How to disable SIP (System Integrity Protection)? How to turn SIP off

Original link: How to disable SIP system integrity protection? SIP system integrity shutdown method – FCPX template station

Many Mac users report that after installing some software, they see a message that there is no mountable file system (or a similar error). The cause may be that SIP (System Integrity Protection) has not been turned off. Let’s take a look at how to turn off SIP.

What is SIP?

System Integrity Protection is a security technology in macOS that helps prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection limits the root user account and what the root user can do on protected portions of the Mac operating system.

This may not be easy for some newcomers to understand, so let’s put it another way: SIP is similar to the Windows firewall and to rooting on Android phones. This should clear up the confusion for many people.

To better understand what SIP can do, we need to first understand a concept: sandboxing.

Sandbox

macOS introduced a sandbox mechanism starting with version 10.6, and applications published to the Mac App Store must use it and comply with its conventions. The sandbox places strict restrictions on the system files, hardware information, network and other resources that an application can access. This prevents malicious apps from attacking the system through system vulnerabilities and obtaining control permissions. It also prevents applications from performing unsafe operations without permission and causing system failure, thereby ensuring the security of your macOS system.

The sandbox is equivalent to giving each app its own independent space. An app can only play in its own small world. To obtain resources outside its own space, it must obtain authorization (this is also restricted, and only limited resources can be obtained).

Now you have an overview of what a sandbox is. As mentioned above, because applications in the Mac App Store must follow sandbox conventions, software from the App Store runs in a sandbox and cannot access or modify the underlying files of the system. Therefore, most software that wants to offer more powerful features and still be listed on the App Store can only release a cut-down version there. Many excellent applications are not listed on the App Store because they require resource permissions outside the sandbox. Some software therefore ships in two versions, an official full-featured version and a streamlined App Store version. System utilities such as Tencent Lemon do this for exactly that reason.

You should be able to see that Apple takes great pains to ensure everyone’s system security.

Security classification of macOS applications

To sum up, we can divide macOS applications into these three categories according to security:

| Type | Description | Security Level |
| --- | --- | --- |
| Runs in a sandbox | Strictly adheres to Apple’s sandbox mechanism and can only access limited directories and perform limited operations | High |
| SIP not turned off, not running in a sandbox | Except for the protected files at the bottom of the system, any file can be accessed and modified after user authorization | |
| SIP turned off, not running in a sandbox | Almost all system files can be accessed and modified | Low |

The impact of turning off SIP

After turning off SIP, running the application will no longer prompt:

  1. xxx is damaged and cannot be opened. You should move it to the Trash.
  2. Can’t open xxx because it’s from an unidentified developer
  3. xxxx cannot be opened because Apple cannot check it for malware

In other words, as long as the application itself can run, it will run directly on your system when you open it, whether or not it is signed or notarized and whether or not it is malicious. At that point your computer is fully exposed and has no protection: the application can operate on all the files in your system. If the application is malicious and you accidentally authorize it, it can perform any operation on your system without your permission.

So unless it is necessary, fcpxBox strongly recommends that you do not turn off SIP!!! If you must use an application that requires turning off SIP, you must judge whether the source of the application is safe.

Turning off SIP

Check SIP status

Before turning off SIP, first check whether System Integrity Protection is enabled.

Open Terminal, enter the following command, and press Enter:

csrutil status

You will see one of the following messages indicating the SIP status.

Not turned off (enabled):

System Integrity Protection status: enabled.

Turned off (disabled):

System Integrity Protection status: disabled

If it is not turned off, you need to turn off SIP!
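The same status command also serves the opposite purpose: confirming that SIP is back on once the application that needed it off has been dealt with. The script below is an added example, not part of the original article; the function names sip_state and sip_check are hypothetical, and the sample outputs are constructed from the two messages shown above. Anything other than an explicit "enabled" counts as a failure.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output so a periodic check can
# flag a Mac where SIP was turned off and never turned back on.

# sip_state TEXT -> prints "enabled", "disabled" or "unknown"
sip_state() {
    # Keep only the status line, then drop trailing blanks and the final
    # period (the two messages shown above differ in that period).
    state=$(printf '%s\n' "$1" \
        | sed -n 's/^System Integrity Protection status:[[:space:]]*//p' \
        | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/\.$//')
    case "$state" in
        enabled)  echo enabled ;;
        disabled) echo disabled ;;
        *)        echo unknown ;;  # empty or unexpected text: fail closed
    esac
}

# sip_check TEXT -> exit status 0 only when SIP is reported as enabled
sip_check() {
    [ "$(sip_state "$1")" = "enabled" ]
}

# Constructed sample outputs, matching the two forms shown above.
SAMPLE_ON='System Integrity Protection status: enabled.'
SAMPLE_OFF='System Integrity Protection status: disabled'

# On a Mac, read the live state; elsewhere fall back to a constructed sample.
if command -v csrutil >/dev/null 2>&1; then
    out=$(csrutil status 2>&1)
else
    out=$SAMPLE_OFF
fi

if sip_check "$out"; then
    echo "OK: SIP is enabled"
else
    echo "WARNING: SIP state is '$(sip_state "$out")'; run csrutil enable from Recovery"
fi
```
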

ARM M1

Steps to turn off SIP on an ARM M1 processor:
  • Shut down the Mac.
  • Press and hold the power button until the screen below appears, then click Options, then click Continue.
  • Click Utilities on the menu bar, then click Terminal.
  • Enter csrutil disable, then press Enter (the Return key).
  • Type y and press Enter (the Return key). Enter your computer password and press Enter (the Return key).
  • After a while, the message "System Integrity Protection is off." appears, confirming that SIP has been turned off. Type reboot and press Enter (the Return key) to restart the computer.

If you later want to enable SIP again, just replace csrutil disable in the steps above with csrutil enable.

Intel processor

Steps to turn off SIP on macOS 11.x Big Sur (Intel processor) and earlier systems:
  1. Shut down and then restart your Mac. Hold down Command + R while booting to enter Recovery mode.
  2. After entering Recovery mode, open the terminal.
  3. Enter the command csrutil disable in the terminal and press Enter.
  4. Click the Apple icon in the upper left corner, then click Restart.