Enabling SIP while disabling specific parts, is it safe?

[Henri9009]

Hi everybody!

To make an "extra Finder application" work properly, I'd have to enable only parts of System Integrity Protection.

sudo csrutil enable –without debug –without fs

I've read that SIP must be enable for security reasons. Is it OK if it's only a part of it?

Thank you!

 

[bogdanw]

In my opinion, disabling SIP is not unsafe. I have it disabled (csrutil disable from Terminal in Recovery).
But using an “extra Finder application” might be unsafe, as you are giving that third party app full disk access.
Apple’s documentation https://developer.apple.com/documen...ling_and_enabling_system_integrity_protection

 

[Fishrrman]

I have immediately disabled system integrity protection on EVERY Mac I've used that has it as a part of the OS. No problems.

I also disable all facets of the "startup security" panel, as well.

I want none of this stuff mucking with things behind the scenes, and keeping me from otherwise doing things I want or need to do.

 

[KALLT]

The --without debug argument allows programs to "attach" to other programs and manipulate them at runtime; the latter can be hijacked to access/manipulate their data or abuse their permissions. The --without fs argument disables the writing restrictions to system directories (even if accessed as root).

It is not safe. You should be aware that disabling these mechanisms for a single app affects the system as a whole. I would not do it without a good reason.

 

[Henri9009]

The --without debug argument allows programs to "attach" to other programs and manipulate them at runtime; the latter can be hijacked to access/manipulate their data or abuse their permissions. The --without fs argument disables the writing restrictions to system directories (even if accessed as root).

It is not safe. You should be aware that disabling these mechanisms for a single app affects the system as a whole. I would not do it without a good reason.

What about disabling the whole SIP? The two above seem to think it's safe.

 

[KALLT]

What about disabling the whole SIP?

Disabling it completely is even worse. When you keep it partially enabled with the above-mentioned arguments, you will still keep some other parts enabled. SIP is really a bundle of security policies enforced by the kernel.

Also keep in mind that the --without arguments are undocumented. There is no guarantee that they won't lead to problems at some point if Apple changes how they work.

The two above seem to think it's safe.

Fishrrman generally doesn't care about it and bogdanw actually points out the risk of disabling it. The "extra Finder application" does not work with SIP fully enabled and this for a reason, since it works by hijacking Finder to inject additional features at runtime (it does this by injecting code into it or manipulating its memory). (Partially) disabling SIP will allow apps like this more access than they should have, with is not what Apple intends with these security policies.

If Finder is not sufficient to you, consider other file managers, like Commander One.

 

[bogdanw]

Long thread of "Best Finder alternative" https://forums.macrumors.com/threads/best-finder-alternative.2258057/

 

[svenmany]

There's not enough information to answer whether it's safe. It depends on a number of things.

• The current exploits in the wild
• Your online behavior
• The applications you run
• Your competence and caution levels
• Luck

I've not seen anyone come up with a quantitative measure of the risk. The experiences of a small sample of people mean nothing. Systems are often hijacked without the users being aware of it. Also, most everyone has sufficient luck to have not encountered anything bad. You'll be lucky too, unless you won't.

Some are OK disabling it and there are benefits to be gained. I'm not OK disabling it since the risk leaves me uncomfortable. It's a personal decision.

 

[bogdanw]

I am not aware of attacks/malware targeting systems with SIP disabled.
I know an example of malware stopping its execution if SIP is disabled.

(27:12 in the video)
To better understand the potential risk, a short SIP overview by Microsoft https://www.microsoft.com/security/...hat-could-bypass-system-integrity-protection/