Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Henri9009

macrumors member
Original poster
Jun 21, 2011
40
2
Montreal
Hi everybody!

To make an "extra Finder application" work properly, I'd have to enable only parts of System Integrity Protection.

sudo csrutil enable –without debug –without fs

I've read that SIP must be enable for security reasons. Is it OK if it's only a part of it?

Thank you!
 

Fishrrman

macrumors Penryn
Feb 20, 2009
29,054
13,083
I have immediately disabled system integrity protection on EVERY Mac I've used that has it as a part of the OS. No problems.

I also disable all facets of the "startup security" panel, as well.

I want none of this stuff mucking with things behind the scenes, and keeping me from otherwise doing things I want or need to do.
 
  • Like
Reactions: Henri9009

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
The --without debug argument allows programs to "attach" to other programs and manipulate them at runtime; the latter can be hijacked to access/manipulate their data or abuse their permissions. The --without fs argument disables the writing restrictions to system directories (even if accessed as root).

It is not safe. You should be aware that disabling these mechanisms for a single app affects the system as a whole. I would not do it without a good reason.
 

Henri9009

macrumors member
Original poster
Jun 21, 2011
40
2
Montreal
The --without debug argument allows programs to "attach" to other programs and manipulate them at runtime; the latter can be hijacked to access/manipulate their data or abuse their permissions. The --without fs argument disables the writing restrictions to system directories (even if accessed as root).

It is not safe. You should be aware that disabling these mechanisms for a single app affects the system as a whole. I would not do it without a good reason.
What about disabling the whole SIP? The two above seem to think it's safe.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
What about disabling the whole SIP?

Disabling it completely is even worse. When you keep it partially enabled with the above-mentioned arguments, you will still keep some other parts enabled. SIP is really a bundle of security policies enforced by the kernel.

Also keep in mind that the --without arguments are undocumented. There is no guarantee that they won't lead to problems at some point if Apple changes how they work.

The two above seem to think it's safe.

Fishrrman generally doesn't care about it and bogdanw actually points out the risk of disabling it. The "extra Finder application" does not work with SIP fully enabled and this for a reason, since it works by hijacking Finder to inject additional features at runtime (it does this by injecting code into it or manipulating its memory). (Partially) disabling SIP will allow apps like this more access than they should have, with is not what Apple intends with these security policies.

If Finder is not sufficient to you, consider other file managers, like Commander One.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,252
1,496
There's not enough information to answer whether it's safe. It depends on a number of things.

  • The current exploits in the wild
  • Your online behavior
  • The applications you run
  • Your competence and caution levels
  • Luck
I've not seen anyone come up with a quantitative measure of the risk. The experiences of a small sample of people mean nothing. Systems are often hijacked without the users being aware of it. Also, most everyone has sufficient luck to have not encountered anything bad. You'll be lucky too, unless you won't.

Some are OK disabling it and there are benefits to be gained. I'm not OK disabling it since the risk leaves me uncomfortable. It's a personal decision.
 
  • Like
Reactions: Henri9009
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.