If you are trying to install Dell SonicWALL NetExtender (it’s a VPN client) on OSX El Capitan, you might run into a situation where it won’t connect to the VPN server and you might see this in the logs.
10/31/2015 13:09:33.292 [general notice] SSL Connection is ready 10/31/2015 13:09:34.301 [general info] Using new PPP frame encoding mechanism 10/31/2015 13:09:34.302 [general info] Using PPP async mode 10/31/2015 13:09:34.308 [general info] Connecting tunnel... 10/31/2015 13:09:34.308 [general error] ERROR: Pppd is not setuid-root and the invoking user is not root. (3) 10/31/2015 13:09:34.308 [general fatal] Please delete and reinstall NetExtender, or run 'chmod u+s /usr/sbin/pppd' as an administrator. 10/31/2015 13:09:34.308 [general notice] SSL VPN logging out... 10/31/2015 13:09:35.094 [general notice] SSL VPN connection is terminated.
If you then try to do as the logs say, you won’t be able to do it.
$ sudo chmod u+s /usr/sbin/pppd Password: chmod: Unable to change file mode on /usr/sbin/pppd: Operation not permitted
Apparently, there is a new feature called ‘System Integrity Protection‘ in OSX El Capitan, which restricts the root account to do perform certain actions.
System Integrity Protection is a security technology in OS X El Capitan that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.
In OS X, the “root” user account previously had no permission restrictions and could access any system folder or application on your Mac. Software gained root-level access when you entered your administrator name and password to install it and could then modify or overwrite any system file or application.
System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.
So, in order to fix the issue at hand, the System Integrity Protection (SIP) must be disabled first, then NetExtender must be installed and SIP must then be enabled back again. Here is MacWorld’s article on how to do it. Basically, these are the steps :-
- Restart your Mac in recovery mode (hold CMD+R during restart)
- Go to Utilities menu and open Terminal and type in the command ‘csrutil disable’
- Restart Mac again and run the command ‘sudo chmod u+s /usr/sbin/pppd’ and then install NetExtender again. Try connecting to VPN and confirm it works this time.
- Restart Mac again in recovery mode and run command ‘csrutil enable’
SIP enabling/disabling might be needed for a lot of other reasons, however, I needed it today to install NetExtender. But the same steps could be followed for any other command that’s been restricted because of this new feature.