At least it's only the soft limit. The hard limit isn't reduced. The simplest workaround is to wrap the start of the of process with a shell script raising the soft limit before it execs into the application you want to run.
The error message indicates that "Operation not permitted while System Integrity Protection is engaged".
.... and if SIP is turned off?
I've ... always used ulimit on macOS, going back almost a decade. Never heard of using `launchctl` to change it.
https://www.google.com/search?q=ulimit+mac+site%3Astackoverf...
vs
https://www.google.com/search?q=%22launchctl+limit+maxfiles%...
Globals are a nightmare. Despite this being something really common to do for developers and something that will cause a pain for a lot of early adopters of [whatever software that requires it], I see this as a great move!
As an aside, Quinn “The Eskimo!” is a legend. They have helped me on a few occasions with code signing electron apps. In the American south there is a saying “doing the lords work.” Thank goodness we have people like Quinn. Their understanding of complex system and abilities to troubleshoot are invaluable.
I am, at this exact moment, getting bodied by a ulimit problem on mac. Apparently with pacman, directories attached with bind mounts have a fixed ulimit of 64 internally and running npm install inside a mounted project explodes completely because of it. Funny that this turns up right now, even if it’s not a fix for my particular problem.
I think a security option that does the following would make sense:
1. exec should reduce the hard-limit to FD_SETSIZE unless it's passed a flag
2. When a process calls `select` while having a hard-limit > FD_SETSIZE, it gets terminated. (Strictly speaking this doesn't prevent the memory corruption, since it happens in select's support macros, not select itself. But I'd expect it to be good enough in practice)
A modern application which doesn't use `select` should raise its own hard-limit during startup, option into the select-termination in exchange for the ability to open many files.
Only superroot (i.e., Apple) can change it.
I've been saying for as long as I've got a macbook pro that the hardware is absolutely above anything available from other vendors but macOS is crap for development. Interesting to know it actively and intentionally becomes even worse :/
a much worse recent change is documented here:
https://www.mothersruin.com/software/SuspiciousPackage/faq.h...
basically no experienced Mac user would ever open a .PKG package with the Installer, but rather open it with a safe inspection app (Suspicious Package, Pacifist) first, either for security inspection of the pre- & post-install scripts, or to do a manual install outright to prevent the security nightmare that actually installing a package is.
while inspecting and/or manually installing packages is much safer than installing packages with the installer, it is now effectively outlawed by Apple. continuing to do things in the safe way now takes a lot more time...
Just turn off SIP. SIP is for regular users who don’t know what a ulimit is, the whole point of SIP is to lock down the OS as much as possible.
If you’re a developer, you live in the Terminal, you obviously need full control over your OS.
edit: I appreciate the irony of being downvoted for suggesting having control over your OS on Hacker News, so keep it coming please. Mo’ downvotes mo’ irony.
So, who's computer is it REALLY when you can't make settings/decisions about the computer you bought? When some other entity, manufacturer included, is making decisions you cant change or reverse, sounds like they retain real ownership.
Its high time for the FTC to start busting fraudulent rentals misrepresented as a "sale".
(And anybody viewing the Apple ecosystem KNEW this anti-owner lockdown phone shit would eventually hit their laptop and desktop computers as well. But for some reason, the Apple fanatics are OK with this stuff. )
The default limit is in place because select() uses a fixed size bitmap for file descriptors. If a program that uses select opens more than that many files it will make an out of bounds write. It is probably better to make the file descriptor allocation fail than have memory corruption.
All programs that don't use select() should raise the limit to the hard limit on startup. Then drop it back down before exec()ing another program. It is a silly dance but that is the cost of legacy. I'm surprised that these programs that are affected can't add this dance in.