Mac Security

What Mac Users Need To Know About El Capitan Security

Justin Pot 19-10-2015

Mac users: OS X 10.11 El Capitan is here, and it’s pretty great OS X El Capitan is Here! Upgrade For A Smoother Mac Experience Mac OS X El Capitan is a subtle release: its biggest changes aren't visible — but you'll probably notice them anyway. Read More . Most users will get a noticeable performance boost, and there are some (relatively minor) new features.


But what’s the biggest change Apple made this time around? Security. OS X is now so locked down even root users can’t modify the operating system – let’s go over what that means, shall we?

System Integrity Protection: Root Has No Power Here

Remember this old cartoon?


Don’t get it? Well, in many UNIX-like systems – including OS X – the command sudo stands for superuser. Putting “sudo” in front a command, assuming your user account is an administrator, lets you do things you can’t otherwise.

Basically, if you’re a superuser, you can do anything – unless, of course, you’re running El Capitan. In this version of OS X you cannot edit core system files, at all, regardless of whether you’re root.


This is because of System Integrity Protection (SIP) – sometimes called rootless – a new feature that means users and third-party software, including malware, cannot change core system files.

To summarize, SIP means that:

  • Core system files cannot be re-written, even by root users.
  • Injecting code into protected processes is no longer permitted by the system.
  • Only signed kernel extensions can run – no exceptions.

The basic idea here is that if you can’t modify these core files, neither can malware or hackers. But there are some potential downsides, especially if you’re the kind of user who likes to hack or customize things.

System Directories Cannot Be Edited

In El Capitan, the contents of certain folders cannot be altered by the user or any program the user might choose to run. Which folders?

  • /System
  • /bin
  • /usr (except “/usr/local”)
  • /sbin

Testing this is simple: head to the Terminal and try to create a new directory in /System. It won’t work:


This means that you, and any programs you might choose to run, can’t make any changes to OS X – even if you’re a root user, and even if you type your password. This also means that malware and hackers can’t change anything in those folders.

Any application that worked in part by making changes to these folders isn’t going to work in El Capitan, full stop, without some sort of update.


And this change is retroactive, meaning if you’ve done anything to edit OS X in the past those changes are going to revert when you upgrade to El Capitan – but you can recover all the files and changes, if you want, they’re in /Library/SystemMigration.

No More Injecting Things Into Memory

Did you ever use EasySIMBL, which lets you customize almost anything on your Mac Customize Almost Anything On Your Mac With EasySIMBL From hiding the menubar when certain applications are open to embedding Instagram images within the official Twitter app, you can do things with EasySIMBL you probably didn't know were possible. Read More ? This program can add functionality to programs and OS X itself, and accomplishes this by injecting code into a currently-running program. For example: one plugin for EasySIMBL made Twitter’s official Mac client support embedded images from Instagram, a feature it doesn’t otherwise have.

This can be really cool, but it’s also using the exact methodology that a lot of common malware uses to do all sorts of nasty things. It’s no longer possible in El Capitan.


This breaks things like EasySIMBL, and the popular Flashlight plugin system for Spotlight Add Superpowers To Spotlight With This Unofficial Plugin System Bring Google, Wolfram Alpha, the weather and just about anything else to Spotlight. Read More , on El Capitan – but also prevents all sorts of theoretically possible malware.

No More Unsigned Kernel Extensions

Kernel extensions are pieces of software that interact directly with the system’s kernel. Most Mac users will probably never install a kernel extension, unless they need drivers for some sort of third party hardware.

And from now on all kernel extensions – including drivers – need to be signed in order to run. This means that if you rely on a piece of hardware that relies on an unsigned driver, that driver will not load in El Capitan – your device manufacturer needs to release a signed driver, or you’ll be unable to use your hardware.

Turning Off SIP/Rootless In El Capitan

These changes will, without question, improve security – but some people feel it’s not worth the loss of freedom.

Whether you agree with these complaints, or simply rely on apps or hardware that don’t work with SIP enabled, it’s possible to turn this security function off.

System Integrity Protection cannot be disabled from within the OS itself: you need to boot into OS X Recovery. Shut down your Mac, then hold CMD+R while it’s starting up.

What Mac Users Need To Know About El Capitan Security os x recovery

Once the system loads OS X Recovery, load the Terminal from the menubar, then type csrutil disable and hit Enter. If you later want to turn SIP/rootless back on, repeat this process, but type csrutil enable in the Terminal.

Alternatively, you could simply not install El Capitan for a while – you can get the great features without upgrading Don't Wait, Get OS X 11.10 El Capitan Features Right Now In Yosemite While there are a few nice new features and refinements coming to OS X 11.10, you can get most of the upcoming features by installing third-party software today. Read More anyway.

Other Various Security Patches

SIP isn’t the only new security feature in El Capitan – just the most noteworthy. You can read Apple’s long list of OS X security updates, if you like, but here’s a few highlights:

Security or Freedom?

I’ve talked about how El Capitan’s new security functions are the end of Mac customization El Capitan Means The End Of Mac Themes & Deep System Tweaks If you like customizing your Mac, Yosemite might be the last version of OS X that works for you. And that's too bad. Read More , and the comments I got surprised me – people basically said “So what?”.


Maybe more Mac users agree with this: that they’d rather have security features like SIP than the ability to tweak things. I want to know what you think: is there a tradeoff here, and is it worth it? Let’s talk this over in the comments.

Image Credits: “Sandwich” courtesy of XKCD

Related topics: Computer Security, OS X El Capitan.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Shane
    March 21, 2016 at 9:40 pm

    As long as they continue to provide a way to turn off and turn on additional security features such as SIP I think Apple is moving in the right direction. You want to mod shit as root, turn off extra protection, do your mods and then lock the mods in place by turning SIP back on. It's the best of both worlds. If you are advanced enough to modify system files you shouldn't have a problem following the process to turn SIP on and off.

    • Justin Pot
      March 22, 2016 at 1:33 am

      I agree, there's a way to turn it off if you care enough to look into it, but the vast majority of users aren't going to care. Those people are better off with the protection turned on, I think.

  2. Erique
    February 5, 2016 at 6:54 am

    LOL, again, Apple treating its customers like five year-olds...

    It's like a 60 year-old man being told by his parents he should still be suckling mom's breast

    What a bunch of jokers, first the pure comedy that is the new retina Macbook and now an operating system that is more restrictive than any computer node at Langley...

    Not only are Apple on their way to ending customization of the interface, soon they'll be doing all your computing for you, because Apple knows best...

  3. Anonymous
    October 20, 2015 at 1:34 pm

    No more unsigned kernel extensions ? What's that do to the Hackintosh community WRT running El Capitan ? (not that Apple cares about them, of course)

    • James Bruce
      October 20, 2015 at 2:07 pm

      It's easy to disable that bit if you restart into recovery mode. People who need to still can, I mean.

      • Justin Pot
        October 20, 2015 at 4:31 pm

        I'm thinking disabling rootless will be mandatory for Hackintosh users.

  4. Anonymous
    October 19, 2015 at 6:49 pm

    For as many users who don't customize anything or even use basic OS functions like tags in Finder, there are just as many who want intense customization for their work environment. Disabling csrutils is probably a decent overall compromise. A hidden setting for users motivated and unafraid of changing the system is much better than a blanket removal and reduces overall demand for support.

    I more or less treat OSX as a *nix. Not having root access is a non-starter but most people don't want or need it.

    • Justin Pot
      October 20, 2015 at 12:09 am

      Yeah, there are a lot of pros and cons to consider here I think.