D <sunfis...@yahoo.com> wrote:
> > >>
> > >>> And yet, still unanswered is why a user would put their data files into 
> > >>> /opt in the first place...
> > >>
> > >> Because OSX under the hood is very similar to *Nix and BSD systems.
> > >> Those who are putting their data files under /opt are probably doing so
> > >> to follow the Linux Hierarchy Standard. As a long time *Nix geek (first
> > >> introduced to Unix on Gould computers running Gould UTX and AT&T 3B2
> > >> systems running AT&T Sys V sometime around 1986/1987). Simple answer,
> > >> because they can and they want to. :)
> > >>
> > >> See http://refspecs.linuxfoundation.org/FHS_3.0/fhs/index.html for
> > >> reference.
> > >>
> > >> I mentioned trying "csrutil disable" because I have not yet updated to
> > >> Catalina. Seems it breaks a few things at the office, mainly Cisco
> > >> Anyconnect. Worth a shot I thought. But as someone else mentioned, Apple
> > >> has added a layer of filesystem complexity that could be affecting access
> > >> to /opt. I found this:
> > >> https://apple.stackexchange.com/questions/367158/whats-system-volumes-data/367159#367159
> > >> and https://nektony.com/duplicate-finder-free/folders-permission
> > >>
> > >> - Bruce S.
> > >
> > > _______________________________________________
> > > gnucash-user mailing list
> > > gnucash-user@gnucash.org
> > > To update your subscription preferences or to unsubscribe:
> > > https://lists.gnucash.org/mailman/listinfo/gnucash-user
> > > If you are using Nabble or Gmane, please see 
> > > https://wiki.gnucash.org/wiki/Mailing_Lists for more information.
> > > -----
> > > Please remember to CC this list on all your replies.
> > > You can do this by using Reply-To-List or Reply-All.
> >