
SIP is useful though. It would be better that we could have SIP enabled and still be able to install whatever we want without going through App Store.


> SIP is useful though

I am very skeptical on this point.

macOS, like all Unix systems, already limits privileges for non-root users. What do you accomplish by placing limits on root as well?

If a malicious application gets root, you are very screwed. The app can encrypt most of your hard drive, monitor most keystrokes, do nasty things with your hosts file, and steal most of your personal data. It won't be able to directly inject itself into other processes, and certain critical OS files are protected, but how relevant is that?

As I see it, SIP's main purpose is to (1) prevent non-technical users from (completely) hosing their systems by copying and pasting terminal commands from the internet, and (2) to protect TCC.db so that apps can't bypass Apple's privacy system.

If you're able to turn off SIP, you have enough technical knowledge that #1 isn't necessary. I suppose #2 may have some limited value, but not much.

If I am completely off base on this, feel free to educate me—but in my several years of research I have not come across any plausible scenarios for when SIP's protection would be helpful.

------

Edit: One other relevant note: Apple lets you selectively disable and enable parts of SIP. So you'd likely be able to turn off sideload-blocking (or whatever it is) without disabling SIP completely, if you want to for whatever reason.
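The comment above says SIP can be partially disabled. As an added example (not part of the thread and not Apple's code), the POSIX shell script below summarises the output of `csrutil status`, the command that reports which SIP components are on, and tells you whether the filesystem protection that covers TCC.db is still in force. It embeds a constructed sample of the "Custom Configuration" report, whose exact wording is assumed from older macOS releases and may differ on newer ones; on a Mac you would feed it the real `csrutil status` output instead.

```shell
#!/bin/sh
# Added example, not from the thread. Parses `csrutil status` output.
# On a real Mac: sip_protects_tcc "$(csrutil status)"
# Here a constructed sample is embedded so the script runs anywhere.
# The wording below is assumed from older macOS releases (10.11-era);
# newer versions may print different component names.

# Constructed sample: roughly what csrutil prints after running
#   csrutil enable --without debug --without dtrace
# from the Recovery environment.
SAMPLE_STATUS='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

# sip_overall STATUS_TEXT -> prints "enabled", "disabled" or "custom"
sip_overall() {
    printf '%s\n' "$1" | awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /Custom Configuration/) print "custom";
            else if ($0 ~ /: enabled/) print "enabled";
            else print "disabled";
            exit
        }'
}

# sip_disabled_parts STATUS_TEXT -> one line per protection that is off.
# "Apple Internal" is skipped: it is always disabled on customer machines
# and its absence does not weaken the user's protection.
sip_disabled_parts() {
    printf '%s\n' "$1" | awk -F': ' '
        /^[ \t]+[A-Za-z ]+: (enabled|disabled)$/ {
            sub(/^[ \t]+/, "", $1);
            if ($2 == "disabled" && $1 != "Apple Internal") print $1
        }'
}

# sip_protects_tcc STATUS_TEXT -> "yes" if the filesystem protections that
# keep root from rewriting TCC.db are still on, otherwise "no".
sip_protects_tcc() {
    case "$(sip_overall "$1")" in
        enabled)  echo yes ;;
        disabled) echo no ;;
        custom)
            if sip_disabled_parts "$1" | grep -qx 'Filesystem Protections'; then
                echo no
            else
                echo yes
            fi ;;
    esac
}

# Demonstration on the constructed sample.
echo "overall: $(sip_overall "$SAMPLE_STATUS")"
echo "disabled parts:"
sip_disabled_parts "$SAMPLE_STATUS" | sed 's/^/  /'
echo "TCC.db protected: $(sip_protects_tcc "$SAMPLE_STATUS")"
```

The useful caveat is the third function: a machine can report SIP as "enabled" while running a custom configuration, so a compliance check that only greps for the word "enabled" will pass a Mac whose filesystem protections (and with them the protection of TCC.db) have been switched off.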


It's more of a "prevent app developers from asking you to do it". A normal user that has to disable SIP is a lot more of a barrier than a normal user typing in the root password.

Normal users need UX to save them from owning themselves.


Exactly! But if you're an even slightly advanced user, this isn't necessary.

I'm a little frustrated by all the FUD I've seen spread in Apple enthusiast communities about how SIP is this super important security feature that should never be turned off.

My opinion is that if you have a reason to disable SIP, go ahead and do so with a clear conscience. You will continue to be protected by the privilege system that's in place for (basically) all UNIXes.


> I suppose #2 may have some limited value, but not much.

Didn’t stop apps from trying exactly that anyway.

https://daringfireball.net/linked/2016/09/20/dropbox-macos-s...


> If a malicious application gets root, you are very screwed.

SIP is a piece of design intended to make you less screwed when that happens.


Yes, but how meaningful is that?

If a thief breaks into my house, I don't particularly care if he can access the drawer where I keep pencils.


I'm not sure I understand this, but if you prefer it in terms of strange analogies: you're walking past a construction site where they're building a high-rise and see they're hammering a giant steel pylon into the ground. You smirk and say "that won't keep the rain out!"


My analogy was somewhat stupid and I apologize.

Stated better: it appears to me that the consequence of a malicious app getting root is already so incredibly catastrophic, that at that point it makes little difference whether or not SIP is enabled.


Right, and I'm trying (and seemingly failing, sorry) to convince you you are looking at it backwards. SIP is not there to magically save you in a system where an all-powerful administrative account is compromised. The goal is to come up with a system that doesn't have something like an all-powerful administrative account, among other security improvements. It's only part of an effort to retrofit an existing consumer desktop OS to be more resilient to adversarial software, a long and arduous one that all makers of consumer OSes are engaged in and have been for years.


Put another way, you’re saying macOS’s admin account is currently too powerful? Even if Apple is able to eventually change that—and it would take a while—it doesn’t make SIP useful for security as of right now.

Edit: Also, security be damned, I don't want to use an OS without a proper root account! So while not entirely relevant to the discussion, I know that I would either continue to turn off SIP or move to another platform.


You get around it with things like SIP. Getting root on iOS is not, for instance, the absolute security game-over you are describing and it's a related OS.

Let's say you wanted an OS with better privilege control and other clever security doodads people have come up with in the years since merely having user accounts seemed like unconscionable oppression. If you don't care about backward compatibility much and start with Linux and a JVM, you might end up with something like Android. If you start with Linux and Chrome, you might end up with something like ChromeOS. If you start with OS X, you might end up with something like iOS. If you start from scratch, you might end up with something like Fuchsia.

But what if you do care about backward compatibility? You then have a far more difficult, thankless and long-term job. If you start with OS X, somewhere along the line you'll have something like OS X + SIP + Sandbox + FDE. Or Windows NT + UAC + irritating autoreboots in the middle of the night. We're in the 'somewhere along the line' stage.


> Apple lets you selectively disable and enable parts of SIP.

Can you cite a source for that?

