Does booting an alternate OS still work to get around it, or have Apple thought of that route and somehow blocked it too?
(I have limited experience with OS X - only briefly played around with driver development and bootloaders in the 10.4 era with osx86 - and I did have to boot from the DVD a few times when I made the system unbootable.)
This raises the question, what good is root if it's not really root anymore?
This has been the plan for several years. I remember seeing block diagrams for GlobalPlatform's Trusted Execution Environment[1] that were based on the idea of the "Rich OS" (OSX, Linux, etc) being able to run more or less normally, with something that isn't really a hypervisor providing the "secure"/"trusted" environment.
The idea is to use a combination of a SecureBoot-style trusted boot sequence and technologies like Intel's SGX instructions to create an area that is protected from everything else, root included.
Ever since (heavily controlled) iOS was accepted by the tech crowd as a replacement for a proper General Purpose Computer, we've been slowly losing more and more control. At least there seem to be workarounds for this particular OSX "feature". It is incredibly important to stop this trend now; it will be a lot harder to work around these restrictions when it gets hardware support.
> Does booting an alternate OS still work to get around it, or have Apple thought of that route and somehow blocked it too?
It's easier than that. It's just a kernel argument to disable it. Simply add "rootless=0" to your boot-args and you have control of your machine back.
I'm running the 10.11 beta and I've already had to disable rootless because I like to have /usr/local as a symlink to somewhere else and by default the rootless configuration prevents writes to /usr. :-/
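A defender-side check for the boot-arg discussed above, added here as an example and not taken from the thread: it parses captured `nvram boot-args` output (assumed to be printed as name, tab, value) and reports whether the `rootless=0` override is set, so an admin can audit a fleet for machines where SIP was switched off this way.

```python
# Constructed sample of `nvram boot-args` output on a 10.11 beta machine where
# the poster added rootless=0 (assumption: nvram prints "name<TAB>value").
SAMPLE_NVRAM_OUTPUT = "boot-args\t-v rootless=0 debug=0x144\n"


def parse_boot_args(nvram_output: str) -> dict:
    """Return the boot-args string as {key: value}.

    Bare flags such as -v map to None; key=value tokens keep their value.
    An error line (variable not set) yields an empty dict.
    """
    args = {}
    for line in nvram_output.splitlines():
        name, sep, value = line.partition("\t")
        if not sep or name.strip() != "boot-args":
            continue  # error message or some other variable
        for token in value.split():
            key, eq, val = token.partition("=")
            args[key] = val if eq else None
    return args


def sip_disabled_by_boot_args(nvram_output: str) -> bool:
    """True when rootless=0 is present, i.e. SIP was disabled via boot-args."""
    return parse_boot_args(nvram_output).get("rootless") == "0"


if __name__ == "__main__":
    # On a real Mac: nvram_output = subprocess.check_output(["nvram", "boot-args"], text=True)
    print("SIP disabled via boot-args:", sip_disabled_by_boot_args(SAMPLE_NVRAM_OUTPUT))
```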
Apple has stated that the "rootless=0" boot argument to disable System Integrity Protection is temporary and will be gone in the GM version of El Capitan. Allowing this route to disable the feature would defeat the entire purpose of it.
Source? They said in the WWDC session (http://asciiwwdc.com/2015/sessions/706) that the process to disable rootless may change during the beta, but didn't say that it won't be possible in the GM.
They know that rootless will break some applications/drivers, plus some types of development may need it disabled.
You are allowed to write to /usr/local. But making /usr/local itself into a symlink requires writing to /usr which is prohibited. So I was screwed but for the normal case it should work fine.
There is a supported option to disable SIP from recovery mode, so there's no need to get around it per se. (Recovery mode because it would be hard to impossible to verify the user's intent when malware that already has root privileges is running...)