Learn about the new System Integrity Protection (SIP) tool in OS X El Capitan. Understand how SIP works and how to enable and disable it. Learn how SIP protects organizations and their users. Find out how to administer SIP and which directories' permissions are changed by it. Learn how to work with, and around, System Integrity Protection, and list all of the directories it affects.
- Don't just disable System Integrity Protection. Learn how you're going to use it from now on, and what the misnomer "rootless" means to Mac system administration with System Integrity Protection. Let's start by talking about what System Integrity Protection is. Apple decided that, in the state that most Macintosh systems exist in the world, with one admin user account, used by a user who may not understand the security implications of entering their admin password into a presented authentication dialog, it's much safer if they remove the ability for that admin user to enter a root session that could potentially overwrite sensitive information within the operating system.
This is sometimes called a rootless system, but that's not really true, as the root user and the ability to enter a sudo session still exist. Instead, SIP simply protects system files from being changed by anyone but Apple. To see the list of directories protected by System Integrity Protection, you can type the following into Terminal. To do this we're going to go to the Go menu, pull down to Utilities, open Terminal, and make it a little bit bigger so you can see what we're doing here. Then we're going to type "cd /System/Library/Sandbox/Compatibility.bundle/Contents/Resources". That puts us into a directory where, if we type "ls" to list the contents, we see something called paths.
All we need to do in order to preview what's in paths is type "less paths", hit return, and then we can see all of the different paths that are protected by System Integrity Protection. I'm just hitting the space bar to page through this list. Hit q to get out of the list when you're finished reviewing it. If you wanted to save that for later review, you would type "less paths", a space, then ">", a space, and then the path where you want to save it.
I'm going to put it in this user's Desktop folder by typing "~/Desktop/" and then "paths.txt". This creates a text document with the contents that less spat out when it read the paths file. I do that, and boom, you see it pop right up on the Desktop. And if I open that file, it's got the contents we were reviewing before, except that now I can just leave it on my Desktop and review it whenever I wish, and I haven't damaged anything.
It's worth noting that if you turn off System Integrity Protection, that list goes away. So you would want to do this before disabling SIP, if that's what you're going to do. If you perform an upgrade from a previous version of OS X, what you'll see is that the OS will quarantine files that were placed in protected pathways by installations performed on the previous OS. Anything that old applications put into folders or pathways that are protected under El Capitan's System Integrity Protection is going to be quarantined.
The quarantined files are moved into /Library/SystemMigration. If you cd into /Library, type "SystemMig" and hit tab, and it doesn't complete, it means that you did not upgrade from a previous version and so this pathway does not exist. The rest of the pathway, which I'll type for you here so you can see it, is /Library/SystemMigration/History/Migration-<UUID>/QuarantineRoot, where <UUID> would be a long, long, long number and QuarantineRoot is the folder that holds them. All right? So all of that will be quarantined within this directory for you.
I'm going to quit Terminal. Now, another feature of System Integrity Protection is that it protects kernel extensions from running errant code. A kernel extension, or kext, is a bundle that extends the kernel, okay? And with System Integrity Protection, kernel extensions have to be signed with a Developer ID certificate and installed into /Library/Extensions. They can't install into /System/Library/Extensions, because that's a protected area.
When a process is started, the kernel checks to see whether the main executable is protected on disk or is signed with a special system entitlement. If either is true, then a flag is set to denote that it's a protected resource, and it's protected against modification. Any attempt to attach to a protected process is denied by the kernel. So this feature not only protects the system by making certain directories unwritable, it also provides real-time validation of code being launched by the kernel to extend its functionality, to be sure the extension is trusted.
System Integrity Protection configuration is stored in NVRAM rather than in the file system that you're working in here. So, as a result, the configuration applies to every installation of OS X across all volumes on the entire computer. This includes externally attached bootable volumes, and it persists across all OS X installations that support System Integrity Protection, which, of course, currently only includes El Capitan. So obviously, even though it's stored in NVRAM, this wouldn't affect Yosemite, because Yosemite doesn't know anything about System Integrity Protection.
System Integrity Protection can be enabled or disabled using the csrutil command, only while booted from the recovery partition, from its included Terminal application. You can check whether System Integrity Protection is turned on by running the following command in Terminal while booted normally. So, again, we're going to go into Terminal, type "csrutil status", and hit return, and it tells us that System Integrity Protection status is disabled.
So we're going to have to boot into the Recovery HD partition in order to enable System Integrity Protection again. It has been disabled because we've been going back and forth and playing with it here on the recording system. We're going to show you what it means to go in and do this at the command line, in Terminal, in the recovery partition. To begin, we restart the computer and hold down Command-R on the keyboard.
When you boot into the recovery partition, you're presented with an OS X Utilities window, and under the Utilities menu you pull down to Terminal. When you open Terminal you can do the same thing you can do on a standard Mac, which is increase the size, but notice that the command prompt has changed: I'm no longer in my regular user account; instead I'm here as root, essentially, in the recovery partition.
All right, so when we were in Terminal on our Mac, booted normally, we noted that System Integrity Protection had been disabled. In order to enable it, we simply type "csrutil enable" and hit return: "Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect." We type "exit", we quit, we go up here and hit Restart, and upon restart we will have ourselves a fully protected system.
If we wanted to change that to disabled, we would do exactly the same thing again. So, here we are back on our system. If we go to the Go menu, pull down to Utilities, open up Terminal, and run the exact same command we did before, "csrutil status", we can now see that System Integrity Protection status is enabled, which is exactly what we would want. So that is what you need to do in order to administer csrutil from the command line in the recovery partition, to enable System Integrity Protection or disable it.
Remember, the same thing works if you type "csrutil disable" while booted from recovery. Another thing I should point out is that if you disable SIP to accomplish some administrative task, or to enable some application or kernel extension that you trust but which has not been rewritten yet to support SIP, be sure to boot back into recovery and re-enable it after your configuration work is complete and the system is ready to be used again. System Integrity Protection is the most dramatic improvement to basic system security in OS X since its original release.
And now, you have a much better understanding of how to interact with it as an IT administrator in El Capitan.
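Here is an added shell helper that pulls the steps above together: snapshot the protected-paths list before touching SIP, read the text that "csrutil status" prints, and check whether a given install location falls under a protected prefix. It is example code written for this page, not from the course or from Apple. It assumes the El Capitan file location named above and that the paths file lists one absolute path per line; the sample list and the function names (sip_state_from_output, sip_state, snapshot_paths, is_protected, sip_preflight) are constructed for the illustration, and the real list may carry exception entries (Apple exempts /usr/local, for instance) that this plain prefix check does not interpret.

```bash
#!/bin/bash
# Added example (not from the course): pre-flight helper for the SIP workflow
# described above. Assumes the El Capitan paths file location and the
# "System Integrity Protection status: enabled." / "...: disabled." wording
# of `csrutil status`. Everything else here is a constructed sample.

PATHS_FILE="/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths"

# Constructed stand-in for the paths list (assumed format: one absolute path
# per line). Used only when the real file is absent, e.g. off a Mac or after
# SIP was already turned off. It is a sample, not Apple's actual list.
SAMPLE_PATHS='/System
/bin
/sbin
/usr'

# Parse the text of `csrutil status`. Prints enabled|disabled|unknown and
# returns 0 only for enabled, so it can be used directly in an if.
sip_state_from_output() {
  case "$1" in
    *"status: enabled"*)  echo enabled;  return 0 ;;
    *"status: disabled"*) echo disabled; return 1 ;;
    *)                    echo unknown;  return 2 ;;
  esac
}

# Query the live system when csrutil exists; otherwise report unknown.
sip_state() {
  if command -v csrutil >/dev/null 2>&1; then
    sip_state_from_output "$(csrutil status 2>&1)"
  else
    sip_state_from_output ""
  fi
}

# Copy the protected-paths list to $1 (default ~/Desktop/paths.txt), falling
# back to the constructed sample. Do this BEFORE disabling SIP, since the
# list is not available once SIP is off. Prints the number of entries saved.
snapshot_paths() {
  local dest="${1:-$HOME/Desktop/paths.txt}"
  if [ -r "$PATHS_FILE" ]; then
    cp "$PATHS_FILE" "$dest"
  else
    printf '%s\n' "$SAMPLE_PATHS" > "$dest"
  fi
  grep -c '^/' "$dest"
}

# is_protected TARGET LISTFILE: returns 0 if TARGET equals, or lies under, any
# prefix in LISTFILE. Matching is on whole path components, so /usr/local
# matches /usr but /usrx does not. Exception entries in the real list (e.g.
# the /usr/local carve-out) are not interpreted, so that path reads as
# protected here; treat the answer as "needs a closer look", not a verdict.
is_protected() {
  local target="$1" list="$2" prefix
  while IFS= read -r prefix; do
    [ -z "$prefix" ] && continue
    case "$target" in
      "$prefix"|"$prefix"/*) return 0 ;;
    esac
  done < "$list"
  return 1
}

# Convenience entry point, e.g.: sip_preflight /Library/Extensions/Foo.kext
sip_preflight() {
  local target="$1" list
  list="$(mktemp)"
  snapshot_paths "$list" >/dev/null
  echo "SIP is $(sip_state)"
  if is_protected "$target" "$list"; then
    echo "$target is under a SIP-protected path; install elsewhere (e.g. /Library/Extensions)"
  else
    echo "$target is not under a SIP-protected path"
  fi
  rm -f "$list"
}
```

Source the file and call sip_preflight with the location a third-party installer wants to write to; on a Mac with the real paths file present, snapshot_paths also leaves you the copy on the Desktop that the walkthrough above recommends making before any "csrutil disable".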