
System Integrity Protection

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Totie at 23:10, 18 June 2015 (page creation).

System Integrity Protection (sometimes referred to as "rootless"[1][2][3]) is a security feature of OS X El Capitan, the upcoming release of Apple's desktop operating system. It protects certain system processes, files and folders from being modified or tampered with by other processes, even those running as the root user. Apple argues that unrestricted root access is a significant risk to the system's security, especially on machines with a single user account, where that user is the de facto administrator and a single stolen password or privilege-escalation bug gives an attacker full control. System Integrity Protection is enabled by default but can be disabled.[4][5]

Functions

System Integrity Protection applies restrictions to every process on the system, including privileged and sandboxed ones, and flags certain system files and folders for protection. The kernel then prevents any process that lacks the specific privilege from writing to these flagged locations and from injecting code into protected processes. Among the protected locations are /System, /bin, /sbin and /usr (although /usr/local, the customary home of third-party software, is excluded). When El Capitan is installed, the installer moves any unauthorised file or folder found in these locations elsewhere rather than leaving it in place. Unsigned kernel extensions can no longer be installed. System Integrity Protection can currently be disabled entirely, either by setting a boot argument in NVRAM (a method that is due to be removed) or by booting into the recovery system.[4] Because system locations can no longer be modified by ordinary processes, the "repair permissions" operation is no longer needed.[6]
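A worked illustration of the path rule described above, as an added example that is not part of this article or of Apple's own tooling: a POSIX shell script that classifies candidate install targets against the locations listed here (/System, /bin, /sbin and /usr, with /usr/local excluded). The list of prefixes is taken from this article and is a simplified model rather than Apple's complete policy; the function names (normalize_path, sip_protected, check_paths) and the sample paths are constructed for the example. The path normaliser is lexical only, so symbolic links are not resolved.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): pre-check installer
# targets against the SIP-protected locations the article lists. The prefix
# list (/System, /bin, /sbin, /usr minus /usr/local) is the article's, not a
# complete description of the SIP policy.

# Lexically normalise a path: collapse "//", drop "." and trailing "/", and
# resolve ".." so that "/bin/../usr/bin" is seen as "/usr/bin". Symlinks are
# not followed, so a real check would still have to canonicalise on disk.
normalize_path() {
    _out=""
    _saved_ifs=$IFS
    IFS='/'
    for _part in $1; do
        case $_part in
            ''|'.') ;;                      # empty component or "."
            '..')   _out=${_out%/*} ;;      # pop last component
            *)      _out="$_out/$_part" ;;
        esac
    done
    IFS=$_saved_ifs
    printf '%s\n' "${_out:-/}"
}

# Exit 0 (true) if the path lies under a protected location, 1 otherwise.
# The /usr/local exclusion is tested first because /usr/local is itself
# under /usr; matching "/usr/local/*" (not "/usr/local*") keeps a sibling
# such as /usr/localbin protected.
sip_protected() {
    _p=$(normalize_path "$1")
    case $_p in
        /usr/local|/usr/local/*) return 1 ;;
        /System|/System/*|/bin|/bin/*|/sbin|/sbin/*|/usr|/usr/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict per path. Exit 1 if any target is protected, so an
# installer can abort before SIP rejects the write at run time.
check_paths() {
    _hits=0
    for _path in "$@"; do
        if sip_protected "$_path"; then
            printf 'PROTECTED  %s\n' "$_path"
            _hits=$((_hits + 1))
        else
            printf 'writable   %s\n' "$_path"
        fi
    done
    [ "$_hits" -eq 0 ]
}

# Constructed sample targets: the kind of paths an installer might write to.
if ! check_paths /usr/bin/foo /usr/local/bin/foo /usr/localbin/foo \
        /System/Library/Extensions/x.kext /Library/Extensions/x.kext \
        /bin/../usr/bin/sh /Applications/Foo.app; then
    echo "some targets are under SIP-protected locations"
fi
```

Running the script lists /usr/bin/foo, /usr/localbin/foo, /System/Library/Extensions/x.kext and /bin/../usr/bin/sh as protected, while /usr/local/bin/foo, /Library/Extensions/x.kext and /Applications/Foo.app remain writable (to root).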

Responses

From a security perspective, Apple presents System Integrity Protection as a necessary step towards a higher level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described root access as one of the system's remaining weaknesses, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device".[4] Responses have been mixed. Some have expressed concern that Apple is on the verge of taking full control away from users and developers, slowly moving OS X's security policy towards one resembling that of Apple's mobile operating system, iOS.[2] Some developers whose applications rely on deeper system access have expressed disappointment, noting that users will have to disable the security feature in order to install their software.[7]

References

  1. The boot argument to the NVRAM command-line utility is called rootless.
  2. Cunningham, Andrew (June 17, 2015). "First look: OS X El Capitan brings a little Snow Leopard to Yosemite". Ars Technica. Retrieved June 18, 2015.
  3. Slivka, Eric (June 12, 2015). "OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance". MacRumors. Retrieved June 18, 2015.
  4. Martel, Pierre-Olivier (June 2015). "Security and Your Apps" (PDF). Apple Developer. Apple. pp. 8–54. Retrieved June 18, 2015.
  5. "What's New in OS X". Mac Developer Library. Apple. June 8, 2015. Section "OS X v10.11". Retrieved June 18, 2015.
  6. "OS X v10.11 Developer Beta 1 Release Notes". Mac Developer Library. Apple. June 8, 2015. Section "Notes and Known Issues". Retrieved June 18, 2015.
  7. Sykes, Stephen (June 16, 2015). "On System Integrity Protection in El Capitan, OSX 10.11". BinaryAge. Retrieved June 18, 2015.
