El Capitan makes it harder than ever for malware to be a problem on the Mac thanks to System Integrity Protection.
System Integrity Protection (SIP) is a new way of managing access to essential system files in OS X El Capitan, but it's kicking some older software to the curb. So why is Apple implementing it?
Malware is a really serious problem not just on Windows but the Mac too—it seems like almost every week, we get a new report of some sort of malware or adware that's attacking Apple users. Most of these outbreaks are contained quickly, fortunately, and mitigated by the built-in anti-malware and technologies like Gatekeeper.
Apple can always do better, and in El Capitan, they have. To help bolster the Mac's security against malware infections, Apple's come up with System Integrity Protection.
Before El Capitan, people could easily modify, or allow to be modified, core system files used by OS X by entering their administrator password. It's how, for example, we grant software installers "root" access to set up apps.
That's why El Capitan has gone "rootless". System Integrity Protection makes sure the vital system files are safe from modification. This is a good thing: It should reduce the likelihood that you can accidentally infect yourself with malware, or that someone can gain access to your Mac or your files through a remote privilege-escalation exploit.
If you use system-modifying utilities and system extensions that make essential changes to the way OS X works, however, you may notice that they no longer function or need to be updated.
SIP created problems for some developers during El Capitan's public beta development period over the summer. In many cases those problems have either been straightened out or are getting straightened out now. So check with the makers of the apps you use to see if they have updates.
And of course stay tuned to iMore, because we'll report on key updates as they become available.
Of course, you do have ultimate control over what happens on your Mac, so you can deactivate System Integrity Protection if you want to. I strongly advise against doing this, but I completely understand that you may be dependent on software that has to work regardless. I'll just reiterate one last time that SIP has been instituted in El Capitan for a reason: To protect you and to protect your Mac. Apple takes your privacy very seriously.
How to turn off System Integrity Protection in El Capitan
- Click the Apple menu.
- Select Restart...
- Hold down command-R to boot into the Recovery System.
- Click the Utilities menu and select Terminal.
- Type csrutil disable and press return.
- Close the Terminal app.
- Click the Apple menu and select Restart....
If you decide later you want to re-engage SIP (and I earnestly hope that you do), repeat these steps, changing csrutil disable to csrutil enable instead.
Again, SIP has been instituted in El Capitan for a reason: to improve OS X security, and to reduce the risk of someone who isn't supposed to have access getting to your data. But as in all things, your mileage may vary. Just be careful!
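After running csrutil enable and restarting, csrutil status reports whether SIP is actually back on. The shell script below is an added example, not part of the original article: it classifies that status text and audits a set of collected results, flagging every Mac that is not fully protected. The function names, hostnames and sample records are made up for illustration, and the status wording is an assumed format.

```shell
#!/bin/sh
# Added example (not from the article): audit collected `csrutil status` output.

# Classify one status text as: enabled, disabled, custom or unknown.
sip_state() {
    case "$1" in
        *"Custom Configuration"*) echo custom ;;    # only partly protected
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;   # e.g. no csrutil on this OS
    esac
}

# Read "host|status text" records on stdin; print hosts that need attention.
sip_audit() {
    while IFS='|' read -r host line; do
        [ -n "$host" ] || continue
        state=$(sip_state "$line")
        [ "$state" = enabled ] || echo "$host $state"
    done
}

# Constructed sample records: hostnames are invented, and the status text
# follows the wording csrutil prints (assumed format).
SAMPLE='mac-01|System Integrity Protection status: enabled.
mac-02|System Integrity Protection status: disabled.
mac-03|System Integrity Protection status: enabled (Custom Configuration).
mac-04|sh: csrutil: command not found'

sample_report() { printf '%s\n' "$SAMPLE" | sip_audit; }

# On a Mac running El Capitan or later, classify the local machine too.
local_state() {
    if command -v csrutil >/dev/null 2>&1; then
        sip_state "$(csrutil status 2>&1)"
    else
        echo unknown
    fi
}

sample_report
echo "this machine: $(local_state)"
```

Anything other than a plain "enabled" is reported, so a partially disabled or unreadable status is treated as needing follow-up rather than silently passing.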
Reader comments
How to turn off system integrity protection on OS X (but don't)
This summer, Bartender told me that their workaround to function properly involved disabling System Integrity Protection, installing their 'helper app' and then re-enabling the protection.
Back then, disabling it was a menu selection after rebooting into Recovery. Re-enabling involved re-installing the OS. Not interested.
I like this System Integrity Protection, but I'm concerned about the several articles I've read about trivial ways to subvert it (though they usually require physical access to the Mac).
I know MacPorts is having fits because of it, but mostly because the standards about where to install third-party software on a Unix system have been treated 'more as guidelines than actual rules.' Well, they're rules now!
It's fun to watch everyone trying to find ways to cope, but I'm not turning this off for Nobody!!
Bartender still works on systems with SIP, but won't patch Apple menu items without it being turned off first.
Well, I bit the bullet and did what Bartender wanted.
It's a free upgrade to Bartender 2 if you bought Bartender 1 after June 1st. I bought it in May. :-(
The disabling and reenabling of System Integrity Protection was less hassle than I expected and now I have the Bartender (and the very tidy menu bar) that I enjoyed so much when I first bought this in May.
Me too. So far so good!
Came here because of the same issue; I like a neat and tidy menu bar.
Checked Bartender's page, and there is an upgrade for 1/2 price for those of us with B1. I didn't want to jump in and disable/reenable SIP, and the price was right, so I bit the bullet. Very happy I did.
My goodness, I can't imagine not having root access to the computer. I suppose many people would never even know what this is, but I probably type sudo about 150 times per day.
sudo still works just fine.
Just don't try to do anything in /System, /bin, /sbin, or /usr (except for /usr/local).
If I disable it, is it then like before El Capitan? The reason I ask is that 70% of my GOG game library is unplayable. Don't know if they can do something to make it compatible again.
Will wait with the upgrade until I know more, and will ask the GOG forums the same.
Yes.
What I’m seeing most are people complaining that Disk Utility no longer has the Repair Permissions button and that’s because of SIP. The old voodoo incantations of ‘clean install’ and ‘repair permissions’ are going the way of the Dodo bird.
Too bad, because the dodo was a cool bird.
I've always had an Admin account in addition to my user account, and my wife's user account. This required the Admin password to do such system changes.
Is turning off SIP the only way to make these changes? This seems foolish.
I've had more problems with applications that update themselves from the App Store than I've had issues with "non-authenticated" apps. Mostly iTunes, but that's a whole other rant.
Sent from the iMore App
Administrator accounts still work just as before, they just don't give you full 'root' access to being able to add kernel extensions or do anything in /System, /bin, /sbin or /usr (except for /usr/local).
I don't see that SIP will interfere with anything except for utilities that like to monkey with running programs or folks who like to use OS X just like any other Unix system.
Xtrafinder = monkey with running program. I only use it for the "Automatically auto resize all columns to correct width" feature. This means you don't have to double click the little || at the bottom of the column separator for each and every column each and every time you navigate to a new folder. I've been requesting this feature to Apple for years. I had it for about a year with Xtrafinder, but now it's gone again :'-(
...and there are many other users, just like you, that use 3rd party apps, NOT available in the app store, to use a very basic function, that god knows why, Apple are not capable of fixing for many years. I, as well, use XtraFinder, mostly, for that exact feature you described, amongst other great features missing in OS X. That without, is a great annoyance.
XtraFinder is a great utility that complements OS X's ancient Finder, and makes it more bearable to work with. I am not a newbie, I have been a loyal Apple products fan for over a decade, with rich history of use, repairs and maintenance of hundreds of them from iPods, iPhones and all Macs. I remember how exciting Apple products used to be - innovative, sexy, safe, reliable and mostly - enjoyable and user friendly - hardly no maintenance needed, in comparison to PCs, which I used to build, use and repair, more than a decade before I switched to Apple, and never looked back..until recent years, when I started realizing, I am more "fighting" with my products, than enjoy them, and in order to get my tasks done, I installed more and more unsigned apps, and eventually, studied hacking, to get satisfactory results, which brought me back to the same place I was, when I switched from PC to Apple, because "It just worked".
Don't get me wrong, Apple's hardware is still very reliable, I love my iMacs and my iPhones (I own 3 of each). But the OSes and apps, other than being really pretty and aesthetic, are becoming, more and more buggy and restricted. I'm an advocate of security and privacy, and Apple's latest move is good and important, BUT, it should have been implemented, in a way that protects the everyday user, but also, not complicating things for the valuable developers and advanced users, by allowing them a deeper level of access, at their own risk, just like it was with Yosemite, with another layer of security, maybe with larger warning notifications.
Apple needs to stop playing the "concerned mother" and treat us like kids with "I know what is best for you!"
They need not to forget, that most of us are adults, and we can make our own decisions.
And I think, they should pause and try to remember what was their focus and motto in the first place, that gained them their success, in a very short period of time, all the way to the top! - because it proved to be the right thing!
I've also noticed Apple's code signature requirement has broken quite a few apps. Any way to manually authenticate a program? Or am I thinking about this all wrong?
Do you mean 'is there any way to fake an Apple code signature?' Gee, I sure hope not!
There was a problem with properly code-signed apps not being recognized as such by watchOS 2, I understand this is why the release of watchOS 2 was delayed.
Well since you put it that way! Haha I guess I mean it would be nice to be able to whitelist a program.
Xtrafinder & Menu Meters broke in El Cap. Someone fixed MM, I have no idea what they did. I suppose my lust for tinkering yet ignorance of the means could get me in trouble.
I’m wondering. When 10.11 is installed there is some data written to the NVRAM that is persistent across reboots and installations. SO,……..
What happens if you revert to an older OS, like 10.7 and when you do will it cause any kind of problem? I’ve recently reverted to 10.10 and a man csrutil request is met with, ‘No manual entry for csrutil'.
I've heard there is some data written to NVRAM. That's part of why you have to reboot into the Recovery partition to make any modifications.
Previous OS X releases won't know anything about System Integrity Protection or csrutil.
use login as root, if not sure how to get root access see http://www.theregister.co.uk/2015/07/22/os_x_root_hole/
Hi I've just bought my first Macbook and iPhone at Christmas, moving from Samsung Android after about 5 years. One of the features I miss is the ability to create my own ringtones for the iPhone? After digging around I've come across an app on the 'appleclub' website (costs about 1.50) which claims to be able to create ringtones but needs the user to turn off SIPS first. Having just bought all of the hardware (and not being a confident user of Apple products at this point) I'm a little wary about turning this off, but if I did, then downloaded the app, could I turn SIPS back on to reinstate the security? Appreciate your advice or if you have any other suggestions for creating apps using songs from iTunes (that I've previously bought myself) Thanks
You'll find easy paths to make ringtones without disabling SIP, just search!
It's even simple to make them manually in iTunes.
Yeah I got it sorted another route a lot easier thanks.
This would be fine...if it wasn't for the fact that Apple's OWN advice means you have to turn it off - for instance:
https://support.apple.com/en-us/HT200160 - this doesn't work even with true root enabled. Sudo, nothing. You have to turn off SIP before you can chmod the /Library/Preferences folder. *sigh*
So yeah...that's staying off. Do I trust Nanny Apple? Not really. Using Linux systems which are related, sudo always takes you to the highest level, or having a root account. Having a root account that doesn't do what root should do: useless. There should always be that option, although I accept 99.9999% of times and people you won't need it. But not even being able to add Users to a system folder? F*** that.
I know I'm chiming in late on this, but found this as I was searching for the answer to my issue and figured I’d post my 2 cents.
The way that Apple handled this was completely ridiculous. Not only did they break Apps that may never get fixed, but they caused a number of problems for users some of which others mentioned already.
I don't mind updating some Apps and maybe in some cases switching to something new if it makes sense and isn't going to break the bank, but my problem seems more extreme than most. I backed my system up, ran the update from Mavericks since I'd never bothered to go to Yosemite. Upgrade appeared to run fine. I looked around at the new interface. All seemed to be working fine. Rebooted and the system would not restart. Hours on the phone with Apple with them telling me that some app install had probably made a change that SIP didn’t like. Their suggestion…Do a full clean install of El Capitan and then reinstall all of my apps manually and restore my data manually as well and that it would be a time consuming process…Apple, Really?!?
This is as bad as having an Apple Zealot tell me, “Oh, just go buy the new stuff and leave the old behind”. That is an Absolutely Absurd response from anyone. The system is not malfunctioning, I have no signs of corruption, malware or anything like that. Just to have a few new features that would be nice and to be current, I need to spend who knows how many days to get things back to usable? Like some others, I have tons of programs that could be culprits of that. Since even Apple couldn’t tell me what the problem child or children were, the entire venture would be trial and error.
Having worked in IT on the Windows side for many years, I do understand the benefits of starting fresh and that sometimes it’s the only viable option. But I also understand the benefits of an upgrade. This was not a “It just works” situation. If Apple couldn’t handle the task of upgrading and warning about problem apps and giving choices as to what steps the user would like to take, they should NOT have provided an upgrade option in the first place. We shouldn’t have to play games in terminal to turn this off. It should be optional upon upgrade. Since Apple did not have a good answer for me, I restored from my Time Machine Backup to my previous state.
I may try it a third time soon and then follow this procedure to see if I can get the system to boot up. I don’t have SIP now, so turning it off in the new version is not a huge concern if I can’t boot my computer.