SIP (System Integrity Protection)

Apple's new El Capitan feature SIP (System Integrity Protection) aka "rootless" will have some interesting impacts that will impede workflows for administrators.


- If you NetBoot across subnets, you will no longer be able to use bless. Apple's view is that if someone can target a machine to boot to a non-10.11 OS, they can bypass SIP. This will prevent any unauthorized boot methods.


- You will be able to write to certain privileged folders through the use of a package signed with a valid Apple Developer code signing certificate.


More soon on SIP if I can find the right engineer.

Spoke with an engineer regarding this yesterday. They don't anticipate this option being removed for the final release (similar to Yosemite's signed kext method).


I also asked whether this option would be deprecated next year (again similar to the kext signing) and they did not anticipate it being deprecated. Who knows what happens between now and OS X 10.12.

So, I've noticed that SIP restricts write access to /System/Library/LaunchDaemons.

Question is... How would I go about changing the default SSH port? In previous versions of OS X, I would just edit the ssh.plist file in this directory. Now, with SIP, this is no longer possible. What's the politically correct way of doing this on a SIP enabled Mac?

If they already have root on the booted system, I think authenticated restart would get around FileVault 2.


sudo fdesetup authrestart


OS X: Macs that support authenticated restart with FileVault

https://support.apple.com/en-us/HT202918

And today the story has changed. The argument will be taken away either before final release or once released to public.

You can modify files in /private/etc so this would be the recommended approach. Only the /etc symlink is protected by SIP.

Something like:

sudo launchctl unload -w /System/Library/LaunchDaemons/ssh.plist


Create a replacement ssh.plist in /Library/LaunchDaemons with your changes.


sudo launchctl load -w /Library/LaunchDaemons/ssh.plist


(I'm using the legacy syntax here; haven't memorized the "new" syntax yet)
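Added example (not code from the thread): a small script that builds the replacement ssh.plist described above, so the edited copy lands in /Library/LaunchDaemons while the SIP-protected original is left alone. SAMPLE_SSH_PLIST is a constructed stand-in that mirrors the keys of the 10.11 ssh.plist; pass the real /System/Library/LaunchDaemons/ssh.plist as the first argument to use it instead.

```python
# Added example, not code from the thread: build the replacement ssh.plist that
# goes in /Library/LaunchDaemons, with the listener moved to a non-default port.
# SAMPLE_SSH_PLIST is a constructed stand-in mirroring the 10.11 ssh.plist keys;
# pass the real /System/Library/LaunchDaemons/ssh.plist as argv[1] to use it.
import plistlib
import sys

SAMPLE_SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.openssh.sshd</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key><string>ssh</string>
      <key>Bonjour</key><array><string>ssh</string><string>sftp-ssh</string></array>
    </dict>
  </dict>
</dict>
</plist>
"""

def _listeners(job):
    # Each Sockets value is one dict or a list of dicts; yield them uniformly.
    for entry in job.get("Sockets", {}).values():
        yield from (entry if isinstance(entry, list) else [entry])

def set_ssh_port(plist_bytes, port):
    """Return the plist with every listener bound to `port` (launchd accepts a
    numeric string in SockServiceName as well as a service name such as "ssh")."""
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range: %r" % port)
    job = plistlib.loads(plist_bytes)
    for sock in _listeners(job):
        sock["SockServiceName"] = str(port)
        # Bonjour would keep advertising "ssh" on its well-known port; drop it.
        sock.pop("Bonjour", None)
    return plistlib.dumps(job)

def listener_ports(plist_bytes):
    """List what each launchd listener binds, for checking the result."""
    return [s.get("SockServiceName") for s in _listeners(plistlib.loads(plist_bytes))]

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SSH_PLIST
    sys.stdout.buffer.write(set_ssh_port(data, 2222))  # redirect into the new plist
```

Write the output to /Library/LaunchDaemons/ssh.plist, then unload the stock job and load the new one with the launchctl commands from the post above.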

Hi Greg,

What do you mean by 'new syntax'?

Does the launchctl command not work any more?


In the past I used it to see the running services by using: launchctl list

Will that not work anymore on El Capitan?


Is there an alternative to the launchctl API in El Capitan?


Thanks,

"What do you mean by 'new syntax'?"


Sorry to be blunt, but: `man launchctl`


The syntax/commands we've used since 10.4 are now "legacy" and there is a whole new set of subcommands. Read. Learn. Love.

SIP has a list of Apple and third-party exceptions stored in the following location:


/System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths


This is in addition to the list of exceptions defined in the following location:


/System/Library/Sandbox/rootless.conf


Contents of /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths as of 10.11 Developer Beta 8:


/System/Library/CFMSupport
/System/Library/CoreServices/Applications/Directory Utility.app/Contents/PlugIns/ADmitMac.daplug
/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/iLifeSlideshowTypes.bundle
/System/Library/CyborgRAT.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XComposite109.kext
/System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleRTL815XEthernet109.kext
/System/Library/Filesystems/DAVE
/System/Library/Filesystems/fusefs_txantfs.fs
/System/Library/Filesystems/ufsd_NTFS.fs
/System/Library/Fonts/encodings.dir
/System/Library/Fonts/fonts.dir
/System/Library/Fonts/fonts.list
/System/Library/Fonts/fonts.scale
/System/Library/HuaweiDataCardDriver.kext
/System/Library/LaunchAgents/com.paragon.NTFS.notify.plist
/System/Library/LaunchDaemons/com.absolute.rpcnet.plist
/System/Library/LaunchDaemons/com.intel.haxm.plist
/System/Library/LaunchDaemons/com.seagate.TBDecorator.plist
/System/Library/LaunchDaemons/de.novamedia.nmnetmgrd.plist
/System/Library/PrivateFrameworks/BrowserKit.framework
/System/Library/PrivateFrameworks/Helium.framework
/System/Library/PrivateFrameworks/LiveType.framework
/System/Library/PrivateFrameworks/ProKit.framework
/System/Library/PrivateFrameworks/iLifeSlideshow.framework
/System/Library/QuickTime/QuickTimeMPEG2.component
/System/Library/QuickTime/WiretapDataHandler.component
/System/Library/Services/KAVService.service
/System/Library/Services/Send to Kindle.workflow
/System/Library/StartupItems
/System/Library/USBExpressCardCantWake_Huawei.kext
/sbin/amconfig
/sbin/fsck_ufsd_NTFS
/sbin/mount_cifs
/sbin/mount_fusefs_txantfs
/sbin/mount_ufsd_NTFS
/sbin/mount_vmhgfs
/sbin/newfs_fusefs_txantfs
/sbin/newfs_ufsd_NTFS
/sbin/rpctool
/usr/X11
/usr/bin/FAHClient
/usr/bin/FAHCoreWrapper
/usr/bin/FAHViewer
/usr/bin/VBoxAutostart
/usr/bin/VBoxBalloonCtrl
/usr/bin/VBoxHeadless
/usr/bin/VBoxManage
/usr/bin/VBoxVRDP
/usr/bin/VirtualBox
/usr/bin/cups-calibrate
/usr/bin/escputil
/usr/bin/extlookup2hiera
/usr/bin/facter
/usr/bin/gnutar
/usr/bin/kashell
/usr/bin/kav
/usr/bin/nortonscanner
/usr/bin/nortonsettings
/usr/bin/nvconfigurator
/usr/bin/nvpmgr
/usr/bin/phidgetwebservice21
/usr/bin/puppet
/usr/bin/shake
/usr/bin/stkLaunchAgent.sh
/usr/bin/testpattern
/usr/bin/vagrant
/usr/bin/vboxwebsrv
/usr/discreet
/usr/include/gutenprint
/usr/lib/cshost
/usr/lib/gutenprint
/usr/lib/libMatroxMpeg2IFrameCodec.dylib
/usr/lib/libUFSDNTFS.dylib
/usr/lib/libgutenprint.2.0.3.dylib
/usr/lib/libgutenprint.2.dylib
/usr/lib/libgutenprint.a
/usr/lib/libgutenprint.dylib
/usr/lib/libgutenprint.la
/usr/lib/libnv6.dylib
/usr/lib/libnv6audit.dylib
/usr/lib/libnv6cli.dylib
/usr/lib/libnv6****.dylib
/usr/lib/libnv6foreignras.dylib
/usr/lib/libnv6foreignrast.dylib
/usr/lib/libnv6gui.dylib
/usr/lib/libnv6guit.dylib
/usr/lib/libnv6http.dylib
/usr/lib/libnv6jobs.dylib
/usr/lib/libnv6jobst.dylib
/usr/lib/libnv6json.dylib
/usr/lib/libnv6jsont.dylib
/usr/lib/libnv6ndmp.dylib
/usr/lib/libnv6plugin.dylib
/usr/lib/libnv6plugint.dylib
/usr/lib/libnv6reports.dylib
/usr/lib/libnv6reportst.dylib
/usr/lib/libnv6scsi.dylib
/usr/lib/libnv6stats.dylib
/usr/lib/libnv6statst.dylib
/usr/lib/libnv6t.dylib
/usr/lib/libnv6xctl.dylib
/usr/lib/libnv6xpm.dylib
/usr/lib/libphidget21.jnilib
/usr/lib/libwkextmac.dylib
/usr/lib/pkgconfig/gutenprint.pc
/usr/libexec/aksusbd
/usr/libexec/com.matrox.vpg.Agent
/usr/libexec/com.matrox.vpg.MaxAgent
/usr/libexec/cups/backend/cifs
/usr/libexec/hasplmd
/usr/netvault
/usr/sbin/AELWriter
/usr/sbin/cups-genppd.5.2
/usr/sbin/cups-genppdupdate
/usr/sbin/fsctl_ufsd
/usr/sbin/jamf
/usr/sbin/jamfAgent
/usr/sbin/nipalsm
/usr/sbin/nmnetmgrd
/usr/sbin/nmnetmgrd_launchd
/usr/sbin/nmnetmgrd_launchd_MT
/usr/sbin/palModuleMgr.sh
/usr/sbin/proxyhelper
/usr/sbin/qmasterca
/usr/sbin/qmasterd
/usr/sbin/qmasterprefs
/usr/sbin/qmasterqd
/usr/sbin/rpc.net
/usr/sbin/rpcset
/usr/sbin/rpcstartup
/usr/sbin/setbufsize
/usr/share/cshost
/usr/share/cups/calibrate.ppm
/usr/share/cups/usb
/usr/share/doc/facter
/usr/share/doc/puppet
/usr/share/gutenprint
/usr/share/locale/ca/gutenprint_ca.po
/usr/share/locale/cs/gutenprint_cs.po
/usr/share/locale/da/gutenprint_da.po
/usr/share/locale/de/gutenprint_de.po
/usr/share/locale/el/gutenprint_el.po
/usr/share/locale/en_GB/gutenprint_en_GB.po
/usr/share/locale/es/gutenprint_es.po
/usr/share/locale/fi/gutenprint_fi.po
/usr/share/locale/fr/gutenprint_fr.po
/usr/share/locale/gl/gutenprint_gl.po
/usr/share/locale/hu/gutenprint_hu.po
/usr/share/locale/it/gutenprint_it.po
/usr/share/locale/ja/gutenprint_ja.po
/usr/share/locale/nb/gutenprint_nb.po
/usr/share/locale/nl/gutenprint_nl.po
/usr/share/locale/pl/gutenprint_pl.po
/usr/share/locale/pt/gutenprint_pt.po
/usr/share/locale/ru/gutenprint_ru.po
/usr/share/locale/sk/gutenprint_sk.po
/usr/share/locale/sl/gutenprint_sl.po
/usr/share/locale/sv/gutenprint_sv.po
/usr/share/locale/tr/gutenprint_tr.po
/usr/share/locale/uk/gutenprint_uk.po
/usr/share/locale/vi/gutenprint_vi.po
/usr/share/locale/zh_CN/gutenprint_zh_CN.po
/usr/share/locale/zh_TW/gutenprint_zh_TW.po
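Added example (not code from the thread): a small audit helper that, given an exception list like the one quoted above, reports which paths it leaves writable on a SIP-enabled system. It assumes the compatibility list exempts an entry and everything beneath it, matched on whole path components; SAMPLE_EXCEPTIONS is a constructed excerpt of the file, not the full list.

```python
# Added example, not code from the thread: audit which paths a SIP compatibility
# exception list leaves writable. Assumed model: an entry exempts itself and
# everything beneath it, matched on whole path components, so /usr/X11 covers
# /usr/X11/bin/xterm but not /usr/X11R6. SAMPLE_EXCEPTIONS is a constructed
# excerpt; on 10.11 read Compatibility.bundle/Contents/Resources/paths instead.
import posixpath

SAMPLE_EXCEPTIONS = """
/System/Library/LaunchDaemons/com.intel.haxm.plist
/System/Library/StartupItems
/usr/X11
/usr/bin/puppet
/usr/sbin/jamf
"""

def parse_exceptions(text):
    """One absolute path per line; blank lines ignored, paths normalised."""
    return [posixpath.normpath(l.strip()) for l in text.splitlines() if l.strip()]

def exempting_entry(path, exceptions):
    """Return the exception entry that covers `path`, or None if SIP still
    protects it. `..` segments are collapsed first so /usr/sbin/jamf/../sshd
    is judged as /usr/sbin/sshd, not as something under /usr/sbin/jamf."""
    path = posixpath.normpath(path)
    for entry in exceptions:
        if path == entry or path.startswith(entry + "/"):
            return entry
    return None

def audit(paths, exceptions):
    """Map each candidate path to the entry exempting it (None = protected)."""
    return {p: exempting_entry(p, exceptions) for p in paths}

if __name__ == "__main__":
    exc = parse_exceptions(SAMPLE_EXCEPTIONS)
    candidates = [
        "/System/Library/StartupItems/FooDaemon/FooDaemon",  # under an exempt dir
        "/System/Library/LaunchDaemons/ssh.plist",           # still protected
        "/usr/X11/bin/xterm",                                # exempt via /usr/X11
        "/usr/X11R6/bin/xterm",                              # not a component match
        "/usr/sbin/jamfAgent",                               # listed separately in the real file
    ]
    for p, hit in audit(candidates, exc).items():
        print("%-52s %s" % (p, "exempt via " + hit if hit else "SIP protected"))
```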

I never found SIP under Utilities in Recovery mode. Where is it? 😕

I have no SIP under Utilities when booting in Recovery Mode. Where is the bloody thing?

???

It doesn't tell where SIP is under Utilities in R-Mode… 😕

Apple have removed the GUI with the Recovery HD update. Now the supported way to control SIP is the csrutil command from the Terminal in Recovery Mode (only there; it doesn't work while booted normally). For example:

csrutil disable


-Max.

I must be dumb, but how do you access Terminal in R-Mode ???

Utilities menu (Menubar)

Dumb myself, mixed up (Disk) Utility and Utilities. 😝
