How to work with System Integrity Protection in El Capitan


OS X 10.11 El Capitan introduced a security feature called System Integrity Protection or SIP. It flags certain system directories and files as “Restricted” and they cannot be altered not even using the root account.

Directories that are jailed by SIP
/bin /sbin /usr /System
Directories that allow root access for developers
/usr/local /Applications /Library ~/Library

For better or worse, SIP is a good thing. It not only protects you from malicious intent but it can also protect you from yourself, insuring that only Apple signed software can alter certain system files. And it makes you think twice before meddling where you probably shouldn’t.

That being said there are occasions when you might need access to those system files. Compiling and installing Apache modules for example. Let’s find out how to work with SIP.

Looking for Restricted flags:

To see the flags on file and directories you need to use ls -lO. For example open Terminal and enter:

cd /
ls -lO

System Integrity Protection Status:

To see if SIP is active on your computer open Terminal and type:

csrutil status

Unless you’ve already disabled it Terminal should respond with “Protection status: enabled”.

Disabling System Integrity Protection:

So how do we disable it? First you’ll need to boot into recovery mode. Restart your computer and when you hear the start-up chime hold down the Command and R keys. When the system loads elect Utilities from the menubar. Now launch Terminal from the dropdown menu and enter:

csrutil disable

Enabling System Integrity Protection:

Now once you’ve finished the task at hand that required root access to the system, it’s probably wise to turn SIP back on. Again booted into Recovery Mode launch Terminal enter:

csrutil enable

Post a Comment

Your email is never published nor shared. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>