Dumb Question Corner – Is it ok to partially turn off System Integrity Protection?

apple diagram showing layers of protection from keychain to sandbox to gatekeeperOur Dumb Question this week comes from John Ormsby, aka NasaNut in the chat room. He’s asking whether it’s ok to follow the advice of some app developers and partially turn off the protections Apple has put in place in El Capitan.

Here’s John’s full question where he explains why he’s asking the question:

I have been using a utility that has been extremely helpful to me for quite awhile. It is XtraFinder. This utility allows you to have two (or more) finder tabs side by side and active in the Finder. This allows me to easily drag & drop files from one location to another. I am not a programmer but I understand that the way this utility works is that it injects code into the Finder, thus modifying the Finder as opposed to a stand alone application. The problem is that the new security features in El Capitan (System Integrity Protection or SIP) prevent this utility from working. There is also a competing product that suffers from the same problem with El Capitan. That utility is TotalFinder.

Both of these developers discuss the issue on their websites and, although they are clear to say that are not recommending turning off SIP, they explain how (partially?) do it so that their applications will continue to work.

Reading the comments on the TotalFinder forum, a lot of people seem to be of the opinion that “We did not have SIP before El Capitan and didn’t have a problem so we don’t see a need for it now”.

I am aware that there are applications such as PathFinder and Forklift that provide similar functionality (and more) but it is so much easier to simply use the Finder and not have to worry with another application for this one feature.

So, and this is really targeted at Bart unless you two decide to add it as show topic:

  • What are the pro’s and con’s of following this procedure to partially turn off SIP?
  • What does it mean to ‘Partially’ turn off SIP?
  • How much of a security risk would there be in doing so?
  • Your general opinion of doing so?

Here are some links to the developers sites and forums if you want to take a look.

Total Finder: totalfinder.binaryage.com/system-integrity-protection and discuss.binaryage.com/t/totalfinder-status-under-os-x-10-11-el-capitan

XtraFinder trankynam.com/xtrafinder/sip.htmlhttps://www.trankynam.com/xtrafinder/sip.html

Allison’s initial answer:

I think I understand it and could probably get a 90% answer done on it myself but it would be way better to have Bart lead the discussion.

Bart and I have never been big fans of things that fiddle with the Finder, and for just the reasons that you describe here. There are those that do enjoy a good kernel extension modification ( George from Tulsa) but it never sounded like a good idea to me.

And then there’s the lack of permissions repair now because apps can’t mess with each other – huzzah!

Anyway I bet Bart likes this idea as much as I do,

Bart’s response:

So yea – the short answer is that I like this kind of carry on as much as Allison does 🙂

The longer answer is that I have advised against these kinds of hacks for years. They are a recipe for trouble. Apple, rightly, assume that the Finder is as they left it, so when they release software updates, they do not add in extra code to work around these hacks. Most of the time the changes Apple make will not interact with the changes the hackers make, but there is a real possibility they will some day. Now, if you hack something non-critical like Pages, the only risk is that you break Pages. The Finder is different – it provides most of the OS X UI – the desktop is Finder! So, if you break Finder, you have an un-usable OS!

Basically, these kinds of ‘utilities’ are playing with fire – avoid them like the plague has always, and remains, my advice. If you don’t like the Finder, use an alternative, don’t butcher the OS!

So – as for why it’s a bad idea to turn off System Integrity Protection – simple, it stops malware from altering the OS. It is true that we survived without it in older versions of OS X, so it is tempting to think that it is not important. But, that attitude misses a very important reality – security is a cat and mouse game – last year’s cat was able to stand up to last year’s mouse, but last year’s cat may have more trouble with next year’s mouse, not to mention the mouse from five years into the future. Apple is not increasing it’s defences for no reason – developing SIP cost a lot of money, and Apple didn’t make that investment on a whim – they know the attackers are upping their game, so Apple is upping our defences in response.

Apple are not going to roll back their security in OS X, so you are on a road to nowhere IMO. Today, it is possible to turn off SIP, and it may well be possible next year in OS X 10.12 Venice Beach (or what ever they call it), but I would not bet on it remaining possible for many versions into the future. Today, running without it is not reckless, but will that be true next year, or the year after, or five years from now? That’s another bet I wouldn’t take. All these hacks are dead men walking IMO.

I’ve chosen to make my career in an industry that changes rapidly and relentlessly. After a decade and a half of experience, the most important lesson I’ve learned is to avoid swimming up-stream if at all practical – been there, done that, and that way lies only frustration and anger! I believe one of the eastern religions describes life as a river, and teaches the importance of noticing which way the current is flowing – I think they were definitely on to something!

I’m going through this myself at the moment. I ADORE Aperture. But it’s on a road to nowhere. I need to become proficient in Adobe’s imaging suite. It’s painful in the short-term, but in the long term it’s inevitable I end up in the Adobe world, so I’m putting my energies into making that work for me, rather than fighting it.

Not sure if this counts as tech advice or philosophy, but either way, those are my thoughts for what they’re worth 🙂

3 thoughts on “Dumb Question Corner – Is it ok to partially turn off System Integrity Protection?

  1. Joe Hecht - December 29, 2015

    This is not Dumb Question.

    Bart has it right. And no, you really do not want software that inject’s code into a system app (or any app for that matter), (unless you have a very special case need).

    The ability to “partially” turn this feature off is not going to be around for long, and it’s not something you want to do (and forget). Figure than “Partially” is a very special case crutch, and is not put there for average users to take advantage of. On this one, if you have to ask, then no, do not use it. If you have special case installation that demands it, then you will be aware of it’s use as your probably covered under some sort of governmental contract or the like, and Apple will be helping you to use it).

  2. Grumpy (Mike) - December 29, 2015

    I won’t bother answering the question as hand (I think Bart summed it up wonderfully – at least as far as I am concerned).
    Instead, I will respond to the root cause of this query. John was asking about disabling SIP (albeit partially) to maintain a
    feature enhancement that he has come to enjoy and even rely upon….easy file moving (which is such a pain in the A$$ in the
    Finder). As John mentioned, there are other apps. I use PathFinder….but that too has its issues.
    A recommendation I will make where John can have his cake and eat it too (for a price). The app Yoink (available in the MAS)
    will allow him to fairly easily move files from one file to another and it works with any file browser app, including the standard Finder app.
    It is a 2-step process, which is not ideal but beats the standard Finder. I have used it for many years and it works great.

    ** Just noticed that the price has gone up from when I bought it several years ago. Currently $6.99USD.

  3. Shai Yammanee - December 29, 2015

    It was very interesting to hear the conversation about turning off SIP.
    Unfortunatley, I had no choice but to turn it off.

    Now, before you wave your hands in the air and berate my crazy decision, let me explain why.
    I do a lot of recording for performing artists using some M-Audio hardware and pro level condensor microphones.
    Unfortunatley, the hardware is no longer being supported for software updates.
    I knew that we were getting close to end of life of this audio interface, but I really didn’t want to shell out around $1000 to replace it.

    When updating to El Capitan, it completely broke the interface. Totally.
    There was no way for my computer to recognise my hardware, and no amount of searching online helped.

    After a ridiculous amount of research, I finally decided to try disabling SIP, and see what happens.
    And it worked! I was able to get all functionality back and my recording capabilities have been restored.

    Oh, I forgot to mention. My audio interface only connects via Firewire 400.

    So, I have managed to give my old hardware a bit of extra life, but I am going to have to upgrade it soon.

    Now, I am super vigilant over the traffic my computer does.
    I use a secondary login (not an admin), little snitch, turned off all flash and java, and soothing music to keep my nerves in check.

    I’m also able to turn SIP back on whenever I’m not needing my recording functionalities.

    I know that the average person won’t have any issues with SIP, but I am sure there are many out there that use specialised hardware that might have issues.
    I know that once I upgrade my computer (can you believe I’m still using a 2008 Macbook Pro for all my professional photographic, editing, sound recording and video editing work!?) I am going to have to upgrade everything in my workflow.
    It will be a very expensive visit to the Apple store.

    Thanks again for a fun show. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top