Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Not working on OS X 10.11 due to SIP #78

Open
Willian-Zhang opened this issue Sep 6, 2015 · 31 comments
Open

Not working on OS X 10.11 due to SIP #78

Willian-Zhang opened this issue Sep 6, 2015 · 31 comments

Comments

@Willian-Zhang
Copy link

@Willian-Zhang Willian-Zhang commented Sep 6, 2015

which error ?

generally it doesn't work.

version

$ brew info proxychains-ng
proxychains-ng: stable 4.10, HEAD
Hook preloader
https://sourceforge.net/projects/proxychains-ng/
/usr/local/Cellar/proxychains-ng/4.8.1 (8 files, 100K)
  Built from source
/usr/local/Cellar/proxychains-ng/4.10 (8 files, 88K) *
  Built from source
From: https://github.com/Homebrew/homebrew/blob/master/Library/Formula/proxychains-ng.rb
==> Options
--universal
    Build a universal binary
--HEAD
    Install HEAD version

testcase

Config

strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0

[ProxyList]
socks5 127.0.0.1 30039

Test

$ proxychains4 curl http://ifconfig.co/
[proxychains] config file found: /Users/User/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.10/lib/libproxychains4.dylib
{{an ip resulted from DIRECT accessed http://ifconfig.co/ }}

why does your proxychains not print version information ? (it should)

like [proxychains] DLL init: proxychains-ng 4.10 ?
on my non-el-capitan OS X, it does and it works

if that is so, someone needs to research which changes were introduced in 10.11 that breaks LD_PRELOAD and how to fix it.
possibly it's the guilt of this new "feature": https://en.wikipedia.org/wiki/System_Integrity_Protection

any idea how to fix it?

you could try to disable the system integrity protection (as described in the wikipedia article) temporarily to see if it makes proxychains work. if so, we can try to seek a permanent workaround.

yes, disabling it would led to success in working of proxy chains

Disabling SIP

Run csrutil disable in Recovery mode

@Willian-Zhang thanks for testing. now we can look if there's a way to disable the LD_PRELOAD "protection" "feature" for handpicked applications, in our case proxychains-ng.

@rofl0r any luck with this problem?

i haven't found any documentation about the LD_PRELOAD specific protection so far. we need to wait until more information is available (probably after the official release).

@Willian-Zhang
Copy link
Author

@Willian-Zhang Willian-Zhang commented Sep 6, 2015

Logs above are moved from #74

@Willian-Zhang Willian-Zhang changed the title Not working on OS X 10.11 due to LD_PRELOAD protection Not working on OS X 10.11 due to SIP Sep 6, 2015
@tais9
Copy link

@tais9 tais9 commented Sep 8, 2015

It only happens if you execute a system binary using proxychains, e.g. proxychains4 ssh user@server. For now, a workaround is to copy the executable to another location (e.g. cp /usr/bin/ssh ~/XXX), and use it (e.g. proxychains4 ~/XXX/ssh user@server). You can modify the path variable so that ~/XXX/ssh is executed instead of /usr/bin/ssh, when you just type "ssh".

@Pikaurd
Copy link

@Pikaurd Pikaurd commented Sep 17, 2015

@tais9 worked of me
thanks

@kennel209
Copy link

@kennel209 kennel209 commented Oct 1, 2015

In OSX 10.11
something workaround is to turn off debug flag in SIP in recovery mode
csrutil enable --without debug

otherwise, proxychains cannot apply to /bin/* /usr/bin/* /System* ... unfortunately most script with #!/usr/bin/env XXX

@cache0928
Copy link

@cache0928 cache0928 commented Oct 12, 2015

I find that if you move the executable file(proxychains4) to your home folder(like ~/bin), and then you need to change the PATH value. If you do this, you don't have to disable the SIP, , it will works with no error @Willian-Zhang

@wd
Copy link

@wd wd commented Nov 4, 2015

If do not want to disalbe SIP, you can use pyenv to solve this. Use pyenv install a local python version(of cuz, you can install a python use make && make install from source).

And then run command like this
proxychains4 ~/.pyenv/versions/2.7.9/bin/python /usr/local/Cellar/youtube-dl/2015.10.24/bin/youtube-dl

@Willian-Zhang
Copy link
Author

@Willian-Zhang Willian-Zhang commented Dec 11, 2015

Update

Run csrutil disable in Recovery mode

For those who's disabling SIP to make it work:
There is no need to disable all SIP:debug mode will also work

Disabling partial SIP

Run csrutil enable --without debug in Recovery mode

@archywillhe
Copy link

@archywillhe archywillhe commented Jan 9, 2016

Nice. Disabling SIP's debug indeed works. Though it did complain and echo

requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state

For anyone who wanna have a better sense of what SIP does and how to configure it, you can read it up here (which I stumbled upon it while I was reading a SE post) or just check out the apple doc

@MatzFan
Copy link

@MatzFan MatzFan commented Feb 22, 2016

For those like me who do not wish to disable SIP, note that it is possible to use proxychains-ng with Homebrew-installed executables (or linked dupes) as SIP doesn't cover /usr/local. E.g. to use Homebrew's curl (with Tor in the .conf file here):

$ brew install curl

Then:

$ proxychains4 /usr/local/bin/curl http://ifconfig.co/
[proxychains] config file found: /Users/me/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.11
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  188.113.88.193:80  ...  OK
171.25.193.132

Perhaps this could be added to the README section where this issue is mentioned?

@rofl0r
Copy link
Owner

@rofl0r rofl0r commented Feb 22, 2016

@MatzFan please elaborate on "linked dupes". is there a possibility to use e.g. ssh with a softlink or a hardlink ?

@MatzFan
Copy link

@MatzFan MatzFan commented Feb 22, 2016

Using the curl example you can do brew link --force curl which will use Homebrew's curl before system installed version (as Homebrew insists /usr/local/bin comes before /usr/bin in your $PATH). If you do that you can simply do $ proxychains4 curl http://ifconfig.co/. Generally not advised to override (dupe) system binaries like this - hence my example using path to the Homebrew Cellar. Homebrew call this Keg only I think.

Not tried ssh, but any Homebrew-installed binary should work with proxychains like this on El Cap., as SIP doesn't affect the directory where all brewed symlinks go.

@MatzFan
Copy link

@MatzFan MatzFan commented Feb 23, 2016

Homebrew openssh seems to work (using Tor in my .conf file):

$ brew install openssh
==> Installing openssh from homebrew/dupes
==> Downloading https://homebrew.bintray.com/bottles-dupes/openssh-7.1p2.el_capitan.bottle.tar.gz
Already downloaded: /Library/Caches/Homebrew/openssh-7.1p2.el_capitan.bottle.tar.gz
==> Pouring openssh-7.1p2.el_capitan.bottle.tar.gz
🍺  /usr/local/Cellar/openssh/7.1p2: 30 files, 3.9M
Macintosh:~ me$ which ssh
/usr/local/bin/ssh
Macintosh:~ me$ proxychains4 ssh -T git@github.com
[proxychains] config file found: /Users/me/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.11
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  192.30.252.130:22  ...  OK
Hi MatzFan! You've successfully authenticated, but GitHub does not provide shell access.

@meritozh
Copy link

@meritozh meritozh commented Mar 31, 2016

because of SIP, you can't use proxychains-ng to proxy a execute which is in system dir like /usr/bin. But /usr/local/bin can works. Something like youtube-dl with call python which is in /usr/bin, install a Homebrew python or others can solve it.

@zanjs
Copy link

@zanjs zanjs commented Nov 18, 2016

$: proxychains4 /usr/local/bin/curl http://ifconfig.co/
[proxychains] config file found: /usr/local/Cellar/proxychains-ng/4.11/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
proxychains can't load process....: No such file or directory

@kakashisan
Copy link

@kakashisan kakashisan commented Dec 2, 2016

Hello all, i'm not expert to fellow up but it seems i have a problem may be similar and related to this SIP, and i would be gratefull if someone could help.
i use proxychains4 in mac os sierra and have an issue with scp.
for ssh, i counter the problem by copying the ssh from /usr/bin to /User/mylaptop then use this to ssh :
proxychains4 /users/mylaptop/ssh user@host
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /opt/local/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.10
[proxychains] Strict chain .........
and i could connect to my host. but scp wont work.
i ran out of idea.

@rofl0r
Copy link
Owner

@rofl0r rofl0r commented Dec 2, 2016

@kakashisan how about trying the things recommended here ?
and what is the error you get from scp ?

@kakashisan
Copy link

@kakashisan kakashisan commented Dec 2, 2016

Thank you for the fast reply here when i scp:
proxychains4 /Users/didisan/scp -vvv didi@host:.bashrc new.file
[proxychains] config file found: /private/etc/proxychains.conf
[proxychains] preloading /opt/local/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.10
Executing: program /usr/bin/ssh host user didi, command scp -v -f .bashrc
OpenSSH_7.2p2, LibreSSL 2.4.1
debug1: Reading configuration data /Users/didisan/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: resolving "host" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to host [host] port 22.
debug1: connect to address host port 22: Connection refused
ssh: connect to host host port 22: Connection refused

@rofl0r
Copy link
Owner

@rofl0r rofl0r commented Dec 2, 2016

oh so the problem is that scp starts ssh from /usr/bin. maybe you can fix that by overriding PATH pointing to where your copy of the ssh binary is, for example:

PATH=/Users/didisan/ proxychains4 /Users/didisan/scp -vvv didi@host:.bashrc new.file

this assumes that "ssh" as well as "scp" are in /Users/didisan.

@kakashisan
Copy link

@kakashisan kakashisan commented Dec 3, 2016

i did it before by adding the path but it stills excecutes the binary one :
"Executing: program on /usr/bin/ssh"
i think even if i copied the scp from usr/bin to my local folder, it is still somehow (may be because of proxychains lib or smth) linked to the ssh of the bin and executed it. my ssh still works with this trick and connect through proxy.

@JasonQSY
Copy link

@JasonQSY JasonQSY commented Jan 18, 2017

For git, use sudo proxychains4 git clone works for me.

@liftliftlift
Copy link

@liftliftlift liftliftlift commented Mar 10, 2017

Acorrding to Apple we should use path like /usr/local instead of /usr or /usr/bin etc since OS X El Capitan. See https://support.apple.com/en-us/HT204899.
And my solved steps at OSX 10.11.6:

  1. Install Homebrew
  2. brew install proxychains-ng

==> Downloading https://homebrew.bintray.com/bottles/proxychains-ng-4.12_1.el_ca
Already downloaded: /Users/futeli/Library/Caches/Homebrew/proxychains-ng-4.12_1.el_capitan.bottle.tar.gz
==> Pouring proxychains-ng-4.12_1.el_capitan.bottle.tar.gz
🍺 /usr/local/Cellar/proxychains-ng/4.12_1: 8 files, 74.8KB

  1. Proxychains-ng now has been installed at path /usr/local/Cellar

  2. brew install curl

==> Downloading https://homebrew.bintray.com/bottles/curl-7.53.1.el_capitan.bott
######################################################################## 100.0%
==> Pouring curl-7.53.1.el_capitan.bottle.tar.gz
==> Caveats
(here has some caveats I don't use this time)
==> Summary
🍺 /usr/local/Cellar/curl/7.53.1: 390 files, 2.7MB

  1. Curl also has been installed at path /usr/local/Cellar
  2. cd /usr/local/etc && vim proxychains.conf
  3. Configure [ProxyList] in proxychains.conf
  4. Do not use proxychains4 curl xxxx.com but proxychains4 /usr/local/Cellar/curl/7.53.1/bin/curl xxxxx.com.

@Huang-Libo
Copy link

@Huang-Libo Huang-Libo commented Oct 26, 2017

@tais9
You helped me!

@rickygu
Copy link

@rickygu rickygu commented Jan 11, 2019

On mac 10.14.2, csrutil enable --without debug doesn't work. I had to disable completely to kind of work.
I would often get this error warning but everything works fine.

dyld: warning: could not load inserted library '/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib' into hardened process because no suitable image found.  Did find:
	/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib: code signature in (/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
	/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib: stat() failed with errno=1

How do I get rid of this error?

@heany
Copy link

@heany heany commented Feb 2, 2019

proxychains4 curl www.google.com                                      ✔  671  01:01:10
[proxychains] config file found: /usr/local/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib
curl: (7) Failed to connect to www.google.com port 80: Operation timed out

In mac 10.14, why ? and how do I solve this error?

@theblackturtle
Copy link

@theblackturtle theblackturtle commented Feb 11, 2019

I have this problem too.

@ilyamochalov
Copy link

@ilyamochalov ilyamochalov commented Apr 4, 2019

same problem for me on
macOS 10.13.6,
ShadowsocksX-NG 1.7.1
proxychains-ng 4.14

@peiyaoli
Copy link

@peiyaoli peiyaoli commented Apr 16, 2019

same issues here

@Neboer
Copy link

@Neboer Neboer commented Jun 4, 2019

I am using Ubuntu 19.04 and I still can't launch GUI programme in a graphic way.
I saw the above discussion and the problem seems have been solved, but in your last release Release 4.14 the problem still occurs. Please find out a solution and solve it, thank you very much.

@rofl0r
Copy link
Owner

@rofl0r rofl0r commented Jun 4, 2019

Please find out a solution and solve it

you volunteer? great!

btw, your comment has nothing to do with the issue discussed here, so post further updates about your work in a new issue/PR.

@kk580kk
Copy link

@kk580kk kk580kk commented Oct 18, 2019

I can solve this problem!!!!

Problem

first
Gitl clone https://github.com/rofl0r/proxychains-ng.git
then make
./configure --prefix=/usr/local --sysconfdir=/etc
sudo make install
installed in /usr/local/bin/proxychains4
but
/usr/local/bin/proxychains4 curl -v -L https://ip.cn/
returns
{"ip": "xxx.xxx.xxx.xxx", "country": "上海市", "city": "移动”}
Same problem there

Solve it

install curl by brew
brew install curl
then do it
/usr/local/bin/proxychains4 /usr/local/opt/curl/bin/curl -v -L https://ip.cn
Solved
{"ip": "xxx.xxx.xxx.xxx", "country": "美国", "city": "阿里云”}

Finally

In case I use zsh.
echo 'export PATH="/usr/local/opt/curl/bin:$PATH"' >> ~/.zshrc
Then
proxychains4 curl -v -L https://ip.cn/
Got
{"ip": "xxx.xxx.xxx.xxx", "country": "美国", "city": "阿里云"}

Goal

@omidraha
Copy link

@omidraha omidraha commented Nov 22, 2020

Same issue, fixed for some commands as @tais9 said.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet