hoakley June 19, 2019 Macs, Technology

What is SIP and when is it safe to turn it off?

System Integrity Protection – SIP – is one of the primary mechanisms which macOS uses to protect itself. Introduced relatively recently in El Capitan (2015), you’ll find various recommendations that to fix problems with macOS or even with some apps, you should turn SIP off first. I hope in this article to convince you that it’s never safe to turn it off, and that Catalina makes that even more important with its new read-only system volume.

In earlier days of Mac OS X, it wasn’t uncommon for key system files to become damaged or corrupted. Sometimes it was put down to disk errors, other times to an out-of-control extension or app, but we never wanted to think that it might have been deliberate. For once any malicious software gained access to the system, that Mac was doomed.

Before El Capitan, the only thing standing between system files and an attacker was the need to gain root privileges. SIP took all those system files out of reach of even the root user (consequently being referred to as rootless): using a combination of the rootless.conf file stored in /System/Library/Sandbox and the com.apple.rootless extended attribute, the contents of most system folders came under SIP’s protection. The only way that a user can circumvent this is by turning SIP off when booted into Recovery mode (or from a bootable macOS installer) and using the csrutil command from there.

Since El Capitan, Apple has steadily increased SIP’s coverage to include all its bundled apps and tools, but even in Mojave, they remain on the same volume as the rest of your startup folders, including the main Applications folder and user Home folders. This is changing with macOS 10.15 Catalina: when you install that, a new read-only volume is created and all those system files and folders are stored on that, set apart from Applications, your top-level Library folder, and user Home folders.

Remember that in APFS, volumes within the same Container share free space, so you don’t have to worry about managing free space between them. This further enhances protection, and to ensure that apps and other software can still find the system files that they might rely on, Catalina uses a form of bi-directional symbolic link, termed a firmlink, to make it appear that the two new volumes are still one.

The mechanism which enforces SIP has also grown other functions over this period, and one which is becoming prominent in Mojave 10.14.5 and Catalina is the hardening required for notarization of third-party apps: Jeff Johnson revealed this late last year. SIP is also responsible for enforcing strict security restrictions on kernel extensions, which are now required to be both specially signed and notarized (for those signed from 7 April 2019 onwards).

Before these recent changes to SIP, disabling it was often recommended as a first step when attempting to fix problems in macOS which were blamed on damaged services or Property Lists. I have had a steady succession of advanced users who have turned SIP off and then tried to repair what they thought were corrupted components within macOS. None of them, as far as I recall, was ever successful in tinkering in this way, and every case became rapidly worse once SIP was disabled and they started fiddling around with what should have been protected files.

If you think that, despite SIP being turned on, system files have become corrupted, the best solution is to reinstall them, either using the latest Combo updater for that version of macOS, or by reinstalling the whole of macOS. Then the installer takes control of SIP, and when it’s finished should leave it turned on for you.

With SIP enforcing security on kernel extensions and the protection of hardening which accompanies notarization, some may now start recommending that SIP is turned off to work around problems with third-party kernel extensions or apps. As with manually trying to patch macOS, this is a bit like smelling smoke in the building and responding by disabling the automatic sprinkler system in case it goes off. When you’ve got a problem, don’t turn the safety systems off, as that’s just when you need them most.

If you’re experiencing problems with kernel extensions or other software which are supposed now to be hardened and notarized, the problem isn’t with SIP, it’s with that third party software, and that is what you need to get fixed.

There may be, just may be, very rare circumstances in which turning SIP off might enable you to fix something critical. I can’t think of any situation, and have never turned SIP off myself. But if you really are absolutely certain it’s the only way forward, get a brightly-coloured sticky note, write in bold black letters SIP DISABLED, and stick it on the display of that Mac. Leave it there until you have not only turned SIP back on again, but have checked that it is properly enabled using LockRattler or a similar utility. You’d be surprised at the number of LockRattler users who only realised that they’d forgotten to turn SIP back on some weeks ago when they came to check using that utility.

And if any software vendor suggests that you should run your Mac with SIP disabled so that their software works, don’t trust them in the slightest. Look for an alternative product. Would you trust a mechanic who fixed a problem with your car by disabling the airbags and removing the seatbelts?

24Comments

Add yours

1

Joss on June 19, 2019 at 7:24 am

You forgot to mention one thing: before El Capitan system files were protected by the venerable Unix flags like “system no unlink”, plus (sometimes) the ACL “group:everyone deny delete”, and of course root:wheel being the file owner. Those are still in place in Mojave, and Apple will surely keep them for Catalina: so even if you disable SIP, boot, then mount the read-only system volume as read-write, and then elevate to root, most of your system will still be protected. To remove the sunlnk flag, you would need to boot into single user mode first, though it might also work from Recovery because, well, this is macOS. 😉 But I haven’t tried it from Recovery, only from single user mode. Then there’s the new Unix flag “restricted”, but I’m not sure if these files are protected from deletion, even if SIP is disabled. Haven’t tried that either. What I have tried is that you can remove, add or re-add the “restricted” flag from Recovery. But the gist is: macOS/OSX was always very safe, very, because it’s a Unix-based system. Expanding sunlnk to more files would have been sufficient, so I’m pretty sure SIP was never really about file protection, at least not primarily. That’s just a auxiliary functionality they concocted next to the other parts of SIP. As for turning of SIP, there are some use case I can think of, e.g. special forensic operations, and since the system volume is now read-only, I assume that more users as before (or their admins) will need to turn of SIP to tweak some stuff. Will logout hooks still work in Catalina? Will you still be able to edit paths, sudoers, hosts etc. pp.? If some of the more geeky operations don’t work anymore, then disabling SIP (in order to mount the system volume as read-write in order to modify files) will occur more often than ever.

LikeLiked by 1 person
- 2
  
  hoakley on June 19, 2019 at 11:56 am
  
  Thanks.
  Yes, I have oversimplified the situation before El Capitan, but this is about SIP rather than those other protections.
  I’m surprised that you think that previous protections were good enough. Anyway, we don’t have any choice. Some of us suspect that Apple is moving to a read-only system volume because of known vulnerabilities in SIP. I’m not sure what other purpose SIP could have been introduced for, although now the mechanism does considerably more, of course.
  I stand by what I have written above in respect of when it is safe to turn SIP off. Yes, forensic investigation is rather different, and a bit outside the subject area here. But the new read-only system volume does make provision for users still to have access to limited parts of the system where they need to.
  Frankly, anyone who turns SIP off and leaves it off (except for very specific and exceptional purposes, and I still can’t think of any for a user) is a fool and deserves everything that comes to them. It is one of macOS’s primary protections, not only against malware but against all sort of other issues which arise when system files get altered or corrupted.
  Howard.
  
  LikeLike
3

Adam on June 19, 2019 at 4:07 pm

You said “rootless.conf”.

The closest I could find is “/System/Library/Security/authorization.plist.” There is no “rootless.conf”.

Running 10.14.5.

Could you clarify what is the difference between rootless.conf and authorization.plist?

LikeLiked by 1 person
- 4
  
  hoakley on June 19, 2019 at 4:15 pm
  
  Sorry: that’s now /System/Library/Sandbox/rootless.conf and I am just correcting the article, thank you.
  That plist has, as far as I know, nothing to do with SIP, but other security authorisations.
  Howard.
  
  LikeLike
5

Duncan on June 19, 2019 at 11:53 pm

One decision that I have never understood with more recent versions of OS X is to hide the user’s ~/Library folder by default, yet still leave the /System and /Library folders visible.

I could see hiding all three by default to simplify/protect things for novice users, but what percentage of overall users ever need to poke around in /System, or even /Library without some sort of explicit instructions which could then tell how to reveal them as appropriate?

LikeLiked by 1 person
- 6
  
  hoakley on June 20, 2019 at 6:16 am
  
  I think that’s the point: few users are going to fiddle in /Library or /System/Library, so it’s relatively safe to leave them in plain view. Many users have fiddled in ~/Library, particularly with preference files, so hide that away so you can blame the user when they are having problems with preference files.
  They are a nightmare now – bad enough for developers who control what should be in them, and worse for users. I wonder if that’s the main reason, plus of course Containers and their crazy world, and iCloud, and all sorts of other things that Apple doesn’t want us to fiddle with.
  The other two Library folders are much more straightforward to deal with, except in their deepest recesses, which are also hidden away behind weird pathnames.
  Howard.
  
  LikeLike
7

EcleX on June 20, 2019 at 8:41 am

Thanks. Yet another reason a brand new Conflict Catcher for macOS would be great!
https://en.wikipedia.org/wiki/Conflict_Catcher

LikeLiked by 1 person
- 8
  
  hoakley on June 20, 2019 at 9:18 am
  
  I’m not sure where it might help with SIP, though?
  Howard.
  
  LikeLike
  - 9
    
    EcleX on June 20, 2019 at 9:48 am
    
    I actually meant in relation of what you said:
    
    “If you’re experiencing problems with kernel extensions or other software which are supposed now to be hardened and notarized, the problem isn’t with SIP, it’s with that third party software, and that is what you need to get fixed”.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on June 20, 2019 at 11:20 am
      
      Conflict Catcher couldn’t go near those problems, I’m afraid.
      The problems arise when Mojave or Catalina expects an app or extension (or anything else) to be notarized, and as a result refuses to load/run it. Apparently some developers are telling their customers to work around these problems by turning SIP off, which disables that protection and allows the app/extension to run.
      There’s nothing that Conflict Catcher or any third party product can do about that: it’s up to the developers to get their apps/extensions properly notarized as Apple has instructed.
      Howard.
      
      LikeLike
11

Sip some tea instead of FUD.. on June 20, 2019 at 12:05 pm

“Divine Comedy” indeed!

LikeLiked by 1 person
12

Weekly News Summary for Admins — 2019-06-21 – Cebu Scripts on June 22, 2019 at 12:02 am

[…] What is SIP and when is it safe to turn it off? – Howard Oakley […]

LikeLike
13

Patrick on June 24, 2019 at 6:39 pm

Hi Howard
I’ve got a new mac and I want to inherit the TimeMachine history from the old one. I need to use “tmutil associatedisk …” It seems that it isn’t doing anything. I’ve read here (https://blog.wadetregaskis.com/tmutil-is-broken-by-sip-in-mojave/) that I need to disable SIP first. After your post I am a bit skeptical. Do you know anything about it?
Thanks! Patrick

LikeLiked by 1 person
- 14
  
  hoakley on June 24, 2019 at 9:23 pm
  
  Thanks.
  I didn’t attempt that when I upgraded late last year, but simply started a new backup series for my new Mac, which I keep alongside the old one.
  However, it sounds quite plausible. Don’t forget to turn it on again as soon as possible.
  Howard.
  
  LikeLike
15

Patrick on June 24, 2019 at 6:41 pm

Hi Howard
I’ve got a new mac and I want to inherit the TimeMachine history from the old one. I need to use “tmutil associatedisk …” It seems that it isn’t doing anything. I’ve read here (https://blog.wadetregaskis.com/tmutil-is-broken-by-sip-in-mojave/) that I need to disable SIP first. After your post I am a bit skeptical. Do you know anything about it?
Thanks! Patrick

LikeLiked by 1 person
- 16
  
  hoakley on June 24, 2019 at 10:38 pm
  
  The last info that I can see from Apple applies to Sierra, and says that if you migrate from your existing TM backup to your new system, you should definitely have the option to inherit those backups. Provided that you do migrate from the old system, when you enable TM backups you should be offered the choice of inheriting your old backups, or starting a new series. You therefore shouldn’t have to resort to tmutil at all.
  Howard.
  
  LikeLike
  - 17
    
    Patrick on June 25, 2019 at 1:36 pm
    
    Thanks Howard! This pointed me to the right direction. I just had to rename the macs name under ‘sharing’ to the old macs name and start a time-machine-backup. The new mac inherited the old backup-history automatically and after many hours when the first backup was complete, I could change the macs name again to the new name. After another (short) timemachine backup the machine name under Backups.backupd changed as well.
    Many thanks for writing blog post like these. I stumbled upon your page some weeks ago when I had to fsck my boot drive and discovered the local snapshots. Keep up the good work! Your posts are very instructive.
    
    LikeLiked by 1 person
    - 18
      
      hoakley on June 25, 2019 at 7:20 pm
      
      Thank you – and well done. I’m delighted that it worked out for you after all.
      Howard.
      
      LikeLike
19

Microwave_highvoltage on November 16, 2019 at 3:00 pm

What do you think about the following accusation?
With Macs, SIP at it’s core is merely a means to enforce DRM much like Kernel Patch Protection (PatchGuard) and DSE (Driver Signing Enforcement) have been to Windows-based machines.

LikeLiked by 1 person
- 20
  
  hoakley on November 16, 2019 at 5:03 pm
  
  I have seen such allegations about SIP and the T2 chip as ways to enforce DRM. I have yet to see any evidence, and not only that but those who make these claims appear unable to explain how they might work to do that.
  So I’m completely unconvinced, and consider it FUD.
  Howard.
  
  LikeLike
  - 21
    
    Microwave_highvoltage on November 26, 2019 at 5:40 pm
    
    Thanks for your opinion!
    
    LikeLiked by 1 person
- 22
  
  Joss on November 16, 2019 at 10:22 pm
  
  Not DRM in the classic sense. In terms of software, however, DRM would mean something like a protection against cracks, right? I.e. blocking them from runnning. I can only speak from my experiences on Mojave, and whether SIP is de facto DRM depends on the security settings that the developers burn into their runtime. Most software will run just fine as a crack, even notarized software. All you need to do is remove the quarantine XA to circumvent Gatekeeper. At the very most you need to re-sign the bundle, and an adhoc signature is sufficient in many cases. (Though not with apps that need TCC permissions or install privileged helpers: TCC tends not to stick after a reboot, and privileged helpers often just fail to install, which is more of a macOS security measure than DRM, of course.) But some apps are protected in a way that any change to the bundle after code-signing, hardening, notarization will make it fail at launch, unless you disable the fs part of SIP. So, System Integrity Protection, while primarily a security measure more finetuned than the legacy Unix protections, is also (in a sense) a framework for DRM provided by Apple, but enforced/applied by developers, if they so choose. Most developers don’t lock down their software completely, because they probably know that a fair amount of piracy (not too widespread) is actually good for business. And with Apple’s new protections in place, using cracks is not a walk in the park anymore as it used to be, and while SIP may be a bit of pita in this context, I actually see it as a welcome corrective that trims piracy down to what probably is a “fair amount”. I know lots of people who just gave up and bought the software instead, because it’s gotten pretty hard for the layman to make some cracks run on newer macOS systems. (Just my 2¢.)
  
  LikeLiked by 1 person
  - 23
    
    hoakley on November 16, 2019 at 10:48 pm
    
    I’m sorry, there are so many errors and misunderstandings there it’s hard to know how to start.
    SIP has no protective effects whatsoever on third party software, apart from a role in notarisation which isn’t relevant here. Third party software, whether supplied through App Store or direct by the developer, isn’t protected by SIP. SIP only protects those designated parts of the system software and Apple’s bundled apps. It has nothing whatsoever to do with Digital Rights Management, and doesn’t block anything from running.
    If you wish to ‘crack’ or mutilate apps, that’s simple: strip any quarantine flags and signatures. macOS runs unsigned software, even in Catalina. What it won’t do is run software with a broken signature, which will either be rejected by Gatekeeper (if you have left a quarantine flag), or the app will be crashed when trying to launch if the signature error is serious enough. That’s the whole point of having signatures.
    Where this comes unstuck is with sandboxed apps, which need entitlements which are baked into the signature – that’s nothing to do with DRM, it’s just the way the sandbox works.
    Developers can’t opt to use SIP. Apps can opt to use the sandbox (which is intended to protect the user and other processes), to be hardened (which is all about protection from malware, and nothing to do with DRM), and are now required to be notarized (which is to protect the user from malware). Developers don’t “lock down” their software except to protect it from being subverted by malware. This has nothing to do with protecting against piracy. Every one of my apps is signed, hardened, notarized, and checks its own integrity on launch, not to prevent piracy – it’s free for God’s sake! – but to ensure that what you run is what I built here on my Mac, and not malware.
    Of course, when a user behaves as if they are malware…
    Howard.
    
    LikeLike
24

Microwave_highvoltage on November 26, 2019 at 6:12 pm

But I reckon that on newer macOSes there have been enforcements that prevent us from debugging some apps with special entitlements (?), or maybe hardened ones (?).
Not being able to debug a media process might protect decrypted or unscrambled content that might be present in that app.

On a Windows-note, if you managed to run an unsigned (or even test-signed?) driver in the kernel the PMP (Protected Media Path) would be no longer usable and Windows Media Player would throw a DRM error.
IIRC this behavior was introduced with Vista.
Of course you could always run a driver by means of an exploit and then still be able to listen to DRM content. Windows wouldn’t know your code was running.

At least there have been rumors about dtrace no longer functioning with some non-root apps even though you were root.
Are those measures enforced by entirely different means than SIP then?
Why shouldn’t you debug non-root apps then?

LikeLiked by 1 person