-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to uninstall? #6
Comments
To see if the kernel is loaded you can use kextstat
You should get a result that look like that:
and to unload I think (not sure is the right way) you can use kextunload
But again not sure, I found these commands by googling «mac unload/list kext» |
Many thanks for your reply, I could verify the loaded kext, but it would be great to now, how this installation could be undone correctly. |
I think to remove it completely you can unloaded first then:
or backup it
|
But would that also remove autoloader for that extension that's provided with NG or it will just autoload any extension that someone would later put in |
Yes removing the kext will rebuild the cache (see issue #5) and for the second part of the question: Yes if it conform to a valid signing kernel extension. |
I guess the question Marqin has if we added a magic autoloader that will load whatever extension is installed in /Library/Extensions/SUIDGuardNG.kext <-- the later is not the case. Extensions autoload under certain conditions, e.g. when they are designed to do it by using IOKit. This is what we did in the binary package (make it look like an IOKit driver) and that is also the technique LittleSnitch uses (???). So we did not install some magic autoloader when you install the extension. It is just that the extension itself was changed a bit from the public source code to make it autoload by default. |
Thank you all very much for all these explanations! I've now uninstalled it as described above, as Apple has fix this issue with OS X 10.10.5. |
From APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006
|
There is this misinformation spread that SUIDGuard is just a fix for DYLD_PRINT_TO_FILE. SUIDGuard is a mitigation that stops a class of vulnerabilities (and soon more). If you uninstall SUIDGuard because you upgraded to 10.10.5 you are still vulnerable to other exploits people know and that Apple was informed about as far as I know and that are not fixed in 10.10.5 or in 10.11. |
Again many thanks for all the help! Yes, this was a real misunderstatement and thank you for clearing it up. I reinstalled it now. |
It's a little off-topic but I have just found out the phantomjs is blocked by SUIDguard, i.e. if I remove SUIDguard as described above, I could use phantomjs again. Is this a security flaw in phantomjs? Or perhaps in nodejs? |
Do you see any message from SUIDGuard in your /var/log/system.log when you try to use phantomjs ? |
@stefanesser Yes, I do.
|
How can I see, if the package is loaded after reboot? And how can it be uninstalled, if Apple fixes the security hole themselves?
The text was updated successfully, but these errors were encountered: