Saagar JhaThis is your reminder that having SIP turned off allows trivial escalation to root and disabling part of SIP is broadly equivalent, security wise, to disabling the whole thing
Jeff Johnson@saagar It’s broadly equivalent to running Mac OS X 10.10 and earlier.
@saagar Why not?
@lapcatsoftware SIP is now the only line of defense for many things
@saagar There was a defense before SIP?
@lapcatsoftware Assuming they didn’t just let you log in without a password sure
@saagar Could you be less vague? You said it was a reminder, but I’m not reminded of anything, and if I’m not, then I’m not sure who would be.
Joe Groff (1M Context)@lapcatsoftware @saagar not sure exactly what saagar is thinking of, but there are various entitlements which grant an executable root-like abilities as a normal user, and without sip, not much is there to stop a malicious process from granting entitlements to other executables under its control
@joe @lapcatsoftware Exactly this. The post above was a reference to the time Apple accidentally allowed anyone to log in without a password which of course did not involve SIP at all
@saagar @joe I’m confused. Are you referring to the High Sierra “I am root” bug, which you admit that SIP did not protect against? If so, then why would you mention that in this context? It’s a red herring and feels obscurantist.
So far, neither you nor Joe have given a single specific example, which again, is a reminder of absolutely nothing.
@lapcatsoftware @saagar i didn't have an exploit per se in mind, but one thing i was recently playing with in a side project was creating virtual network interfaces with vmnet.framework. creating an interface typically requires root, but if apple grants your executable the `com.apple.vm.networking` entitlement, then that executable can do so as a regular user, or even in the sandbox. but the mechanisms that ensure #OnlyApple can grant that entitlement rely on SIP, AIUI
@lapcatsoftware @saagar i suppose that isn't so different from setuid binaries though
@joe @lapcatsoftware Yeah I mean vaguely you would have the same issue if there was a configuration that convinced ld to let you preload into a setuid binary or that you could mess with their procfs or something