SIP (System Integrity Protection)

sudo gem install bundler
/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/universal-darwin15/rbconfig.rb:213: warning: Insecure world writable dir /Users/lucas/dev/android/dex2jar/dex2jar- in PATH, mode 040777
Fetching: bundler-1.13.1.gem (100%)
ERROR:  While executing gem ... (Errno::EPERM)
   Operation not permitted - /usr/bin/bundle

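Googling the error turned up the fix: /usr/bin is one of the directories SIP restricts, so even root cannot write /usr/bin/bundle.

After adding the option -n /usr/local/bin, which puts the executable in an unrestricted directory, it works.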

sudo gem install bundler -n /usr/local/bin
Successfully installed bundler-1.13.1
Parsing documentation for bundler-1.13.1
Installing ri documentation for bundler-1.13.1
1 gem installed

The full list of restricted directories (and exceptions like /usr/local and a few others) is in /System/Library/Sandbox/rootless.conf. Of course, this file is itself in a restricted area.
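An added example (not from the original post): a shell function that decides whether a path falls in a restricted area by longest-prefix match against rootless.conf entries. It assumes each line is tab-separated with the path in the last column and a `*` in the first column marking an exception; the embedded entries are a constructed excerpt, and `sample_conf` and `sip_status` are hypothetical names.

```shell
#!/bin/sh
# Constructed excerpt in the assumed rootless.conf layout: "<tag><TAB><path>".
# An empty tag means the path is restricted, "*" means it is an exception.
sample_conf() {
  printf '# constructed sample, not a copy of the real file\n'
  printf '%s\t%s\n' \
    ''  /System \
    '*' /System/Library/Caches \
    ''  /bin \
    ''  /sbin \
    ''  /usr \
    '*' /usr/local \
    '*' /usr/share/man
}

# usage: sip_status <path> [conf-file]
# Prints "restricted" or "unrestricted". The most specific (longest) entry
# that is a whole-component prefix of <path> decides the answer.
sip_status() {
  target=$1
  conf=${2:-}
  if [ -n "$conf" ]; then cat "$conf"; else sample_conf; fi |
  T="$target" awk -F '\t' '
    /^#/ || NF < 2 { next }            # skip comments and blank lines
    {
      p = $NF; tag = $1; t = ENVIRON["T"]
      # match the entry itself or anything below it, never "/usrfoo" for "/usr"
      if (t == p || index(t, p "/") == 1) {
        if (length(p) > best) { best = length(p); exc = (tag == "*") }
      }
    }
    END { print ((best && !exc) ? "restricted" : "unrestricted") }'
}

# Demo on the two install targets from the session above.
for p in /usr/bin/bundle /usr/local/bin/bundle; do
  printf '%s: %s\n' "$p" "$(sip_status "$p")"
done
```

On a Mac, pass /System/Library/Sandbox/rootless.conf as the second argument to check against the real list.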

When you upgrade to El Capitan, it moves any “unauthorized” files from restricted areas to /Library/SystemMigration/History/Migration-(some UUID)/QuarantineRoot/.

This does block some significant things like injecting code into the built-in Apple apps (notably the Finder). It also means that dtrace-based tools for system monitoring (e.g. opensnoop) will not be able to monitor & report on many system processes.