El Capitan's System Integrity Protection will shift utilities' functions
A new protection mechanism in OS X increases security, but prevents some low-level activities that utilities rely on. They'll have to find new paths.
iOS is so locked down that disabling protections in order to install your own modifications is called “jailbreaking.” But OS X has remained free and easy—until now. El Capitan adds some security improvements that should make OS X more resistent to exploitation by malware, but it will also mean a change or end to some software utilities on which you may rely.
OS X 10.11 includes System Integrity Protection, discussed in early June at Apple’s annual Worldwide Developer’s Conference, which will prevent the modification or removal of certain system files, among other changes. By locking more of the core system down, it adds another hurdle to any malware that needs to fiddle with things that typically don’t need to be modified. Apple provides a way to disable this protection, but it’s unlikely that most regular users will avail themselves of it.
(Side note: Before installing an El Capitan beta—either the public or developer version—you should check the blogs and newsletters of third-party developers on whose software you rely, particularly utilities that modify system behavior, like in dialog boxes or menus.)
The root of the problem
System Integrity Protection lets OS X operate normally while removing administrative overrides to modify a number of files, folders, running processes—software that manages tasks in the background—and system apps, like the Finder. It’s been labeled rootless, because Unix has long been based around the notion that a superuser, called root, can do anything to the system she or he wants to.
Regular, non-root users have more limited access, which made sense for simultaneous multi-user systems, like servers, or workstations which different people use at various times—while sitting in front of them or remotely—and no one person should be able to muck things up for anyone else. The root user was both a god within the system and a bulwark against regular users.
OS X’s Unix foundation gives the potential of root-level permission to any user who has administrator privileges, however, and you need those privileges to install many kinds of software. The first user created in the setup process for a new Mac has to have administrator privileges to create other accounts, modify security setups, and handle other tasks.
However, because one or more users can gain this kind of power, it renders OS X vulnerable to both local and remote attacks: A malicious local user could run software that escalates privileges, gaining root when they’re not supposed to; a remote attacker might install malware through an exploit, which then gets root and takes over the machine. Some malware’s entire vector of attack is as a Trojan horse: Convincing a user that it’s legitimate, so that they type in their password to install it.
You can see how it would be desirable to remove that possibility—hence, rootless. This change allows users to maintain their control over most aspects of OS X, but is a much stronger blockade against those privileges being used against their system.
Look, but don’t touch
The specifics of System Integrity Protection are that no user, application, or process will be able to write files or modify files in the root System folder or the
/usr directories, which are hidden by default in OS X’s Finder. The
/usr/local folder remains accessible, however; it’s a long-running convention in Unix and variants as a place to stash material and software that individual users rely on.
El Capitan will also remove files from those directories that don’t belong to Apple. Upgrading to El Capitan will therefore disable some software you want, but also pull out old cruft that isn’t needed, and perhaps kill some lurking horrors. Only Apple installer software and software updater can modify the contents of those folders.
If you’re running a beta of El Capitan, you’ll also notice a change to Disk Utility: Repair disk permissions is gone! (And the program’s user interface has been totally overhauled.) OS X 10.11 automatically repairs permissions during software updates, and permissions won’t be allowed to be changed at other times—thus, they won’t need to be repaired. It’s been thought that repair disk permissions was a placebo for the last few releases, even though it was once a vital part of the troubleshooting arsenal.
The protection also extends to locking down a variety of OS X software, like Finder and Dock and anything launched from protected folders. For instance, Dropbox used to fiddle with the Finder to show sync status for files and folders, but Apple added generic code to support that in Yosemite. Kernel extensions (kexts) that modify the core of OS X—the part that handles input and output and launching background software and the like—will still be allowed. But they will have to be cryptographically signed by a developer with a valid certificate from Apple.
(If you’d like all the gory details, you can watch the 50-minute presentation from WWDC.)
Dave, my mind is going. I can feel it
The upshot for most users, especially those who only use Apple software and software purchased or obtained through the Mac App Store, is that there will be no difference whatsoever. The vast majority of software used by the vast majority of people doesn’t need access to or play around with files or processes.
For users who customize their systems with utilities and like to make full nightly clone updates of their systems, there will be change ahead. Developers are going to have to rethink some of their products.
So far, I’ve seen blog entries from Shirt Pocket about SuperDuper, St. Clair Software about Default Folder, and BinaryAge about TotalFinder and TotalSpaces2. I’m sure there are dozens of other developers writing up their short-term problems and sending email warning about updating to betas as well.
SuperDuper needs to read everything on a drive to perform a clone and, to restore, write anywhere. In an earlier developer build, El Capitan didn’t allow SuperDuper to read the file that specifies that rootless mode is active, in a bit of irony, meaning that a restored system would disable it. That’s already fixed in the public beta, but it will be impossible to restore a volume without disabling System Integrity Protection. Default Folder, on other hand, requires a thorough overhaul, and the folks at BinaryAge are unclear about their path forward.
Savvy users will be able to disable rootless. Boot into the recovery partition, and then choose Security Configuration from the Utilities menu. You can uncheck Enforce System Integrity Protection, click Apply Configuration, and restart. It seems unlikely that option will disappear in the shipping version of El Capitan, because there will always be cases in which you’ll need full access.
This does take OS X further down the road towards an iOS-style full lockdown, but Apple made an effort to carve out only the most troubling aspects of unfettered root access. I don’t see red flags yet in this implementation. While Apple has avoided easily and widely deployable malware in OS X, every step it takes to make future efforts fruitless without disabling the ability to install any software we choose is a good one.