
Yes but that's all or nothing then. And you lose out on some functionality.

There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.

This is not OK, there should be a way for me to sign files so they are marked as valid.

I don't think the read-only OS partition or the SIP is a bad idea. The bad part is that Apple is the only one who controls it.



> I don't think the read-only OS partition or the SIP is a bad idea. The bad part is that Apple is the only one who controls it.

Not true.

Most of Apple's features are for keeping newbies and users who think they know what they're doing from shooting themselves in the foot.

Apple documents how to disable SIP [1].

[1]: https://developer.apple.com/documentation/security/disabling...


You cannot re-enable SIP with a different root of trust, it’s Apple or nothing. That’s unfortunate.


If you are smart enough to turn off the SIP training-wheels, you are smart enough to figure out for yourself which software you trust to install.


With all due respect, a person doesn't have to be that smart to cut and paste something from a Google search while not completely understanding the consequences.


> There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.

Does putting your custom options in something like:

/etc/ssh/sshd_config.d/disable-passwords.conf

no longer allow custom sshd config to survive updates? It's like if you're configuring daemons on, say, Ubuntu the "right way" so you don't get a ton of those prompts during apt-updates asking you if you want to accept the maintainer's config file or roll the dice and keep your own.


Good point, I have not tried that. Pretty sure when I still used macOS this didn't work. I think Mojave or Catalina was the last one. In the end I just had enough of macOS, this was only one of the many reasons. The lack of choice in UX configuration is another one.

Opinionated software is great if your opinion is aligned with the vendor's, but Apple has been moving away from mine ever so slowly since peak macOS, which was around Snow Leopard for me.

I really love how KDE gave me all the options back that I missed for so long. Finally virtual desktops in a grid again. And choosing what I want my UI to look like (and not forced changes on me every year)


The problem is that any way for you to sign files is also a way for malware to convince a less technically-adept user to sign it. Even if the dialogue that pops up for this says “Never ever do this unless you know exactly what you are doing, if a program you are running brought this up then it is probably trying to HACK you!”, people will click through it on autopilot and then maybe go ask what it meant afterwards.


But then they get exactly what they deserve.

I have a feeling it's not only that though. Apple is rapidly expanding from a hardware to a media content vendor and they have reasons to want to protect their own content as much as possible.


> There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.

This is now possible for SSH, btw.

They finally support /etc/ssh/ssh[d]_config.d/ where you can add your customization files, and they won't be squashed by an OS update.

So they finally picked up on the technique Linux has been using forever.
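
Added example, not part of the thread: sshd keeps the first value it obtains for each keyword and expands `Include` globs in lexical order, so whether a drop-in like the `disable-passwords.conf` mentioned above takes effect depends on where the `Include` line sits and how the file is named. The script resolves one global keyword under those rules over a constructed config tree; the file names, temp layout and helper functions are assumptions, and `Match` blocks and nested includes are ignored.

```shell
#!/bin/sh
# Added example: resolve one global sshd keyword the way sshd does, i.e. the
# first value obtained wins and Include globs expand in lexical order.
# Simplified (assumption): no Match blocks, no nested Include, absolute paths.

# first_in_file FILE KEY: print KEY's first value in FILE (KEY is lowercase).
first_in_file() {
    awk -v k="$2" 'tolower($1) == k { print $2; hit = 1; exit }
                   END { exit !hit }' "$1"
}

# effective_option MAIN_CONFIG KEYWORD: print "value file" for the winning line.
effective_option() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while read -r word rest; do
        case $(printf '%s' "$word" | tr '[:upper:]' '[:lower:]') in
            include)
                for f in $rest; do            # unquoted so the glob expands, sorted
                    [ -f "$f" ] || continue
                    if val=$(first_in_file "$f" "$key"); then
                        echo "$val $f"; return 0
                    fi
                done ;;
            "$key")
                echo "${rest%% *} $1"; return 0 ;;
        esac
    done < "$1"
    return 1                                  # keyword unset: sshd default applies
}

# Constructed sample tree (not a real macOS layout) in a temp directory.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\n' \
        > "$d/sshd_config.d/000-disable-passwords.conf"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/100-vendor.conf"
    # Include placed first: the drop-in beats the later line in the main file.
    printf 'Include %s/sshd_config.d/*\nPasswordAuthentication yes\n' "$d" \
        > "$d/include_first"
    # Include placed last: the main file's own line is obtained first and wins.
    printf 'PasswordAuthentication yes\nInclude %s/sshd_config.d/*\n' "$d" \
        > "$d/include_last"
    echo "$d"
}

d=$(make_sample)
effective_option "$d/include_first" PasswordAuthentication
effective_option "$d/include_last" PasswordAuthentication
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check after adding a drop-in.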


What about editing `/private/etc/ssh/sshd_config` does not persist for you?


That file is overwritten on OS updates. At least, it used to be.


This yes. It even used to put it on the desktop in a passive aggressive way of saying "keep your shit to yourself" :)



