El Capitan ships with a new OS X feature: System Integrity Protection (SIP), also known as rootless mode. This reduces the attack surface for malware that relies on modifying system files by preventing any user, whether with system administrator (root) privileges or not, from modifying a number of operating system directories and files.
It doesn't eliminate the possibility of malware or folks finding a way to subvert this mode, but it does increase the difficulty of finding a hole to penetrate. All such changes discourage those who hack for profit or destruction, because the more time an attack takes and the less likely it is to succeed, the more often they turn to other operating systems and targets.
However, a few system-modifying and system-extending software programs can't work properly under SIP, as I discussed back in July in covering this feature and a simple workaround available in the public betas. The golden master (final release candidate) and shipping version of El Capitan have a minor change that makes it harder, but not impossible, to turn SIP off.
Early reports of problems with rootless mode seemed to indicate that a wider set of software might be unable to work with the restriction enabled, such as SuperDuper! from Shirt Pocket Software. However, Apple made changes during beta testing that resolved concerns with that app and others. (Shirt Pocket had to update SuperDuper! to deal with the omission of an open-source program, which breaks scheduled updates; those have to be re-created in the El Capitan-compatible release.)
At the moment, only a few widely used utilities won't work with SIP enabled:
Default Folder 4.7 from St. Clair Software. However, the developer is hard at work on version 5, which won't need to bypass SIP. It's expected out as early as the end of October, and is free to new purchasers of 4.7 from this point on.
BinaryAge will discontinue new development on its TotalFinder software that enhances the Finder, which will have some features missing. It will keep supporting TotalSpace2, a desktop spaces manager, but that app will require disabling SIP to function.
Rogue Amoeba has opted to discontinue Intermission, which it says wasn't one of its big sellers, as it is incompatible with SIP, and incorporated its functionality into Audio Hijack.
There were previously concerns about a few utilities that have been resolved:
Surtees Studios' Bartender 1.3, a menu bar app organizer, could work with SIP using a round-trip to Recovery with two restarts (disable, install, enable), but the developers were able to finish Bartender 2.0 in time for El Capitan's release. The new version is fully compliant with SIP.
Disk Sensei 1.2 and Trim Enabler 3.1 from Cindori now work without rootless turned off; earlier versions did not.
Both SuperDuper! and Carbon Copy Cloner work with SIP enabled.
Disabling rootless mode in the El Capitan beta required just selecting a menu item after booting into the Recovery disk. Now, it's slightly more involved with El Capitan.
Warning: The point of SIP is to prevent malware and other unwanted modifications to system files. Consider whether or not you want to dispense with this protection.
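One way to confirm that SIP is fully back on, for example after the disable, install, enable round-trip mentioned above (an added example, not part of the original article): the script classifies the output of `csrutil status`, the command-line tool that reports SIP state on El Capitan. The status-line wording it matches is an assumption, and the sample strings are constructed for the example.

```shell
#!/bin/sh
# Added example: classify SIP state for an audit. The status-line format
# matched below is an assumption; the sample strings are constructed.

# classify_sip_status TEXT -> prints enabled | disabled | partial | unknown
classify_sip_status() {
    # Only the first line carries the overall status.
    line=$(printf '%s\n' "$1" | sed -n '1p')
    case "$line" in
        *"Custom Configuration"*)
            # Individual protections switched off: treat as not compliant.
            echo partial ;;
        "System Integrity Protection status: enabled"*)
            echo enabled ;;
        "System Integrity Protection status: disabled"*)
            echo disabled ;;
        *)
            echo unknown ;;
    esac
}

# sip_state -> classifies the live machine; "unavailable" when csrutil is
# absent (non-macOS host or an OS X release older than El Capitan).
sip_state() {
    if command -v csrutil >/dev/null 2>&1; then
        classify_sip_status "$(csrutil status 2>/dev/null)"
    else
        echo unavailable
    fi
}

# audit_sip TEXT -> exit status 0 only when SIP is fully enabled
audit_sip() {
    [ "$(classify_sip_status "$1")" = "enabled" ]
}

# Constructed sample outputs
SAMPLE_ON='System Integrity Protection status: enabled.'
SAMPLE_OFF='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).
Configuration:
    Filesystem Protections: disabled'

for s in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_CUSTOM"; do
    printf '%s\n' "$(classify_sip_status "$s")"
done
echo "this host: $(sip_state)"
```

A partially disabled (custom) configuration is reported separately so that an audit does not count it as protected.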
For the following to work, you must have a proper and up-to-date Recovery partition on your boot drive. While that should be a given, it's possible to clone a startup volume without Recovery installed.
From the Utilities menu in Recovery select Terminal.
Use the Terminal in Recovery to enter the SIP-disabling command.
Follow these steps to disable SIP:
Source: http://www.macworld.com/article/2986118/security/how-to-modify-system-integrity-protection-in-el-capitan.html