
bisserwesser

macrumors newbie
Jul 10, 2015
8
1
But then I get Mountain Lion recovery, and there is no Security Configuration there.

This and former betas spew out megabytes of error messages to the logs, among them this:

Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-unlink /private/var/run/dyld_shared_cache_x86_64
Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-flags /private/var/run/dyld_shared_cache_x86_64.map

Rootless prevents the system itself from deleting files that need to be deleted, and I thus want to manually intervene. But rootless cannot be disabled from the terminal anymore, and I have no recovery partition, and the internet recovery partition doesn't give me an option to disable rootless. Rootless simply cannot be disabled.

Furthermore, trying to report the error to Apple, I get a 500 error message when submitting.

This is such a great modern operating system… or more like a walled app garden intended to maximize Apple's monetizing scheme rather than giving the user full power of the system. It is Linux next for me, I have had it with these morons.

If there is no partition just do Command + R on boot.
 

matreya

macrumors 65816
Nov 14, 2009
1,286
127
This is such a great modern operating system… or more like a walled app garden intended to maximize Apple's monetizing scheme rather than giving the user full power of the system. It is Linux next for me, I have had it with these morons.

Whinge...whine... good bye...

Apple are doing their damnedest to repel the people (I call them that loosely) trying to exploit security holes in OS X to steal your data.
 

XboxMySocks

macrumors 68020
Oct 25, 2009
2,239
213
Doesn't work anymore in Beta 5. The menu item "Security Configuration" doesn’t exist anymore after the Recovery Update 2.0 but you can deactivate it via the terminal in OS X Recovery with 'csrutil disable'.

However, I’m not able to change app icons in the Applications folder anymore even though SIP is disabled. Really frustrating. Something else must’ve changed.

False - you may have booted into your other partition's Recovery Partition. Taken on 15A263E Partition Update 2.0

[Image: bt7p6F9.jpg]
 

umzyi

macrumors 6502
Apr 21, 2011
264
70
UK
I can confirm that SIP has been disabled. I have booted into 10.11 recovery partition and it doesn't exist there any more. See the screenshot.
 

[Attachment: IMG_0008.jpg]

XboxMySocks

macrumors 68020
Oct 25, 2009
2,239
213
It is. I have checked and Security Configuration is gone from the menu with the latest update installed. The Terminal method does work however, which wouldn't be the case in Yosemite Recovery.
Explain the picture I just posted then? It's on the latest update as well.
 

XboxMySocks

macrumors 68020
Oct 25, 2009
2,239
213
Dunno how this happens - Build 303 but the firmware update has been installed and is present in App Store.

Your guess is as good as mine...?
 

Oberhorst

macrumors regular
Nov 4, 2010
187
194
Stockholm
False - you may have booted into your other partition's Recovery Partition.
I have no other partition. On my MacBook Air there is only one OS, and that’s OS X El Capitan Beta 5. I updated from Yosemite.

I found out however that I can change the icons with drag & drop. No idea why CMD + C/CMD + V doesn’t work anymore.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
This and former betas spew out megabytes of error messages to the logs, among them this:

Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-unlink /private/var/run/dyld_shared_cache_x86_64
Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-flags /private/var/run/dyld_shared_cache_x86_64.map

Rootless prevents the system itself from deleting files that need to be deleted, and I thus want to manually intervene. But rootless cannot be disabled from the terminal anymore, and I have no recovery partition, and the internet recovery partition doesn't give me an option to disable rootless. Rootless simply cannot be disabled.

It’s a beta. That is normal. It is Apple’s responsibility to fix these errors and even if they don’t that doesn’t mean your system isn’t working normally. This is precisely why SIP exists, to stop people and programs from messing with things they don’t even have to mess with. Moreover, that you don’t have a fully updated recovery partition is not intended, as the system should create one upon installation and maintain it. Maybe it’s a good idea to do a clean install at one point, perhaps it will be updated once the final release is rolled out.
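
One way to triage the kind of log flood quoted above, as an added example that is not part of any post in this thread: it groups "System Policy: deny" lines by process, operation and path so repeated denials collapse into counts. The regular expression is inferred from the two quoted lines only; the extra sample lines, the process name `example tool` and its path are constructed.

```python
import re
from collections import Counter

# Layout inferred from the two kernel log lines quoted in this thread:
# <timestamp> <host> kernel[0]: Sandbox: <proc>(<pid>) System Policy: deny(<n>) <op> <path>
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel\[\d+\]: "
    r"Sandbox: (?P<proc>.+?)\((?P<pid>\d+)\) System Policy: "
    r"deny\(\d+\) (?P<op>\S+) (?P<path>.+)$"
)

def parse_denials(lines):
    """Yield one dict per 'System Policy' denial; unrelated lines are skipped."""
    for line in lines:
        m = DENY_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines):
    """Count denials per (process, operation, path), most frequent first."""
    counts = Counter((d["proc"], d["op"], d["path"]) for d in parse_denials(lines))
    return counts.most_common()

# The first two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = """\
Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-unlink /private/var/run/dyld_shared_cache_x86_64
Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-flags /private/var/run/dyld_shared_cache_x86_64.map
Aug 21 23:42:09 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-unlink /private/var/run/dyld_shared_cache_x86_64
Aug 21 23:42:10 localhost kernel[0]: Sandbox: example tool(412) System Policy: deny(1) file-write-create /System/Library/Example File
Aug 21 23:42:11 localhost configd[51]: network changed
""".splitlines()

if __name__ == "__main__":
    # Process names and paths may contain spaces, so both are printed last-wide.
    for (proc, op, path), n in summarize(SAMPLE):
        print(f"{n:4d}  {proc:<14} {op:<20} {path}")
```

A short list of distinct (process, operation, path) rows makes it easier to tell a single repeating system denial from writes attempted by third-party software.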
 

xgman

macrumors 603
Aug 6, 2007
5,697
1,425
I hope they allow some way to disable this security feature in the final or this may be the first time I don't upgrade. Maybe we will eventually need the "jailbreak" equivalent for OSX. I hate that they might not let power users do what they do.
 

leman

macrumors Core
Oct 14, 2008
19,521
19,675
I hope they allow some way to disable this security feature in the final or this may be the first time I don't upgrade. Maybe we will eventually need the "jailbreak" equivalent for OSX. I hate that they might not let power users do what they do.

This is just the same panic-laden 'bla bla bla' as the bisserwesser person does above. I am a power user. I can't think of a valid reason that I would need write access to the system files. You only need it if you want to hack the core OS. Which you should not do with OS X in the first place. Need that much flexibility? Use Linux/BSD. OS X is a complex system of open-source, proprietary and modified open-source components. Hacking them can result in unexpected behaviour. Don't do it unless you have perfect understanding of how the OS works. Which you clearly don't, otherwise you wouldn't complain about SIP.

Need a custom kernel driver? A system-wide extension? Want to install some third-party daemon or service? No need to disable rootless for that. Apple provides you with write access to all the relevant locations of the filesystem and it gives you a rich set of API to cater to any possible need you might have.
 

Fangio

macrumors 6502
Jan 25, 2011
375
473
10717
I hope they allow some way to disable this security feature in the final or this may be the first time I don't upgrade. Maybe we will eventually need the "jailbreak" equivalent for OSX. I hate that they might not let power users do what they do.
What actually happened in DP7 / PB5 is
  • in Recovery, the Security Configuration checkbox that was accessible via menu is gone
  • the Terminal method via csrutil was updated
  • csrutil has been further refined and allows more commands to specifically configure certain parts of SIP.
See also this post in Pike's Universum: csrutil updated in DP7 for details.

Here's a screenshot with all SIP options disabled

[Image: csrutil in DP7.png]

Note that it's still stating: enabled (Custom Configuration). I'd say this still is a somewhat confusing bug because I'm able to run unsigned kexts with this config.

However it doesn't seem they are further developing csrutil with the goal to not allow users to disable SIP in the end. Actually as mentioned above, they have enhanced csrutil to give advanced users more options.
 

MrNomNoms

macrumors 65816
Jan 25, 2011
1,159
296
Wellington, New Zealand
Regarding the unsigned driver, what driver are you using? You shouldn't need to disable rootless to install a driver as long as the driver is signed and the installer puts it in the /Library directory where third party kernel extensions go. Regarding the nvram thing, IIRC I thought that they disabled the ability to disable rootless mode in the latest beta build - I remember reading somewhere that they had.
 

Fangio

macrumors 6502
Jan 25, 2011
375
473
10717
Regarding the unsigned driver, what driver are you using?
HDMIAudio for example. Currently it looks like it will probably never get signed. And there's more.

The custom config above is just a proof of concept so no worries. I do not intend to keep the system that way as more specific configurations are possible now.
 

redheeler

macrumors G3
Oct 17, 2014
8,626
9,270
Colorado, USA
I can't think of a valid reason that I would need write access to the system files. You only need it if you want to hack the core OS.
So changing the folder icons, for example, would be considered hacking the core OS?

OS customization is probably the main reason most people disable rootless. XtraFinder, cDock, Flavours (if a 10.11 version existed), etc. Also simply changing system icons.

I doubt most people who disable rootless do it to "hack the core OS".
 

XboxMySocks

macrumors 68020
Oct 25, 2009
2,239
213
So changing the folder icons, for example, would be considered hacking the core OS?

OS customization is probably the main reason most people disable rootless. XtraFinder, cDock, Flavours (if a 10.11 version existed), etc. Also simply changing system icons.

I doubt most people who disable rootless do it to "hack the core OS".
FWIW I doubt most people trying to hack the core OS would need to disable rootless :p
 

Shirasaki

macrumors P6
May 16, 2015
16,263
11,764
But then I get Mountain Lion recovery, and there is no Security Configuration there.

This and former betas spew out megabytes of error messages to the logs, among them this:

Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-unlink /private/var/run/dyld_shared_cache_x86_64
Aug 21 23:42:07 localhost kernel[0]: Sandbox: launchd(1) System Policy: deny(1) file-write-flags /private/var/run/dyld_shared_cache_x86_64.map

Rootless prevents the system itself from deleting files that need to be deleted, and I thus want to manually intervene. But rootless cannot be disabled from the terminal anymore, and I have no recovery partition, and the internet recovery partition doesn't give me an option to disable rootless. Rootless simply cannot be disabled.

Furthermore, trying to report the error to Apple, I get a 500 error message when submitting.

This is such a great modern operating system… or more like a walled app garden intended to maximize Apple's monetizing scheme rather than giving the user full power of the system. It is Linux next for me, I have had it with these morons.
Maybe a system other than OS X, such as Windows, could solve this problem.

But yeah, Windows can only help with this at the file level. Other changes must be done under OS X.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Regarding the nvram thing, IIRC I thought that they disabled the ability to disable rootless mode in the latest beta build - I remember reading somewhere that they had.

Correct. Although SIP is still stored in NVRAM, you can’t add it as a boot argument using root (the whole point of SIP is that root cannot be trusted). Only the csrutil operation can do it and it can only be fully executed from the recovery system.
 

rojh

macrumors newbie
Original poster
Jul 9, 2015
27
2
QC/Bulacan
Well, I just visited this forum today. Just went and reformatted my Mac back to Mavericks weeks ago. I gave up on El Capitan. So much headache from disabling rootless and stuff. I guess I have to wait for 10.12? Really a disappointment. Apple really hasn't done anything good and new for the past few years.
 

SG-

macrumors regular
Jun 8, 2015
151
88
It sounds like a beta OS isn't for you, move along now and come back when it's out.
 