Sorry, Unix fans: OS X El Capitan kills root

Root is no longer supreme in El Capitan, but the real bad news is a breaking change in legacy driver support

Sorry, Unix fans: OS X El Capitan kills root
Credit: Shutterstock

If you haven't heard, Apple has locked out root from various file system paths and core functions in Mac OS X 10.11 El Capitan. The new sheriff here is System Integrity Protection (SIP), which reduces root privileges in an attempt to increase security. 

The gist is that no user -- not even root -- can write to /usr, /bin, /System, and /sbin or debug protected processes. Apple has also removed the ability to use unsigned kernel extensions through boot-time flags. It's important to note that SIP can be disabled, through the recovery partition, but this will typically be done only for development and testing purposes. 

From a Unix purity perspective, this ain't great. There's a reason that root exists, and there's a reason why root has omnipotent access to the system. It's part of the Unix philosophy. That said, Mac OS X 10.11 may be Unix, but it's not a server. It may not even be a workstation in the traditional sense anymore. It's now a desktop OS exclusively, and treatments like this should be expected.

First, SIP is essentially forcing developers to make better choices. We'd all agree that third-party software that adds files to /bin and /sbin is generally a bad idea. Nevertheless, we've grown used to third-party executables winding up in /usr/bin or /usr/sbin in Linux, because the distros' own package managers tend to use those locations. 

BSD prefers /usr/local/ for all additional software installation, and that's what SIP enforces. If you want to add system files, put them under /usr/local. Root has full privileges there. Apple also locked up /System for the same reasons. Apple really wants developers to use /Applications for everything, which makes all kinds of sense in the OS X world.

From the file system perspective, SIP could be considered enforcement of proper Unix etiquette, which should be lauded. It may seem heavy-handed to Unix folks, but for the purposes of protecting a "normal" user's desktop, it's not a bad thing. The prevention of process profiling may also seem a bit rough -- you can't run DTrace on a protected process or a number of other debugging tools. This will hamstring a very small segment of the OS X installed base, but it shouldn't be a problem for the vast majority of users. 

Frankly, the normal MacBook Pro or iMac user won't notice or care, and the few developers who run into problems with SIP are either doing something wrong to begin with or developing at a level that would likely preclude App Store distribution anyway.

There's a bigger problem lurking with dropping support for unsigned kernel extensions. Yes, this is a security risk. However, as I've mentioned in the past, it renders perfectly good legacy drivers useless. That means your expensive hardware could suddenly become useless with an OS update. Previously, it was possible to set a boot-time flag that allowed the extensions to load, but that's gone.

This will either lead to a never-before-witnessed miracle of hardware companies updating drivers for recently discontinued products or a whole boatload of people who use Macs with hardware even only a few years old will not be able to upgrade to El Capitan. Or even worse, they won't pay attention, will upgrade, and will discover that they need to buy new hardware because downgrading back to a stable system with full data restoration can be quite difficult unless they planned ahead.

I find it hard to fault Apple for some of the SIP policies, but I would caution the company against tipping too much further into walling off the OS and narrowing the upgrade and downgrade paths. Apple may be trying to protect and simplify life for its casual users, but it's doing so at the expense of high-end users and developers. Considering the vast numbers of Macs used for high-end video and audio production, photography, and software and hardware development of every stripe, it may be best not to upset that, um, apple cart. 

Note: Literally the second I filed this column, I received an email from Apogee Electronics stating that its Ensemble hardware, an expensive and highly regarded audio interface, will not be supported on Mac OS X 10.11 El Capitan. This interface was discontinued less than three years ago and cost roughly $2,500 new. I own one. It used to be that when you bought expensive audio production hardware, you expected more than a few years of use.

But don't be so quick to blame Apogee. With El Capitan, Apple has discontinued development and maintenance of its FireWire Core Audio driver, which will cause problems with a huge number of other hardware devices as well. 

Thanks again, Apple!

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.