Hacker News new | past | comments | ask | show | jobs | submit login

Although possible to disable the feature, those steps are crazy complicated, and probably impossible for anyone who isn't a developer. (Apart from anything else, regular users should never be advised to disable SIP.)



I am sure the complexity is intentional.


Why should they not? Linux for example doesn't have any such features and somehow is okay to use like that.


A year ago, a Chrome update (its Keystone auto-update agent) corrupted system files in Macs which had SIP disabled [1]. The result was that they didn't boot anymore. Mac users who had SIP enabled were not affected.

I won't disable SIP and I'll avoid installing Google Chrome on my new Macs, if possible.

[1] https://support.google.com/chrome/thread/15235262?hl=en


If you can figure out how to disable SIP, you can figure out how to disable Keystone. The latter is probably a much better idea.


A major application briefly had a (very bad) bug. It happens. It probably won’t happen the same way again.


What stops a Linux program altering the system? I guess you need root access to change things outside of /usr/local this could easily be done on macOS too but the wheel had to be reinvented by Apple in a way that is probably less trustworthy.


With SIP you can't change some things even as root. SIP has definitely made macos a harder target, though it is still lagging Windows in some areas. Linux is almost comically unprotected.

@grishka Edit because I'm rate limited:

I've not seen anything that does executable validation for linux and actually works. Needs lots of kernel support. See the response from the old DigSig author: https://stackoverflow.com/questions/1732927/signed-executabl...

You can check binary signatures on disk (tripwire) but that is extremely tiresome to maintain and does not prevent straight loading of shellcode into memory.

More recently: https://lwn.net/Articles/733431/

Signed kernel modules is on its way though: https://www.kernel.org/doc/html/latest/admin-guide/module-si...

I guess that would be a place to start for implementing SIP...


>I've not seen anything that does executable validation for linux and actually works.

ChromeOS uses dm-verity to verify the root partition at runtime, similar to Mac OS's signed system volume.


So does Android. But the executable binaries themselves aren't signed, this only verifies the integrity of the system partition at boot time.


Interesting thanks, what would be the Linux equivalent of SIP?


SIP relies on entitlements, which rely on code signing. I'm not sure code signing is at all a thing on Linux.


Package signing is definitely a thing on Linux.


On installation sure, but not on execution.

/usr/bin/vim was installed by my package manager, but there's no guarentee the version I'm running matches the version that was installed. Now in debian there is a file which has a checksum of the version the package installed, but that's not checked on execution, nor is it itself signed (so the process that replaced vim could just as easilly replace the checksum, or the process that checks the checksum)


You actually need root on macOS to modify anything under /System, and this was the case even before SIP. This is why some installers ask for the root password.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: