macOS System Integrity Protection

With the introduction of OS X El Capitan, Apple added SIP (System Integrity Protection) as a control mechanism that protects system-wide files and directories from being altered, even by root. It is therefore also referred to as Apple’s rootless solution, and Apple describes it as a necessary requirement to improve the security of macOS El Capitan and up. It is on by default. But thankfully we can still disable it with a few steps and reboots.

tl;dr System Integrity Protection within El Capitan and up is an added layer of security by Apple, and on by default. This blog post gives you the steps to turn it off and on.

If you wish to read up on the details of SIP, check a wiki page, but here’s how you can boot into recovery mode, disable SIP, etc.

Some of us will have legit reasons to require a bit more access to our system files and directories beyond average use. A few examples are: installing the great app Bartender 2, fixing the kernel_task memory allocation issue, installing the missing package manager Homebrew, creating a dual boot to Linux, or needing access to /System or /usr as a developer, stuff like that.

Please note though that I personally strongly recommend leaving SIP on. It helps fight malware infection, and it helps prevent someone from gaining access to your Mac or your files remotely through privilege escalation exploits. So, if you really need to turn it off, know what you are doing, and turn it back on as soon as you’re done.

Step 1. (boot into recovery mode)
Shut down your Mac, then power it back up. To avoid booting normally – and to get it to boot into Recovery Mode – press both the [Command] and [R] keys on your keyboard.

Step 2. (disable sip in terminal app)
Now that we have completed booting into Recovery Mode, we have to start the Terminal app and type a command to disable SIP.
From the top menu bar select Utilities, and select Terminal.
Once you have a Terminal window, type the following command and press the [Enter] key:
$ csrutil disable

Step 3. (reboot to regular mode)
You are halfway there. The next thing to do is restart the Mac and boot back into your regular mode (and not Recovery Mode again).
Once your system is done booting, do your thing. You can now install those apps, complete your development, etc. as you have access to system protected files and folders again. But again, please do the last step and turn SIP back on again.

Step 4. (enable sip again)
Done with what you needed to do? Great, I am glad this blog post was helpful. Please share it on Facebook and/or Twitter. But you aren’t done. You have to shut down your system again, boot back into Recovery Mode, and open Terminal again. We have to enable SIP again with the following command, followed by the [Enter] key:
$ csrutil enable
Yep, now all there is left to do is restart the system and boot back into Regular Mode again.
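
To confirm that Step 4 actually took effect, you can check the output of csrutil status once you are back in Regular Mode. The script below is an added example, not part of the original post; the function names classify_sip and sip_check are made up for illustration, and the sample status line in the fallback branch is constructed.

```sh
#!/bin/sh
# Added example: classify SIP state from the text printed by `csrutil status`.

# classify_sip: reads status text on stdin and prints one of
# enabled | disabled | custom | unknown
classify_sip() {
    sip_state="unknown"
    while IFS= read -r sip_line || [ -n "$sip_line" ]; do
        case "$sip_line" in
            # Partially enabled SIP is reported with this suffix; check it first
            # because the same line may also contain "enabled".
            *"System Integrity Protection status:"*"Custom Configuration"*)
                sip_state="custom" ;;
            *"System Integrity Protection status: enabled"*)
                sip_state="enabled" ;;
            *"System Integrity Protection status: disabled"*)
                sip_state="disabled" ;;
        esac
    done
    printf '%s\n' "$sip_state"
}

# sip_check: reads status text on stdin; returns 0 only when SIP is fully enabled.
sip_check() {
    case "$(classify_sip)" in
        enabled)
            echo "OK: SIP is enabled"; return 0 ;;
        disabled)
            echo "WARNING: SIP is disabled; run 'csrutil enable' in Recovery Mode"
            return 1 ;;
        custom)
            echo "WARNING: SIP is only partially enabled (custom configuration)"
            return 2 ;;
        *)
            echo "UNKNOWN: could not parse csrutil output"; return 3 ;;
    esac
}

if command -v csrutil >/dev/null 2>&1; then
    # On a Mac: check the live state.
    csrutil status | sip_check
else
    # Not on macOS: run on a constructed sample line instead.
    printf 'System Integrity Protection status: disabled.\n' | sip_check || true
fi
```

A non-zero exit status means SIP is not fully enabled, which makes the script usable as a reminder in a login script or a fleet compliance check.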

Quick Summary: Using csrutil you can disable or enable SIP, which has to be done in Recovery Mode (cmd+r to get there). Leave it enabled, and only disable it when you really-really need to and know what you’re doing.

