[Guide] How to Disable SIP (System Integrity Protection)?


Cyberdevs

Supervisor
Staff member
Joined
Aug 29, 2018
Messages
54
Motherboard
GA-Z170X-Gaming 5
CPU
Intel Core i7 6700K
Graphics
AMD Radeon Pro 580
OS X/macOS
10.15 (Beta)
Bootloader
Clover (UEFI)
Mobile Phone
iOS
SIP (System Integrity Protection)
According to Wikipedia: System Integrity Protection (SIP, sometimes referred to as rootless) is a security feature of Apple's macOS operating system introduced in OS X El Capitan. It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).

Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which that user is also the administrator. System Integrity Protection is enabled by default, but can be disabled.

CsrActiveConfig values and their functions:

CsrActiveConfig=0x0​
SIP is fully enabled​
CsrActiveConfig=0x3​
SIP is partially disabled​
CsrActiveConfig=0x67​
SIP is fully disabled​

There are several other like 0x3E7 which eventually disables more protections than 0x67 but it’s not a good idea to disable all those protection measures which make macOS more vulnerable.


How to change CsrActievConfig using Clover:

There are two ways to do that, first method is changing the value of the CsrActiveConfig in the config.plist using Clover Configurator and the second once is to use Clover’s GUI and making those changes to the config.plist before booting into macOS.

If you change the value in the config.pllist by using Clover Configurator or any other plist editors when you save the file it will permanently change the SIP on each boot but if you use the second method it won’t change the config.plist permanently which means if you reboot the macOS it clover will read the value of the config.plist and load the SIP according to the setting in that file.


Here’s some illustrations to show you how to use both methods:

Method 1
Using Clover Configurator and the config.plist:

  1. Mount the EFI partition where Clover is installed.
  2. Open the config.plist with whatever application the you like
  3. Navigate to “Rt Variable”and change the value of the CsrActiveConfig to the value that you like
  4. Save the config.plist and reboot
Rt Variables.PNG

Method 2
Using Clover’s GUI:

1. Once you turn the computer on, when the Clover’s GUI is loaded just navigate to “Options” using the arrow keys and the press Enter/Return

screenshot0.png

2. Under Options menu navigate down to System Parameters->

screenshot1.png

3. Navigate down to System Integrity Protection ->

screenshot2.png

4. Select the options that you want to disable by selecting them and then pressing Enter/Return on the keyboard

screenshot3.png

5. Once you selected the options that you want the SIP to allow navigate down to the bottom of the list and the select “Return” and continue to do so until you see the Clover’s main GUI

6. Select the volume that you want to boot from and then you can check the state of the SIP by using the Terminal commands


Open macOS Terminal and type the command below:
csrutil status
 

Attachments

Last edited: