Rootless kernel level protection

xgman

macrumors 601
Aug 6, 2007
4,785
609
However, if Apple implements a system integrity check and prevents booting up once an unauthorised system file change is detected, this could be another problem for advanced users (such as hackers).
Hackers? More like tweakers or power users here at macrumors for the most part.

Fishrrman

macrumors P6
Feb 20, 2009
17,425
5,647
oatman wrote above:
"It is in the OS... You cannot modify or delete system files even with SUDO"

But there will be cases where administrators need this ability, regardless.

EDIT:
I had originally posted:
"Does a terminal command exist to override "rootless"?"
... but see that some capable users have already answered my question!

Thanks!

redheeler

macrumors 604
Oct 17, 2014
7,463
7,058
You can turn rootless off. Boot into the recovery mode tools, and there is an option to turn it off.
Even simpler, this command will restart with rootless disabled:
Code:
sudo nvram boot-args="rootless=0";sudo reboot
This was first posted elsewhere, and works fine.

Edit: In case the boot argument method stops working in future versions, here's how to disable it through Recovery as of the first beta. Boot into Recovery (start up holding down Command-R until the Apple logo appears), and select "Security Configuration" from "Utilities" on the menu bar. Uncheck "Enforce System Integrity Protection", click "Apply Configuration", click "Apply" on the resulting prompt, and restart. Rootless will now be disabled.

redheeler

macrumors 604
Oct 17, 2014
7,463
7,058
The problem is that Apple has already stated the terminal command for rootless will be removed before final release. So it may be simpler for today, but not exist tomorrow. That's why I choose to post the Apple sanctioned method instead.
Where did Apple state that?
 

Tucom

macrumors 65816
Jul 29, 2006
1,176
248
In fact, Apple already offers an option for some devs to migrate their service in a way that disables rootless already.
Wait, WHAT? Surely there's no apps - at all - that can and will be able to disable rootless? If so then what's the point of it being there at all. Also, IF (and I highly doubt this is the case) an app COULD disable rootless, would you get any kind of warning or notification before it happens?
 

redheeler

macrumors 604
Oct 17, 2014
7,463
7,058
"command line tool"? I assume you mean the boot argument. Anyway, I unchecked Utilities > Security Configuration > Enforce System Integrity Protection in Recovery and it does have the same effect as the boot argument.
Sorry, posted in wrong forum, but to answer the question here's how you do it with Apple's seal of approval.

Boot into recovery

Select utilities from the tool bar

Select Security Configuration and UN-check the box, then click apply.

The machine will reboot itself & rootless will be turned off.

And yes, Apple states the rootless command line tool will be removed before final release. Contact Apple support and they'll tell you.
 

MikhailT

macrumors 601
Nov 12, 2007
4,334
832
Wait, WHAT? Surely there's no apps - at all - that can and will be able to disable rootless? If so then what's the point of it being there at all. Also, IF (and I highly doubt this is the case) an app COULD disable rootless, would you get any kind of warning or notification before it happens?
I just re-watched the Platform State of the Union session that included this info. He said the developers would be able to develop kext extensions to ensure compatibility with SIP in Xcode, but for those that can't work with SIP, Apple will provide an option via the recovery partition tool to disable SIP. When he said this, the slide said "simplified developer workflow", as in there would be a workflow to disable SIP by the devs, so I got confused here. I believe you can only disable SIP via the recovery partition and you're correct, it would be stupid for Apple to allow anyone to disable SIP like this.
 

paronga

macrumors member
Nov 9, 2011
89
2
Australia, Melbourne
Rootless will be the first thing to go if I stay with OS X. I HATE iOS because it just cripples you as a user. God, I can't tell you how many times I want to modify the hosts file on my iPad and I can't. Ugg, the more OS X becomes like iOS I just cringe.




-P

El Capitan - Worst. Name. Ever.
Almost as bad as the new MacRumors Theme
You're a bag full of sunshine, aren't you?

AlanShutko

macrumors 6502a
Jun 2, 2008
642
46
Rootless will be the first thing to go if I stay with OS X. I HATE iOS because it just cripples you as a user. God, I can't tell you how many times I want to modify the hosts file on my iPad and I can't.
You can still edit files in /etc. You can't put things into /usr/bin, but /opt and /usr/local are both fine. I will need to check, but I suspect there are *.sb files listing specific things that are or are not allowed.
 

AlanShutko

macrumors 6502a
Jun 2, 2008
642
46
I took a look, and there's a /System/Library/Sandbox/rootless.conf that defines what is blocked. The first column is the process (or wildcard) which can edit files there. The second is what's blocked.

So the following is blocked: /System, /usr, /bin. But there are exceptions allowing access to /usr/local and a bunch of other things. Note at the bottom that /etc, /tmp, and /var are blocked, but those are only symlinks to the actual directories in /private. So you can still edit anything under those directories, you just cannot change the symlink itself.

Code:
                  /System
*                 /System/Library/Caches
booter            /System/Library/CoreServices
*                 /System/Library/Extensions
                  /System/Library/Extensions/*
UpdateSettings    /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist
*                 /System/Library/Speech
*                 /System/Library/User Template
                  /bin
dyld              /private/var/db/dyld
                  /sbin
                  /usr
*                 /usr/libexec/cups
*                 /usr/local
*                 /usr/share/man
# symlinks
                  /etc
                  /tmp
                  /var
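To make the two-column format concrete, here is an added example (not from the post or from Apple) that parses a few of the rule lines quoted above and answers "may this process write this path?" under a deliberately simplified model: the most specific matching rule wins, a bare `dir/*` rule covers only the directory's contents, and an unlisted path is unprotected. The sample rules are constructed from the post's listing; the matching logic is an assumption for illustration, not how SIP actually evaluates rootless.conf.

```python
"""Toy model of the rootless.conf format quoted in the post above (added example).
Rule lines come from the post; the matching logic (most specific rule wins, "dir/*"
covers only descendants) is an illustrative assumption, not Apple's implementation."""
import os

# Constructed sample in the post's format: process (or "*", or empty), TAB, path.
ROOTLESS_CONF = """\
\t/System
*\t/System/Library/Extensions
\t/System/Library/Extensions/*
UpdateSettings\t/System/Library/LaunchDaemons/com.apple.UpdateSettings.plist
\t/bin
\t/usr
*\t/usr/local
# symlinks: the link itself is protected, its target under /private is not
\t/etc
"""

def parse_rules(text):
    """Return (process, path, descendants_only) tuples; process None = nobody."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        proc, _, path = line.partition("\t")
        descendants_only = path.endswith("/*")
        path = path[:-2] if descendants_only else path
        rules.append((proc.strip() or None, path, descendants_only))
    return rules

def _matches(rule, target):
    _, path, descendants_only = rule
    if target == path:
        return not descendants_only          # "dir/*" does not cover dir itself
    return target.startswith(path + "/")

def writable_by(rules, target, process):
    """True if `process` may modify `target` under this simplified model."""
    target = os.path.normpath(target)
    hits = [r for r in rules if _matches(r, target)]
    if not hits:
        return True                           # not listed at all: unprotected
    # Longest path wins; between "dir" and "dir/*", the latter is more specific.
    proc, _, _ = max(hits, key=lambda r: (len(r[1]), r[2]))
    return proc == "*" or proc == process

if __name__ == "__main__":
    rules = parse_rules(ROOTLESS_CONF)
    for p in ("/usr/local/bin/tool", "/usr/bin/tool", "/etc", "/private/etc/hosts"):
        print(p, "writable by a root shell:", writable_by(rules, p, "bash"))
```

Note how `/etc` itself is refused while `/private/etc/hosts` is allowed, which is the symlink point made in the post.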

MikhailT

macrumors 601
Nov 12, 2007
4,334
832
See my post here. As others mentioned, maybe they will remove the command line option, but leave the recovery GUI option to disable rootless?
In the Security session at WWDC, Apple said they're removing that boot-args command and the option to disable SIP will be available via the recovery OS's utility to change the security options.

They also mentioned such a change via Recovery OS will push it into NVRAM and will remain persistent across OS installs, so it's a one-time change.

Erdbeertorte

Suspended
May 20, 2015
1,180
484
Are you 100% sure you're using

Code:
sudo nvram boot-args="rootless=0"
and not

Code:
sudo nvram boot-args="rootless 0"

I have the same problem. It only works for the second SSD but not for the system SSD.

Also tried the deactivation by booting into the recovery partition (internal+external), in the terminal and in the tools.

But all that does only work for the other SSD.

Shirasaki

macrumors G3
May 16, 2015
9,478
3,464
I have the same Problem. It only works for the second SSD but not for the system SSD.

Also tried the deactivation by booting into the recovery partition (internal+external), in the terminal and in the tools.

But all that does only work for the other SSD.
What about removing your external SSD and using only internal SSD to see if you can disable rootless?

nikmatt

macrumors newbie
Apr 14, 2013
15
6
Orlando, FL
Does Rootless also cripple Single User Mode or have they decided to be reasonable and exclude it from these heavy-handed shenanigans?
 

bobbytomorow

macrumors 6502
Nov 10, 2007
424
22
Left Coast
I have the same Problem. It only works for the second SSD but not for the system SSD.

Also tried the deactivation by booting into the recovery partition (internal+external), in the terminal and in the tools.

But all that does only work for the other SSD.
I can confirm this

I have two drives in my MBP and the GUI option in recovery only disables rootless on my drive that contains Boot Camp and a data partition; these two partitions show up as "rootless enabled - NO", but on my system drive, with only one partition, it's "rootless enabled - YES".

*Edit - If we can't access system files that will supremely suck
 

Shirasaki

macrumors G3
May 16, 2015
9,478
3,464
I can confirm this

I have two drives in my MBP and the GUI option in recovery only disables rootless on my drive that contains Boot Camp and a data partition; these two partitions show up as "rootless enabled - NO", but on my system drive, with only one partition, it's "rootless enabled - YES".

*Edit - If we can't access system files that will supremely suck
If you remove all your external drives and try to disable rootless, you may get something new. I have only one drive, with Boot Camp. I used the preview recovery partition, disabled rootless successfully, and reinstalled the Paragon NTFS software again.
 

KALLT

macrumors 601
Sep 23, 2008
4,934
3,007
See my post here. As others mentioned, maybe they will remove the command line option, but leave the recovery GUI option to disable rootless?
They did not even mention the command-line option to accomplish this, but recommended using the Recovery OS. Root cannot be trusted after all. From the developer session I understood that the latter method is going to stay for the time being, specifically to allow kext developers to test their modifications prior to applying for a signature (as kexts have to be signed since Yosemite). However, I think the tendency is pretty obvious and the frankness with which they approached the subject makes it more or less clear that third-party system modifications are a thing of the past as far as Apple is concerned.
 

SlCKB0Y

macrumors 68040
Feb 25, 2012
3,126
197
Sydney, Australia
Rootless will be the first thing to go if I stay with OS X. I HATE iOS because it just cripples you as a user. God, I can't tell you how many times I want to modify the hosts file on my iPad and I can't. Ugg, the more OS X becomes like iOS I just cringe.
I can edit /etc/hosts just fine.