no way to disable SIP??

Discussion in 'OS X El Capitan (10.11)' started by fisherking, Sep 9, 2015.

  1. fisherking macrumors 601

    Joined:
    Jul 16, 2010
    Location:
    ny somewhere
    #1
    in the newly-released final 10.11, the option to disable SIP is missing from Utilities when i boot up in Recovery Mode (it was there in the betas). No longer possible? or is there a terminal command to run in recovery?
     
  2. Shirasaki macrumors 603

    Joined:
    May 16, 2015
    #2
    As far as I know, csrutil will be the only official way to disable SIP in El Capitan.
    And it is only available in the recovery partition.
     
  3. fisherking thread starter macrumors 601

    Joined:
    Jul 16, 2010
    Location:
    ny somewhere
    #3
    can you give me more info? or is it just that command in terminal?
     
  4. MacManiac76 macrumors 65816

    Joined:
    Apr 21, 2007
    Location:
    Arizona
    #4
    csrutil disable in Terminal from the Recovery partition.
     
  5. fisherking thread starter macrumors 601

    Joined:
    Jul 16, 2010
    Location:
    ny somewhere
    #5
    works (and allowed me to reinstall the Bartender app helper, and change some icons, ie safari, mail). thanx!
     
  6. MagnusVonMagnum macrumors 601

    Joined:
    Jun 18, 2007
    #6
    Riddle me this. How can you possibly disable SIP if you run OS X from a RAID boot volume? There is no recovery partition in such a setup. How the ###% does Apple expect you to boot into a Recovery Partition that doesn't exist??? You don't normally need a recovery partition if you have a full volume bootable backup (at least not until now). Why on earth would they create a command that can only be run from a partition that doesn't exist for power users when power users are the ones most likely to want to disable that POS (and yes it's a POS since it stops Xtrafinder and other programs from running and believe you me that you NEED Xtrafinder to make Finder usable).

    FRACK APPLE. It's MY computer. They have NO RIGHT to tell the ROOT USER that he can't edit a simple .plist file to make NFS work without having to manually turn it on via the shell every time I reboot.... It's what startup scripts exist for, to let you start things up during boot up! This isn't security. It's bullcrap.

    They need to make another way to disable it that doesn't involve a non-existent partition.
     
  7. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #7
    What process are you trying to use to start NFS?
    Put your NFS shares in a file at /etc/exports, and nfsd automatically starts and shares them, and you don't deal with SIP whatsoever.
    https://support.apple.com/en-us/HT202243
     
  8. HenryAZ macrumors 6502

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #8
    Install 10.11 onto an external drive, and it will have its own recovery partition that you can use via Option-boot.
     
  9. dsemf macrumors regular

    Joined:
    Jul 26, 2014
    #9
    If you have created a USB Install Drive, you can use it to change SIP.

    I am currently running PB6, but tomorrow I will be doing the upgrade so I created the USB drive earlier and on a whim I booted the installer drive, disabled SIP in Terminal, re-booted my PB6 install and ran csrutil status.

    Code:
    System Integrity Protection status: enabled (Custom Configuration).
    
    Configuration:
        Apple Internal: disabled
        Kext Signing: disabled
        Filesystem Protections: disabled
        Debugging Restrictions: disabled
        DTrace Restrictions: disabled
        NVRAM Protections: disabled
    
    This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
    
    The "Protection status" bug still exists.

    This provides an alternate method to change SIP when the Recovery Partition does not exist, such as a RAID configuration.


    DS
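
Added example, not part of any post in this thread: the `csrutil status` output quoted in post #9 reports "enabled" in its headline while every listed protection is disabled, so a compliance check should read the per-protection lines rather than the headline. The function name `sip_verdict`, the verdict strings and the second sample are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): classify `csrutil status` text on stdin.
# Prints one of: enabled | disabled | custom: <items off> | unknown
sip_verdict() {
    awk '
        /^System Integrity Protection status:/ {
            headline = ($0 ~ /status: enabled/) ? "enabled" : "disabled"
        }
        # Per-protection lines, e.g. "    Kext Signing: disabled"
        /^[ \t]+[A-Za-z ]+: (enabled|disabled)/ {
            name = $0; sub(/^[ \t]+/, "", name); sub(/:.*/, "", name)
            # Assumption: "Apple Internal" is an allowance flag, not a
            # protection, so "disabled" there is the normal state.
            if (name == "Apple Internal") next
            total++
            if ($0 ~ /: disabled/) { off++; list = (list ? list ", " : "") name }
        }
        END {
            if (headline == "")    print "unknown"
            else if (total == 0)   print headline   # no breakdown printed
            else if (off == 0)     print "enabled"
            else if (off == total) print "disabled" # headline may still say enabled
            else                   print "custom: " list
        }'
}

# Output quoted in post #9 (headline says "enabled", every protection is off).
page_sample() {
    cat <<'EOF'
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
EOF
}

# Constructed sample: only one protection turned off.
partial_sample() {
    printf '%s\n' 'System Integrity Protection status: enabled (Custom Configuration).' \
        '    Kext Signing: disabled' '    Filesystem Protections: enabled'
}

page_sample | sip_verdict      # disabled
partial_sample | sip_verdict   # custom: Kext Signing
```

On a Mac the same function can be fed live output with `csrutil status | sip_verdict`.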
     
  10. MagnusVonMagnum, Oct 2, 2015
    Last edited: Oct 2, 2015

    MagnusVonMagnum macrumors 601

    Joined:
    Jun 18, 2007
    #10
    I already have them in etc/exports. XBMC needs the -N option (allow non-root clients to access files, which XBMC requires as it has no root privileges nor should it) when NFSD starts and that is in the /System/Library/LaunchDaemons/com.apple.nfsd.plist file. You normally just add <string> -N </string> after the NFSD string line and all is good. Apple removed that change from my Mavericks file I made and put it back to not having the -N option and locked the file so you can't change it (SIP). -N is a valid option. Options exist for a reason. Startup files exist for a reason. Apple has said we are too stupid to use the UNIX features in OS X and used security as an excuse to lock us out of them. They could have just used a "MASTER" password that is ONLY used for those files and is never allowed to be used by a 3rd party program unless you log in in a shell with it or something, but instead, they put it in the Recovery Partition, which means not only a reboot for most people, but it means power users that have a RAID boot drive have no way to turn it off period. It also killed XtraFinder and TotalFinder as well the same way.

    I CAN get NFS to work with XBMC manually if I stop the process and manually restart it with the -N option, but unless I can find a script to automate this away from the one OS X automatically starts I'd have to do it every time I reboot.

    I just read for some options you can do a "Defaults write <key> <value>" argument, but I saw no change in the file so I have no idea what it did or if I used the wrong argument. I should reboot and see if anything changed since it only runs that file on boot.

    But will that allow me to turn it off and modify files on my RAID boot partition or would it only modify them on the external drive? I suppose I could then COPY that external version file change BACK to the RAID boot partition using Carbon Copy Cloner. Hmmm, that might at least get around the problem for NFS and installing something like XtraFinder. The only issue is I have Mavericks on that backup copy right now as I evaluate El Capitan and so I'd either have to buy another backup drive or wait until I'm sure I'd want to stick with El Capitan. Of course, every time Apple updates OSX, there's a chance it would change the files back to default all over again.

    Well, if that will work for the boot partition (where does SIP exist? In EFI? I assumed it was changing a file setting on the boot partition itself and thus it would change it on the regular boot partition on the USB stick, not the RAID drive), but your post seems to indicate otherwise. I downloaded a script that will install a recovery partition on my backup drive (which is not RAID) so I can try that there (Carbon Copy Cloner apparently only clones a recovery drive from the existing source, not creates one when it's already wiped out; this utility claims to create a new one). So I can see what happens. Bad for me if something goes wrong, though (since Mavericks is on it right now). The USB drive thing sounds safer, but I'd have to make one up first.

    Edit: I guess SMB doesn't work after all. It was still using my SMBuP settings. Turning on Apple's own SMB killed it on a reboot.... figures.
     
  11. dsemf macrumors regular

    Joined:
    Jul 26, 2014
    #11
    As I understand it, the SIP setting is stored in NVRAM. This means that however you boot El Capitan on a specific machine, the setting will always be the same. The minimal OS used by the install and the Recovery Partition provide the ability to change the SIP state.

    Tomorrow I am going to try a test. I am going to disable SIP on my PB6 system, do the standard install and see what the setting is when I am done. Just curious if it persists across OS X installs.


    DS
     
  12. dsemf macrumors regular

    Joined:
    Jul 26, 2014
    #12
    Just a quick followup. The SIP disabled setting did persist across the standard install.

    DS
     
