What is SIP
When trying to make a softlink, I encounter a system error:
$ sudo ln -sf /usr/local/bin/rpm /usr/bin/rpm
Password: xxx
ln: /usr/bin/rpm: Operation not permitted
After reseach, it’s caused by MacOS’s security protection called System Integrity Protection.
It is enabled in 10.11 onward. It is aimed at preventing MacOS X compromise by malicious code, whether intentionally or accidentally, and essentially what SIP does is lock down specific system level locations in the file system while simultaneously preventing certain processes from attaching to system-level processes.
csrutil : enable & disable SIP
To turn SIP off, we can use csrutil, but you will encounter another error:
$ csrutil status
System Integrity Protection status: enabled.
$ csrutil disable
csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.
The reason is, SIP is stored in NVRAM rather than in the file system itself. As a result, this configuration applies to all installations of OS X across the entire machine and persists across OS X installations that support System Integrity Protection.
Apple has a detailed instruction for it : Configuring System Integrity Protection
To enable or disable System Integrity Protection, you must boot to Recovery OS and run the csrutil(1) command from the Terminal.
- Boot to Recovery OS by restarting your machine and holding down the Command and R keys at startup.
- Launch Terminal from the Utilities menu.
- Enter the following command: $ csrutil enable
- Reboot is required.