European Union Flag
European Apple Users Information & Support
LOGIN
Award Winning Antivirus Software
RSS Feed Icon
via fetchrss.com
The next event is:
CES 2018

On 9 January 2018
More events…

macOS 10.13 High Sierra
FREE
Amazon UK Mac Software Affiliate Link

Mac Security Article #9 - System Integrity Protection (SIP)

Article ID = 146
Article Title = Mac Security Article #9 - System Integrity Protection (SIP)
Article Author(s) = Graham Needham (BH)
Article Created On = 30th September 2015
Article Last Updated = 23rd January 2017
Article URL = http://www.macstrategy.com/article.php?146

Article Brief Description:
Information about Apple's new System Integrity Protection (SIP) low-level security technology included with OS X 10.11 El Capitan and later.

System Integrity Protection (SIP)

OS X 10.11 El Capitan or later includes a new low-level security technology called System Integrity Protection (SIP) which prevents the modification or removal of certain system files. This could affect third party products especially old installers so do check compatibility of your software before attempting to install it. Additional third party software compatibility information includes our own articles - Third party software compatibility with:

UNIX operating systems (which macOS is based on) have a "god" level user called "root" that can pretty much do anything. The problem is that some software and processes use root to perform/manage their tasks and this compromises the security of the comptuer. Starting with OS X 10.11 El Capitan Apple have introduced the idea of "rootless" (SIP) where these processes can be given the right privileges to get the job done but without the need to run as root - therefore protecting some levels of security.

File system protections apply only to a system's boot and root volumes. The following directories can only be written to by the system:

    • System-Only Locations
    • /bin
    • /sbin
    • /usr
    • /System
    • /Applications/Utilities
  • In contrast, the following directories are available to any process (Locations Available to Developers):
    • /usr/local
    • /Applications
    • [~]/Library
    All directories in /usr except for /usr/local are restricted to the system. Apple app directories in /Applications are restricted to the system.

You can check whether System Integrity Protection is currently enabled on your system by running the following command in the Terminal: csrutil status

System Integrity Protection can be configured using the csrutil command. csrutil disable = Disable the protection on the machine. Requires a reboot.

csrutil enable = Enable the protection on the machine. Requires a reboot.

csrutil status = Display the current configuration.

NOTE: SIP cannot be disabled from within the operating system, only from the macOS Recovery partition.

We highly recommend only disabling SIP in extreme circumstances - and in almost all cases you should re-enable SIP once you have finished doing what you need to do.


Article Keywords: OS X OSX 1011 macOS 1012 1013 El Capitan Sierra High Sierra System Integrity Protection SIP

This article is © MacStrategy » a trading name of Burning Helix. Apple, the Apple logo, and Mac are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc.


If this information helped you or saved you time and/or money why not donate a little to us via PayPal?
All proceeds go directly to MacStrategy / Burning Helix Limited to help fund this web site.
If this information helped you or saved you time and/or money why not donate a little to us via PayPal?
All proceeds go directly to MacStrategy / Burning Helix Limited to help fund this web site.

Go to this
web page
to donate to us.