SIP (System Integrity Protection)

Apple's new El Capitan feature SIP (System Integrity Protection) aka "rootless" will have some interesting impacts that will impede workflows for administrators.


- If you Netboot across subnets, you will no longer be able to use bless. Apple's view is that if someone can target a machine to boot to a non-10.11 OS, they can bypass SIP. This will prevent any unauthorized boot methods.


- You will be able to write to certain privileged folders through the use of a package signed with a valid Apple Developer code signing certificate.


More soon on SIP if I can find the right engineer.

Replies

something like:

sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist


Create a replacement ssh.plist in /Library/LaunchDaemons with your changes.


sudo launchctl load -w /Library/LaunchDaemons/ssh.plist


(I'm using the legacy syntax here; haven't memorized the "new" syntax yet)

Hi Greg,

What do you mean by 'new syntax'?

Does the launchctl command not work any more?


In the past I used it to see the running services with: launchctl list

Will that no longer work on El Capitan?


Is there an alternative to the launchctl API in El Capitan?


Thanks,

"What do you mean by 'new syntax'?"


Sorry to be blunt, but: `man launchctl`


The syntax/commands we've used since 10.4 are now "legacy" and there are a whole new set of subcommands. Read. Learn. Love.
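The ssh.plist override Greg describes, written out end to end as an added example (this is not code from the thread or from Apple). It generates the replacement plist, then deploys it with either the legacy load/unload syntax or the 10.11 bootstrap/bootout subcommands from `man launchctl`. Assumptions not stated on the page: the plist body follows the shape of Apple's 10.11 ssh.plist (sshd-keygen-wrapper plus launchd socket activation) and should be diffed against the real file with `plutil -p /System/Library/LaunchDaemons/ssh.plist` before use; the label com.openssh.sshd.custom and port 2222 are hypothetical. The replacement gets its own label because `unload -w` and `launchctl disable` record the decision per label, so a copy that reuses com.openssh.sshd inherits the disable.

```sh
#!/bin/sh
# Added example, not code from the thread: replace the SIP-protected
# /System/Library/LaunchDaemons/ssh.plist with a copy under /Library that
# listens on another port. Assumptions: the plist shape below follows
# Apple's 10.11 ssh.plist (sshd-keygen-wrapper + socket activation); the
# label com.openssh.sshd.custom and the default port 2222 are hypothetical.

SYSTEM_PLIST=/System/Library/LaunchDaemons/ssh.plist
SYSTEM_LABEL=com.openssh.sshd
LOCAL_PLIST=/Library/LaunchDaemons/ssh.plist
LOCAL_LABEL=com.openssh.sshd.custom    # must differ from SYSTEM_LABEL

# Print a launchd plist for sshd with label $1 listening on port $2.
# Only the label and SockServiceName differ from Apple's file; launchd still
# owns the socket and hands each connection to "sshd -i".
make_sshd_plist() {
  label=$1
  port=$2
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>${label}</string>
  <key>Program</key>
  <string>/usr/libexec/sshd-keygen-wrapper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/sbin/sshd</string>
    <string>-i</string>
  </array>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key>
      <string>${port}</string>
      <key>Bonjour</key>
      <array>
        <string>ssh</string>
        <string>sftp-ssh</string>
      </array>
    </dict>
  </dict>
  <key>inetdCompatibility</key>
  <dict>
    <key>Wait</key>
    <false/>
  </dict>
  <key>StandardErrorPath</key>
  <string>/dev/null</string>
  <key>SessionCreate</key>
  <true/>
</dict>
</plist>
EOF
}

# Write the replacement root-owned and world-readable; launchd refuses a
# plist that is writable by anyone but root.
install_plist() {
  make_sshd_plist "$LOCAL_LABEL" "$1" | sudo tee "$LOCAL_PLIST" >/dev/null
  sudo chown root:wheel "$LOCAL_PLIST"
  sudo chmod 644 "$LOCAL_PLIST"
}

# Legacy syntax (still accepted on 10.11). -w records the disable/enable
# decision per label, which is why LOCAL_LABEL must not reuse SYSTEM_LABEL.
deploy_legacy() {
  sudo launchctl unload -w "$SYSTEM_PLIST"
  install_plist "$1"
  sudo launchctl load -w "$LOCAL_PLIST"
}

# 10.11 subcommands: bootout and disable Apple's copy in the system domain,
# bootstrap ours into it, then print the first lines of its state.
deploy_new() {
  sudo launchctl bootout system "$SYSTEM_PLIST"
  sudo launchctl disable "system/$SYSTEM_LABEL"
  install_plist "$1"
  sudo launchctl bootstrap system "$LOCAL_PLIST"
  sudo launchctl print "system/$LOCAL_LABEL" | sed -n '1,12p'
}

# Usage: sh sshd_override.sh legacy|new [port]; no argument prints the plist.
case "${1:-print}" in
  legacy) deploy_legacy "${2:-2222}" ;;
  new)    deploy_new "${2:-2222}" ;;
  *)      make_sshd_plist "$LOCAL_LABEL" "${2:-2222}" ;;
esac
```

After either deploy, confirm launchd is listening on the new port with `sudo lsof -nP -iTCP:2222 -sTCP:LISTEN`. To roll back with the new syntax: `sudo launchctl bootout system/com.openssh.sshd.custom`, then `sudo launchctl enable system/com.openssh.sshd` and `sudo launchctl bootstrap system /System/Library/LaunchDaemons/ssh.plist`; the disable override lives outside /System, so SIP never has to be turned off for any of this.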

SIP has a list of Apple and third-party exceptions stored in the following location:


/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths


This is in addition to the list of exceptions defined in the following location:


/System/Library/Sandbox/rootless.conf


Contents of /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths as of 10.11 Developer Beta 8


/System/Library/CFMSupport
/System/Library/CoreServices/Applications/Directory Utility.app/Contents/PlugIns/ADmitMac.daplug
/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/iLifeSlideshowTypes.bundle
/System/Library/CyborgRAT.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XComposite109.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XEthernet109.kext
/System/Library/Filesystems/DAVE
/System/Library/Filesystems/fusefs_txantfs.fs
/System/Library/Filesystems/ufsd_NTFS.fs
/System/Library/Fonts/encodings.dir
/System/Library/Fonts/fonts.dir
/System/Library/Fonts/fonts.list
/System/Library/Fonts/fonts.scale
/System/Library/HuaweiDataCardDriver.kext
/System/Library/LaunchAgents/com.paragon.NTFS.notify.plist
/System/Library/LaunchDaemons/com.absolute.rpcnet.plist
/System/Library/LaunchDaemons/com.intel.haxm.plist
/System/Library/LaunchDaemons/com.seagate.TBDecorator.plist
/System/Library/LaunchDaemons/de.novamedia.nmnetmgrd.plist
/System/Library/PrivateFrameworks/BrowserKit.framework
/System/Library/PrivateFrameworks/Helium.framework
/System/Library/PrivateFrameworks/LiveType.framework
/System/Library/PrivateFrameworks/ProKit.framework
/System/Library/PrivateFrameworks/iLifeSlideshow.framework
/System/Library/QuickTime/QuickTimeMPEG2.component
/System/Library/QuickTime/WiretapDataHandler.component
/System/Library/Services/KAVService.service
/System/Library/Services/Send to Kindle.workflow
/System/Library/StartupItems
/System/Library/USBExpressCardCantWake_Huawei.kext
/sbin/amconfig
/sbin/fsck_ufsd_NTFS
/sbin/mount_cifs
/sbin/mount_fusefs_txantfs
/sbin/mount_ufsd_NTFS
/sbin/mount_vmhgfs
/sbin/newfs_fusefs_txantfs
/sbin/newfs_ufsd_NTFS
/sbin/rpctool
/usr/X11
/usr/bin/FAHClient
/usr/bin/FAHCoreWrapper
/usr/bin/FAHViewer
/usr/bin/VBoxAutostart
/usr/bin/VBoxBalloonCtrl
/usr/bin/VBoxHeadless
/usr/bin/VBoxManage
/usr/bin/VBoxVRDP
/usr/bin/VirtualBox
/usr/bin/cups-calibrate
/usr/bin/escputil
/usr/bin/extlookup2hiera
/usr/bin/facter
/usr/bin/gnutar
/usr/bin/kashell
/usr/bin/kav
/usr/bin/nortonscanner
/usr/bin/nortonsettings
/usr/bin/nvconfigurator
/usr/bin/nvpmgr
/usr/bin/phidgetwebservice21
/usr/bin/puppet
/usr/bin/shake
/usr/bin/stkLaunchAgent.sh
/usr/bin/testpattern
/usr/bin/vagrant
/usr/bin/vboxwebsrv
/usr/discreet
/usr/include/gutenprint
/usr/lib/cshost
/usr/lib/gutenprint
/usr/lib/libMatroxMpeg2IFrameCodec.dylib
/usr/lib/libUFSDNTFS.dylib
/usr/lib/libgutenprint.2.0.3.dylib
/usr/lib/libgutenprint.2.dylib
/usr/lib/libgutenprint.a
/usr/lib/libgutenprint.dylib
/usr/lib/libgutenprint.la
/usr/lib/libnv6.dylib
/usr/lib/libnv6audit.dylib
/usr/lib/libnv6cli.dylib
/usr/lib/libnv6****.dylib
/usr/lib/libnv6foreignras.dylib
/usr/lib/libnv6foreignrast.dylib
/usr/lib/libnv6gui.dylib
/usr/lib/libnv6guit.dylib
/usr/lib/libnv6http.dylib
/usr/lib/libnv6jobs.dylib
/usr/lib/libnv6jobst.dylib
/usr/lib/libnv6json.dylib
/usr/lib/libnv6jsont.dylib
/usr/lib/libnv6ndmp.dylib
/usr/lib/libnv6plugin.dylib
/usr/lib/libnv6plugint.dylib
/usr/lib/libnv6reports.dylib
/usr/lib/libnv6reportst.dylib
/usr/lib/libnv6scsi.dylib
/usr/lib/libnv6stats.dylib
/usr/lib/libnv6statst.dylib
/usr/lib/libnv6t.dylib
/usr/lib/libnv6xctl.dylib
/usr/lib/libnv6xpm.dylib
/usr/lib/libphidget21.jnilib
/usr/lib/libwkextmac.dylib
/usr/lib/pkgconfig/gutenprint.pc
/usr/libexec/aksusbd
/usr/libexec/com.matrox.vpg.Agent
/usr/libexec/com.matrox.vpg.MaxAgent
/usr/libexec/cups/backend/cifs
/usr/libexec/hasplmd
/usr/netvault
/usr/sbin/AELWriter
/usr/sbin/cups-genppd.5.2
/usr/sbin/cups-genppdupdate
/usr/sbin/fsctl_ufsd
/usr/sbin/jamf
/usr/sbin/jamfAgent
/usr/sbin/nipalsm
/usr/sbin/nmnetmgrd
/usr/sbin/nmnetmgrd_launchd
/usr/sbin/nmnetmgrd_launchd_MT
/usr/sbin/palModuleMgr.sh
/usr/sbin/proxyhelper
/usr/sbin/qmasterca
/usr/sbin/qmasterd
/usr/sbin/qmasterprefs
/usr/sbin/qmasterqd
/usr/sbin/rpc.net
/usr/sbin/rpcset
/usr/sbin/rpcstartup
/usr/sbin/setbufsize
/usr/share/cshost
/usr/share/cups/calibrate.ppm
/usr/share/cups/usb
/usr/share/doc/facter
/usr/share/doc/puppet
/usr/share/gutenprint
/usr/share/locale/ca/gutenprint_ca.po
/usr/share/locale/cs/gutenprint_cs.po
/usr/share/locale/da/gutenprint_da.po
/usr/share/locale/de/gutenprint_de.po
/usr/share/locale/el/gutenprint_el.po
/usr/share/locale/en_GB/gutenprint_en_GB.po
/usr/share/locale/es/gutenprint_es.po
/usr/share/locale/fi/gutenprint_fi.po
/usr/share/locale/fr/gutenprint_fr.po
/usr/share/locale/gl/gutenprint_gl.po
/usr/share/locale/hu/gutenprint_hu.po
/usr/share/locale/it/gutenprint_it.po
/usr/share/locale/ja/gutenprint_ja.po
/usr/share/locale/nb/gutenprint_nb.po
/usr/share/locale/nl/gutenprint_nl.po
/usr/share/locale/pl/gutenprint_pl.po
/usr/share/locale/pt/gutenprint_pt.po
/usr/share/locale/ru/gutenprint_ru.po
/usr/share/locale/sk/gutenprint_sk.po
/usr/share/locale/sl/gutenprint_sl.po
/usr/share/locale/sv/gutenprint_sv.po
/usr/share/locale/tr/gutenprint_tr.po
/usr/share/locale/uk/gutenprint_uk.po
/usr/share/locale/vi/gutenprint_vi.po
/usr/share/locale/zh_CN/gutenprint_zh_CN.po
/usr/share/locale/zh_TW/gutenprint_zh_TW.po
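To make the list above actionable, here is an added example (not code from the thread or from Apple) that answers two questions for a given path on a 10.11 machine: is it carved out by the Compatibility exceptions file, and does the live filesystem still mark it protected? Assumptions: the exceptions file is one absolute path per line as printed above, and a directory entry covers its subtree; a SIP-protected file shows `restricted` in the flags column of BSD `ls -lO`. The `ls` parsing runs anywhere and the sample `ls` lines are constructed; only the live report needs macOS.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumptions: the exceptions file
# is one absolute path per line (a directory entry covers its subtree), and
# `ls -lO` prints SIP's `restricted` flag in column 5 on 10.11. The sample
# ls lines in the comments are constructed.

COMPAT_PATHS=/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths

# Return 0 if $1 or any ancestor of it is listed, whole-line, in the
# exceptions file $2 (defaults to Apple's). Anything listed can be written by
# root even with SIP on, so inventory it like any other unprotected binary.
in_exception_list() {
  p=$1
  file=${2:-$COMPAT_PATHS}
  while [ -n "$p" ]; do
    grep -Fxq -- "$p" "$file" && return 0
    case $p in
      */*) p=${p%/*} ;;      # "/usr/sbin/jamf" -> "/usr/sbin" -> "/usr" -> ""
      *)   break ;;          # relative path: nothing more to strip
    esac
  done
  return 1
}

# Given one line of `ls -ldO` output, print yes if the flags column holds
# `restricted`, else no. Flags are comma-separated and "-" when none, e.g.
#   -r-s--x--x  1 root  wheel  restricted,compressed  31472 Jul 30  2015 /usr/bin/sudo
ls_line_restricted() {
  printf '%s\n' "$1" | awk '{
    n = split($5, f, ",")
    for (i = 1; i <= n; i++) if (f[i] == "restricted") { print "yes"; exit }
    print "no"
  }'
}

# Live report for one path (macOS only): exception-list membership plus the
# on-disk flag. Listed and unrestricted is the expected pair; listed but
# restricted means the carve-out is not in effect, while unlisted and
# unrestricted under /usr or /System may be covered by rootless.conf instead.
sip_report() {
  p=$1
  if in_exception_list "$p"; then listed=yes; else listed=no; fi
  if [ -e "$p" ]; then
    flag=$(ls_line_restricted "$(ls -ldO "$p" 2>/dev/null)")
  else
    flag=absent
  fi
  printf '%s\texception:%s\trestricted:%s\n' "$p" "$listed" "$flag"
}

# Usage: sh sip_paths.sh /usr/sbin/jamf /usr/bin/sudo /usr/local/bin/foo
for path in "$@"; do
  sip_report "$path"
done
```

Run it over the paths in the list above and over whatever your own packages install into /usr; a management agent that lands on this list (jamf, puppet, facter) is still a root-writable binary, which is the point of the carve-out and also the reason to keep monitoring its hash.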

I never found SIP under Utilities in Recovery mode. Where is it ? 😕

I have no SIP under Utilities when booting in Recovery Mode. Where is the bloody thing ?

See this forum post:


https://forums.developer.apple.com/thread/15149

???

Doesn't tell where SIP is under Utilities in R-Mode…😕

Apple have removed the GUI with the Recovery HD update. Now the supported way to control SIP is using the csrutil command from the Terminal in Recovery Mode (only - doesn't work while booted normally). For example:

csrutil disable


-Max.
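Beyond the interactive use Max describes, a fleet usually wants to verify SIP state from a normal boot. Here is an added example (not code from the thread or from Apple) that wraps `csrutil status` for that: `csrutil enable`/`disable` must be run from Recovery, but `csrutil status` answers while booted normally, which is what an inventory script needs. The SAMPLE_* outputs are constructed to match the 10.11 wording, including the "Custom Configuration" form that `csrutil enable --without ...` produces, and should be checked against a real machine before relying on them.

```sh
#!/bin/sh
# Added example, not code from the thread: a fleet-audit helper around
# `csrutil status`. enable/disable must be run from Recovery, but `csrutil
# status` answers from a normal boot. The SAMPLE_* outputs below are
# constructed from the 10.11 wording; verify them against a real machine.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
# Shape produced after e.g. `csrutil enable --without debug` in Recovery.
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

# Map one `csrutil status` output to enabled | disabled | custom | unknown.
# "custom" is checked first because its first line also says "enabled".
classify_sip() {
  if printf '%s\n' "$1" | grep -q 'Custom Configuration'; then
    echo custom
  elif printf '%s\n' "$1" | grep -q 'status: enabled\.$'; then
    echo enabled
  elif printf '%s\n' "$1" | grep -q 'status: disabled\.$'; then
    echo disabled
  else
    echo unknown
  fi
}

# List the individual protections reported as disabled, semicolon-terminated,
# e.g. "Apple Internal;Filesystem Protections;". "Apple Internal: disabled"
# is normal on retail hardware; any other entry is a finding.
disabled_protections() {
  printf '%s\n' "$1" | awk -F': ' '
    /^[[:space:]]+[A-Za-z ]+: disabled$/ { sub(/^[[:space:]]+/, "", $1); printf "%s;", $1 }'
}

# Compliance verdict: 0 = fully enabled, 1 = disabled, 2 = custom, 3 = unparseable.
sip_verdict() {
  case $(classify_sip "$1") in
    enabled)  return 0 ;;
    disabled) return 1 ;;
    custom)   return 2 ;;
    *)        return 3 ;;
  esac
}

# Run against the local machine when csrutil exists (macOS 10.11+); otherwise
# demonstrate on the constructed custom-configuration sample.
if command -v csrutil >/dev/null 2>&1; then
  out=$(csrutil status 2>&1)
else
  out=$SAMPLE_CUSTOM
fi
printf 'state=%s disabled=[%s]\n' "$(classify_sip "$out")" "$(disabled_protections "$out")"
sip_verdict "$out" || printf 'SIP is not fully enabled (code %s)\n' "$?"
```

Treat "unknown" as a finding too: an older OS, a missing binary, or a changed output format all deserve a look rather than a silent pass, and the verdict code is what a management agent should report rather than the raw text.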

I must be dumb, but how do you access Terminal in R-Mode ???

Utilities menu (Menubar)

Dumb myself, mixed up (Disk) Utility and Utilities. 😝