macOS 13.5 no longer allows setting system wide ulimits

141 点作者 hashhar超过 1 年前

13 条评论

kevincox超过 1 年前

The default limit is in place because select() uses a fixed size bitmap for file descriptors. If a program that uses select opens more than that many files it will make an out of bounds write. It is probably better to make the file descriptor allocation fail than have memory corruption.All programs that don't use select() should raise the limit to the hard limit on startup. Then drop it back down before exec()ing another program. It is a silly dance but that is the cost of legacy. I'm surprised that these programs that are affected can't add this dance in.

评论 #37234860 未加载

评论 #37234300 未加载

评论 #37234680 未加载

评论 #37235563 未加载

评论 #37234615 未加载

crest超过 1 年前

At least it's only the soft limit. The hard limit isn't reduced. The simplest workaround is to wrap the start of the of process with a shell script raising the soft limit before it execs into the application you want to run.

评论 #37234413 未加载

Angostura超过 1 年前

The error message indicates that "Operation not permitted while System Integrity Protection is engaged"..... and if SIP is turned off?

评论 #37234438 未加载

评论 #37235401 未加载

c-hendricks超过 1 年前

I've ... always used ulimit on macOS, going back almost a decade. Never heard of using `launchctl` to change it.<a href="https://www.google.com/search?q=ulimit+mac+site%3Astackoverflow.com&oq=ulimit+mac+site%3Astackoverflow.com" rel="nofollow noreferrer">https://www.google.com/search?q=ulimit+mac+site%3Astackoverf...</a>vs<a href="https://www.google.com/search?q=%22launchctl+limit+maxfiles%22+site%3Astackoverflow.com" rel="nofollow noreferrer">https://www.google.com/search?q=%22launchctl+limit+maxfiles%...</a>

henvic超过 1 年前

Globals are a nightmare. Despite this being something really common to do for developers and something that will cause a pain for a lot of early adopters of [whatever software that requires it], I see this as a great move!

评论 #37234271 未加载

semireg超过 1 年前

As an aside, Quinn “The Eskimo!” is a legend. They have helped me on a few occasions with code signing electron apps. In the American south there is a saying “doing the lords work.” Thank goodness we have people like Quinn. Their understanding of complex system and abilities to troubleshoot are invaluable.

评论 #37234571 未加载

评论 #37235546 未加载

评论 #37235704 未加载

评论 #37234965 未加载

roblh超过 1 年前

I am, at this exact moment, getting bodied by a ulimit problem on mac. Apparently with pacman, directories attached with bind mounts have a fixed ulimit of 64 internally and running npm install inside a mounted project explodes completely because of it. Funny that this turns up right now, even if it’s not a fix for my particular problem.

CodesInChaos超过 1 年前

I think a security option that does the following would make sense:1. exec should reduce the hard-limit to FD_SETSIZE unless it's passed a flag2. When a process calls `select` while having a hard-limit > FD_SETSIZE, it gets terminated. (Strictly speaking this doesn't prevent the memory corruption, since it happens in select's support macros, not select itself. But I'd expect it to be good enough in practice)A modern application which doesn't use `select` should raise its own hard-limit during startup, option into the select-termination in exchange for the ability to open many files.

amelius超过 1 年前

Only superroot (i.e., Apple) can change it.

baq超过 1 年前

I've been saying for as long as I've got a macbook pro that the hardware is absolutely above anything available from other vendors but macOS is crap for development. Interesting to know it actively and intentionally becomes even worse :/

评论 #37234508 未加载

评论 #37235628 未加载

评论 #37235321 未加载

评论 #37234878 未加载

评论 #37234457 未加载

评论 #37234964 未加载

评论 #37234661 未加载

评论 #37234473 未加载

dinkblam超过 1 年前

a much worse recent change is documented here:<a href="https://www.mothersruin.com/software/SuspiciousPackage/faq.html#finder-open-with" rel="nofollow noreferrer">https://www.mothersruin.com/software/SuspiciousPackage/faq.h...</a>basically no experienced Mac user would ever open a .PKG package with the Installer, but rather open it with a safe inspection app (Suspicious Package, Pacifist) first, either for security inspection of the pre- & post-install scripts, or to do a manual install outright to prevent the security nightmare that actually installing a package is.while inspecting and/or manually installing packages is much safer than installing packages with the installer, it is now effectively outlawed by Apple. continuing to do things in the safe way now takes a lot more time...

zarzavat超过 1 年前

Just turn off SIP. SIP is for regular users who don’t know what a ulimit is, the whole point of SIP is to lock down the OS as much as possible.If you’re a developer, you live in the Terminal, you obviously need full control over your OS.edit: I appreciate the irony of being downvoted for suggesting having control over your OS on Hacker News, so keep it coming please. Mo’ downvotes mo’ irony.

评论 #37234597 未加载

评论 #37235496 未加载

评论 #37235052 未加载

评论 #37234565 未加载

评论 #37235388 未加载

评论 #37234716 未加载

pierat超过 1 年前

So, who's computer is it REALLY when you can't make settings/decisions about the computer you bought? When some other entity, manufacturer included, is making decisions you cant change or reverse, sounds like they retain real ownership.Its high time for the FTC to start busting fraudulent rentals misrepresented as a "sale".(And anybody viewing the Apple ecosystem KNEW this anti-owner lockdown phone shit would eventually hit their laptop and desktop computers as well. But for some reason, the Apple fanatics are OK with this stuff. )

评论 #37235892 未加载