antoine23

macrumors member
Original poster
Sep 26, 2023
I was wondering if there is still a tool somewhere to check for system integrity, to verify that the system read-only partition has not been modified for instance, and if it has, recover to a previous snapshot.

Any ideas?

Back in the day, if the system would fail somehow, one of the recommended actions was fixing permissions.

Now we have SIP plus a read-only system partition, so fixing permissions is no longer a thing.
 
I don't want to modify a system volume; I'm looking for a tool to check for its integrity and maybe even repair it, like fixing permissions used to do.
If SIP is enabled, the volume is not modified, intact. You can’t fix anything file/folder related, like permissions, on a read-only volume.
What you should check for is APFS related errors. There can be a few :)
https://forums.macrumors.com/thread...is-not-the-currently-booted-snapshot.2378429/
https://forums.macrumors.com/threads/disc-utility-warning.2376773/
https://forums.macrumors.com/threads/apfs-or-mac-os-extended-for-external-hdd.2386349/post-32089488


APFS snapshots
https://support.apple.com/en-gb/guide/disk-utility/dskuf82354dc/mac
https://support.apple.com/guide/disk-utility/dskuf82354dc/mac
"Repair volumes, then containers, then disks"
https://support.apple.com/en-us/HT210898
https://support.apple.com/HT210898
 
Thanks, I will check that.

Actually, I thought there were tools to compare APFS snapshots, check the system volume is not corrupt, and if so, repair it and so on.

Disk Utility is for the filesystem only; it cannot repair a file that has been corrupted somehow. Maybe with a snapshot, but there should be one to pick from in the first place.

I think Apple has overly relied on a read-only system volume to not provide any tools to check that it actually remains that way.

It's not even clear if APFS snapshots are automatically created before any update (manual or automatic).
 
You should read up about signed system volumes (SSV), which have been used since macOS 11. In short, macOS installations are cryptographically validated during installation and updating as well as on boot and at runtime. The system computes hashes of the system volume and compares them against the hashes that Apple provides. It will refuse to boot if it finds any inconsistencies. Furthermore, since macOS 11, the system no longer merely loads from a read-only system volume, but from an APFS snapshot of that system volume.

You can check whether this feature is active with: csrutil authenticated-root status.
 
Reactions: Brian33
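The check mentioned in the post above can be combined with the SIP status and the root mount line into one report. This is an added example, not part of the thread; the matched strings are assumptions about the usual output of `csrutil status`, `csrutil authenticated-root status` and `mount` on macOS 11 or later, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). The strings matched below are
# assumptions about typical command output on macOS 11 or later.

contains() { case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# True when the root mount line names a snapshot device such as disk3s1s1
# (volume disk3s1, snapshot s1) rather than the volume itself.
root_is_snapshot() {
    printf '%s\n' "$1" | grep -Eq '^/dev/disk[0-9]+s[0-9]+s[0-9]+ on / \('
}

# report <description> <command...>: run the check, print OK or WARN.
report() {
    ssv_desc=$1; shift
    if "$@"; then echo "OK   $ssv_desc"; else echo "WARN $ssv_desc"; ssv_rc=1; fi
}

# check_ssv <csrutil status> <csrutil authenticated-root status> <mount>
# Prints one line per check and returns 0 only when every check passes.
check_ssv() {
    ssv_rc=0
    ssv_root=$(printf '%s\n' "$3" | grep ' on / (' | head -n 1)
    report "SIP enabled" contains "$1" "System Integrity Protection status: enabled"
    report "authenticated root enabled" contains "$2" "Authenticated Root status: enabled"
    report "booted from an APFS snapshot" root_is_snapshot "$ssv_root"
    report "root volume sealed" contains "$ssv_root" " sealed,"
    report "root volume read-only" contains "$ssv_root" " read-only"
    return "$ssv_rc"
}

# On a Mac, check the live system; skipped where csrutil is not installed.
if command -v csrutil >/dev/null 2>&1; then
    check_ssv "$(csrutil status)" "$(csrutil authenticated-root status)" "$(mount)" || true
fi
```

A WARN line means the corresponding protection was not reported as active; it does not by itself say that any file was changed.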
I was wondering if there is still a tool somewhere to check for system integrity, to verify that the system read-only partition has not been modified for instance, and if it has, recover to a previous snapshot.
If the machine boots, you can be sure the system has not been modified.

This is because macOS boots from a signed read-only snapshot of the operating system. Every machine running the same OS version has the same system, bit for bit. If even one bit has been modified from Apple's specification, the signature check will fail and the computer won't boot.
 
Reactions: Brian33