EPFL Logo
fr|en
Se Connecter
Concept

System Integrity Protection

System Integrity Protection (SIP, sometimes referred to as rootless) is a security feature of Apple's macOS operating system introduced in OS X El Capitan (2015) (OS X 10.11). It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo). Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which that user is also the administrator. SIP is enabled by default, but can be disabled. Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password – which Martel says is often weak or non-existent – the security of the entire system is potentially compromised. Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to Mac OS X Leopard enforce level 1 of securelevel, a security feature that originates in BSD and its derivatives upon which macOS is partially based. System Integrity Protection comprises the following mechanisms: Protection of contents and of system files and directories; Protection of processes against code injection, runtime attachment (like debugging) and DTrace; Protection against unsigned kernel extensions ("kexts"). System Integrity Protection protects system files and directories that are flagged for protection.

Source officielle
À propos de ce résultat
Cette page est générée automatiquement et peut contenir des informations qui ne sont pas correctes, complètes, à jour ou pertinentes par rapport à votre recherche. Il en va de même pour toutes les autres pages de ce site. Veillez à vérifier les informations auprès des sources officielles de l'EPFL.

Copyright © 2025 EPFL, tous droits réservés

Graph Chatbot

Chattez avec Graph Search

Posez n’importe quelle question sur les cours, conférences, exercices, recherches, actualités, etc. de l’EPFL ou essayez les exemples de questions ci-dessous.

AVERTISSEMENT : Le chatbot Graph n'est pas programmé pour fournir des réponses explicites ou catégoriques à vos questions. Il transforme plutôt vos questions en demandes API qui sont distribuées aux différents services informatiques officiellement administrés par l'EPFL. Son but est uniquement de collecter et de recommander des références pertinentes à des contenus que vous pouvez explorer pour vous aider à répondre à vos questions.