System Integrity Protection and you...

by Wolfgang BairdDEC 26th, 2020

What are the security implications of turning off System Integrity Protection?

System Integrity Protection is a security technology in OS X El Capitan and later that's designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. It has grown in scope since it's original introduction and Apple hasn't kept their documentation completely up-to-date. With that in mind we can't say for certain all of the functionality that it does or doesn't provide but here's the basics:

Using some macEnhance products you will need to turn off SIP using csrutil disable, but fear not this doesn't actually turn off all features of System Integrity Protection as you may initially believe

The filesystem

System Integrity Protection includes protection for these parts of the system:

  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that are pre-installed with macOS

As of Big Sur this is actually handled under a Sub component of SIP that is not turned off with csrutil. The new component is csrutil authenticated-root, which can be enabled or disabled independently.  

Debugging and Code injection

Another less documented feature of SIP is preventing debuggers from attaching to a process not owned by the debugger.

This is something that has two layers of security. The first being SIP, the second being Library Validation. With SIP disabled you still cannot load external code into a host process that has a flag called Hardened Runtime enabled unless the external code is signed with the same certificates as the host. In order to do this you must also turn off Library-Validation. This is required for MacForge but not cDock.


Outside of System Integrity Protection are things like:

The Transparency, Consent, and Control (TCC) Framework is an Apple subsystem which denies installed applications access to ‘sensitive’ user data without explicit permission from the user (generally in the form of a pop-up message). To learn more about how TCC works, especially with Catalina, I recommend reading this article. TCC is what handles all the controls available in System Preferences > Security & Privacy > Privacy.

There is also the standard user protection of a unix system like apps needing administrator privileges to do certain tasks. 

In Summary

You're really are not losing out on much by turning off SIP but as always with something security related the choice is up to the user.

In truth most computer security comes from responsible use of your device like keeping your browser and OS updated, avoiding sketchy/illegal sites, not using pirated software, using secure passwords, etc...

Turning SIP on or off won't prevent you from downloading and running malware in the first place and if you unfortunately happened to install malware it's likely that having SIP off would have little or no impact on the damage the malware could do.

It's also really easy to toggle SIP back on if you change your mind and are feeling like the security risk is too great, it's just one simple command in terminal to turn it back on, no hassle with booting to recovery mode.