by ryandrake 79 days ago
> I shut down my Mac. Held the power button. Booted into Recovery Mode. Opened Terminal. Ran csrutil disable. Rebooted. Opened Terminal. Deleted the kernel extensions. Ran find to confirm they’re gone. Shut down AGAIN. Booted into Recovery Mode AGAIN. Ran csrutil enable. Rebooted AGAIN. All this just to delete four dead files and their mirrors from a disk utility.

This one is entirely on Apple. It was Apple who decided that "root isn't good enough" and that you, the user, shouldn't be able to administer your own goddamn system as root, without performing backflips while singing Happy Birthday.

4 comments

But the system is proprietary, it's not yours. I don't get it with Apple users. It's fine to purchase Apple devices, they are gorgeous, well built, stellar performance and the UI is nice. But they never promised to keep an open system and to give you access, so why expect it? Even if you had a specific liberty with the system before, you were never entitled to that feature you lost after an update because the system just isn't yours.

You can just turn that off once and leave it off if it bothers you.

Even most power users leave it on except for temporary situations like this because it’s a helpful security protection.

Yup. I leave it alone. As much as it’s a hassle every 2 years or so when I need to do some voodoo on my laptop, it’s even more of a hassle for potential attackers. For me, for my risk profile, I believe it has a good return on investment.

I get this is annoying, but any of this supposed to be some kind of safety measure for users against malicious actors?

This is 100% by design and 100% a good thing. “root” aka uid=0 should NOT have unlimited privileges to permanently modify the deepest parts of the OS, as assuming uid=0 is done daily for routine operations. Modifying kernel level stuff should not be possible from this daily use privilege level. It’s an ancient holdover from Unix time sharing systems that are approaching a hundred years old.

If you think it’s bad, you don’t know why it was built - google Chesterton’s Fence. You, the user, still have 100% ability to modify your system however you choose - if you first clearly indicate that you ARE the user, and not just some random-ass installer running under admin privs, which is a completely normal and common occurrence. A higher privilege level that is used to protect OS integrity is a wonderful thing. If you think there is a better or safer way to access it, please submit your suggestions to Apple, but don’t assume the guardrails around System Integrity Protection (1TR etc) are slapdash or unreasonable or poorly thought out.

Phrased a little more harshly than I would've, but I agree. SIP keeps any random process running as the device owner from running amok and paving over the system. You have to jump through just enough hoops to disable it that a rogue process can't automatically do it against you.