Cartoonguy
Level 1 (8 points)
Mac OS X

Q: Do I need System Integrity Protection?

There are some utility apps like XtraFinder and Default Folder X which will not work with El Capitan unless the user goes into Terminal and switches off System Integrity Protection.  There are many articles about how to do this, but they all warn that it is not so safe to do so because it is there to protect you from Malware and such.  So my question is, how important really is SIP?  That is, did it not exist at all before El Capitan?  So by disabling it, would I simply be in the same risk position as when I was running Yosemite and every other OSX before it?  If that's true, then I guess SIP can't be that vital to have running.

iMac, OS X El Capitan (10.11), 3.4 GHz, Fusion drive

Posted on Oct 10, 2015 12:57 PM

by Topher Kessler,Solvedanswer
Topher Kessler Topher Kessler
Level 6 (9,866 points)
A:

SIP is just another layer of security, and as with all others is only there to help protect against certain threats; however, SIP is a non-specific approach that has imposed limitations. Your logic is absolutely correct, in that if it has not been an issue before El Capitan, then you can keep it disabled to be at the same level of the "security vs capability" compromise as you were before, and not be affected by its restrictions. Unfortunately some software will not be able to run as it previously did under the new restrictions of SIP, so those who wish to use these programs might benefit from disabling SIP.

 

Ultimately SIP is there to protect the masses, and not be something that everyone will need. If you're savvy and understand your Mac and the software you run, then you will likely not need SIP or other similar protections at all.

Posted on Oct 11, 2015 8:53 PM

Close
Cartoonguy

Q: Do I need System Integrity Protection?

  • All replies
  • Helpful answers

  • by VikingOSX,Helpful

    VikingOSX VikingOSX Oct 11, 2015 7:07 PM in response to Cartoonguy
    Level 7 (21,428 points)
    Mac OS X
    Oct 11, 2015 7:07 PM in response to Cartoonguy

    SIP did not exist prior to El Capitan and is Apple's answer to prevent malware from writing into and changing guarded system locations. It is on by default for your protection. If there is an application that you want to install — directly — from a known, and trusted development source, and SIP blocks its installation, then turn off SIP *only* as long as it takes to install the application. Re-enable SIP immediately afterwards.

  • by Cartoonguy,

    Cartoonguy Cartoonguy Oct 10, 2015 1:28 PM in response to VikingOSX
    Level 1 (8 points)
    Mac OS X
    Oct 10, 2015 1:28 PM in response to VikingOSX

    I believe it needs SIP off the whole time to run as it is a system utility, but I'm not entirely sure.  In any case, if SIP is so vital, why was it perfectly okay not to have it all these years before El Capitan?  I mean, if I had not upgraded to El Capitan, then I would be using Yosemite without SIP, so why do I need to worry about it now?  Do you mean that Yosemite users are suddenly in grave danger of malware?

  • by Linc Davis,

    Linc Davis Linc Davis Oct 11, 2015 5:02 PM in response to Cartoonguy
    Level 10 (208,037 points)
    Applications
    Oct 11, 2015 5:02 PM in response to Cartoonguy

    If a third-party developer is too lazy or incompetent to update his products for compatibility with a security feature that was announced about six months ago, does that mean you should weaken the security of your system?

  • by KiltedTim,

    KiltedTim KiltedTim Oct 11, 2015 5:08 PM in response to Cartoonguy
    Level 9 (56,366 points)
    Mac OS X
    Oct 11, 2015 5:08 PM in response to Cartoonguy

    Cartoonguy wrote:

     

    I believe it needs SIP off the whole time to run as it is a system utility, but I'm not entirely sure.  In any case, if SIP is so vital, why was it perfectly okay not to have it all these years before El Capitan?  I mean, if I had not upgraded to El Capitan, then I would be using Yosemite without SIP, so why do I need to worry about it now?  Do you mean that Yosemite users are suddenly in grave danger of malware?

    It's becoming more important to have these kinds of protective measures in place because malware authors are beginning to target OS X more as its market share grows to a significant percentage of the computer using public.

  • by Allan Eckert,

    Allan Eckert Allan Eckert Oct 11, 2015 6:21 PM in response to Cartoonguy
    Level 9 (54,050 points)
    Desktops
    Oct 11, 2015 6:21 PM in response to Cartoonguy

    Read About System Integrity Protection on your Mac - Apple Support

  • by Cartoonguy,

    Cartoonguy Cartoonguy Oct 11, 2015 7:06 PM in response to Linc Davis
    Level 1 (8 points)
    Mac OS X
    Oct 11, 2015 7:06 PM in response to Linc Davis

    Linc Davis wrote:

     

    If a third-party developer is too lazy or incompetent to update his products for compatibility with a security feature that was announced about six months ago, does that mean you should weaken the security of your system?

    Not sure you can pin this on software developers.  Even Avid takes months to come out with compatible software for their professional apps every time there is a new OS.  Read one explanation here regarding Default Folder X.  They explain that it requires a complete rewrite of the software:  http://www.stclairsoft.com/DefaultFolderX/el_capitan.html

     

    What is clear to me now is that SIP is as good as completely unnecessary right now.  If it was so vital, then all the Yosemite users would be screaming with all the malware and hacks and such.  It's just not happening.  SIP is good practices going forward, but Apple does not tend to think that third party software which changes the OS, like Xtra Finder and Default Folder, should be accommodated, so they don't care that SIP blocks them from being used.

     

    As far as Mac OS becoming more popular:  Really?  "becoming more popular"?  I kind of think that by now, if Mac's were going to be victim's of virus's and such, it would have happened a few billion dollars worth of market share ago.  As I say, I get that it's good to do this, but it amounts to wearing a helmet inside your car as well as your seatbelt.  Yes, it could be useful, but you look pretty stupid.  Okay, the analogy is not perfect, but you know what I mean.

  • by Whickwithy,

    Whickwithy Whickwithy Oct 11, 2015 8:24 PM in response to Cartoonguy
    Level 1 (68 points)
    Mac OS X
    Oct 11, 2015 8:24 PM in response to Cartoonguy

    Have you tried looking at the Security and Privacy System Preferences after downloading?  I find that, the way I have things set, I have to go to that window and tell it I want to enable the operation, if it wasn't from a recognized source (in my case, the Apple Store only).  If that is the case, the ability to override should show up on the "general" page of the Security and Privacy System Preferences at the bottom, just below "allow apps downloaded from:"  choices.

     

    Oh, and if you set that choice to "anywhere", it may completely obviate the problem.  Of course, there is the possibility you are running into something completely different, I guess.

  • by Topher Kessler,Solvedanswer

    Topher Kessler Topher Kessler Oct 11, 2015 8:53 PM in response to Cartoonguy
    Level 6 (9,866 points)
    Oct 11, 2015 8:53 PM in response to Cartoonguy

    SIP is just another layer of security, and as with all others is only there to help protect against certain threats; however, SIP is a non-specific approach that has imposed limitations. Your logic is absolutely correct, in that if it has not been an issue before El Capitan, then you can keep it disabled to be at the same level of the "security vs capability" compromise as you were before, and not be affected by its restrictions. Unfortunately some software will not be able to run as it previously did under the new restrictions of SIP, so those who wish to use these programs might benefit from disabling SIP.

     

    Ultimately SIP is there to protect the masses, and not be something that everyone will need. If you're savvy and understand your Mac and the software you run, then you will likely not need SIP or other similar protections at all.

  • by Topher Kessler,

    Topher Kessler Topher Kessler Oct 11, 2015 8:56 PM in response to Cartoonguy
    Level 6 (9,866 points)
    Oct 11, 2015 8:56 PM in response to Cartoonguy

    Cartoonguy, your assessment is 100% correct, but dont expect some posters on this forum to acknowledge such facts.

  • by Cartoonguy,

    Cartoonguy Cartoonguy Oct 12, 2015 10:58 AM in response to Topher Kessler
    Level 1 (8 points)
    Mac OS X
    Oct 12, 2015 10:58 AM in response to Topher Kessler

    The only addendum to this issue is that Apple no longer has the oft used "repair permissions" option is no longer available in El Capitan and that's because SIP is supposed to stop the need for it. Found on the web: "The bottom line here is that Repair Disk Permissions is going away because Apple is hardening OS X against alterations to critical system files via System Integrity Protection. The fallout for the customer is that it'll be more important than ever to certify that every critical app used is ready for the migration to El Capitan."

     

    So if we have SIP disabled, but we can no longer repair permissions, could that be an issue?