
Private I: El Capitan's System Integrity Protection will shift utilities' functions

Glenn Fleishman | July 16, 2015

iOS is so locked down that disabling protections in order to install your own modifications is called "jailbreaking." But OS X has remained free and easy--until now. El Capitan adds some security improvements that should make OS X more resistant to exploitation by malware, but it will also mean a change or end to some software utilities on which you may rely.

You can see how it would be desirable to remove that possibility--hence, rootless. This change allows users to maintain their control over most aspects of OS X, but is a much stronger blockade against those privileges being used against their system.

Look, but don't touch

The specifics of System Integrity Protection are that no user, application, or process will be able to write files or modify files in the root System folder or the /bin, /sbin, and /usr directories, which are hidden by default in OS X's Finder. The /usr/local folder remains accessible, however; it's a long-running convention in Unix and variants as a place to stash material and software that individual users rely on.

El Capitan will also remove files from those directories that don't belong to Apple. Upgrading to El Capitan will therefore disable some software you want, but also pull out old cruft that isn't needed, and perhaps kill some lurking horrors. Only Apple installer software and software updater can modify the contents of those folders.
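To see which of a utility's install paths fall under the write restriction described above, the rule can be modelled as a path check. This is an added example, not Apple's code or policy data: the directory list comes from this article, and the manifest and the utility it belongs to are constructed.

```python
import posixpath

# Simplified model of the rule as this article describes it; not Apple's
# actual policy data. Directory names are taken from the article text.
PROTECTED_ROOTS = ("/System", "/bin", "/sbin", "/usr")
WRITABLE_EXCEPTIONS = ("/usr/local",)


def _is_under(path, root):
    # Compare whole path components so "/usr/localized" is not mistaken
    # for "/usr/local", and "/binaries" is not mistaken for "/bin".
    return path == root or path.startswith(root + "/")


def is_protected(path):
    """Return True if an absolute path lands in a protected directory."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path: %r" % path)
    # Collapse ".", ".." and repeated slashes lexically; symlinks are
    # not resolved here.
    normalized = "/" + posixpath.normpath(path).lstrip("/")
    if any(_is_under(normalized, exc) for exc in WRITABLE_EXCEPTIONS):
        return False
    return any(_is_under(normalized, root) for root in PROTECTED_ROOTS)


def audit(manifest):
    """Split install paths into (blocked, allowed) lists."""
    blocked = [p for p in manifest if is_protected(p)]
    allowed = [p for p in manifest if not is_protected(p)]
    return blocked, allowed


# Constructed install manifest for a hypothetical third-party utility.
SAMPLE_MANIFEST = [
    "/usr/bin/exampletool",
    "/usr/local/bin/exampletool",
    "/usr/local/../lib/libexample.dylib",   # escapes /usr/local via ".."
    "/usr/localized/example.dat",           # prefix look-alike of /usr/local
    "/System/Library/Extensions/Example.kext",
    "/Library/Application Support/Example/helper",
]

if __name__ == "__main__":
    blocked, allowed = audit(SAMPLE_MANIFEST)
    for p in blocked:
        print("BLOCKED", p)
    for p in allowed:
        print("ok     ", p)
```
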

If you're running a beta of El Capitan, you'll also notice a change to Disk Utility: Repair disk permissions is gone! (And the program's user interface has been totally overhauled.) OS X 10.11 automatically repairs permissions during software updates, and permissions won't be allowed to be changed at other times--thus, they won't need to be repaired. It's been thought that repair disk permissions was a placebo for the last few releases, even though it was once a vital part of the troubleshooting arsenal.

The protection also extends to locking down a variety of OS X software, like Finder and Dock and anything launched from protected folders. For instance, Dropbox used to fiddle with the Finder to show sync status for files and folders, but Apple added generic code to support that in Yosemite. Kernel extensions (kexts) that modify the core of OS X--the part that handles input and output and launching background software and the like--will still be allowed. But they will have to be cryptographically signed by a developer with a valid certificate from Apple.

Dave, my mind is going. I can feel it

The upshot for most users, especially those who only use Apple software and software purchased or obtained through the Mac App Store, is that there will be no difference whatsoever. The vast majority of software used by the vast majority of people doesn't need access to or play around with files or processes.

For users who customize their systems with utilities and like to make full nightly clone updates of their systems, there will be change ahead. Developers are going to have to rethink some of their products.

