OS X 10.11 El Capitan introduced a security feature called System Integrity Protection or SIP. It flags certain system directories and files as “Restricted” and they cannot be altered not even using the root account.
|Directories that are jailed by SIP|
|Directories that allow root access for developers|
For better or worse, SIP is a good thing. It not only protects you from malicious intent but it can also protect you from yourself, insuring that only Apple signed software can alter certain system files. And it makes you think twice before meddling where you probably shouldn’t.
That being said there are occasions when you might need access to those system files. Compiling and installing Apache modules for example. Let’s find out how to work with SIP.
Looking for Restricted flags:
To see the flags on file and directories you need to use ls -lO. For example open Terminal and enter:
cd / ls -lO
System Integrity Protection Status:
To see if SIP is active on your computer open Terminal and type:
Unless you’ve already disabled it Terminal should respond with “Protection status: enabled”.
Disabling System Integrity Protection:
So how do we disable it? First you’ll need to boot into recovery mode. Restart your computer and when you hear the start-up chime hold down the Command and R keys. When the system loads elect Utilities from the menubar. Now launch Terminal from the dropdown menu and enter:
csrutil disable reboot
Enabling System Integrity Protection:
Now once you’ve finished the task at hand that required root access to the system, it’s probably wise to turn SIP back on. Again booted into Recovery Mode launch Terminal enter:
csrutil enable reboot