<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 3, 2015, at 14:41, Brandon Allbery <<a href="mailto:allbery.b@gmail.com" class="">allbery.b@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote">On Sat, Oct 3, 2015 at 2:39 PM, Clemens Lang <span dir="ltr" class=""><<a href="mailto:cal@macports.org" target="_blank" class="">cal@macports.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> Same thing, but as seen in the 2nd case, no com.apple.rootless attribute, no<br class="">
> restricted (or hidden) flags. :-)<br class="">
<br class="">
</span>Mounts are a nice idea, but not possible without root privileges, and that leaves<br class="">
out everybody that uses a user-only installation of MacPorts. So this could only<br class="">
be done as an optimization, and I'm not sure it's worth it then. Cache<br class="">
invalidation would definitely be easier with it, though…</blockquote></div><br class="">...but at some point the NFS server must access the file, in the original filesystem where all of those exist and will be enforced.</div><div class="gmail_extra"><div class=""><br class=""></div></div></div></div></blockquote><br class=""></div><div><br class=""></div><div>But it's so easy to test that theory: :-)</div><div><div style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">sh-3.2# dtruss /bin/sh</div><div style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">dtrace: failed to execute /bin/sh: dtrace cannot control executables signed with restricted entitlements</div><div style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">sh-3.2# dtruss /net/localhost/bin/sh</div><div style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">sh-3.2# SYSCALL(args) <span class="Apple-tab-span" style="white-space:pre"> </span> = return</div><div style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">thread_selfid(0x0, 0x0, 0x0)<span class="Apple-tab-span" style="white-space:pre"> </span> = 867702 0</div><div style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">csops(0x0, 0x0, 0x7FFF563BF720)<span class="Apple-tab-span" style="white-space:pre"> </span> = 0 0</div><div style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">issetugid(0x0, 0x0, 0x7FFF563BF720)<span class="Apple-tab-span" style="white-space:pre"> </span> = 0 0</div></div><br class=""></body></html>