I’m finding it kind of funny that the conversation about this Apple issue bounces between “you don’t own your computer” and “you can fix this problem by editing your hosts file to block the OCSP calls.”
Doesn’t the success of the latter kind of undercut the former?
You're assuming that the ocsp process looks at /etc/hosts. I would not be surprised if it did it's own DNS lookup to a hardcoded DNS nameserver for the ocsp.apple.com lookup.
Your first choice to edit a config file should be: sudo --edit pathname
This trick has the same problem, $() has to be evaluated before sudo sees anything.
I see so many people flailing about here, and I've done it myself. So let's consider why these tricks don't work.
sudo is an ordinary command that accepts an environment, a series of words, and whatever filehandles it inherits.
Read /etc/sudoers to note that it's then munging its environment per the env_reset and env_keep directives.
man sudo notes that it's closing non-standard filehandles, by default.
And, by design, sudo doesn't want you to do clever tricks because it's trying to stop you from hacking the Internets.
Let's also look at what a shell is doing. All a shell really does is munge some environment vars, set up redirections, and ultimately fork itself and run commands.
All the redirection, command substitution, process substitution, etc. must take place either before or after the shell forks to run sudo. All the shell can provide to sudo is command line arguments, environment variables, and usually stdin.
All the shell can get from sudo is going to be a return code, and whatever it can capture from the stdout and stderr.
The 'echo foo | sudo tee -a path > /dev/null' trick works because we redirect stdin, and we delegate opening the file for append to the 'tee' command, which has now been run as the privileged user by sudo, and we ignore the stdout.
Likewise, if you want to read a privileged file, var=$(sudo cat foo) will work, because you get sudo's stdout.
You can try sudo sh -c 'arbitrary shell script', but it's not good general advice as shells are often banned as a security precaution.
Also, if you get curious and want to edit sudoers without locking yourself out by corrupting it, use 'visudo'. Note that it won't prevent you from locking yourself out by removing your own permissions! RTFM, take some notes, and experiment on a machine you have a root account on or can log in via single-user mode.
With all due respect, threads like this are why, despite the philosophical appeal of giving owners control of their machines, putting some hurdles in their way makes sense in practice...
I think Apple's gonna boil the frog on SIP and security in general, slowly restricting what you can disable until it's always on. Apple developers who are committed to the platform will be like Dilbert with the shock collar: "It's not so bad. We're still developing for the most powerful computing platform in the world. Apple needs to do this to protect their users and provide them with the best user experience possible."
2. Open Terminal
3. Run `sudo vi /etc/hosts`
4. Type `G$` (go to end of file)
5. Type `i`, left arrow, enter
6. Type `127.0.0.1 oscp.apple.com`
7. Press esc then type `:x` then press enter
8. Restart
https://gist.github.com/nathanhleung/2ceeda4c743f2a1cf3d670c...
Some updated procedure.