Other than user error, what types of attacks would SIP prevent?

On this site and throughout other Apple enthusiast communities, I often see people strongly advise against disabling System Integrity Protection. This has always struck me as somewhat odd, as SIP did not even exist until recently, and it prevents a lot of tweaks that used to be relatively commonplace, such as SIMBL and OSXFuse.

If I am an enthusiast user following basic security practices such as:

  1. Using a strong, unique administrative password.
  2. Only granting administrator permissions to applications I trust.
  3. Only using sudo when necessary, and only for commands I understand.

What types of attacks am I opening myself up to by leaving SIP disabled?

Put another way, is a Mac computer without SIP more vulnerable than a comparable machine running a default configuration of Windows or a common flavor of Linux?


Solution 1:

From Apple's page About System Integrity Protection on your Mac

Before System Integrity Protection, the root user had no permission restrictions, so it could access any system folder or app on your Mac. Software obtained root-level access when you entered your administrator name and password to install the software. That allowed the software to modify or overwrite any system file or app.

So, based on the premise of your question, a good sys admin would use strong passwords, grant admin permissions only to users/apps that you trust, and use sudo only when necessary.

Ok...let's look at a hypothetical, but entirely plausible scenario: Installing VirtualBox.

Assume for a moment that the VirtualBox site got hacked and a malicious version of VB was uploaded and made available as genuine. Since installing VB requires root privileges, you would invariably use sudo to install it (this is why it asks you for your password).

Without SIP, it could write to any of the protected areas as root installing itself with full admin privileges to do whatever nefarious things it wanted to do. It's important to note that the security practices you enumerated in your question never came into play.

It's just another layer of protection.

A Mac with SIP is no more or less safe than a Windows 10 machine with System Protection enabled. "Linux" is too broad a topic to make a statement. However, there is Oracle "Hardened" Linux (version of RedHat Enterprise) that has these features.
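As an added illustration of the "protected areas" point above (this is example code, not from the answer or from Apple): two quick checks a defender can run on a Mac, one that reads `csrutil status` and one that reads the BSD `restricted` flag in `ls -lO` output, which is the flag SIP uses to keep even root from modifying an entry. The tool output below is constructed so the script runs offline; on a real Mac, substitute the live output of `csrutil status` and `ls -ldO /System /usr /usr/local ...`.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Apple.
# Reports whether SIP is active and which listed entries it protects.

# Exit status 0 when `csrutil status` output reports SIP enabled.
sip_enabled() {
  printf '%s\n' "$1" | grep -qi 'status: enabled'
}

# Print entries whose BSD flags column ($5 in `ls -lO` output) contains
# `restricted`. $NF is the path; paths without spaces are assumed.
restricted_entries() {
  printf '%s\n' "$1" | awk 'NF >= 9 && $5 ~ /(^|,)restricted(,|$)/ { print $NF }'
}

# Print listed entries that lack the flag. /usr/local is expected here;
# a core path showing up is worth investigating on a machine that
# ever ran with SIP off.
unrestricted_entries() {
  printf '%s\n' "$1" | awk 'NF >= 9 && $5 !~ /(^|,)restricted(,|$)/ { print $NF }'
}

# Constructed sample output: the shape matches the tools, the values are made up.
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'
SAMPLE_LS='drwxr-xr-x  10 root  wheel  restricted         320 Jan  1 00:00 /System
drwxr-xr-x  11 root  wheel  restricted         352 Jan  1 00:00 /usr
drwxr-xr-x   9 root  wheel  -                  288 Jan  1 00:00 /usr/local
drwxrwxr-x   3 root  admin  sunlnk,restricted   96 Jan  1 00:00 /Applications/Safari.app'

if sip_enabled "$SAMPLE_CSRUTIL"; then echo "SIP: enabled"; else echo "SIP: DISABLED"; fi
echo "restricted entries:";   restricted_entries "$SAMPLE_LS"
echo "unrestricted entries:"; unrestricted_entries "$SAMPLE_LS"
```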