Restrict super user write access to some files

filesystemrootsip

Is there a way to add folders to the SIP (System Integrity Protection) configurations in order to prevent them to be modified by the root user?
Or any other way not involving System Integrity Protection?
I want to protect the host file so I can block distracting websites and not being able to modify it as a root user. As a developer, I still need to be a root user so deleting sudo is not an option.

I'm looking for a solution which is independent from my internet connection.

Best Answer

SelfControl

SelfControl is an open source project aimed at restricting distractions:

SelfControl is a free and open-source application for macOS that lets you block your own access to distracting websites, your mail servers, or anything else on the Internet. Just set a period of time to block for, add sites to your blacklist, and click "Start." Until that timer expires, you will be unable to access those sites—even if you restart your computer or delete the application.

Pi-Hole

To block distracting websites and services on all your devices, consider blocking them on your network using Pi-Hole.

With this approach you avoid needing to modify your macOS configuration.

Related Solutions

MacOS – Other than user error, what types of attacks would SIP prevent

From Apple's page About System Integrity Protection on your Mac

Before System Integrity Protection, the root user had no permission restrictions, so it could access any system folder or app on your Mac. Software obtained root-level access when you entered your administrator name and password to install the software. That allowed the software to modify or overwrite any system file or app.

So, based on the premise of your question, a good sys admin would have used strong passwords, admin permissions to only users/apps that you trust and only using sudo when necessary.

Ok...let's look at a hypothetical, but entirely plausible scenario: Installing VirtualBox.

Assume for a moment, that the VirtalBox site got hacked and a malicious version of VB was uploaded and made available as genuine. Since to install VB it requires root privileges, you would invariably use sudo to install it (this is why it asks you for your password).

Without SIP, it could write to any of the protected areas as root installing itself with full admin privileges to do whatever nefarious things it wanted to do. It's important to note that the security practices you enumerated in your question never came into play.

It's just another layer of protection.

A Mac with SIP is no more or less safe than a Windows 10 machine with System Protection enabled. "Linux" is too broad a topic to make a statement. However, there is Oracle "Hardened" Linux (version of RedHat Enterprise) that has these features.

MacOS – How do system services modify protected directories with system integrity protection

Time Machine backup protection isn't related to System Integrity Protection — SIP is for protecting system files. Instead, TMSafetyNet.kext is responsible for enforcing protection of backups and permitting Time Machine to make changes only.

You can edit backups using the ‘bypass’ CLI tool.

sudo /System/Library/Extensions/TMSafetyNet.kext/Contents/MacOS/bypass

Append the tool you want to use at the end as if you were using it normally, for example:

sudo …/bypass rm -rf /Volumes/Backups/Backups.backupdb/path/to/folder

This protection of backups predates the introduction of SIP, but I imagine the file protection feature of SIP was inspired by how the Time Machine backups protection works, so they have their similarities.