SIP (rootless) disabled by default now?

Erdbeertorte

Hey,

I made a clean install of 10.11.1 and installed the 10.11.2 beta update.

The terminal just displays:

...$ csrutil status

System Integrity Protection status: disabled.


In older versions it always displayed enabled as status, also after entering "csrutil disable" in the recovery partition's terminal. But there were some options listed and each of them was shown as disabled. Now it's just that single line and I did not disable it.

Is this new in the beta of 10.11.2 or is it in the final version of 10.11.1 too?
 

maflynn

It would be foolish for Apple to disable it by default. It's a security measure that protects the clear majority of users.
 

KALLT

Did you disable it before the reinstallation? It might have persisted from your last installation.
 

chrfr

> Hey,
>
> I made a clean install of 10.11.1 and installed the 10.11.2 beta update.

SIP status is retained in NVRAM, not the filesystem, so a clean install will not reenable it. SIP remains enabled by default in even developer builds of OS X.
 

maflynn

> SIP status is retained in NVRAM, not the filesystem, so a clean install will not reenable it. SIP remains enabled by default in even developer builds of OS X.

Interesting, I did not know that. It's good to know, though I don't understand why that is the case.
 

Weaselboy

> SIP status is retained in NVRAM, not the filesystem, so a clean install will not reenable it. SIP remains enabled by default in even developer builds of OS X.

Just curious in light of this... if someone has disabled SIP, then resets NVRAM... does it default back to SIP enabled? Anybody tested this?
 

chrfr

> Just curious in light of this... if someone has disabled SIP, then resets NVRAM... does it default back to SIP enabled? Anybody tested this?

I believe it does, yes.
The other side effect of this is that any boot drive on a given computer will also retain SIP status set in the other boot drive; you cannot have two 10.11 boot environments on the same computer which have different SIP status.
 

Weaselboy

> I believe it does, yes.
> The other side effect of this is that any boot drive on a given computer will also retain SIP status set in the other boot drive; you cannot have two 10.11 boot environments on the same computer which have different SIP status.

> It does. The setting in NVRAM just overrides the behaviour of the OS.

Thanks... I assumed this was the case since it made sense, but had not tested.
 

KALLT

> Interesting, I did not know that. It's good to know, though I don't understand why that is the case.

Perhaps it's just a neater solution. Writing directly into the file system of another partition to change a setting may be unnecessarily risky. NVRAM just stores a variable that the system can work with at runtime.
 

Erdbeertorte

I never disabled it on the new iMac and also changed the RAM and reset the NVRAM several times. But I did not check the status before. So I don't know if the 10.11.2 update disabled it or the final version of 10.11.1.

On my MacBook Pro I have been using El Capitan since the first developer beta and it was always enabled by default after a clean install, I think even after every update, but I can't remember exactly.

And every time I disabled it and checked the status in the Terminal, it was displayed as enabled but showed that all options are disabled, now these options are gone and it just says disabled. In Disk Utility the status strangely never changes from enabled to disabled.
 

Erdbeertorte

Back on 10.11.1 now. This is what I meant, if SIP has been disabled by myself I got that output (also on the developer betas before):

...$ csrutil status

System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.



And on 10.11.2 it's just that and it was disabled by default:

...$ csrutil status

System Integrity Protection status: disabled.
 

KALLT

They probably just clarified the output. Disabling all these functions is the equivalent of turning SIP off.
 

dogslobber

> Hey,
>
> I made a clean install of 10.11.1 and installed the 10.11.2 beta update.
>
> The terminal just displays:
>
> ...$ csrutil status
>
> System Integrity Protection status: disabled.
>
> In older versions it always displayed enabled as status, also after entering "csrutil disable" in the recovery partition's terminal. But there were some options listed and each of them was shown as disabled. Now it's just that single line and I did not disable it.
>
> Is this new in the beta of 10.11.2 or is it in the final version of 10.11.1 too?

It's enabled for me:

mbp14:~ dogslobber$ csrutil status
System Integrity Protection status: enabled.
mbp14:~ dogslobber$ sw_vers -productVersion
10.11.2
mbp14:~ dogslobber$
 

h9826790

I guess it's just cosmetic and a new way to display the status.

In fact, displaying SIP as "disabled" is better than "enabled" but all related functions off, which may confuse the user that SIP is actually enabled.
 

dogslobber

> I guess it's just cosmetic and a new way to display the status.
>
> In fact, displaying SIP as "disabled" is better than "enabled" but all related functions off, which may confuse the user that SIP is actually enabled.

Custom configs look like they're just for developers. E.g. kext off makes sense if you're a kernel developer.
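
Added example, not part of the original thread: a small shell function that normalizes the `csrutil status` output forms posted above, so that the 10.11.1-style "enabled (Custom Configuration)" report with every protection off is classified the same way as the newer one-line "disabled" report. The state names it prints and the treatment of "Apple Internal" as a non-protection flag are assumptions made for this example.

```shell
#!/bin/sh
# Classify `csrutil status` output read from stdin.
# Prints: enabled | disabled | effectively-disabled | partial | unknown
sip_effective_state() {
    awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /status: disabled/)     state = "disabled"
            else if ($0 ~ /status: enabled/) state = "enabled"
            custom = ($0 ~ /Custom Configuration/)
            next
        }
        # Per-feature lines such as "Kext Signing: disabled".
        /^[ \t]*[A-Za-z ]+: (enabled|disabled)[ \t]*$/ {
            # Assumption: "Apple Internal" is a flag, not a protection.
            if ($0 ~ /^[ \t]*Apple Internal:/) next
            if ($NF == "enabled") on++
            else off++
        }
        END {
            if (state == "")                       print "unknown"
            else if (state == "disabled")          print "disabled"
            else if (custom && off > 0 && on == 0) print "effectively-disabled"
            else if (custom || off > 0)            print "partial"
            else                                   print "enabled"
        }'
}

# Outputs as posted in the thread.
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
# Constructed sample: only kext signing switched off.
SAMPLE_PARTIAL='System Integrity Protection status: enabled (Custom Configuration).
Kext Signing: disabled
Filesystem Protections: enabled'

for s in "$SAMPLE_CUSTOM" "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_PARTIAL"; do
    printf '%s\n' "$s" | sip_effective_state
done
```

On a Mac the function would be fed the live output instead of the samples: `csrutil status | sip_effective_state`.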
 