The golden era of the Mac as a virus-proof computer has ended, and malware has become a serious issue that Apple needs to address if it wants to be able to stand by the message it puts out to its users: Apple takes your privacy very seriously.
While macOS relies on multiple security measures to provide the confidence that your data is protected against malware, there is still a superuser on any Mac that can uproot all of these. When you ‘root’ the Mac, you’re gaining full control over the computer, which also includes the power to disable all those security measures on the machine. To protect the Mac from a rogue superuser, Apple has now limited these root powers by implementing a new layer of security called System Integrity Protection or SIP.
SIP is a new layer of security for protecting the operating system from malware attacks and was introduced by Apple with macOS (then OS X) 10.10 El Capitan in 2015. SIP sits atop the other security layers that were enabled before macOS 10.10. These are:
While this protection mechanism looks secure at first glance, there are a few problems with it. First, Gatekeeper won’t stop an app from doing anything once it is running, and it won’t protect the macOS installed on the computer. Second, sandboxing is only an opt-in feature of macOS, meaning that system processes are not required to run in a sandbox.
While there are shared Macs out there, the majority of Apple computers are actually single-user systems, and therefore the user running the system is an admin account. That means the root account – which has superuser privileges – and the whole operating system is only protected by a typically weak password.
And let’s not forget about the human factor: if software politely asks for a password, users are likely to provide it. In other words, there is a huge security risk here that Apple needed to address, which is what it did with the introduction of SIP.
The powers of the superuser become a serious threat if used for malicious purposes, so Apple has decided to “protect the system” from root functions. SIP is essentially a security policy applied to the overall system and serves the purpose of preventing the modification of system files and processes by third parties. To do that, the company has designed SIP to:
Since Apple has taken away power from the superuser, it can’t implement this security measure in the operating system itself since the superuser is part of the operating system. This is why Apple had to store the SIP configuration in the NVRAM instead of the file system. SIP is only configurable when the Mac is booted into either the macOS Installer or the macOS Recovery environment.
Storing the SIP configuration in NVRAM has two advantages: first, it applies to the entire system; and second, it remains untouched, even with macOS reinstalled. And the Mac remains protected from the powers of the superuser.
With SIP turned on, advanced Mac users cannot reach restricted areas with Terminal commands, such as deleting ‘sleepimage’ for example. These commands were executed easily using the power of the root superuser in earlier versions of macOS. As a result, those who want full access to the system will find the security measure uncomfortable, so for these users it makes sense to disable it and claim back full control of the machine.
From the Apple menu, select Restart.
Hold down the Command + R keys to boot into the Recovery OS.
From the Utilities menu, select Terminal.
If you decide to re-enable SIP, you can follow the steps above, but instead of “csrutil disable” type the “csrutil enable” command.
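To confirm the outcome after re-enabling SIP, or to audit a Mac that someone else has configured, `csrutil status` can be run from a normal Terminal session. The script below is an added example, not part of the original article; the function names are hypothetical, and the sample output is constructed, with its exact wording an assumption modelled on csrutil's output format.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output so a check fails unless SIP is fully on.

# Print one of: enabled, disabled, custom, unknown.
sip_state() {
    status_line=$(printf '%s\n' "$1" | grep 'System Integrity Protection status:' | head -n 1)
    case "$status_line" in
        *"Custom Configuration"*) echo custom ;;   # some protections switched off individually
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# List the individual protections reported as disabled (custom configurations only).
sip_disabled_parts() {
    printf '%s\n' "$1" |
        sed -n '/Protection status:/d; s/^[[:space:]]*\(.*\): disabled$/\1/p'
}

# $1: captured `csrutil status` text; if empty, query the live system (macOS only).
# Returns 0 only when SIP is fully enabled.
sip_check() {
    out=$1
    if [ -z "$out" ]; then
        command -v csrutil >/dev/null 2>&1 || { echo "csrutil not found" >&2; return 2; }
        out=$(csrutil status 2>&1)
    fi
    state=$(sip_state "$out")
    echo "SIP state: $state"
    if [ "$state" = custom ]; then
        sip_disabled_parts "$out" | sed 's/^/  off: /'
    fi
    [ "$state" = enabled ]
}

# Constructed sample (assumed format, not captured from a real Mac).
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Kext Signing: enabled
    Filesystem Protections: disabled
    NVRAM Protections: disabled'

sip_check "$SAMPLE_CUSTOM" || echo "-> SIP is not fully enabled"
```

On a Mac, calling `sip_check ""` queries the live system instead of the sample; a non-zero exit status means SIP is off or only partially enabled.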
We strongly advise against disabling SIP because it is a great security measure implemented by Apple to protect the Mac against malware. Still, it is your decision whether you choose to leave your Mac off-guard or not. It is possible to disable SIP, delete sleepimage and then re-enable SIP to keep your Mac protected from malware.