Mac Security Article #9 - System Integrity Protection (SIP)
Article ID = 146
Article Title = Mac Security Article #9 - System Integrity Protection (SIP)
Article Author(s) = Graham Needham (BH)
Article Created On = 30th September 2015
Article Last Updated = 12th August 2019
Article URL = https://www.macstrategy.com/article.php?146
Article Brief Description:
Information about Apple's new System Integrity Protection (SIP) low-level security technology included with OS X 10.11 El Capitan and later.
System Integrity Protection (SIP)
OS X 10.11 El Capitan and later include a new low-level security technology called System Integrity Protection (SIP), which prevents the modification or removal of certain system files. This could affect third party products, especially old installers, so check the compatibility of your software before attempting to install it. Additional third party software compatibility information includes our own articles - Third party software compatibility with:
- macOS 10.15 Catalina
- macOS 10.14 Mojave
- macOS 10.13 High Sierra
- macOS 10.12 Sierra
- OS X 10.11 El Capitan
UNIX operating systems (which macOS is based on) have a "god" level user called "root" that can pretty much do anything. The problem is that some software and processes use root to perform/manage their tasks, and this compromises the security of the computer. Starting with OS X 10.11 El Capitan, Apple have introduced the idea of "rootless" (SIP), where these processes can be given the right privileges to get the job done without needing to run as root - therefore protecting some levels of security.
File system protections apply only to a system's boot and root volumes. The following directories can only be written to by the system (System-Only Locations):
- /bin
- /sbin
- /usr
- /System
- /Applications/Utilities
In contrast, the following directories are available to any process (Locations Available to Developers):
- /usr/local
- /Applications
- [~]/Library
You can check whether System Integrity Protection is currently enabled on your system by running the following command in the Terminal: csrutil status
System Integrity Protection can be configured using the csrutil command.
csrutil disable = Disable the protection on the machine. Requires a reboot.
csrutil enable = Enable the protection on the machine. Requires a reboot.
csrutil status = Display the current configuration.
NOTE: SIP cannot be disabled from within the operating system, only from the macOS Recovery partition.
We highly recommend only disabling SIP in extreme circumstances - and in almost all cases you should re-enable SIP once you have finished doing what you need to do.
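The two lists above overlap (/usr/local sits inside /usr, and /Applications/Utilities sits inside /Applications), so a pre-install check has to test the more specific entry first. The following is an added example, not code from this article or from Apple: the function names are hypothetical, and it assumes the text printed by csrutil status contains "status: enabled" or "status: disabled".

```shell
#!/bin/sh
# Added example: classify a path against the SIP lists in this article and
# interpret the text printed by `csrutil status`. Function names are
# hypothetical. Paths are compared as text: no symlink or ".." resolution.

# under DIR PATH -> success if PATH is DIR itself or lies below it.
# Matching stops at a path component, so /binary is not "under" /bin.
under() {
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
    esac
    return 1
}

# sip_path_class PATH -> prints "developer", "system-only" or "not-listed".
sip_path_class() {
    p=$1
    # Expand a literal leading "~/" (the "[~]/Library" entry in the list).
    case "$p" in "~/"*) p="$HOME/${p#??}" ;; esac
    # Most specific entries first, because the lists nest.
    if under /usr/local "$p"; then echo developer; return; fi
    if under /Applications/Utilities "$p"; then echo system-only; return; fi
    for d in /bin /sbin /usr /System; do
        if under "$d" "$p"; then echo system-only; return; fi
    done
    if under /Applications "$p" || under "$HOME/Library" "$p"; then
        echo developer; return
    fi
    echo not-listed
}

# sip_state TEXT -> prints "enabled", "disabled" or "unknown".
# Assumption: TEXT is the output of `csrutil status`.
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# On a Mac: sip_state "$(csrutil status)"
# An installer that targets a "system-only" path on a machine where the
# state is "enabled" should be expected to fail on that path.
```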