4 Replies
      Latest reply on Sep 24, 2015 4:27 PM by emorig
      rtrouton

        There is a new tool to manage SIP, available in both the Recovery environment and in OS X:


        `/usr/bin/csrutil`

        Running `/usr/bin/csrutil` by itself prints out a listing of currently available commands:

        computername:~ username$ /usr/bin/csrutil
        usage: csrutil <command>
        Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
        Available commands:
        
        
            clear
                Clear the existing configuration. Only available in Recovery OS.
            disable
                Disable the protection on the machine. Only available in Recovery OS.
            enable
                Enable the protection on the machine. Only available in Recovery OS.
            status
                Display the current configuration.
        
        
            netboot
                add <address>
                    Insert a new IPv4 address in the list of allowed NetBoot sources.
                list
                    Print the list of allowed NetBoot sources.
                remove <address>
                    Remove an IPv4 address from the list of allowed NetBoot sources.
        computername:~ username$
        


        `/usr/bin/csrutil disable` - Turns SIP off for the boot drive. Must be run from Recovery, with a reboot to take effect. If run while SIP is already disabled, the command does nothing.

        When disabled, running `/usr/bin/csrutil status` on the boot drive will give the following output:

        computename:~ username$ csrutil status
        System Integrity Protection status: enabled (Custom Configuration).
        
        
        Configuration:
          Apple Internal: disabled
          Kext Signing: disabled
          Filesystem Protections: disabled
          Debugging Restrictions: disabled
          DTrace Restrictions: disabled
          NVRAM Protections: disabled
        
        
        This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

        Bug filed about this output: https://openradar.appspot.com/22361698

        `/usr/bin/csrutil enable` - Turns SIP on for the boot drive. Must be run from Recovery, with a reboot to take effect. If run while SIP is already enabled, the command does nothing.

        When enabled, running `/usr/bin/csrutil status` on the boot drive will give the following output:

        computername:~ username$ csrutil status
        System Integrity Protection status: enabled.
        computername:~ username$

        Note: If you run `/usr/bin/csrutil enable` followed by `/usr/bin/csrutil disable` (or vice-versa), only the first command is actually run.

        `/usr/bin/csrutil netboot add` - Adds an IPv4 address to the list of allowed NetBoot sources. Must be run from Recovery.

        `/usr/bin/csrutil netboot list` - Prints the list of allowed NetBoot sources. Can be run from either Recovery or the boot drive.

        `/usr/bin/csrutil netboot remove` - Removes an IPv4 address from the list of allowed NetBoot sources. Must be run from Recovery.

        `/usr/bin/csrutil clear` - Resets SIP status and clears the NetBoot list. After reboot, SIP is enabled if it was not previously. Running `csrutil netboot list` shows that no NetBoot IPs are listed.

        • Re: New SIP management command line tool
          rtrouton

          Here's a script I've written for reporting on SIP's status. It's not working entirely like it should in Beta 7, thanks to Beta 7's csrutil reporting the wrong status if it's disabled*, but it should be good enough otherwise for reporting.

          #!/bin/bash

          osvers_major=$(sw_vers -productVersion | awk -F. '{print $1}')
          osvers_minor=$(sw_vers -productVersion | awk -F. '{print $2}')

          # Checks to see if the OS on the Mac is 10.x.x. If it is not, the
          # following message is displayed without quotes:
          #
          # "Unknown Version Of Mac OS X"

          if [[ ${osvers_major} -ne 10 ]]; then
            echo "Unknown Version of Mac OS X"
          fi

          # Checks to see if the OS on the Mac is 10.11.x or higher.
          # If it is not, the following message is displayed without quotes:
          #
          # "System Integrity Protection Not Available For" followed by the version of OS X.

          if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -lt 11 ]]; then
            echo "System Integrity Protection Not Available For $(sw_vers -productVersion)"
          fi

          if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 11 ]]; then

            # Checks System Integrity Protection status on Macs
            # running 10.11.x or higher. csrutil's first line reads
            # "System Integrity Protection status: enabled." (or "disabled."),
            # so the fifth field is the status word, minus its trailing period.

            SIP_status=$(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//')

            if [[ "${SIP_status}" = "disabled" ]]; then
              result="Disabled"
            elif [[ "${SIP_status}" = "enabled" ]]; then
              result="Active"
            else
              result="Unknown"
            fi
            echo "${result}"
          fi

          *Bug report filed for this issue. Receiving `System Integrity Protection status: enabled (Custom Configuration)` is confusing. The Custom Configuration is that System Integrity Protection is disabled, but the status message may cause the reader to believe that System Integrity Protection’s protection is still enabled.
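The reporting script above and the Beta 7 `enabled (Custom Configuration)` output quoted in the first post turn on the same parsing problem: the top-line status word is `enabled` whether SIP is fully on or entirely off. What follows is an added example, not rtrouton's script and not Apple code. It classifies the `csrutil status` text itself, reading the per-protection lines under `Configuration:` when they are present, so a machine where every protection reads `disabled` is reported as Disabled rather than Active. The sample outputs are constructed copies of the two outputs quoted in the thread plus one invented mixed configuration; `sip_report` is an assumed wrapper name that runs the real tool when `/usr/bin/csrutil` exists.

```bash
#!/bin/bash
# Added example, not rtrouton's script or Apple code: classify the output
# of `csrutil status`, including the "enabled (Custom Configuration)"
# form, by reading the per-protection lines when they are present.

# Constructed sample: the plain "enabled" output quoted in the thread.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'

# Constructed sample: a plain "disabled" top line (no Configuration block).
SAMPLE_DISABLED='System Integrity Protection status: disabled.'

# Constructed sample: the Beta 7 output quoted in the thread, where SIP is
# actually off but the top line still says "enabled".
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
  Apple Internal: disabled
  Kext Signing: disabled
  Filesystem Protections: disabled
  Debugging Restrictions: disabled
  DTrace Restrictions: disabled
  NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

# Constructed sample (invented, not from the thread): only two protections off.
SAMPLE_MIXED='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
  Apple Internal: disabled
  Kext Signing: disabled
  Filesystem Protections: enabled
  Debugging Restrictions: enabled
  DTrace Restrictions: enabled
  NVRAM Protections: enabled'

# sip_state <csrutil status output>
# Prints Active, Disabled, Custom or Unknown:
#   Active   - top line says enabled and there is no Configuration block
#   Disabled - top line says disabled, or every listed protection is disabled
#   Custom   - Configuration block with a mix of enabled and disabled lines
sip_state() {
    local output="$1" top total disabled
    # Status word from the first "System Integrity Protection status:" line,
    # with the trailing "." or " (Custom Configuration)." removed.
    top=$(printf '%s\n' "$output" | awk -F': ' '/^System Integrity Protection status:/ {print $2; exit}')
    top=${top%%[ .]*}

    case "$top" in
        disabled) echo "Disabled"; return 0 ;;
        enabled)  ;;
        *)        echo "Unknown"; return 0 ;;
    esac

    if ! printf '%s\n' "$output" | grep -q '^Configuration:'; then
        echo "Active"; return 0
    fi

    # Count the indented "<Protection>: <state>" lines; "|| true" keeps a
    # zero count from aborting under "set -e".
    total=$(printf '%s\n' "$output" | grep -c '^  [A-Za-z ]*: ' || true)
    disabled=$(printf '%s\n' "$output" | grep -c '^  [A-Za-z ]*: disabled$' || true)

    if [ "$total" -gt 0 ] && [ "$total" -eq "$disabled" ]; then
        echo "Disabled"
    else
        echo "Custom"
    fi
}

# sip_report: assumed wrapper name; runs the real tool when it exists.
sip_report() {
    if [ -x /usr/bin/csrutil ]; then
        sip_state "$(/usr/bin/csrutil status 2>/dev/null)"
    else
        echo "Unknown"
    fi
}

sip_state "$SAMPLE_ENABLED"    # Active
sip_state "$SAMPLE_CUSTOM"     # Disabled
sip_state "$SAMPLE_MIXED"      # Custom
```

On a Mac, `sip_report` runs the real tool; elsewhere the constructed samples exercise the parser. Any check that reads only the first status word, as `awk '{print $5}'` in the script above does, will report a Beta 7 machine with every protection off as enabled; counting the protection lines is what separates the two cases.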

            • Re: New SIP management command line tool
              bruienne

              In poking at the changes made to the SIU framework for my own project's needs (AutoNBI) I noticed some SIP-specific allowances that were added to modify Netbooting permissions for the target system. This indicated to me that NetInstall and NetBoot images by default have the 'csrutil' tool included in a Recovery mode-like way, which I have been able to verify since then. This means that csrutil is able to make changes from a NetInstall/NetBoot environment which thus far seemed to be only possible from the Recovery partition. The relevant code is from 'addBSDPSources.sh' which adds a list of IPs from a file named 'bsdpSources.txt' in the 'Packages/Extras' folder to the list of whitelisted Netboot IPs on the host being imaged. This may point towards a general best practice for Mac Admins' workflows in order to minimize the impact of restricted 'bless' functionality in normal runtime mode OS X.

              # From addBSDPSources.sh: whitelist each NetBoot source IP listed
              # in bsdpSources.txt on the host being imaged.
              extrasDir="/System/Installation/Packages/Extras"
              theFile="${extrasDir}/bsdpSources.txt"

              if [ -f "${theFile}" ]; then
                while read -r ENTRY
                do
                  # Run csrutil on each entry in the file
                  csrutil netboot add "${ENTRY}"
                done < "${theFile}"
              fi
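The loop above hands every line of bsdpSources.txt straight to `csrutil netboot add`. Here is an added example, not Apple's addBSDPSources.sh and not bruienne's AutoNBI code, that does the same job but accepts only entries that are well-formed dotted-quad IPv4 addresses and skips blank lines and `#` comments, so a stray or malformed line in the Extras folder never reaches csrutil. The `CSRUTIL` variable, the `demo` function, the sample allowlist and the stand-in csrutil script are assumptions made so the loop can run outside a NetInstall environment; the stand-in only echoes what it was asked to add.

```bash
#!/bin/bash
# Added example, not Apple's addBSDPSources.sh or bruienne's AutoNBI code:
# load a bsdpSources.txt-style allowlist into csrutil's NetBoot list, but
# only for entries that are well-formed IPv4 addresses.

# Assumed: where csrutil lives; overridden in demo() with a stand-in.
CSRUTIL="${CSRUTIL:-/usr/bin/csrutil}"

# is_ipv4 <string>: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    local ip="$1" octet dots
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    dots=$(printf '%s' "$ip" | tr -cd '.' | wc -c)
    [ "$((dots))" -eq 3 ] || return 1
    local IFS=.
    for octet in $ip; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# load_netboot_sources <file>: for each accepted entry, runs
# "$CSRUTIL netboot add <ip>" and prints the ip; blank lines, "#" comments
# and malformed entries are skipped with a note on stderr.
load_netboot_sources() {
    local file="$1" entry
    [ -f "$file" ] || return 0
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry="${entry%%#*}"                                   # drop comments
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"    # trim
        [ -n "$entry" ] || continue
        if ! is_ipv4 "$entry"; then
            echo "skipping malformed NetBoot source: $entry" >&2
            continue
        fi
        "$CSRUTIL" netboot add "$entry" || { echo "csrutil failed for $entry" >&2; continue; }
        echo "$entry"
    done < "$file"
}

# demo: constructed allowlist (not a real bsdpSources.txt) and a stand-in
# csrutil that only echoes its arguments, so the loop runs offline.
demo() {
    local tmpdir sources fake CSRUTIL
    tmpdir="$(mktemp -d)"
    sources="$tmpdir/bsdpSources.txt"
    fake="$tmpdir/csrutil"
    printf '%s\n' \
        '# NetBoot servers allowed to image this Mac' \
        '10.0.1.5' \
        '10.0.1.6   # secondary server' \
        '' \
        '10.0.1.999' \
        '10.0.1.5; rm -rf /' \
        '192.168.0.20' > "$sources"
    printf '#!/bin/sh\necho "stand-in csrutil called with: $*" >&2\n' > "$fake"
    chmod +x "$fake"
    CSRUTIL="$fake"
    load_netboot_sources "$sources"
    rm -rf "$tmpdir"
}

demo
```

With the constructed file, `demo` prints `10.0.1.5`, `10.0.1.6` and `192.168.0.20`; the out-of-range `10.0.1.999` and the shell-metacharacter line are reported on stderr and never passed to the tool. In a real NetInstall image the same function would be pointed at `/System/Installation/Packages/Extras/bsdpSources.txt` with `CSRUTIL` left at its default.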
              
            • Re: New SIP management command line tool
              emorig

              I am looking for advice. Here is what I did:

              • Started with a MacBook Pro 17" (early 2008) running "production" Yosemite 10.10.5 with the latest patches and updates.
              • Installed OS X 10.10 Yosemite on an external hard drive, then updated it to the latest. (So the Recovery Partition would be the latest version.)
              • Used Carbon Copy Cloner to clone the production Yosemite to the external drive as a backup. Removed the external drive and rebooted.
              • Ran the OS X 10.11 El Capitan GM Candidate installer on the internal drive Yosemite. It installed El Capitan as expected.

              My goal is to test various "questionable" old software (e.g., Timbuktu Pro 8.8.5) under El Capitan.

              HERE IS MY QUESTION:

              If I want to restore the "production" Yosemite to the internal drive, should I run "csrutil disable" or "csrutil clear" first to restore the nvram boot-args to a known state before wiping the drive and restoring Yosemite?  (If so, which should I run - "disable" or "clear"?)