Not working on OS X 10.11 due to SIP #78

Open
Willian-Zhang opened this Issue Sep 6, 2015 · 22 comments

Willian-Zhang commented Sep 6, 2015

which error ?

generally it doesn't work.

version

$ brew info proxychains-ng
proxychains-ng: stable 4.10, HEAD
Hook preloader
https://sourceforge.net/projects/proxychains-ng/
/usr/local/Cellar/proxychains-ng/4.8.1 (8 files, 100K)
  Built from source
/usr/local/Cellar/proxychains-ng/4.10 (8 files, 88K) *
  Built from source
From: https://github.com/Homebrew/homebrew/blob/master/Library/Formula/proxychains-ng.rb
==> Options
--universal
    Build a universal binary
--HEAD
    Install HEAD version

testcase

Config

strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0

[ProxyList]
socks5 127.0.0.1 30039

Test

$ proxychains4 curl http://ifconfig.co/
[proxychains] config file found: /Users/User/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.10/lib/libproxychains4.dylib
{{an ip resulted from DIRECT accessed http://ifconfig.co/ }}

why does your proxychains not print version information ? (it should)

like [proxychains] DLL init: proxychains-ng 4.10 ?
on my non-el-capitan OS X, it does and it works

if that is so, someone needs to research which changes were introduced in 10.11 that breaks LD_PRELOAD and how to fix it.
possibly it's the guilt of this new "feature": https://en.wikipedia.org/wiki/System_Integrity_Protection

any idea how to fix it?

you could try to disable the system integrity protection (as described in the wikipedia article) temporarily to see if it makes proxychains work. if so, we can try to seek a permanent workaround.

yes, disabling it would lead to success in working of proxychains

Disabling SIP

Run csrutil disable in Recovery mode

@Willian-Zhang thanks for testing. now we can look if there's a way to disable the LD_PRELOAD "protection" "feature" for handpicked applications, in our case proxychains-ng.

@rofl0r any luck with this problem?

i haven't found any documentation about the LD_PRELOAD specific protection so far. we need to wait until more information is available (probably after the official release).

Willian-Zhang commented Sep 6, 2015

Logs above are moved from #74

@Willian-Zhang Willian-Zhang changed the title from Not working on OS X 10.11 due to LD_PRELOAD protection to Not working on OS X 10.11 due to SIP Sep 6, 2015

tais9 commented Sep 8, 2015

It only happens if you execute a system binary using proxychains, e.g. proxychains4 ssh user@server. For now, a workaround is to copy the executable to another location (e.g. cp /usr/bin/ssh ~/XXX), and use it (e.g. proxychains4 ~/XXX/ssh user@server). You can modify the path variable so that ~/XXX/ssh is executed instead of /usr/bin/ssh, when you just type "ssh".

Pikaurd commented Sep 17, 2015

@tais9 worked for me
thanks

kennel209 commented Oct 1, 2015

In OS X 10.11,
a workaround is to turn off the debug flag in SIP in recovery mode:
csrutil enable --without debug

otherwise, proxychains cannot apply to /bin/* /usr/bin/* /System* ... unfortunately most scripts start with #!/usr/bin/env XXX

cache0928 commented Oct 12, 2015

I find that if you move the executable file (proxychains4) to your home folder (like ~/bin), you then need to change the PATH value. If you do this, you don't have to disable SIP, it will work with no error @Willian-Zhang

wd commented Nov 4, 2015

If you do not want to disable SIP, you can use pyenv to solve this. Use pyenv to install a local python version (of course, you can also install a python from source using make && make install).

And then run command like this
proxychains4 ~/.pyenv/versions/2.7.9/bin/python /usr/local/Cellar/youtube-dl/2015.10.24/bin/youtube-dl

Willian-Zhang commented Dec 11, 2015

Update

Run csrutil disable in Recovery mode

For those who are disabling SIP to make it work:
There is no need to disable all of SIP: debug mode will also work

Disabling partial SIP

Run csrutil enable --without debug in Recovery mode

arrchyy commented Jan 9, 2016

Nice. Disabling SIP's debug indeed works. Though it did complain and echo

requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state

For anyone who wanna have a better sense of what SIP does and how to configure it, you can read it up here (which I stumbled upon it while I was reading a SE post) or just check out the apple doc

MatzFan commented Feb 22, 2016

For those like me who do not wish to disable SIP, note that it is possible to use proxychains-ng with Homebrew-installed executables (or linked dupes) as SIP doesn't cover /usr/local. E.g. to use Homebrew's curl (with Tor in the .conf file here):

$ brew install curl

Then:

$ proxychains4 /usr/local/bin/curl http://ifconfig.co/
[proxychains] config file found: /Users/me/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.11
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  188.113.88.193:80  ...  OK
171.25.193.132

Perhaps this could be added to the README section where this issue is mentioned?

Owner

rofl0r commented Feb 22, 2016

@MatzFan please elaborate on "linked dupes". is there a possibility to use e.g. ssh with a softlink or a hardlink ?

MatzFan commented Feb 22, 2016

Using the curl example you can do brew link --force curl which will use Homebrew's curl before system installed version (as Homebrew insists /usr/local/bin comes before /usr/bin in your $PATH). If you do that you can simply do $ proxychains4 curl http://ifconfig.co/. Generally not advised to override (dupe) system binaries like this - hence my example using path to the Homebrew Cellar. Homebrew call this Keg only I think.

Not tried ssh, but any Homebrew-installed binary should work with proxychains like this on El Cap., as SIP doesn't affect the directory where all brewed symlinks go.

MatzFan commented Feb 23, 2016

Homebrew openssh seems to work (using Tor in my .conf file):

$ brew install openssh
==> Installing openssh from homebrew/dupes
==> Downloading https://homebrew.bintray.com/bottles-dupes/openssh-7.1p2.el_capitan.bottle.tar.gz
Already downloaded: /Library/Caches/Homebrew/openssh-7.1p2.el_capitan.bottle.tar.gz
==> Pouring openssh-7.1p2.el_capitan.bottle.tar.gz
🍺  /usr/local/Cellar/openssh/7.1p2: 30 files, 3.9M
Macintosh:~ me$ which ssh
/usr/local/bin/ssh
Macintosh:~ me$ proxychains4 ssh -T git@github.com
[proxychains] config file found: /Users/me/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.11
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  192.30.252.130:22  ...  OK
Hi MatzFan! You've successfully authenticated, but GitHub does not provide shell access.

meritozh commented Mar 31, 2016

Because of SIP, you can't use proxychains-ng to proxy an executable which is in a system dir like /usr/bin. But /usr/local/bin works. For something like youtube-dl, which calls the python in /usr/bin, installing a Homebrew python or another one can solve it.
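
Added example (not part of any comment in this thread, and not proxychains-ng code): a pre-flight check for the failure mode discussed above, where a command under a SIP-protected path, or a script whose `#!` interpreter lives there, silently runs without the proxy hook. The function names are hypothetical, and the path-prefix list is an assumption that approximates SIP's protected locations rather than reading the binary's actual restricted flag.

```shell
#!/bin/sh
# Added example. Predicts whether proxychains4's preload survives on OS X 10.11+
# with SIP enabled. The prefix list is an approximation of SIP's protected
# locations (assumption); it does not read the binary's real restricted flag.

# 0 if the path sits in a SIP-protected location; /usr/local is exempt.
is_sip_path() {
    case "$1" in
        /usr/local/*) return 1 ;;
        /bin/*|/sbin/*|/usr/*|/System/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the interpreter named on a script's "#!" line; print nothing otherwise.
shebang_of() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null | LC_ALL=C tr -d '\000')
    [ "$magic" = '#!' ] || return 0
    IFS= read -r line < "$1" || true
    line=${line#'#!'}
    set -f; set -- $line; set +f   # first word is the interpreter path
    printf '%s\n' "$1"
}

# hooked                  binary outside SIP paths, the preload applies
# stripped                binary inside a SIP path, the preload is dropped
# stripped-by-interpreter script whose interpreter is inside a SIP path
preload_verdict() {
    if is_sip_path "$1"; then echo stripped; return 0; fi
    interp=$(shebang_of "$1")
    if [ -n "$interp" ] && is_sip_path "$interp"; then
        echo stripped-by-interpreter; return 0
    fi
    echo hooked
}

# Runtime confirmation on captured proxychains4 output: the hook library prints
# a "DLL init" line when it loads; without it the command ran unproxied.
hook_loaded() {
    printf '%s\n' "$1" | grep -q '^\[proxychains\] DLL init:'
}

demo() {
    d=$(mktemp -d)   # constructed sample scripts, not taken from the thread
    printf '#!/usr/bin/env python\nprint("x")\n' > "$d/tool-env"
    printf '#!/usr/local/bin/python\nprint("x")\n' > "$d/tool-brew"
    for t in /usr/bin/ssh /usr/local/bin/curl "$d/tool-env" "$d/tool-brew"; do
        printf '%-28s %s\n' "${t##*/}" "$(preload_verdict "$t")"
    done
    rm -rf "$d"
}
demo
```

On a real machine, pass the result of `command -v <tool>` to `preload_verdict`, and treat a missing "DLL init" line in the captured output as traffic that went out directly.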

zanjs commented Nov 18, 2016

$: proxychains4 /usr/local/bin/curl http://ifconfig.co/
[proxychains] config file found: /usr/local/Cellar/proxychains-ng/4.11/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
proxychains can't load process....: No such file or directory

kakashisan commented Dec 2, 2016

Hello all, I'm not expert enough to follow up, but it seems I have a problem that may be similar and related to this SIP, and I would be grateful if someone could help.
I use proxychains4 on macOS Sierra and have an issue with scp.
For ssh, I countered the problem by copying ssh from /usr/bin to /User/mylaptop and then using this to ssh:
proxychains4 /users/mylaptop/ssh user@host
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /opt/local/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.10
[proxychains] Strict chain .........
and I could connect to my host, but scp won't work.
I ran out of ideas.

Owner

rofl0r commented Dec 2, 2016

@kakashisan how about trying the things recommended here ?
and what is the error you get from scp ?

kakashisan commented Dec 2, 2016

Thank you for the fast reply. Here is what I get when I scp:
proxychains4 /Users/didisan/scp -vvv didi@host:.bashrc new.file
[proxychains] config file found: /private/etc/proxychains.conf
[proxychains] preloading /opt/local/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.10
Executing: program /usr/bin/ssh host user didi, command scp -v -f .bashrc
OpenSSH_7.2p2, LibreSSL 2.4.1
debug1: Reading configuration data /Users/didisan/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: resolving "host" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to host [host] port 22.
debug1: connect to address host port 22: Connection refused
ssh: connect to host host port 22: Connection refused

Owner

rofl0r commented Dec 2, 2016

oh so the problem is that scp starts ssh from /usr/bin. maybe you can fix that by overriding PATH pointing to where your copy of the ssh binary is, for example:

PATH=/Users/didisan/ proxychains4 /Users/didisan/scp -vvv didi@host:.bashrc new.file

this assumes that "ssh" as well as "scp" are in /Users/didisan.

kakashisan commented Dec 3, 2016

I did it before by adding the path, but it still executes the binary one:
"Executing: program on /usr/bin/ssh"
I think even if I copied scp from usr/bin to my local folder, it is still somehow (maybe because of the proxychains lib or smth) linked to the ssh of the bin and executes it. My ssh still works with this trick and connects through the proxy.

JasonQSY commented Jan 18, 2017

For git, using sudo proxychains4 git clone works for me.

liftliftlift commented Mar 10, 2017

According to Apple we should use paths like /usr/local instead of /usr or /usr/bin etc. since OS X El Capitan. See https://support.apple.com/en-us/HT204899.
And the steps that solved it for me on OS X 10.11.6:

  1. Install Homebrew
  2. brew install proxychains-ng

==> Downloading https://homebrew.bintray.com/bottles/proxychains-ng-4.12_1.el_ca
Already downloaded: /Users/futeli/Library/Caches/Homebrew/proxychains-ng-4.12_1.el_capitan.bottle.tar.gz
==> Pouring proxychains-ng-4.12_1.el_capitan.bottle.tar.gz
🍺 /usr/local/Cellar/proxychains-ng/4.12_1: 8 files, 74.8KB

  3. Proxychains-ng now has been installed at path /usr/local/Cellar

  4. brew install curl

==> Downloading https://homebrew.bintray.com/bottles/curl-7.53.1.el_capitan.bott
######################################################################## 100.0%
==> Pouring curl-7.53.1.el_capitan.bottle.tar.gz
==> Caveats
(here has some caveats I don't use this time)
==> Summary
🍺 /usr/local/Cellar/curl/7.53.1: 390 files, 2.7MB

  5. Curl also has been installed at path /usr/local/Cellar
  6. cd /usr/local/etc && vim proxychains.conf
  7. Configure [ProxyList] in proxychains.conf
  8. Do not use proxychains4 curl xxxx.com but proxychains4 /usr/local/Cellar/curl/7.53.1/bin/curl xxxxx.com.

Huang-Libo commented Oct 26, 2017

@tais9
You helped me!
