<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Presumably keeping normal uses of system programs from being subverted (even if they're not running privileged, i.e. setuid/setgid). There is probably some benefit to normal uses, but it's demonstrably trivial to work around if one already has full control.</div><div class=""><br class=""></div><div class="">I tend to think they went overboard, and/or this wasn't well designed, although I suspect that if the number of users benefited vs. adversely affected is the only measure, it may work as intended. My impression is that at the very least, there are a number of cases of legitimate configuration that aren't supported. Fine-grained permissions (an alternative to all-powerful root) in Solaris make some sense, for example; this reminds me more of the 3rd-party open-source "Papillon" module for Solaris, which could lock down or blacklist or restrict to user view certain features, but wasn't really comprehensive.</div><div class=""><br class=""></div><div class="">Were I to take a really wild guess, some of the thinking of how to do this (in principle, if not detail) may have come from the iOS/OS X cross-pollination. But what's appropriate on a mobile device (assuming you agree they should be locked down) isn't necessarily appropriate on a general-purpose system. It wouldn't take a lot of change to accommodate doing much better; just allow an overriding per-system config file that updates didn't touch, that could add exceptions to the directories and files protected by SIP. If one wanted to be paranoid, one could then have that file lock itself down, too, once one had it the way one wanted. That way, nobody would ever have to turn off SIP (except temporarily, to set up that file if they wanted it).</div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 4, 2015, at 01:42, Sven Kolja Heinemann &lt;<a href="mailto:web@bachsau.name" class="">web@bachsau.name</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="auto" class=""><div class=""></div><div class="">Where is the security benefit from this that Apple wants to achieve?</div><div class=""><br class="">On 03.10.2015 at 22:30, Richard L. Hamilton &lt;<a href="mailto:rlhamil@smart.net" class="">rlhamil@smart.net</a>&gt; wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class="">But it's so easy to test that theory: :-)</div><div class=""><pre style="margin: 0px; font-size: 18px; line-height: normal; font-family: 'Andale Mono'; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">sh-3.2# dtruss /bin/sh
dtrace: failed to execute /bin/sh: dtrace cannot control executables signed with restricted entitlements
sh-3.2# dtruss /net/localhost/bin/sh
sh-3.2# SYSCALL(args)                            = return
thread_selfid(0x0, 0x0, 0x0)                     = 867702 0
csops(0x0, 0x0, 0x7FFF563BF720)                  = 0 0
issetugid(0x0, 0x0, 0x7FFF563BF720)              = 0 0</pre></div></blockquote></div></div></blockquote></div><br class=""></body></html>