├── README.md
├── SIPFix.sh
└── edu.utah.scl.SIPFix.plist

/README.md:
--------------------------------------------------------------------------------
# disable_sip
This script is used in the recovery partition to automatically disable SIP.

## Contents

* [Download](#download) - Get the script.
* [Contact](#contact) - How to reach us.
* [Purpose](#purpose) - What is this script for?
* [Usage](#usage) - Details of invocation.

## Download

[Download the latest version of disable_sip here!](../../releases/)

## Contact

If you have any comments, questions, or other input, either [file an issue](../../issues) or [send an email to us](mailto:mlib-its-mac-github@lists.utah.edu). Thanks!

## Purpose
[System Integrity Protection](https://en.wikipedia.org/wiki/System_Integrity_Protection) (SIP), sometimes referred to as "rootless", is a security feature introduced in OS X El Capitan. It protects certain system processes, files and folders from being modified or tampered with by other processes, even when those run as the root user or as a user with [root privileges](https://en.wikipedia.org/wiki/Superuser) (sudo). Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account where that user is also the administrator. System Integrity Protection is enabled by default, but can be disabled.

Since we haven't migrated completely to our new client management system, [Casper Suite](https://www.jamfsoftware.com/products/casper-suite/), we decided to temporarily disable SIP because it conflicts with our current client management system, [Radmind](http://rsug.itd.umich.edu/software/radmind/). Radmind operates as a tripwire: it detects any modifications to the file system and reverses those changes back to a known state.
We also had hardware that required the latest OS at the time, OS X El Capitan, and that hardware needed to be deployed.

We didn't want to touch every system to disable or enable System Integrity Protection (SIP), so we developed an automated method of disabling it during the OS X El Capitan upgrade. This process will be discussed at this presentation.

## Usage
The bash script `SIPFix.sh` and the launchd property list `edu.utah.scl.SIPFix.plist` are used to disable SIP from a modified recovery partition.

The Recovery Partition boots from a [disk image](https://en.wikipedia.org/wiki/Apple_Disk_Image) (dmg) that is stored either in the Recovery HD partition on the main hard drive or in the OS X Installer package. `BaseSystem.dmg` is the disk image the Recovery Partition uses to boot the system. For the Recovery HD, `BaseSystem.dmg` is found in the `com.apple.recovery.boot` folder. For the OS X Installer, it is found inside `Contents/SharedSupport/InstallerESD.dmg` in the Installer package. The disk image mounts read-only. To customize the Recovery Partition so that SIP is disabled during installation, or each time you boot from the Recovery Partition, follow these steps:

1. Make a copy of the original disk image.
2. Convert the disk image to a read/write disk image using Disk Utility.
3. Add the SIP disable script to `/usr/local/bin`.
4. Add the launchd property list to `/Library/LaunchDaemons`.
5. Remove Safari to make room for the script.
6. Compress the disk image back to a read-only image.
7. Replace the original disk image with the modified one.

You can use the steps above to add any customization, such as an application or an administrative tool, to the recovery partition. However, the recovery partition has a fixed size, and you will get an error like the following if your modifications don't leave enough free space:
`Error (async): The new recovery partition would be too large (-69668)`

For detailed instructions on how to modify the recovery partition, check out: [Automatic Disabling SIP with El Capitan Upgrade](https://apple.lib.utah.edu/?p=1444)

--------------------------------------------------------------------------------
/SIPFix.sh:
--------------------------------------------------------------------------------
#!/bin/bash

##########################################
# Copyright (c) 2016 University of Utah Student Computing Labs.
# All Rights Reserved.
#
# Permission to use, copy, modify, and distribute this software and
# its documentation for any purpose and without fee is hereby granted,
# provided that the above copyright notice appears in all copies and
# that both that copyright notice and this permission notice appear
# in supporting documentation, and that the name of The University
# of Utah not be used in advertising or publicity pertaining to
# distribution of the software without specific, written prior
# permission. This software is supplied as is without expressed or
# implied warranties of any kind.
##########################################

echo "SIP Fix Starting"

# Launched by edu.utah.scl.SIPFix.plist while booted from the customized
# Recovery Partition, the only environment in which csrutil may change the
# SIP state. stdout/stderr go to the log files named in the plist.
/usr/bin/csrutil disable

echo "SIP Fix Finished"

--------------------------------------------------------------------------------
/edu.utah.scl.SIPFix.plist:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.utah.scl.SIPFix</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/bin/SIPFix.sh</string>
	</array>
	<!-- The boolean elements below were lost in extraction; true is assumed,
	     since the daemon is meant to run once at every boot of the recovery image. -->
	<key>RunAtLoad</key>
	<true/>
	<key>LaunchOnlyOnce</key>
	<true/>
	<key>StandardOutPath</key>
	<string>/var/log/SIPFix.log</string>
	<key>StandardErrorPath</key>
	<string>/var/log/SIPFix.error.log</string>
</dict>
</plist>
--------------------------------------------------------------------------------
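The seven customization steps from the Usage section, as an added example that is not part of the disable_sip repository. It drives `hdiutil` instead of Disk Utility, and before the image is re-sealed it verifies that the launchd plist inside the image points at an executable that is actually there (the README installs the script to `/usr/local/bin` while the plist names `/usr/bin/SIPFix.sh`; the example follows the plist, so the two stay consistent). The temporary mount point, the `/Applications/Safari.app` path inside BaseSystem, and the need to run the build as root on macOS are assumptions; the verification part is plain POSIX shell and runs anywhere.

```shell
#!/bin/sh
# Added example, not project code: builds a customized BaseSystem.dmg with hdiutil
# (README steps 1-6) and sanity-checks the daemon/script pairing before compressing.
set -eu

# First ProgramArguments entry of a launchd plist, extracted with sed so this also
# runs off-macOS (on macOS, /usr/libexec/PlistBuddy -c 'Print :ProgramArguments:0'
# gives the same answer).
plist_program() {
    sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/p' "$1" \
        | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | head -n 1
}

# Check a customized image root ($1): the daemon plist must be installed under
# /Library/LaunchDaemons and the program it references must exist inside the
# image as an executable file. Returns 0 when consistent, 1 otherwise.
verify_customized_root() {
    root=$1
    plist="$root/Library/LaunchDaemons/edu.utah.scl.SIPFix.plist"
    if [ ! -f "$plist" ]; then
        echo "missing $plist" >&2
        return 1
    fi
    prog=$(plist_program "$plist")
    if [ -z "$prog" ]; then
        echo "no ProgramArguments in $plist" >&2
        return 1
    fi
    if [ ! -x "$root$prog" ]; then
        echo "daemon references $prog but $root$prog is not an executable file" >&2
        return 1
    fi
    return 0
}

# README steps 1-6; macOS only, run as root. Step 7 (replacing the original
# BaseSystem.dmg) is left to the caller. Usage:
#   sudo sh customize.sh build BaseSystem.dmg SIPFix.sh edu.utah.scl.SIPFix.plist BaseSystem.custom.dmg
customize_basesystem() {
    orig=$1 script=$2 plist=$3 out=$4
    rw="${out%.dmg}.rw.dmg"
    mnt=$(mktemp -d /tmp/basesystem.XXXXXX)            # assumed temporary mount point
    cp "$orig" "${orig}.bak"                             # 1. keep a copy of the original
    hdiutil convert "$orig" -format UDRW -o "$rw"        # 2. read-only -> read/write image
    hdiutil attach -owners on -mountpoint "$mnt" "$rw"
    dest=$(plist_program "$plist")                       # install the script where the plist expects it
    install -d "$mnt$(dirname "$dest")"
    install -m 0755 -o root -g wheel "$script" "$mnt$dest"                      # 3. script
    install -m 0644 -o root -g wheel "$plist" "$mnt/Library/LaunchDaemons/"     # 4. daemon plist
    rm -rf "$mnt/Applications/Safari.app"                # 5. make room (path assumed)
    if ! verify_customized_root "$mnt"; then             # catch a plist/script path mismatch now,
        hdiutil detach "$mnt"                            # not at the next recovery boot
        return 1
    fi
    hdiutil detach "$mnt"
    hdiutil convert "$rw" -format UDZO -o "$out"         # 6. compress back to a read-only image
    rm -f "$rw"
    # The recovery partition has a fixed size: warn when the new image outgrew the original.
    if [ "$(wc -c < "$out" | tr -d ' ')" -gt "$(wc -c < "$orig" | tr -d ' ')" ]; then
        echo "warning: $out is larger than $orig; expect error -69668 when it is installed" >&2
    fi
}

case "${1:-}" in
    build)  shift; customize_basesystem "$@" ;;
    verify) shift; verify_customized_root "$@" ;;
esac
```

`verify` can also be pointed at an already mounted, unmodified image to confirm that a daemon someone else added there is wired up correctly, which is the same check a reviewer of a recovery image would want before deploying it.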