Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

SIP question

petekjohnson

petekjohnson

macrumors member
Original poster
May 24, 2012
65
26
Springfield, MO
Just curious, but what exactly is the downside to disabling SIP on Ventura, Monterey or Big Sur, since all of them already cant really be tampered with due to the System volume being read-only and when you boot you're only booting off a snapshot (SSV)?
 
G

gilby101

macrumors 68030
Mar 17, 2010
2,596
1,394
Tasmania
SIP protects changes to some parts of the r/w part of the system volume - even when using root access. https://support.apple.com/en-us/HT204899

So the downside of disabling is that some parts of the system are not protected from malicious root access.

I have SIP disabled, but I am aware of the risk.

Recommend you leave it enabled unless you find a good reason to disable.
 
petekjohnson

petekjohnson

macrumors member
Original poster
May 24, 2012
65
26
Springfield, MO
I will probably reenable it, i just had to disable it to do something and wondered what the point of turning it back on was. Do you happen to know just which areas on the system that are not protected and need SIP? Curious.....
 
G

gilby101

macrumors 68030
Mar 17, 2010
2,596
1,394
Tasmania
petekjohnson said:
Do you happen to know just which areas on the system that are not protected and need SIP?
Click to expand...
As the Apple Support page says:
System Integrity Protection includes protection for these parts of the system:
  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that are pre-installed with OS X
Paths and apps that third-party apps and installers can continue to write to include:
  • /Applications
  • /Library
  • /usr/local
 
petekjohnson

petekjohnson

macrumors member
Original poster
May 24, 2012
65
26
Springfield, MO
Well I appreciate the info, but that just is not an accurate reflection of the exposed areas. U am almost 100% certain that all of those things reside on the read-only system volume with the exception of /usr and /Library and possibly areas in /var

Anyway, it's not a big deal, i am very careful with security practices and exposing myself to risky things for the most part so I don't imagine i should really be fretting.
 
E

elptdbi3lYI

macrumors 6502
Mar 26, 2021
317
271
SIP does more than protect filesystem locations, here are some of the things it controls, some pretty self explanatory:
  • CSR_ALLOW_UNAPPROVED_KEXTS
  • CSR_ALLOW_ANY_RECOVERY_OS
  • CSR_ALLOW_DEVICE_CONFIGURATION
  • CSR_ALLOW_UNRESTRICTED_NVRAM
  • CSR_ALLOW_UNRESTRICTED_DTRACE
  • CSR_ALLOW_TASK_FOR_PID
  • CSR_ALLOW_UNRESTRICTED_FS
  • CSR_ALLOW_UNTRUSTED_KEXTS
  • CSR_ALLOW_UNAPPROVED_KEXTS
  • CSR_ALLOW_ANY_RECOVERY_OS
  • CSR_ALLOW_DEVICE_CONFIGURATION
 
  • Like
Reactions: gilby101
Fishrrman

Fishrrman

macrumors Penryn
Feb 20, 2009
28,519
12,648
I DISABLE SIP on my Macs, as soon as I set them up.
No problems here that I can attribute to having done so...
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom