Ventura blocking access to files even after SIP is disabled

Hi Everyone! I'm trying to set up an NFS server to share some media files with other devices in my home (Samba is not an option when handling 4K HDR 10 files with over 10GB for example).

In order to do so, with previous macOS versions I used to do this:

  1. Reboot in Recovery Mode
  2. Disable System Integrity Protection (csrutil disable)
  3. Edit (with sudo) the Launch Daemon file for NFS to enable non-root access (for example for making Kodi able to reach my files).
  4. Re-enable SIP by reversing steps 2 and 1.
  5. Done.


With Ventura, even after disabling SIP, whenever I try to edit the NFS daemon file I get a message saying "Cannot open file for writing: Read-only file system".

I know about the idea of making the system read-only but it's completely unacceptable that there's no actual way for users to set up their systems in case they need to.


Any idea about a workaround for this?


Thanks in advance!

MacBook Pro 13″, macOS 13.3

Posted on May 16, 2023 11:50 AM

Question marked as Top-ranking reply

Posted on May 16, 2023 4:01 PM

OK. I dug into this. It sounds like Kodi is doing all of the mount logic itself, as a normal user. Normally, there is a system process that mounts volumes. But there is no concept of a "root user" at the network level. Any software can talk to an NFS server.


But NFS, being an ancient protocol, makes some ancient assumptions. It is able to detect quasi-root usage by looking at the originating port. Normally that doesn't matter. But since NFS is so old, it gets special privileges and it sends connection requests from a privileged port with a value less than 1024. So when the server sees a request coming in from a port value greater than 1024, it rejects it by default.


So, knowing that this is the mechanism that is controlling this, you can look for another solution. That solution is the /etc/nfs.conf file. Run "man nfs.conf" to see the details. The setting you want is "nfs.server.mount.require_resv_port". Set it to "0". That should do the trick.


Unfortunately, I have no way to test this. My only NFS client is Linux. So you'll have to try this and report back.


PS: I'm pretty sure that recent updates to the file system make those old Kodi instructions completely impossible.
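
An added example, not part of the original thread: once `nfs.server.mount.require_resv_port` is set to `0`, the source-port check no longer filters clients, so the host and read-only restrictions in `/etc/exports` carry the access control. The script below audits both files; the function names, the sample file contents and the last-assignment-wins parsing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nfs.conf/exports pair.
# Assumptions: "key = value" lines, last assignment wins, and export
# paths without spaces.

# Succeeds if the server still requires mounts from a reserved port (<1024).
resv_port_required() {
    val=$(awk -F= '
        $1 ~ /^[ \t]*nfs\.server\.mount\.require_resv_port[ \t]*$/ {
            gsub(/[ \t]/, "", $2); v = $2
        }
        END { print (v == "" ? 1 : v) }' "$1")   # unset means the default, on
    [ "$val" != "0" ]
}

# Print one finding per export line that is not host-scoped or not read-only.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
        ro = 0; scoped = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-ro") ro = 1
            else if ($i == "-network" || $i == "-mask") { scoped = 1; i++ }
            else if ($i ~ /^-network=/) scoped = 1
            else if ($i !~ "^[-/]") scoped = 1      # bare token is a host name
        }
        if (!scoped) print $1 ": no host or -network restriction"
        if (!ro) print $1 ": not read-only"
    }' "$1"
}

audit() {   # usage: audit NFS_CONF EXPORTS
    if resv_port_required "$1"; then
        echo "reserved-port check: on"
    else
        echo "reserved-port check: off"
    fi
    audit_exports "$2"
}

# Constructed sample files standing in for /etc/nfs.conf and /etc/exports.
SAMPLE_DIR=$(mktemp -d)
printf 'nfs.server.mount.require_resv_port = 0\n' > "$SAMPLE_DIR/nfs.conf"
cat > "$SAMPLE_DIR/exports" <<'EOF'
/Volumes/Media -ro -mapall=nobody -network 192.168.1.0 -mask 255.255.255.0
/Users/Shared/scratch
EOF
audit "$SAMPLE_DIR/nfs.conf" "$SAMPLE_DIR/exports"
```

On a real system, point `audit` at `/etc/nfs.conf` and `/etc/exports`.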

May 16, 2023 12:33 PM in response to martinmaldonado

Before jumping down in that rabbit hole with you, I want to ask if you've tried using the built-in file sharing.


But on the other hand, I like rabbits. Can you explain where you learned that you needed to disable SIP to use the NFS server?


In short, I just tried it. It took longer to type out this reply than it did to configure the NFS server on Ventura, test it from Linux, and shut it down again.

May 16, 2023 1:59 PM in response to etresoft

Sure, my problem is that in order to use NFS to share files with the Kodi app on my Xbox I can't use it out-of-the-box, I just need to add a line to the nfsd.plist file to allow non-root users to access my shared folders.

For doing so, SIP needs to be disabled because it's a file in a system folder and it's not writable by default. In the previous macOS versions, the whole process would take around 2 minutes. With the new restrictions, I couldn't find a single way to modify that file.

The weirdest part is that the same file is not present in the recovery mode (Under /System/Library/LaunchDaemons/).


The server is up and working. I just can't run it with the setting I need for the NFS client in Kodi to be able to access it. Any help on a workaround would be deeply appreciated.
