SIP (rootless) disabled by default now?

Discussion in 'OS X El Capitan (10.11)' started by Erdbeertorte, Nov 1, 2015.

  1. Erdbeertorte macrumors demi-goddess

    Erdbeertorte

    Joined:
    May 20, 2015
    Location:
    Castle Grayskull, Eternia
    #1
    Hey,

    I made a clean install of 10.11.1 and installed the 10.11.2 beta update.

    The terminal just displays:

    ...$ csrutil status

    System Integrity Protection status: disabled.


    In older versions it always displayed enabled as the status, also after entering "csrutil disable" in the recovery partition's terminal. But there were some options listed and each of them was shown as disabled. Now it's just that single line and I did not disable it.

    Is this new in the beta of 10.11.2 or is it in the final version of 10.11.1 too?
     
  2. MrNomNoms macrumors 65816

    MrNomNoms

    Joined:
    Jan 25, 2011
    Location:
    Wellington, New Zealand
    #2
    Might have to do with the fact that you're on a developer stream rather than a stable consumer version - 10.11.1 is still saying that SIP is enabled.
     
  3. leman macrumors 604

    Joined:
    Oct 14, 2008
  4. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #4
    It would be foolish for Apple to disable it by default. It's a security measure that protects the clear majority of users.
     
  5. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #5
    Did you disable it before the reinstallation? It might have persisted from your last installation.
     
  6. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #6
    SIP status is retained in NVRAM, not the filesystem, so a clean install will not reenable it. SIP remains enabled by default in even developer builds of OS X.
     
  7. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #7
    Interesting, I did not know that. It's good to know, though I don't understand why that is the case.
     
  8. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #8
    Just curious in light of this... if someone has disabled SIP, then resets NVRAM... does it default back to SIP enabled? Anybody tested this?
     
  9. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #9
    I believe it does, yes.
    The other side effect of this is that any boot drive on a given computer will also retain SIP status set in the other boot drive; you cannot have two 10.11 boot environments on the same computer which have different SIP status.
     
  10. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #10
    It does. The setting in NVRAM just overrides the behaviour of the OS.
     
  11. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #11
    Thanks... I assumed this was the case since it made sense, but had not tested.
     
  12. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #12
    Perhaps it's just a neater solution. Writing directly into the file system of another partition to change a setting may be unnecessarily risky. NVRAM just stores a variable that the system can work with at runtime.
     
  13. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #13
    You're right, and it being in the NVRAM may in and of itself be a security setting.
     
  14. Erdbeertorte thread starter macrumors demi-goddess

    Erdbeertorte

    Joined:
    May 20, 2015
    Location:
    Castle Grayskull, Eternia
    #14
    I never disabled it on the new iMac and also changed the RAM and reset the NVRAM several times. But I did not check the status before. So I don't know if the 10.11.2 update disabled it or the final version of 10.11.1.

    On my MacBook Pro I am using El Capitan since the first developer beta and it was always enabled by default after a clean install, I think even after every update, but I can't remember exactly.

    And every time I disabled it and checked the status in the Terminal, it was displayed as enabled but showed that all options are disabled; now these options are gone and it just says disabled. In Disk Utility the status strangely never changes from enabled to disabled.
     
  15. Erdbeertorte thread starter macrumors demi-goddess

    Erdbeertorte

    Joined:
    May 20, 2015
    Location:
    Castle Grayskull, Eternia
    #15
    Back on 10.11.1 now. This is what I meant, if SIP has been disabled by myself I got that output (also on the developer betas before):

    ...$ csrutil status

    System Integrity Protection status: enabled (Custom Configuration).

    Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

    This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.



    And on 10.11.2 it's just that and it was disabled by default:

    ...$ csrutil status

    System Integrity Protection status: disabled.
     
  16. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #16
    They probably just clarified the output. Disabling all these functions is the equivalent of turning SIP off.
     
  17. dogslobber macrumors 68020

    dogslobber

    Joined:
    Oct 19, 2014
    Location:
    Apple Campus, Cupertino CA
    #17
    It's enabled for me:

    mbp14:~ dogslobber$ csrutil status
    System Integrity Protection status: enabled.
    mbp14:~ dogslobber$ sw_vers -productVersion
    10.11.2
    mbp14:~ dogslobber$
     
  18. h9826790 macrumors 604

    h9826790

    Joined:
    Apr 3, 2014
    Location:
    Hong Kong
    #18
    I guess it's just cosmetic and a new way to display the status.

    In fact, displaying SIP as "disabled" is better than "enabled" but with all related functions off, which may confuse the user into thinking that SIP is actually enabled.
     
  19. dogslobber macrumors 68020

    dogslobber

    Joined:
    Oct 19, 2014
    Location:
    Apple Campus, Cupertino CA
    #19
    Custom configs look like they're just for developers. E.g. kext off makes sense if you're a kernel developer.
     

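Added example, not written by any poster in the thread: a shell function that reads "csrutil status" output and reports the older "enabled (Custom Configuration)" form with every protection off as equivalent to the newer single-line "disabled." form, so an audit script does not misread the word "enabled" on the first line. The function name sip_state, its result labels and the decision to ignore the "Apple Internal" line are assumptions of this example; the two sample outputs are the ones quoted in the thread.

```shell
#!/bin/sh
# Classify `csrutil status` output read from stdin.
# Prints one of: enabled | disabled | custom-all-off | custom-partial | unknown
sip_state() {
    awk '
        /^[ \t]*System Integrity Protection status:/ {
            if ($0 ~ /Custom Configuration/) custom = 1
            else if ($0 ~ /status: enabled/)  state = "enabled"
            else if ($0 ~ /status: disabled/) state = "disabled"
            next
        }
        # Per-protection lines of the older format, e.g. "Kext Signing: disabled".
        # "Apple Internal" is skipped: assumed here to be a build flag, not a protection.
        /^[ \t]*[A-Za-z ]+: (enabled|disabled)[ \t]*$/ {
            if ($0 ~ /Apple Internal/) next
            if ($NF == "enabled") on++; else off++
        }
        END {
            if (custom) {
                # Every listed protection off is the same as SIP being off.
                if (off > 0 && on == 0) print "custom-all-off"
                else print "custom-partial"   # mixed or unlisted: review by hand
            } else if (state != "") print state
            else print "unknown"
        }'
}

# Sample outputs as quoted in the thread (10.11.1 after "csrutil disable", then 10.11.2).
OLD_DISABLED='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled'
NEW_DISABLED='System Integrity Protection status: disabled.'

printf '%s\n' "$OLD_DISABLED" | sip_state
printf '%s\n' "$NEW_DISABLED" | sip_state

# On a Mac, classify the live setting as well.
if command -v csrutil >/dev/null 2>&1; then csrutil status | sip_state; fi
```

Both "custom-all-off" and "disabled" should be treated as SIP being off when checking a fleet.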