How do I disable System Integrity Protection (SIP) AKA "rootless" on macOS?

Apple has introduced System Integrity Protection, also known as "rootless", with OS X 10.11, El Capitan. I understand this is a step for general protection against malware but as a developer I need write access to some of the files it locks away.

How do I disable this protection?


Solution 1:

Apple's documentation covers disabling SIP: "About System Integrity Protection on your Mac" and "Configuring System Integrity Protection".

An article on lifehacker.com lists these steps:

  1. Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.
  2. Click Utilities > Terminal.
  3. In the Terminal window, type in csrutil disable and press Enter.
  4. Restart your Mac.

You can verify whether a file or folder is restricted by issuing this ls command using the capital O (and not zero 0) to modify the long listing flag:

ls -lO /System /usr 

Look for the restricted text to indicate where SIP is enforced.

By default (=SIP enabled), the following folders are restricted (see Apple Support page):

/System
/usr
/bin
/sbin
Apps that are pre-installed with OS X

... and the following folders are free:

/Applications
/Library
/usr/local
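
The ls -lO check described in Solution 1, as an added example that is not part of the original answer: a small filter that reads ls -lO output and labels each entry as restricted or open. The function name sip_flags and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify entries in `ls -lO` output by the SIP "restricted" flag.

# Constructed sample in the layout of `ls -lO /System /usr` (not captured from a real Mac).
sample_listing() {
    cat <<'EOF'
/System:
total 0
drwxr-xr-x@ 4 root  wheel  restricted  128 Jan  1  2020 Library

/usr:
total 0
drwxr-xr-x  970 root  wheel  restricted 31040 Jan  1  2020 bin
drwxr-xr-x   32 root  wheel  restricted  1024 Jan  1  2020 lib
drwxr-xr-x    8 root  wheel  -            256 Jan  1  2020 local
lrwxr-xr-x    1 root  wheel  restricted,hidden 25 Jan  1  2020 X11 -> ../private/var/select/X11
EOF
}

# Reads `ls -lO` output on stdin; prints "<restricted|open><TAB><path>" per entry.
# On a Mac: ls -lO /System /usr | sip_flags
sip_flags() {
    awk '
        # "dir:" header printed when ls is given several directories
        /^\/.*:$/ { dir = substr($0, 1, length($0) - 1); next }
        # skip "total N" lines, blank lines and anything too short to be an entry
        /^total / || NF < 10 { next }
        {
            # -O adds the file flags as field 5; several flags are comma-separated
            state = "open"
            n = split($5, flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] == "restricted") state = "restricted"
            # the name starts at field 10; stop at "->" so symlink targets are dropped
            name = $10
            for (i = 11; i <= NF && $i != "->"; i++) name = name " " $i
            path = (dir == "") ? name : dir "/" name
            printf "%s\t%s\n", state, path
        }
    '
}

# Demo on the constructed sample
sample_listing | sip_flags
```
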

Solution 2:

It's possible to disable SIP by booting to Recovery HD and running the following command:

csrutil disable

It is also possible to enable SIP protections and selectively disable aspects of it, by adding one or more flags to the csrutil enable command. All require being booted from Recovery in order to set them:

Enable SIP and allow installation of unsigned kernel extensions

csrutil enable --without kext

Enable SIP and disable filesystem protections

csrutil enable --without fs

Enable SIP and disable debugging restrictions

csrutil enable --without debug

Enable SIP and disable DTrace restrictions

csrutil enable --without dtrace

Enable SIP and disable restrictions on writing to NVRAM

csrutil enable --without nvram

I also have a post available with more information about SIP:

System Integrity Protection – Adding another layer to Apple’s security model

Solution 3:

If the goal is to really just disable System Integrity Protection then booting into the Recovery HD partition as previously recommended in the other answers here via Command+r on boot is not the fastest way to do this.

You can combine single user mode boot with recovery HD boot in an undocumented startup key combination:

  • https://support.apple.com/en-us/HT204904 covers normal recovery
  • hold Command+r+s to boot into Single User Recovery Mode.

This gets you just into the bare minimum environment that is needed for this directly.

Solution 4:

It would be safer to modify /etc/paths so that /usr/local/bin is merely before /usr/bin. That way you can do your development work within /usr/local/bin without having to disable SIP.

Clean installations of the OS have ordered /etc/paths this way since El Capitan, but if you were upgrading the OS from Yosemite or earlier, you'd have to modify the path order manually.