How do I disable System Integrity Protection (SIP) AKA "rootless" on macOS?
Apple has introduced System Integrity Protection, also known as "rootless", with OS X 10.11, El Capitan. I understand this is a step for general protection against malware but as a developer I need write access to some of the files it locks away.
How do I disable this protection?
Solution 1:
Apple's documentation covers disabling SIP: About System Integrity Protection on your Mac and Configuring System Integrity Protection.
An article on lifehacker.com lists these steps:
- Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.
- Click Utilities > Terminal.
- In the Terminal window, type in
csrutil disable
and press Enter.
- Restart your Mac.
You can verify whether a file or folder is restricted by issuing this ls command using the capital O (and not zero 0) to modify the long listing flag:
ls -lO /System /usr
Look for the restricted text to indicate where SIP is enforced.
By default (=SIP enabled), the following folders are restricted (see Apple Support page):
- /System
- /usr
- /bin
- /sbin
- Apps that are pre-installed with OS X
... and the following folders are free:
- /Applications
- /Library
- /usr/local
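As an added example (not part of the original answer), the ls -lO check described in Solution 1 can be scripted to report which entries carry the restricted flag. The function name sip_restricted and the sample listing are constructed for illustration; the script assumes the file flags sit in the fifth column of ls -lO output.

```shell
#!/bin/sh
# Added example: classify `ls -lO` entries by the SIP "restricted" flag.
# Assumption: column 5 of `ls -lO` holds the comma-separated file flags
# ("-" when there are none) and the name starts at column 10.

sip_restricted() {
    # Reads `ls -lO` output on stdin.
    # Prints "restricted <name>" or "free <name>" for each entry.
    awk '
        /^total / || NF < 10 { next }   # skip "total", "dir:" headers, blank lines
        {
            state = "free"
            n = split($5, flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] == "restricted") state = "restricted"
            # Rebuild the name from field 10 onward so names with spaces survive.
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i
            print state, name
        }'
}

# Constructed sample listing (not captured from a real machine).
SAMPLE_LISTING='total 0
drwxr-xr-x@  4 root  wheel  restricted        136 Sep 30  2015 System
drwxr-xr-x  12 root  wheel  restricted,hidden 408 Sep 30  2015 usr
drwxrwxr-x+ 40 root  admin  sunlnk           1360 Oct  2 09:14 Applications
drwxr-xr-x   6 root  wheel  -                 204 Oct  2 09:14 local'

printf '%s\n' "$SAMPLE_LISTING" | sip_restricted
```

On a Mac, pipe a real listing into the function instead of the sample, for example: ls -lO / /usr | sip_restricted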
Solution 2:
It's possible to disable SIP by booting to Recovery HD and running the following command:
csrutil disable
It is also possible to enable SIP protections and selectively disable aspects of it, by adding one or more flags to the csrutil enable command. All require being booted from Recovery in order to set them:
Enable SIP and allow installation of unsigned kernel extensions
csrutil enable --without kext
Enable SIP and disable filesystem protections
csrutil enable --without fs
Enable SIP and disable debugging restrictions
csrutil enable --without debug
Enable SIP and disable DTrace restrictions
csrutil enable --without dtrace
Enable SIP and disable restrictions on writing to NVRAM
csrutil enable --without nvram
I also have a post available with more information about SIP:
System Integrity Protection – Adding another layer to Apple’s security model
Solution 3:
If the goal is to really just disable System Integrity Protection then booting into the Recovery HD partition as previously recommended in the other answers here via Command+r on boot is not the fastest way to do this.
You can combine single user mode boot with recovery HD boot in an undocumented startup key combination:
- https://support.apple.com/en-us/HT204904 covers normal recovery
- hold Command+r+s to boot into Single User Recovery Mode.
This gets you just into the bare minimum environment that is needed for this directly.
Solution 4:
It would be safer to modify /etc/paths so that /usr/local/bin is merely before /usr/bin. That way you can do your development work within /usr/local/bin without having to disable SIP.
Clean installations of the OS have ordered /etc/paths this way since El Capitan, but if you were upgrading the OS from Yosemite or earlier, you'd have to modify the path order manually.