Protect hosts file

command linehostsSecurityterminal

I am under the impression that there is no real way to protect the hosts file completely without creating a none-admin user account on my Mac and setting the password of the admin account to one that I won't remember.

So therefore I would like to make editing of my hosts file difficult as a next-best alternative.

I have read that it is possible to set a system immutable flag on specific files which would need to be disabled before the files are able to be edited.

So of course it would still be possible to edit the hosts file, but it would at least make it a bit trickier.

Is this a recommended approach? or is there a better way to achieve it?

Best Answer

Protecting with ‘schg’, the system immutable flag, is a potential solution, depending on how much protection you need. You can set the schg flag using

sudo chflags schg /etc/hosts

Removal of the protection depends on your kernel security level. Run sysctl kern.securelevel:

1 means you need to boot to single-user mode to run chflags noschg /etc/hosts,
0 means you can simply sudo chflags noschg /etc/hosts.

Instead of schg, you can use System Integrity Protection's restricted flag in El Capitan and later. You can boot to the Recovery HD to set the flag using chflags restricted /etc/hosts.

This protects the file from modification whilst SIP is enabled, which is enabled by default and can only be disabled by booting to the Recovery HD and running csrutil disable.

Check the status of SIP by running csrutil status: if it is enabled, any files with the restricted flag cannot be modified without disabling SIP from Recovery first or by installers signed with Apple's Software Update certificate (even root cannot modify the file).

Related Solutions

Multiple IP addresses for same host name in /private/etc/hosts

Unfortunately, the answer is no. The hosts file is a static lookup file, and because of this it has no concept of multiple-address per name failover, round-robin, or other features baked into the name resolver.

You can specify multiple names for a given IP address, but not multiple IP addresses mapping back to a single name.

Dare I ask, why can't you access the external interface of the mailserver while internal to your office? We configure all of our clients to use Mail/Jabber externally so they never run into this issue.

Despite conventional wisdom, using the external interface when internally does not "pull all the way across the internet", if configured correctly, of course.

MacOS – launch the File (Save/Open) Dialog from the command line

This can be done using AppleScript, like in the question you linked to. Watch out, this is not the same as Automator.

Example script:

osascript -e 'tell application (path to frontmost application as text)
set myFile to choose file
POSIX path of myFile
end'

This uses the simplest form of the choose file command, and puts the result in the variable myFile. The result will be of type alias, which has a POSIX path property, which we read in the next line. The result will be written to stdout.

Look here for all the possible optional options to the choose file command. You can e.g. provide a custom prompt text, choose a default location, or only allow certain file types.

Best Answer

Related Solutions

Multiple IP addresses for same host name in /private/etc/hosts

MacOS – launch the File (Save/Open) Dialog from the command line

Related Question