I use my /etc/hosts file as a personal firewall to block unwanted domains, and I want to make it immutable—even from myself—so I don’t easily modify it on impulse. My goal is to use macOS’s System Integrity Protection to enforce this restriction.
Do you have thoughts on this approach? I got this from an LLM but am unsure if it is the best approach in this scenario, and I do not want to brick my Mac.
- Enter macOS Recovery Mode
  - Restart your Mac and hold Cmd + R until the Apple logo appears.
- Disable SIP & Authenticated Root:
  - Open Terminal in Recovery Mode and run:

        csrutil disable
        csrutil authenticated-root disable

- Modify /etc/hosts in Normal Boot:
  - Reboot and edit /etc/hosts as needed.
- Re-enter Recovery Mode and Lock the File:
  - Run the following commands in Recovery Terminal:

        mount -uw "/Volumes/Macintosh HD/System/Volumes/Data"
        cd "/Volumes/Macintosh HD/System/Volumes/Data/etc"
        chflags restricted,schg hosts
        csrutil enable
        csrutil authenticated-root enable

- Re-enable FileVault

- Does this method seem correct for making /etc/hosts immutable under SIP?
- I am wondering if there is a simpler solution that doesn’t require disabling and enabling FileVault. Seems this would take a lot of time decrypting and re-encrypting my entire drive.
- Are there better alternatives for achieving this level of protection?
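
A check for whether the lock step above took effect, as an added example that is not part of the original post: it reads the flags column of a macOS `ls -lO` line and reports whether both `schg` and `restricted` are set. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the two flags from the chflags step a file
# carries, using a macOS `ls -lO` line. Field 5 is the flags column
# ("-" when no flags are set).

# Print the flags column of one `ls -lO` line.
flag_field() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# has_flag FLAGS NAME -> exit 0 if NAME is in the comma-separated FLAGS.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a line against the two flags the procedure sets (schg, restricted).
lock_state() {
    flags=$(flag_field "$1")
    if has_flag "$flags" schg && has_flag "$flags" restricted; then
        echo "locked"            # both flags from the chflags step are present
    elif has_flag "$flags" schg || has_flag "$flags" restricted; then
        echo "partial:$flags"    # only one of the two flags is present
    else
        echo "unlocked"          # neither flag is set
    fi
}

# Constructed sample lines (not captured from a real system).
SAMPLE_LOCKED='-rw-r--r--  1 root  wheel  schg,restricted 213 Jan  1 00:00 /etc/hosts'
SAMPLE_PARTIAL='-rw-r--r--  1 root  wheel  schg 213 Jan  1 00:00 /etc/hosts'
SAMPLE_PLAIN='-rw-r--r--  1 root  wheel  - 213 Jan  1 00:00 /etc/hosts'

# On a Mac, audit the live file; elsewhere, fall back to the samples.
if [ "$(uname)" = "Darwin" ]; then
    lock_state "$(ls -lO /etc/hosts)"
else
    for line in "$SAMPLE_LOCKED" "$SAMPLE_PARTIAL" "$SAMPLE_PLAIN"; do
        lock_state "$line"
    done
fi
```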