How to modify System Integrity Protection in El Capitan

In case you have software hindered by it.

El Capitan ships with a new OS X feature: System Integrity Protection (SIP), also known as “rootless” mode. This reduces the attack surface for malware that relies on modifying system files by preventing any user, whether with system administrator (“root”) privileges or not, from modifying a number of operating system directories and files.

It doesn’t eliminate the possibility of malware or folks finding a way to subvert this mode, but it does increase the difficulty of finding a hole to penetrate. All such changes discourage those who hack for profit or destruction, because the more time an attack takes and the less likely it is to succeed, the more often they turn to other operating systems and targets.

However, a few system-modifying and system-extending software programs can’t work properly under SIP, as I discussed back in July in covering this feature and a simple workaround available in the public betas. The golden master (final release candidate) and shipping version of El Capitan have a minor change that makes it harder, but not impossible, to turn SIP off.

Early reports of problems with rootless mode seemed to indicate that a wider set of software might be unable to work with the restriction enabled, such as SuperDuper! from Shirt Pocket Software. However, Apple made changes during beta testing that resolved concerns with that app and others. (Shirt Pocket had to update SuperDuper! to deal with the omission of an open-source program, which breaks scheduled updates; those have to be re-created in the El Capitan-compatible release.)

At the moment, only a few widely used utilities won’t work with SIP enabled:

  • Default Folder 4.7 from St. Clair Software. However, the developer is hard at work on version 5, which won’t need to bypass SIP. It’s expected out as early as the end of October, and is free to new purchasers of 4.7 from this point on.

  • BinaryAge will discontinue new development on its TotalFinder software that enhances the Finder, which will have some features missing. It will keep supporting TotalSpace2, a desktop spaces manager, but that app will require disabling SIP to function.

Rogue Amoeba has opted to discontinue Intermission, which it says wasn’t one of its big sellers, as it is incompatible with SIP, and incorporated its functionality into Audio Hijack.

There were previously concerns about a few utilities that have been resolved:

  • Surtees Studio’s Bartender 1.3—a menu bar app organizer—could work with SIP using a round-trip to Recovery with two restarts (disable, install, enable), but the developers were able to finish Bartender 2.0 in time for El Capitan’s release. The new version is fully compliant within SIP.

  • Disk Sensei 1.2 and Trim Enabler 3.1 from Cindori now work without rootless turned off; earlier versions did not.

  • Both SuperDuper! and Carbon Copy Cloner work with SIP enabled.

Disabling rootless mode in El Capitan beta required just selecting a menu item after booting into the Recovery disk. Now, it’s slightly more involved with El Capitan.

Warning: The point of SIP is to prevent malware and other unwanted modifications to system files. Consider whether or not you want to dispense with this protection.

For the following to work, you must have a proper and up-to-date Recovery partition on your boot drive. While that should be a given, it’s possible to clone a startup volume without Recovery installed.

From the Utilities menu in Recovery select Terminal.

Use the Terminal in Recovery to enter the SIP-disabling command.

Follow these steps to disable SIP:

  1. Restart your Mac.
  2. Before OS X starts up, hold down Command-R and keep it held down until you see an Apple icon and a progress bar. Release. This boots you into Recovery.
  3. From the Utilities menu, select Terminal.
  4. At the prompt type exactly the following and then press Return: csrutil disable
  5. Terminal should display a message that SIP was disabled.
  6. From the Apple menu, select Restart.

You can re-enable SIP by following the above steps, but using csrutil enable instead.
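
After a round trip through Recovery, the resulting state can be confirmed from a normal boot with csrutil status. The script below is an added example, not part of the original article: it classifies that command's output so a partial or disabled configuration is not mistaken for full protection. The function names are hypothetical, and the sample outputs are constructed on the assumption that the status line reads "System Integrity Protection status: <state>."

```shell
#!/bin/sh
# Added example: classify the text printed by `csrutil status`.
# Assumption: the status line has the form
#   "System Integrity Protection status: <state>."
# sip_state and sip_check are hypothetical helper names.

# sip_state TEXT -> prints one of: enabled | disabled | custom | unknown
sip_state() {
    case "$1" in
        # A custom configuration can report "enabled" while individual
        # protections are switched off, so test for it first.
        *"Custom Configuration"*)
            echo custom ;;
        *"System Integrity Protection status: enabled"*)
            echo enabled ;;
        *"System Integrity Protection status: disabled"*)
            echo disabled ;;
        *)
            # Unrecognised text (older OS X, command missing, new wording).
            echo unknown ;;
    esac
}

# sip_check TEXT -> succeeds only when SIP is fully enabled.
# Anything else, including "unknown", is treated as not protected.
sip_check() {
    [ "$(sip_state "$1")" = "enabled" ]
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Kext Signing: disabled'

# On a Mac, also report the live system; skipped where csrutil is absent.
if command -v csrutil >/dev/null 2>&1; then
    live=$(csrutil status 2>&1)
    echo "live system: $(sip_state "$live")"
fi
```

Run it after re-enabling SIP; any result other than enabled means the machine is still running without the full protection.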
