undefined | Better HN

0 pointseridius10y ago0 comments

The point of rootless (SIP) is to prevent malware from being able to embed itself into the system such that it's difficult or impossible to remove. And it's also a completely different technology than sandboxing.

0 comments

teacup5010y ago

Which in of itself is pretty much an impossible goal, and in the meantime, it destroys a litany of use-cases that make computers useful to people.

eridiusOP10y ago

No it doesn't. It should be vanishingly rare for software not shipped by Apple to be impacted by rootless. The whole point of the feature is to prevent files that should never be modified from being modified. The only software that I can think of that's impacted by rootless is Xcode, which is of course Apple's own app. I can't think of anything else that should be hampered by the inability to modify system files. Can you name any other software that has a problem with this?

And if you really want to disable rootless anyway, you can do so. Boot into the recovery partition and there's an option there to turn off rootless.

I'm also completely baffled by the claim that, just because no security solution is 100% perfect, that we shouldn't even try. That makes no sense at all. Yes, security is hard. But protecting you from 99% of all malware, even if there's the rare case of malware that gets past you, is still extremely useful. Besides, it's awfully cynical to declare that SIP is an impossible goal before you've even looked at it.

ddoolin10y ago

Just found one yesterday: https://github.com/binaryage/asepsis/issues/30

But, you can disable SIP so not sure how much it really matters.

1 more reply

j / k navigate · click thread line to collapse