Original link: How to disable SIP system integrity protection? SIP system integrity shutdown method – FCPX template station
Many Mac users report that after installing some software they are told that there is no mountable file system (or see some other error). The cause may be that System Integrity Protection (SIP) has not been turned off. Let’s take a look at how to turn off SIP.
What is SIP?
System Integrity Protection is a security technology in macOS that helps prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection limits the root user account and what the root user can do on protected portions of the Mac operating system.
This may not be easy for some newcomers to understand, so let’s put it another way. SIP is similar to the Windows firewall and to rooting Android phones. This should clear up the confusion for many people.
To better understand what SIP can do, we need to first understand a concept: sandboxing.
Sandbox
macOS has had a sandbox mechanism since version 10.6, and applications published to the Mac App Store must use it and comply with its conventions. The sandbox places strict restrictions on the system files, hardware information, network resources and so on that an application can access. This prevents malicious apps from attacking the system through system vulnerabilities and obtaining control permissions. It also prevents applications from performing unsafe operations without permission and causing system failure, thereby ensuring the security of your macOS system.
The sandbox is equivalent to giving each app its own independent space: an app can only play in its own small world. To obtain resources outside its own space, it must obtain authorization (this is also restricted, and only limited resources can be obtained).
Now you have an overview of what a sandbox is. As mentioned above, applications in the Mac App Store must follow sandbox conventions, so software from the App Store runs in a sandbox and cannot access or modify the underlying files of the system. As a result, most software that wants to be more powerful can only release a cut-down version if it wants to be on the App Store. Many excellent applications are not listed on the App Store because they require resource permissions outside the sandbox. This is also why some software ships in two versions, an official full-featured version and a streamlined App Store version; Tencent Lemon and similar system utilities are examples.
You should be able to see that Apple takes great pains to ensure everyone’s system security.
Security segmentation of macOS applications
To sum up, we can divide macOS applications into these three categories according to security:
Type | Description | Security Level |
---|---|---|
Sandbox operation | Strictly adhere to Apple’s sandbox mechanism and can only access limited directories and perform limited operations | High |
SIP turned on, not running in a sandbox | Except for the protected low-level system files, any file can be accessed and modified after user authorization | Medium |
SIP turned off, not running in a sandbox | Almost all system files can be accessed and modified | Low |
The impact of turning off SIP
After turning off SIP, running an application will no longer show prompts such as:
- xxx is damaged and cannot be opened. You should move it to the Trash.
- Can’t open xxx because it’s from an unidentified developer
- xxxx cannot be opened because Apple cannot check it for malware
In other words, as long as the application itself can run, it will run directly on your system once you open it, whether or not it is signed or notarized and whether or not it is malicious. At that point your computer is wide open and has no protection: the application can operate on all the files in your system. If the application is malicious and you accidentally authorize it, it can perform any operation on your system without your permission.
So unless it is necessary, fcpxBox strongly recommends that you do not turn off SIP! If you must use an application that requires turning off SIP, you must judge whether the source of the application is safe.
Turn off SIP
Check SIP status
Before turning off SIP, first check whether it is currently enabled.
Open the terminal and enter the following command and press Enter:
csrutil status
You will see one of the following messages indicating the SIP status
Not turned off (enabled):
System Integrity Protection status: enabled.
Turned off (disabled):
System Integrity Protection status: disabled
If it is not turned off, you need to turn off SIP!
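One way to script the status check above for auditing, as an added example that is not part of the original article. The function names and the constructed sample are assumptions, and the "Custom Configuration" layout it parses goes beyond the two status messages shown on this page.

```sh
#!/bin/sh
# Added example: classify `csrutil status` output for a fleet compliance check.

# Print: enabled | disabled | custom:<weakened protections> | unrecognized
sip_state() {
    status_line=$(printf '%s\n' "$1" |
        sed -n '/^System Integrity Protection status:/{p;q;}')
    case $status_line in
        *"Custom Configuration"*)
            # Per-feature lines ending in "disabled" are weakened protections.
            # Assumption: "Apple Internal: disabled" is the normal state.
            weak=$(printf '%s\n' "$1" |
                sed -n 's/^[[:space:]]*\([A-Za-z ]*\): disabled$/\1/p' |
                grep -v '^Apple Internal$' | paste -sd, -)
            echo "custom:$weak" ;;
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unrecognized ;;
    esac
}

# Exit 0 only when SIP is fully enabled; 1 = finding, 2 = unparseable output.
sip_audit() {
    state=$(sip_state "$1")
    case $state in
        enabled)  echo "OK: SIP enabled"; return 0 ;;
        disabled) echo "FINDING: SIP disabled"; return 1 ;;
        custom:*) echo "FINDING: SIP partly disabled (${state#custom:})"; return 1 ;;
        *)        echo "UNKNOWN: unexpected csrutil output"; return 2 ;;
    esac
}

# Constructed sample of a partially disabled configuration (not from the page).
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    NVRAM Protections: enabled'

if command -v csrutil >/dev/null 2>&1; then
    sip_audit "$(csrutil status)"          # live check on a Mac
else
    sip_audit "$SAMPLE_CUSTOM" || true     # offline demo on the sample
fi
```

The non-zero exit status on anything other than a fully enabled state lets a management agent or scheduled job flag the machine without parsing the message text.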
ARM M1
Steps to turn off SIP on an ARM M1 processor:
- Shut down
- Press and hold the power button until the startup options screen appears, then click Options and click Continue
- Click Utilities on the menu bar, then click Terminal
- Enter csrutil disable, then press Enter (the return key)
- Type y and press Enter (the return key). Enter your computer password and press Enter (the return key)
- After a while, the message "System Integrity Protection is off." appears, proving that SIP has been successfully turned off. Type reboot and press Enter (the return key) to restart the computer.
To enable SIP again later, just replace csrutil disable in step 5 above with csrutil enable.
Intel processor
Steps to turn off SIP on macOS 11.x Big Sur (Intel processor) and earlier systems:
- Shut down and then restart your Mac. Hold down Command + R while booting to enter Recovery mode.
- After entering Recovery mode, open the terminal.
- Enter the command csrutil disable on the terminal and press Enter.
- Click the Apple icon in the upper left corner, then click Restart