OS X 10.11, aka El Capitan, was released a few days ago and introduced System Integrity Protection (SIP). SIP is a security mechanism that, at its most basic, prevents even the root user from performing a range of actions. It's conceptually very similar to SELinux, but with none of the configurability. For the purposes of this post, the key "issue" is that SIP prevents root from writing to protected directories, namely /usr (amongst others).
In setting up a new machine tonight, I ran into an issue. I was unable to create a new crontab. After some digging, I realized that all of cron's magic is in /usr/lib on OS X. SIP is guarding /usr now, so there's no way to get a new crontab going. That's … problematic.