Turning off System Integrity Protection (a.k.a. Rootless)


OS X El Capitan comes with a nifty little security feature designed to mitigate possible attack vectors inherent to most operating systems – the ability to execute commands at the root level. This feature (called System Integrity Protection, but better known as “rootless” mode) comes turned on automatically with any El Capitan upgrade.

System Integrity Protection (SIP) makes it more difficult for malicious code to be executed with high-level permissions, which is a great step in the right direction for overall security of the popular OS. Though it’s far from making OS X 100% secure (see this video on a discussion of 100% security), it definitely poses a few more obstacles in the way of the coveted root access. It’s a good attempt by Apple to force attackers to seriously consider which OS will give them a better ROI on their time spent scheming and hacking.

So, if this is such a great feature, why would you ever want to turn it off? Well, while it makes malicious code harder to execute (or at least possibly reduces the damage done), it also makes developing certain software a pain. For example, most commands using sudo will pretty much throw an error, no matter how harmless the command is.

To check whether SIP is enabled, run the following in your terminal:

csrutil status

If enabled, you’ll see something like this:

[Image: CSRUtil Status Enabled]

Needless to say, if you’re a developer, you’ll want to know how to turn this feature off.

Disabling SIP

To disable SIP, follow these steps:

  • Reboot your machine
  • When the Mac begins to start up again, hold Command+R until you see the Apple logo and a progress bar
    • Just as an aside, you’ve now entered into the Recovery partition of your drive. If it doesn’t work, you might not have a correct recovery partition set up, and SIP is the least of your concerns.
  • Select “Terminal” from the “Utilities” dropdown menu at the top of the screen
  • Type the following in at the terminal prompt:
    csrutil disable
  • Restart your machine

To check that SIP is disabled, run the csrutil status command again, after which you should see something like this:

[Image: CSRUtil Status Disabled]

Note that the output says SIP is enabled, but with a “Custom Configuration”; all of the features listed below it are disabled.
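Because the status line can say "enabled" while the individual protections are off, a check that only looks for the word "enabled" will pass a machine it should flag. The script below is an added example, not part of the original post: it classifies csrutil status output and treats the custom configuration as its own state. The helper names are hypothetical and the sample outputs are constructed, assuming the status line reads "System Integrity Protection status: ...".

```shell
#!/bin/sh
# Classify `csrutil status` output for an audit. Added example; helper names
# are hypothetical. Assumes the status line reads
#   "System Integrity Protection status: <state>[ (Custom Configuration)]."

sip_state() {
    # $1 = text printed by `csrutil status`
    line=$(printf '%s\n' "$1" | grep 'System Integrity Protection status:' | head -n 1)
    case "$line" in
        # Test this first: the custom-configuration line also contains "enabled".
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

sip_disabled_features() {
    # List each "Name: disabled" entry, skipping the status line itself.
    printf '%s\n' "$1" | sed -n '/status:/d; s/^[[:space:]]*\([^:]*\): disabled$/\1/p'
}

sip_compliant() {
    # Audit policy (assumption): only a plain "enabled" passes.
    [ "$(sip_state "$1")" = "enabled" ]
}

# Constructed sample outputs, not captured from a real machine.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Kext Signing: disabled
    Filesystem Protections: disabled'

# On a Mac, check the live system; elsewhere this section is skipped.
if command -v csrutil >/dev/null 2>&1; then
    out=$(csrutil status 2>&1)
    echo "SIP state: $(sip_state "$out")"
    sip_disabled_features "$out" | sed 's/^/  disabled: /'
    sip_compliant "$out" || echo "WARNING: SIP is not fully enabled" >&2
fi
```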

If you want to re-enable this feature, repeat these steps, but replace the command in the recovery partition terminal with:

csrutil enable

2018-03-12T02:23:45+00:00 | November 8th, 2015