bootstrap_guest.sh => disable system integrity protection on OS X 10.11

[rodionovd]

There's a new thing in OS X 10.11 called SIP (system integrity protection) aka «Rootless». Basically it takes all privileges away from root: you can no longer write to protected system locations, modify system files and so on.

That's no good for us, and right now we have an ability to disable it on 10.11 machines with the new boot argument:

$ sudo nvram boot-args="rootless=0"

Although Apple may (and they are going to) remove this argument in a release version of the OS. Let's just hope that there will be a workaround we could use.

Resources

• «Security and Your Apps» — video and slides from Apple
• Notes from Thursday Security Lab — again, some Q&A from Apple on the subject

[deadbits]

Haven't seen any movement on this but figured I'd chime in JIC. On newer versions of OS X, where that^ command has been removed, you can disable SIP like this:

• Reboot OS X into Recovery mode
  • Reboot system while holding cmd+r keys
• Click the Utilities navigation menu
• Select/Open the Terminal application within this menu
  • Within Terminal, run the command csrutil disable && reboot

After reboot, SIP is disabled and you have real root access again. To reverse this, simply do the same thing but run csrutil enable, and to verify it's worked or its current state from the OS X terminal just run csrutil status and it'll spit out if SIP is enabled or not.

Hope this can be of use