Rootless kernel level protection

tarf

macrumors newbie
Original poster
Jun 8, 2015
5
2
Rootless was rumored about a lot, but with the release there does not seem to be any additional information pertaining to it. Has anyone had any experience with it and what it is and how it works yet?
 

MikhailT

macrumors 601
Nov 12, 2007
4,332
827
It was just a rumor, that's it.

It is possible it might have been the system integrity protection; this was mentioned today in the Platform State of the Union session.
 

oatman13

macrumors regular
Feb 14, 2013
208
57
> Rootless was rumored about a lot, but with the release there does not seem to be any additional information pertaining to it. Has anyone had any experience with it and what it is and how it works yet?
It is in the OS... You cannot modify or delete system files even with SUDO.
 

dagamer34

macrumors 65816
May 1, 2007
1,359
101
Houston, TX
During the Platform State of the Union, it was referred to as "System Integrity Protection". But they didn't go into terribly much more detail than what we already knew (no overwriting system files).
 

mag01

macrumors regular
Apr 10, 2011
148
41
To disable the rootless protection, use something like
Code:
sudo nvram boot-args="rootless=0"
And better check your current boot args via
Code:
nvram -p
and then just add/modify the rootless argument.
 

colinwil

macrumors regular
Nov 15, 2010
185
68
Reading, UK
> Rootless was rumored about a lot, but with the release there does not seem to be any additional information pertaining to it. Has anyone had any experience with it and what it is and how it works yet?
To add to the helpful reply by mag01...

I just tried to change the '.kext' extension for a file in /System/Library/Extensions to '.disable'. By default, Rootless prevents me from doing this - either from Finder or from Terminal using sudo mv.

I turned off Rootless using sudo nvram boot-args="rootless=0" in Terminal and rebooted. I was now able to change the file extension from within Get Info in Finder.

Once I'd renamed it, I turned rootless back on with sudo nvram -d boot-args
 

djtech42

macrumors 65816
Jun 23, 2012
1,428
49
Mason, OH
> To add to the helpful reply by mag01...
>
> I just tried to change the '.kext' extension for a file in /System/Library/Extensions to '.disable'. By default, Rootless prevents me from doing this - either from Finder or from Terminal using sudo mv.
>
> I turned off Rootless using sudo nvram boot-args="rootless=0" in Terminal and rebooted. I was now able to change the file extension from within Get Info in Finder.
>
> Once I'd renamed it, I turned rootless back on with sudo nvram -d boot-args
The code snippet didn't work for me
 

KALLT

macrumors 601
Sep 23, 2008
4,921
3,002
> To add to the helpful reply by mag01...
>
> I just tried to change the '.kext' extension for a file in /System/Library/Extensions to '.disable'. By default, Rootless prevents me from doing this - either from Finder or from Terminal using sudo mv.
>
> I turned off Rootless using sudo nvram boot-args="rootless=0" in Terminal and rebooted. I was now able to change the file extension from within Get Info in Finder.
>
> Once I'd renamed it, I turned rootless back on with sudo nvram -d boot-args
I wonder what will happen once you update your system. Since repair permissions is now part of the update procedure, among other things, it is possible that OS X either overwrites your changes or refuses to load.
 

w0lf

macrumors 65816
Feb 16, 2013
1,233
73
USA
> I wonder what will happen once you update your system. Since repair permissions is now part of the update procedure, among other things, it is possible that OS X either overwrites your changes or refuses to load.
Most likely nothing out of the ordinary. Worst case scenario you would just have to re-enable rootless from the recovery partition.

You can also still repair permissions with
Code:
diskutil repairPermissions /
 

KALLT

macrumors 601
Sep 23, 2008
4,921
3,002
> Most likely nothing out of the ordinary. Worst case scenario you would just have to re-enable rootless from the recovery partition.
>
> You can also still repair permissions with
> Code:
> diskutil repairPermissions /
I read elsewhere that this diskutil command was gone, so it's still there? The next beta will probably reveal some more information about this new feature.
 

djtech42

macrumors 65816
Jun 23, 2012
1,428
49
Mason, OH
> Most likely nothing out of the ordinary. Worst case scenario you would just have to re-enable rootless from the recovery partition.
>
> You can also still repair permissions with
> Code:
> diskutil repairPermissions /
Just tried to disable rootless through the recovery partition and got this:

I've never loathed Apple like I do now.
 

redheeler

macrumors 604
Oct 17, 2014
7,395
6,962
> To disable the rootless protection, use something like
> Code:
> sudo nvram boot-args="rootless=0"
> And better check your current boot args via
> Code:
> nvram -p
> and then just add/modify the rootless argument.
That did the trick for me; after adding the boot arg and restarting, system files can be modified.
> I read elsewhere that this diskutil command was gone, so it's still there? The next beta will probably reveal some more information about this new feature.
The command for it is still there, but it's gone from the GUI.
 

djtech42

macrumors 65816
Jun 23, 2012
1,428
49
Mason, OH
> That did the trick for me; after adding the boot arg and restarting, system files can be modified.
>
> The command for it is still there, but it's gone from the GUI.
What did you modify in order to test it? I'm still unable to modify system files.
 

chrfr

macrumors G3
Jul 11, 2009
8,175
2,508
> I read elsewhere that this diskutil command was gone, so it's still there? The next beta will probably reveal some more information about this new feature.
diskutil is still there.
 

netkas

macrumors 65816
Oct 2, 2007
1,119
289
Rootless is just sandboxing everything, including the BSD environment (bash and friends).

If you try to change anything in /S/L/E (with or without rootless=0) and then look into the dmesg output, you will see Sandbox info.
 

thadoggfather

macrumors G4
Oct 1, 2007
10,832
7,670
How do you get rootless back after you've disabled it with
sudo nvram boot-args="kext-dev-mode=1 rootless=0"

Thanks!
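
For the question above and the nvram steps earlier in the thread, an added example (not part of any poster's message): it checks boot-args for `rootless=0` and builds a restore command that removes only that token, since `sudo nvram -d boot-args` deletes every boot argument, including `kext-dev-mode=1`. It assumes `nvram -p` prints one name, a tab, then the value per line; all function names are hypothetical.

```shell
#!/bin/sh
# Pull the boot-args value out of `nvram -p` output (assumed name<TAB>value).
boot_args_from_dump() {
    printf '%s\n' "$1" | awk -F '\t' '$1 == "boot-args" { print $2; exit }'
}

# Succeed only if the exact token rootless=0 is present.
rootless_disabled() {
    for tok in $1; do
        if [ "$tok" = "rootless=0" ]; then return 0; fi
    done
    return 1
}

# Print boot-args minus any rootless=... token, keeping the other tokens in order.
strip_rootless() {
    out=""
    for tok in $1; do
        case "$tok" in
            rootless=*) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s' "$out"
}

# Command that re-enables protection without dropping unrelated arguments.
restore_command() {
    rest=$(strip_rootless "$1")
    if [ -n "$rest" ]; then
        printf 'sudo nvram boot-args="%s"' "$rest"
    else
        printf 'sudo nvram -d boot-args'
    fi
}

audit() {
    args=$(boot_args_from_dump "$1")
    if rootless_disabled "$args"; then
        printf 'rootless=0 set; restore with: %s\n' "$(restore_command "$args")"
    else
        printf 'rootless=0 not present in boot-args\n'
    fi
}

# Constructed sample of `nvram -p` output, not captured from a real machine.
SAMPLE_DUMP=$(printf 'SystemAudioVolume\t%%40\nboot-args\tkext-dev-mode=1 rootless=0\n')
audit "$SAMPLE_DUMP"
```

On a Mac, `audit "$(nvram -p)"` runs the same check against the live NVRAM contents.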
 

thadoggfather

macrumors G4
Oct 1, 2007
10,832
7,670
Didn't seem to resolve my VPN client issues I was having by re-enabling rootless with that command.

Thanks anyways
 

maflynn

Moderator
Staff member
May 3, 2009
63,831
30,346
Boston
I'm not on 10.11 but I am curious about rootless. I know Apple is all about secrecy but having more info on this would be nice.
 

redheeler

macrumors 604
Oct 17, 2014
7,395
6,962
> I'm not on 10.11 but I am curious about rootless. I know Apple is all about secrecy but having more info on this would be nice.
As far as we know, it's designed to protect system files and folders from being deleted or modified even as root through Terminal. It can be disabled with a boot argument.
> After inputting
> sudo nvram boot-args="rootless=0", Disk Utility still shows rootless enabled. Is it going to show enabled regardless?
It seems to, at least on the first beta.