Establishing a beachhead and acquiring privileges on a Mac-mini

by Aldebaran (Curate)
on Apr 21, 2023 at 06:05 UTC ( [id://11151810]=perlquestion )

Aldebaran has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I bit off a couple implementation problems with approximating geological problems with highway data that I can now address better, as I have upgraded my hosting situation to include a new machine:

mymac@Merrills-Mini ~ % sw_vers
ProductName: macOS
ProductVersion: 13.3
BuildVersion: 22E252
mymac@Merrills-Mini ~ %

I use perl to explore the new environment:

#!/usr/bin/perl
use warnings;
use strict;
use File::Find;
use Cwd;

=pod

=head1 DESCRIPTION

This is a pretty good first attempt at figuring out where your modules are.
It is meant to follow the development of _Intermediate Perl_, and I will adhere to the idioms.

=cut

my $current = cwd;
find( \&pm_beneath, $current, );

sub pm_beneath {
    use File::Basename;
    my $basename = basename($File::Find::name);
    return unless $basename =~ /\.pm$/;
    print "$File::Find::name\n";
    my $access_age = -A $basename;
    print " $basename\n";
    printf "access age in days: %.2f\n", $access_age;
}
__END__

and then I change the find line to:

find( \&pm_beneath, "/", );

I was a bit shocked to see the output, as it looked very different than what I might call "usual." I usually develop on Debian-based linux, and am redeveloping a rapport with the terminal as I can't do a whole lot otherwise, missing in particular the ability to right-click. But I'm trying to get the hang of doing things "the Mac way," for example, using zsh instead of bash. That hasn't killed me yet.

My strategy with installing perl was going to be to march in the front door as root and type cpan. Well, that failed.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ERROR: Can't create '/usr/bin'
Do not have write permissions on '/usr/bin'
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 at -e line 1.

Similar failures followed. I noticed that the places I could not write to were in the wheel group and prodded further with:

Merrills-Mini:Library root# grep '^wheel:.*$' /etc/group | cut -d: -f4
root

My next idea was to add myself to the wheel group:

sudo dseditgroup -o edit -a mymac -t user wheel

That didn't move the needle. Then I realized that the reason nothing can write to /usr is a newer security layer that we shouldn't trespass against:

Merrills-Mac-mini:~ root# ls -lO /System /usr
/System:
total 0
-rw-r--r-- 10 root wheel restricted 0 Apr 1 10:46 .localized
drwxr-xr-x 43 root wheel restricted 1376 Apr 1 10:46 Applications
drwxr-xr-x 4 root wheel restricted 128 Apr 1 10:46 Cryptexes
drwxr-xr-x@ 2 root wheel restricted 64 Apr 1 10:46 Developer
drwxr-xr-x 5 root wheel restricted 160 Apr 1 10:46 DriverKit
drwxr-xr-x 145 root wheel restricted 4640 Apr 1 10:46 Library
drwxr-xr-x 14 root wheel restricted 448 Apr 1 10:46 Volumes
drwxr-xr-x 5 root wheel restricted 160 Apr 1 10:46 iOSSupport

/usr:
total 0
lrwxr-xr-x 1 root wheel restricted 25 Apr 1 10:46 X11 -> ../private/var/select/X11
lrwxr-xr-x 1 root wheel restricted 25 Apr 1 10:46 X11R6 -> ../private/var/select/X11
drwxr-xr-x 936 root wheel restricted 29952 Apr 1 10:46 bin
drwxr-xr-x 32 root wheel restricted 1024 Apr 1 10:46 lib
drwxr-xr-x 347 root wheel restricted 11104 Apr 1 10:46 libexec
drwxr-xr-x 4 root wheel sunlnk 128 Apr 19 20:26 local
drwxr-xr-x 230 root wheel restricted 7360 Apr 1 10:46 sbin
drwxr-xr-x 42 root wheel restricted 1344 Apr 1 10:46 share
drwxr-xr-x 5 root wheel restricted 160 Apr 1 10:46 standalone

I changed tack and put git to work:

mkdir brew
cd brew
git clone https://github.com/Homebrew/brew homebrew

And then:

brew install perl

I rather like the notion of "bottling" an application, and the export to the envelope seems right:

mymac@Merrills-Mac-mini ~ % env | grep perl
PATH=/Users/mymac/perl5/bin:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/System/Cryptexes/ ...
PERL5LIB=/Users/mymac/perl5/lib/perl5
PERL_LOCAL_LIB_ROOT=/Users/mymac/perl5
PERL_MB_OPT=--install_base "/Users/mymac/perl5"
PERL_MM_OPT=INSTALL_BASE=/Users/mymac/perl5
mymac@Merrills-Mac-mini ~ %

I'm still not sure how we are supposed to elevate privileges or forego a dialog window asking for one more auth. If I bump my head into the architecture, I'm inclined to trust the architect in this case, "knowing" as I did some of the innovators of BSD from my days in comp.lang.c, including Chris Torek. I wonder if he still lives in Salt Lake. If I'm indistinguishable from malware, I present a problem to my system. I think the filesystem a strength of this platform, and it is me that needs to conform.

sudo grep -R Torek "/"

Q1) Does any of this make sense? Do I need to walk back any of this?

Q2) What's the deal with wheel?

As I was pitching about being unable to even install anything, I thought of installing perlbrew, which wasn't available. Then it occurred to me that perlbrew might have been a backformation from homebrew.(?)

bash-3.2$ brew info perl
==> perl: stable 5.36.0 (bottled), HEAD
Highly capable, feature-rich programming language
https://www.perl.org/
(2,494 files, 67MB) *
  Poured from bottle using the formulae.brew.sh API on 2023-04-20 at 16:17:27
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/perl.rb
...
==> Analytics
install: 513 (30 days), 28,031 (90 days), 348,514 (365 days)
install-on-request: 159 (30 days), 7,746 (90 days), 91,325 (365 days)
build-error: 0 (30 days)
bash-3.2$

Q3) It looks like the homebrew people are keeping primitive stats on downloads, including failures. Is that the case?

Cheers,
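
An added example, not part of the original post or of any reply: the `ls -lO` listing in the question shows the `restricted` file flag, which marks paths covered by System Integrity Protection, on everything under /usr except /usr/local. This Perl script parses such a listing and reports which entries carry the flag; `parse_ls_lO` and `is_sip_restricted` are names made up for this example, and the sample lines are abridged from the listing above.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Sample `ls -lO` listing, abridged from the output quoted in the question.
my $listing = <<'END';
/System:
total 0
drwxr-xr-x 43 root wheel restricted 1376 Apr 1 10:46 Applications
drwxr-xr-x@ 2 root wheel restricted 64 Apr 1 10:46 Developer
/usr:
total 0
lrwxr-xr-x 1 root wheel restricted 25 Apr 1 10:46 X11 -> ../private/var/select/X11
drwxr-xr-x 936 root wheel restricted 29952 Apr 1 10:46 bin
drwxr-xr-x 4 root wheel sunlnk 128 Apr 19 20:26 local
END

# Parse `ls -lO` text into records: { path, mode, owner, group, flags => [...] }.
sub parse_ls_lO {
    my ($text) = @_;
    my ( $dir, @entries ) = ('');
    for my $line ( split /\n/, $text ) {
        if ( $line =~ m{^(/.*):\z} ) { $dir = $1; next; }    # "/usr:" section header
        next if $line =~ /^total\s+\d+$/ or $line !~ /\S/;
        # Fields: mode[@+] links owner group flags size month day time-or-year name
        my ( $mode, $owner, $group, $flags, $name ) = $line =~
          m{^([-bcdlps][-rwxsStT]{9})[@+]?\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)\z}
          or next;                                           # skip lines we cannot parse
        $name =~ s/ -> .*$// if $mode =~ /^l/;               # drop the symlink target
        push @entries, {
            path  => ( $dir eq '' ? $name : "$dir/$name" ),
            mode  => $mode, owner => $owner, group => $group,
            flags => [ $flags eq '-' ? () : split /,/, $flags ],    # "-" means no flags
        };
    }
    return @entries;
}

# True when the entry carries the SIP "restricted" file flag.
sub is_sip_restricted { my ($e) = @_; return scalar grep { $_ eq 'restricted' } @{ $e->{flags} } }

for my $e ( parse_ls_lO($listing) ) {
    printf "%-22s %-14s %s\n", $e->{path}, join( ',', @{ $e->{flags} } ) || '-',
      is_sip_restricted($e) ? 'SIP-protected, root cannot write' : 'ordinary Unix permissions apply';
}
```

Feeding it real `ls -lO` output instead of the embedded sample shows at a glance which install prefixes are worth trying before reaching for sudo.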

Replies are listed 'Best First'.
Re: Establishing a beachhead and acquiring privileges on a Mac-mini
by 1nickt (Canon) on Apr 21, 2023 at 10:05 UTC

    You must have heard this before: don't use the system Perl on Mac; it's for the system. Install Perlbrew from http://perlbrew.pl and install your own Perl that you can mess with to your heart's desire. No idea what "not available" means.

    Also, bash works fine on Mac. Do chsh -s /bin/bash to change.

    Hope this helps!


    The way forward always starts with a minimal test.

      You must have heard this before: don't use the system Perl on Mac; it's for the system.

      Yeah, but it goes in one eye and out the other until I actually have a Mac. Here's output from the above scripts:

      /System/Library/Perl/5.30/AnyDBM_File.pm
       AnyDBM_File.pm
      access age in days: 30.07
      /System/Library/Perl/5.30/sigtrap.pm
       sigtrap.pm
      access age in days: 30.07
      /System/Library/Perl/5.30/SelectSaver.pm

      I was fine with perl being 5.30, and the truth of the matter is that I do not know the perl command to update itself. I'm left to surmise that it's implementation-dependent. hippo polled the question: why don't you have the latest perl, and my answer was that I have to change architecture to change perl. I get the system up to snuff by getting the perl up to snuff first, so that I can understand where the hell am I on a new box, real or virtual. It is clear that a lot of OS X's architecture looks like this rather than being contained places typical for linux.

      Install Perlbrew from http://perlbrew.pl and install your own Perl that you can mess with to your heart's desire.

      I'm trying another thesis here, namely homebrew, and I see a possible conflict with layering perlbrew. I'm hoping that I have it on "set and forget."

      Also, bash works fine on Mac. Do chsh -s /bin/bash to change.

      I was ready to make this change back. Things have gotten better for me as a whole system since I bit the bullet and got a trackpad. So I'm not jones'ing for a right-click anymore. I've even done my first iMovie. Yes, part of the reason I want to be able to do all of this is to be able to make a TikTok video. Phones are too small for me, and I wanted to match architecture for the phone, where I have again rejoined the apple-verse to flee google and android. (Out of the frying pan, into the fire....)

      I don't think I've got the install right until I can get cpanm, though, and I seem to be stuck:

      (CPAN::Version........v5.5003)
      459 subroutines redefined
      cpan shell -- CPAN exploration and modules installation (v2.33)
      Enter 'h' for help.
      cpan[3]> install cpanm
      Warning: Cannot install cpanm, don't know what it is.
      Try the command
          i /cpanm/
      to find objects with matching identifiers.
      cpan[4]>

      What's the deal? Is cpanm a bad idea for Macs, or am I missing something obvious to the more-experienced?

      Cheers,

        G'day Aldebaran,

        "... I do not know the perl command to update itself."

        Having been advised against using the system Perl on Mac, you wouldn't be doing this even if Perl had such a command. Correct?

        I used Perlbrew on Mac for about nine years and never had any problems. I changed to Cygwin on Win10 about five years ago; still using Perlbrew and still having no problems.

        Following links from Perlbrew, you'll eventually get to CPAN: perlbrew. Here you'll find documentation for perlbrew commands; in the context of the current discussion, the most pertinent are probably install, upgrade-perl, and install-cpanm.

        Once you have Perlbrew installed, you can easily switch between whatever versions of Perl you have; e.g.

        $ perl -v | head -2 | tail -1
        This is perl 5, version 36, subversion 0 (v5.36.0) built for cygwin-thread-multi
        $ perlbrew switch perl-5.32.0
        $ perl -v | head -2 | tail -1
        This is perl 5, version 32, subversion 0 (v5.32.0) built for cygwin-thread-multi
        $ perlbrew switch perl-5.36.0
        $ perl -v | head -2 | tail -1
        This is perl 5, version 36, subversion 0 (v5.36.0) built for cygwin-thread-multi

        I recommend using the following shebang in your scripts.

        #!/usr/bin/env perl

        This means that the script will use whatever Perl version is current.

        $ cat test_shebang.pl
        #!/usr/bin/env perl
        print $^V;
        $ ./test_shebang.pl
        v5.36.0
        $ perlbrew switch perl-5.33.5
        $ perl -v | head -2 | tail -1
        This is perl 5, version 33, subversion 5 (v5.33.5) built for cygwin-thread-multi
        $ ./test_shebang.pl
        v5.33.5

        — Ken

Re: Establishing a beachhead and acquiring privileges on a Mac-mini
by bliako (Monsignor) on Apr 21, 2023 at 12:01 UTC

    root or otherwise, you are not allowed access to /usr/bin and lots of other locations and operations which traditionally root had, in *nix. There is a way to bypass this (with something called "bypassing the SIP", not sure if you will ever be 100% root though!). Which I have not tried and do not recommend. Just get used to the fact that the notion of my computer is well behind us at least with Apple and Microsoft. To me, it seems their difference is that while MS trusts the security of its OS to illiterate IT operators brainmassaged sufficiently with """MS Engineer""" (top oxymoron) courses aspiring to that particular moustache style, Apple trusts no one but its own breed at cupertino.

    I faced more problems, like code signing. And that homebrew does not support older OSX versions (and works 50-50 edit: for my 10-year hardware not allowed any more OS upgrades). And that you need that dreaded XCode for anything to be compiled. And the system becomes unworkable for the average bloke once the hardware's age forbids software upgrades. I personally use my old macbook for watching the occasional movie. And even that presents a challenge...

    For some binaries, Homebrew refuses to install them in locations which shadow the system default. That's another caveat you need to juggle.

    Q3: brew analytics off - though this is your least of the privacy problems as Apple keeps phoning home more than a butterboy in summer camp. (hint: pay Lulu a visit pronto and learn how to ban ip addresses using /etc/hosts)

      «…I have not tried and do not recommend.»

      That's almost like saying: I don't know but I can't recommend it. In general, the whole argumentation is too much propaganda for me. I am actually also sure that there are reasonable, practicable solutions for the problems mentioned. You will have to search for them a bit. But Apple's documentation is not bad. In fact, it is mostly excellent. But many don't know that or don't want to admit it.

      «The Crux of the Biscuit is the Apostrophe»

        The reason I have not tried and do not recommend this is because I don't know the consequences of this action and do not trust Apple, or any other profit-maximising corporation, to tell me exactly what these consequences will be.

        I am primarily concerned that this action may unlock back-doors or activate some bug which may decrease OS security in other, undocumented, ways additionally to what Apple states in the link about SIP (which you posted). I am also afraid that this bypassing the SIP could be a "challenge" to lure those still seeking Absolute Freedom in OS into trying it out and then Apple opening a huge backdoor on them and on top of that lecturing them with a "I told you so" as the cherry in the pwned pie.

        The OS I trust, use and recommend is Linux. For Linux, I have done and recommended things equivalent to bypassing the SIP. But I will not do that for Apple. It's not FUD, it's not propaganda. It's just like refusing candy from a stranger, or an apple from the serpent. As simple as that.

        bw, bliako

Re: Establishing a beachhead and acquiring privileges on a Mac-mini
by karlgoethebier (Abbot) on Apr 21, 2023 at 18:16 UTC

Node Type: perlquestion [id://11151810]
Approved by GrandFather