
After upgrading from OS X Yosemite to OS X El Capitan Developer Preview, I tried to edit /System/Library/LaunchDaemons/ssh.plist to change the default SSH port to a custom one. This is the process I've been using for a couple of years.

The problem is that El Capitan doesn't allow me to change anything in this folder (not even with "sudo"). The folder and its files are marked as "restricted" when I list the contents with "ls -lO". The same folder listing in previous versions of OS X does not show "restricted".

Is this something new to OS X El Capitan? How can I edit files/folders that are "restricted"?


I found out this is due to a new feature introduced in El Capitan called "SIP" (System Integrity Protection).

Read more here: https://forums.developer.apple.com/thread/4731?q=SIP

Unfortunately, no one suggested a way of editing "restricted" files/folders without actually disabling SIP.

Spencer Müller Diniz

7 Answers

You can also temporarily disable SIP the following way:

  1. reboot
  2. as soon as you hear the "Mac sound" on the grey screen, press Cmd+R to enter Recovery mode
  3. Open Utilities->Terminal
  4. Run the command csrutil disable
  5. Reboot, you'll land in the normal OS with SIP disabled
  6. do all the changes you'd like to do
  7. Reboot again
  8. as soon as you hear the "Mac sound" on the grey screen, press Cmd+R to enter Recovery mode
  9. Enable SIP with csrutil enable
  10. Reboot again
  11. done
Johannes Weiss

Until 10.11 unprotects certain files in /System/Library or allows you to do it yourself, the only way without disabling SIP would be to make a different service by copying the file somewhere else, like:

sudo cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh.plist

And then instead of using the Sharing panel in System Preferences, you would manage the service yourself:

sudo launchctl unload /Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /Library/LaunchDaemons/ssh.plist
empedocle
  • Be sure to change the filename and the `Label` key inside the file, in order to avoid conflicts with the original launchd item. – Gordon Davisson Oct 04 '15 at 05:32
  • I think this is the best answer. You may want to edit and add a reminder that you'll either need to reboot or `sudo launchctl start com.openssh.sshd` (or whatever `Label` you've given) before it will actually start working. – n8henrie Oct 22 '15 at 06:15
  • Helps with org.apache.httpd.plist . Great suggestion and should be accepted as more "correct" way imo. – lifecoder Dec 17 '15 at 13:10
  • Until 10.11 *what* unprotects certain files? Some strange wording in this answer. – Brad Johnson Aug 12 '16 at 19:43
  • @BradleagheJohnson empedocle means "Until a revision of 10.11 unprotects..." – jhfrontz Sep 11 '16 at 18:03
  • +1 for the -w thing. I needed to permanently disable some service, without disabling SIP, unload with -w solved it. – Kaplan Ilya Jan 18 '17 at 14:09
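As an added illustration of this answer's approach (not code from the original post or from Apple), the script below clones a launchd job plist under a new `Label` and with a custom `SockServiceName`, as the comments above recommend; the sample plist, the label `local.sshd-custom` and port 2222 are constructed for the example.

```python
import plistlib
import sys

# Constructed sample shaped like El Capitan's ssh.plist (not Apple's file verbatim).
SAMPLE_SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.openssh.sshd</string>
  <key>Program</key><string>/usr/libexec/sshd-keygen-wrapper</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key><string>ssh</string>
      <key>Bonjour</key><array><string>ssh</string><string>sftp-ssh</string></array>
    </dict>
  </dict>
</dict>
</plist>
"""

def _listeners(job):
    """launchd allows Listeners to be one dict or a list of dicts; normalise to a list."""
    lst = job["Sockets"]["Listeners"]
    return lst if isinstance(lst, list) else [lst]

def derive_custom_service(original: bytes, new_label: str, port: int) -> bytes:
    """Return a copy of a launchd job plist with a new Label and listen port."""
    job = plistlib.loads(original)
    if job.get("Label") == new_label:
        raise ValueError("new Label must differ from the original to avoid a launchd conflict")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    job["Label"] = new_label
    for entry in _listeners(job):
        entry["SockServiceName"] = str(port)   # launchd accepts a numeric port here
        entry.pop("Bonjour", None)             # don't advertise the clone over Bonjour
    return plistlib.dumps(job)

def service_summary(data: bytes):
    """(Label, [SockServiceName, ...]) so the result can be checked before loading it."""
    job = plistlib.loads(data)
    return job["Label"], [e.get("SockServiceName") for e in _listeners(job)]

if __name__ == "__main__":
    # python3 ssh_clone.py | sudo tee /Library/LaunchDaemons/local.sshd-custom.plist
    with open("/System/Library/LaunchDaemons/ssh.plist", "rb") as fh:
        sys.stdout.buffer.write(derive_custom_service(fh.read(), "local.sshd-custom", 2222))
```

After writing the file as root (mode 644), load it with `sudo launchctl load -w` as shown in the answer, and unload the original job first so both do not run side by side.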

I would suggest you try adding whatever arguments you need to a plist in /Library/Preferences/. For example, in my case I needed to make a slight alteration to mDNSResponder to add the AlwaysAppendSearchDomains flag. As suggested by "bwells" on the Apple developer forums, I just had to do

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist AlwaysAppendSearchDomains -bool YES
sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

This is a much cleaner approach and persists across reboots and should also survive an upgrade (at least during the betas my manual changes after disabling SIP were overwritten). Note, as far as I know this is new to El Capitan.

djh
  • [Here's the relevant thread](https://forums.developer.apple.com/thread/17944). Does not seem to be working to use a custom SSH port, e.g. `sudo defaults write /Library/Preferences/ssh.plist SockServiceName -string $PORT` – n8henrie Oct 05 '15 at 23:14

You can also leave SIP enabled while disabling the filesystem management. Reboot in recovery mode and run:

csrutil enable --without fs

This will allow you to change permissions as needed.

Michael Guthrie
  • Thanks. Wouldn't this defeat the security purpose of this new feature? – Capt. Crunch Nov 20 '15 at 21:54
  • @Amos SIP has many components. The file system protection is just one component. Yes, disabling it does defeat the security, but only of that specific function, not SIP entirely. – grg Apr 30 '17 at 11:14
  1. Just boot into "Recovery" mode by pressing "CMD+R" while rebooting.
  2. Open Terminal
  3. Your disk will be mounted in /Volumes/Macintosh HD
  4. Delete files via "rm" : you have absolute control in that terminal.
Mayank Jain
  • I only see a symlink to `/` in `/Volumes/`. How do you get the live system mounted? The procedure of the accepted answer did work, I'm just curious for next time. – Vampire Dec 13 '17 at 21:00
  • You need to mount the volume in recovery mode before opening Terminal. Alternately you can use 'diskutil mountDisk ' from the terminal. – user2892047 Dec 20 '18 at 17:30
  • You can use the "Disk Utility" graphical interface in recovery mode to mount your (encrypted) hard drive if you're not interested in learning the `diskutil` command line. – MarcH Mar 27 '19 at 22:02

I use carbon copy cloner to make clonable backups... and have several in rotation.

According to Mike at Bombich, "SIP only applies to the volume you're currently booted from, so [one can] boot from the backup volume to delete [files]".

I did use Johannes' answer (recovery drive, csrutil enable/disable), but that requires reboot —> recovery drive —> turn SIP off —> reboot —> delete crap —> reboot —> recovery drive —> turn SIP back on —> reboot ... four reboots.

But booting from a clone and seeing the original drive as a secondary drive would allow you to delete problematic files in two reboots... yes?

Kirsteins
blinde

You can "bypass" the SIP protection by modifying permissions on the file via the Finder app for the system group.

[screenshot: modifying permissions]

It worked fine for me even after reboot; I'm running:

ProductName: Mac OS X
ProductVersion: 10.11
BuildVersion: 15A284

  • I'm not getting this to work -- I have R+W permissions for System just like you show, and I'm an Admin, but I still can't `sudo vim` (insufficient permissions) or add write permissions in Finder. I don't think System permissions is enough to allow a user (even root) to write to this file. – n8henrie Oct 20 '15 at 16:51