Mac users: OS X 10.11 El Capitan is here, and it’s pretty great. Most users will get a noticeable performance boost, and there are some (relatively minor) new features.
But what’s the biggest change Apple made this time around? Security. OS X is now so locked down even root users can’t modify the operating system – let’s go over what that means, shall we?
System Integrity Protection: Root Has No Power Here
Remember this old cartoon?
Don’t get it? Well, in many UNIX-like systems – including OS X – the command sudo is short for “superuser do”. Putting “sudo” in front of a command, assuming your user account is an administrator, lets you do things you can’t otherwise.
Basically, if you’re a superuser, you can do anything – unless, of course, you’re running El Capitan. In this version of OS X you cannot edit core system files, at all, regardless of whether you’re root.
This is because of System Integrity Protection (SIP) – sometimes called rootless – a new feature that means users and third-party software, including malware, cannot change core system files.
To summarize, SIP means that:
- Core system files cannot be re-written, even by root users.
- Injecting code into protected processes is no longer permitted by the system.
- Only signed kernel extensions can run – no exceptions.
The basic idea here is that if you can’t modify these core files, neither can malware or hackers. But there are some potential downsides, especially if you’re the kind of user who likes to hack or customize things.
System Directories Cannot Be Edited
In El Capitan, the contents of certain folders cannot be altered by the user or any program the user might choose to run. Which folders?
- /usr (except “/usr/local”)
Testing this is simple: head to the Terminal and try to create a new directory in /System. It won’t work:
This means that you, and any programs you might choose to run, can’t make any changes to OS X – even if you’re a root user, and even if you type your password. This also means that malware and hackers can’t change anything in those folders.
Any application that worked in part by making changes to these folders isn’t going to work in El Capitan, full stop, without some sort of update.
And this change is retroactive, meaning if you’ve done anything to edit OS X in the past, those changes are going to revert when you upgrade to El Capitan – but you can recover all the files and changes if you want: they’re in /Library/SystemMigration.
Holy hell. When you install Mac OS X 10.11 "El Jefe", rootless moves a *bunch* of stuff to /Library/SystemMigration/ I have stuff from 2006!
— Rosyna Keller (@rosyna) September 21, 2015
No More Injecting Things Into Memory
Did you ever use EasySIMBL, which lets you customize almost anything on your Mac? This program can add functionality to programs and OS X itself, and accomplishes this by injecting code into a currently-running program. For example: one plugin for EasySIMBL made Twitter’s official Mac client support embedded images from Instagram, a feature it doesn’t otherwise have.
This can be really cool, but it’s also using the exact methodology that a lot of common malware uses to do all sorts of nasty things. It’s no longer possible in El Capitan.
This breaks things like EasySIMBL, and the popular Flashlight plugin system for Spotlight, on El Capitan – but also prevents all sorts of theoretically possible malware.
No More Unsigned Kernel Extensions
Kernel extensions are pieces of software that interact directly with the system’s kernel. Most Mac users will probably never install a kernel extension, unless they need drivers for some sort of third party hardware.
And from now on all kernel extensions – including drivers – need to be signed in order to run. This means that if you rely on a piece of hardware that relies on an unsigned driver, that driver will not load in El Capitan – your device manufacturer needs to release a signed driver, or you’ll be unable to use your hardware.
Turning Off SIP/Rootless In El Capitan
These changes will, without question, improve security – but some people feel it’s not worth the loss of freedom.
Mac OS X El Capitan is a nightmare for developers with *** rootless implementation
— Necromant2005 (@necromant2005) October 5, 2015
Whether you agree with these complaints, or simply rely on apps or hardware that don’t work with SIP enabled, it’s possible to turn this security function off.
System Integrity Protection cannot be disabled from within the OS itself: you need to boot into OS X Recovery. Shut down your Mac, then hold CMD+R while it’s starting up.
Once the system loads OS X Recovery, open the Terminal from the menu bar, then type csrutil disable and hit Enter. If you later want to turn SIP/rootless back on, repeat this process, but type csrutil enable in the Terminal.
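Because SIP can be switched off from Recovery as described above, an admin who manages several Macs may want to verify that it is still on. The script below is an added example (not from the original article or from Apple): it parses the status line that El Capitan’s csrutil status prints (“System Integrity Protection status: enabled.” or “… disabled.”) and returns a distinct exit code for each state, so it can be dropped into an inventory or compliance job.

```shell
#!/bin/sh
# Added example: report whether System Integrity Protection (rootless) is on.
# Assumes the El Capitan `csrutil status` output format:
#   System Integrity Protection status: enabled.
#   System Integrity Protection status: disabled.

# sip_state_from_output OUTPUT
# Prints "enabled", "disabled" or "unknown" for a captured csrutil status text.
sip_state_from_output() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *)                                                 echo unknown ;;
    esac
}

# check_sip
# Runs csrutil when it exists (macOS 10.11+); elsewhere the state is unknown.
# Exit status: 0 = SIP enabled, 1 = SIP disabled (flag this machine),
#              2 = could not determine (csrutil missing or unexpected output).
check_sip() {
    if command -v csrutil >/dev/null 2>&1; then
        out=$(csrutil status 2>&1)
    else
        out=""
    fi
    state=$(sip_state_from_output "$out")
    printf 'SIP: %s\n' "$state"
    case "$state" in
        enabled)  return 0 ;;
        disabled) return 1 ;;
        *)        return 2 ;;
    esac
}

# Run the check when executed directly (harmless elsewhere: prints "SIP: unknown").
check_sip
```

A non-zero exit from check_sip is the signal to investigate: on a Mac, exit 1 means someone has booted into Recovery and run csrutil disable.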
Alternatively, you could simply not install El Capitan for a while – you can get the great features without upgrading anyway.
Other Various Security Patches
SIP isn’t the only new security feature in El Capitan – just the most noteworthy. You can read Apple’s long list of OS X security updates, if you like, but here are a few highlights:
- Many changes to apps to protect Keychain access.
- Improved encryption algorithms.
- Changes to the EFI to prevent system-wide tampering.
- An improved form of two-factor authentication for iCloud users.
Security or Freedom?
ugh, having to turn off rootless mode in el capitan so I can replace my mac's icons feels weird
— Zach Smith (@Zacitus) July 24, 2015
I’ve talked about how El Capitan’s new security functions are the end of Mac customization, and the comments I got surprised me – people basically said “So what?”.
Maybe more Mac users agree with this: that they’d rather have security features like SIP than the ability to tweak things. I want to know what you think: is there a tradeoff here, and is it worth it? Let’s talk this over in the comments.
Image Credits: “Sandwich” courtesy of XKCD