
petekjohnson

Original poster
Just curious, but what exactly is the downside to disabling SIP on Ventura, Monterey or Big Sur, since all of them already can't really be tampered with due to the System volume being read-only and when you boot you're only booting off a snapshot (SSV)?
 
SIP protects changes to some parts of the r/w part of the system volume - even when using root access. https://support.apple.com/en-us/HT204899

So the downside of disabling is that some parts of the system are not protected from malicious root access.

I have SIP disabled, but I am aware of the risk.

Recommend you leave it enabled unless you find a good reason to disable.
 
I will probably reenable it, I just had to disable it to do something and wondered what the point of turning it back on was. Do you happen to know just which areas on the system that are not protected and need SIP? Curious.....
 
Do you happen to know just which areas on the system that are not protected and need SIP?
As the Apple Support page says:
System Integrity Protection includes protection for these parts of the system:
  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that are pre-installed with OS X
Paths and apps that third-party apps and installers can continue to write to include:
  • /Applications
  • /Library
  • /usr/local
 
Well I appreciate the info, but that just is not an accurate reflection of the exposed areas. I am almost 100% certain that all of those things reside on the read-only system volume with the exception of /usr and /Library and possibly areas in /var.

Anyway, it's not a big deal, I am very careful with security practices and exposing myself to risky things for the most part so I don't imagine I should really be fretting.
 
SIP does more than protect filesystem locations. Here are some of the things it controls, some pretty self-explanatory:
  • CSR_ALLOW_UNAPPROVED_KEXTS
  • CSR_ALLOW_ANY_RECOVERY_OS
  • CSR_ALLOW_DEVICE_CONFIGURATION
  • CSR_ALLOW_UNRESTRICTED_NVRAM
  • CSR_ALLOW_UNRESTRICTED_DTRACE
  • CSR_ALLOW_TASK_FOR_PID
  • CSR_ALLOW_UNRESTRICTED_FS
  • CSR_ALLOW_UNTRUSTED_KEXTS
 
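The CSR_ALLOW_* names listed in the post above are individual bits of a single SIP configuration mask. As an added example (not part of any post in this thread), this Python script decodes such a mask into flag names; the bit positions are taken from XNU's `bsd/sys/csr.h`, the input format assumes the percent-encoded text printed by `nvram csr-active-config`, and the sample values are constructed.

```python
# Added example: decode a SIP configuration bitmask into CSR_ALLOW_* flag names.
# Bit positions follow XNU's bsd/sys/csr.h; sample inputs below are constructed.
import re

CSR_FLAGS = {
    0: "CSR_ALLOW_UNTRUSTED_KEXTS",
    1: "CSR_ALLOW_UNRESTRICTED_FS",
    2: "CSR_ALLOW_TASK_FOR_PID",
    3: "CSR_ALLOW_KERNEL_DEBUGGER",
    4: "CSR_ALLOW_APPLE_INTERNAL",
    5: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    6: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    7: "CSR_ALLOW_DEVICE_CONFIGURATION",
    8: "CSR_ALLOW_ANY_RECOVERY_OS",
    9: "CSR_ALLOW_UNAPPROVED_KEXTS",
    10: "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
    11: "CSR_ALLOW_UNAUTHENTICATED_ROOT",
}

def parse_nvram_value(text):
    """Turn nvram-style text ('%7f%08%00%00' or 'w%00%00%00') into an int.

    Assumed input format: printable bytes appear as characters and the
    rest as %xx; the four bytes form a little-endian 32-bit mask.
    """
    raw = bytearray()
    for m in re.finditer(r"%([0-9a-fA-F]{2})|(.)", text.strip()):
        raw.append(int(m.group(1), 16) if m.group(1) else ord(m.group(2)))
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}")
    return int.from_bytes(raw, "little")

def decode_csr(mask):
    """Return (names of set flags, leftover bits not in the table)."""
    names = [name for bit, name in CSR_FLAGS.items() if mask & (1 << bit)]
    unknown = mask & ~sum(1 << bit for bit in CSR_FLAGS)
    return names, unknown

if __name__ == "__main__":
    for sample in ("%00%00%00%00", "w%00%00%00", "%7f%08%00%00"):
        mask = parse_nvram_value(sample)
        names, unknown = decode_csr(mask)
        print(f"{sample!r} -> 0x{mask:03x}")
        for n in names or ["(no CSR_ALLOW_* bits set)"]:
            print("   ", n)
        if unknown:
            print(f"    unknown bits: 0x{unknown:x}")
```

Each name that appears in the output is one protection that has been relaxed, which makes it easy to see that a given SIP state covers more than filesystem paths.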
I DISABLE SIP on my Macs, as soon as I set them up.
No problems here that I can attribute to having done so...
 