csrutil should allow re-enabling of SIP from booted OS
| Originator: | frogor | | |
| Number: | rdar://29425667 | Date Originated: | 29-Nov-2016 12:43 PM |
| Status: | Open | Resolved: | |
| Product: | macOS | Product Version: | 10.12.1 |
| Classification: | Security | Reproducible: | Always |
This is a duplicate of rdar://29403930

Summary:
csrutil does not have an option to reset the SIP status back to "All On". If you are already booted, there's absolutely no automated way to re-enable SIP on a device, or even at all without NetBoot, which doesn't work with 802.1x. csrutil should allow you to re-enable (only) SIP despite being logged in. It would provide enterprise a way to guarantee SIP gets enabled even if someone disables it.

Steps to Reproduce:
1. Disable SIP from Recovery Partition.
2. Restart and log into macOS 10.12 as normal.
3. `sudo csrutil enable`

Expected Results:
SIP should be re-enabled on next reboot.

Actual Results:
`csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.`

Version:
10.12.1 16B2555

Notes:

Configuration:
This occurs in every 10.11 and 10.12 install with SIP.
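Since the report describes no way to re-enable SIP from the booted OS, detection is what a management agent can automate. The script below is an added example, not part of the original report or of Apple's tooling: it classifies `csrutil status` text as fully on, custom, or disabled. The status wording it matches and the sample outputs are constructed assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify `csrutil status` text so a management agent can flag
# Macs where SIP is not fully on. Matched wording is an assumption.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_ON='System Integrity Protection status: enabled.'
SAMPLE_OFF='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled
    NVRAM Protections: enabled'

# classify_sip TEXT -> prints enabled | custom | disabled | unknown
classify_sip() {
    status_line=$(printf '%s\n' "$1" |
        grep 'System Integrity Protection status:' | head -n 1)
    case "$status_line" in
        *"Custom Configuration"*) echo custom ;;   # partially disabled
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;  # treat as non-compliant
    esac
}

# disabled_protections TEXT -> names of protections listed as disabled.
# "Apple Internal: disabled" is the normal state, so it is skipped.
disabled_protections() {
    printf '%s\n' "$1" | sed -n -e '/Apple Internal/d' \
        -e 's/^[[:space:]]*\(.*\): disabled$/\1/p'
}

# sip_all_on TEXT -> exit status 0 only when every protection is on.
sip_all_on() {
    [ "$(classify_sip "$1")" = enabled ]
}

# On a Mac, report the live state; elsewhere this block is skipped.
if command -v csrutil >/dev/null 2>&1; then
    out=$(csrutil status 2>&1) || true
    echo "SIP state: $(classify_sip "$out")"
    disabled_protections "$out"
fi
```

A "custom" result is reported separately from "enabled" because a partially disabled configuration is not the "All On" state the report asks to restore.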