The golden era of the Mac as a virus-proof computer has ended, and malware has become a serious issue that Apple needs to address if it wants to be able to stand by the message it puts out to its users: Apple takes your privacy very seriously.
While macOS relies on multiple security measures to provide the confidence that your data is protected against malware, there is still a superuser on any Mac that can uproot all of these. When you ‘root’ the Mac, you’re gaining full control over the computer, which also includes the power to disable all those security measures on the machine. To protect the Mac from a rogue superuser, Apple has now limited these root powers by implementing a new layer of security called System Integrity Protection or SIP.
What Is System Integrity Protection?
SIP is a new layer of security for protecting the operating system from malware attacks and was introduced by Apple with macOS (then OS X) 10.10 El Capitan in 2015. SIP sits atop the other security layers that were enabled before macOS 10.10. These are:
- Gatekeeper, which is the first layer of security and has the role of stopping untrusted code apps from being launched.
- Sandbox, which restricts the app’s access to user data except for those that are actually given it.
- The POSIX permissions scheme, meaning that if the app is exploited and a hacker passes the first two layers, he or she only has the privileges granted to that specific user. In other words, standard users won’t have access to the systemwide configuration settings owned by the root user.
- And finally, the keychains, where the account names and passwords for apps, servers, and online accounts are stored. Keychain data is protected by the Mac user account password.
While this protection mechanism looks secure at first glance, there are a few problems with it: Gatekeeper won’t stop the app from doing anything when it is run, and it won’t protect the macOS installed on the computer. Secondly, sandboxing is only an opt-in feature of macOS, meaning that it is not a native requirement for system processes to actually run in a sandbox.
While there are shared Macs out there, the majority of Apple computers are actually single-user systems, and therefore the user running the system is an admin account. That means the root account – which has superuser privileges – and the whole operating system is only protected by a typically weak password.
And let’s not forget about the human factor: if software politely asks for a password, users are likely to provide it. In other words, there is a huge security risk here that Apple needed to address, which is what it did with the introduction of SIP.
What Does SIP Do?
The powers of the superuser become a serious threat if used for malicious purposes, so Apple has decided to “protect the system” from root functions. SIP is essentially a security policy applied to the overall system and serves the purpose of preventing the modification of system files and processes by third parties. To do that, the company has designed SIP to:
- Prevent parties other than Apple from modifying directories and files stored in certain directories.
- Restrict the functionality of a number of system calls.
- Block installation of unsigned kernel extensions.
Locating the SIP Configuration
Since Apple has taken away power from the superuser, it can’t implement this security measure in the operating system itself since the superuser is part of the operating system. This is why Apple had to store the SIP configuration in the NVRAM instead of the file system. SIP is only configurable when the Mac is booted into either the macOS Installer or the macOS Recovery environment.
Storing the SIP configuration in NVRAM has two advantages: first, it applies to the entire system; and second, it remains untouched, even with macOS reinstalled. And the Mac remains protected from the powers of the superuser.
Why Would You Disable SIP?
With SIP turned on, advanced Mac users cannot reach restricted areas with Terminal commands, such as deleting ‘sleepimage’ for example. These commands were executed easily using the power of the root superuser in earlier versions of macOS. As a result, those who want full access to the system will find the security measure uncomfortable, so for these users it makes sense to disable it and claim back full control of the machine.
How to Disable SIP
- From the Apple menu, select Restart.
- Hold down the Command + R keys to boot into the Recovery OS.
- From the Utilities, menu select Terminal.
- Type the command “csrutil disable”, and press return.
- Close the Terminal app and reboot your machine.
If you decide to re-enable SIP, you can follow the steps above, but instead of “csrutil disable” type the “csrutil enable” command.
We strongly advice against disabling SIP because it is a great security measure implemented by Apple to protect the Mac against malware. Still, it is your decision whether you choose to leave your Mac off-guard or not. It is possible to disable SIP, delete sleepimage and then re-enable SIP to keep your Mac protected from malware.
Best Mac Optimization Software of 2018