-2

Suppose I have a .plist that I cannot edit without disabling SIP.

Can I disable SIP once, copy the .plist to a rw-r--r-- file in ~, replace the original with a symlink to the copy, re-enable SIP and then be able to update the item whenever I want?

WGroleau
  • You have to assume that when the operating system checks for changes, it is not going to follow the symbolic link. My guess is that it would. – David Anderson Feb 13 '20 at 04:11
  • I have no reason to expect it is checking for changes. SIP apparently works by extended attributes. But it might be checking the attributes of the other end of the link. – WGroleau Feb 13 '20 at 05:49
  • @WGroleau What's the file in question? And what's your system version? – klanomath Feb 13 '20 at 08:34
  • You could just give it a try yourself, and then come back and answer your own question. – user3439894 Feb 13 '20 at 13:55
  • Although the Q&A might benefit other “opportunities,” my immediate case is a PressAndHold .plist. And if no one actually knows the answer, I do intend to go through the inconvenient experiment myself. – WGroleau Feb 13 '20 at 16:52

2 Answers

1

Partial answer: If the symlinked file is one of the PressAndHold plists, it does not work.

With `…/Keyboard-en*.plist` moved to a subdirectory, and copied to a non-SIP directory, I replaced what was moved-and-copied with symlinks to the copies. Press And Hold popups were no longer available. Removing the soft links and copying the originals back up restored the feature without even needing a log-out.

The copies linked were root:wheel with mode rw-r--r--, same as the originals. Changing the link modes to lrw-r--r-- did not restore the feature.

According to https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/ all directory trees protected by SIP are listed in /System/Library/Sandbox/rootless.conf which does NOT list /System/Library or /System/Library/Input\ Methods. Nevertheless, the files I am currently wanting to work on are below /System/Library/Input\ Methods and are protected.

WGroleau
0

To respond to your example about relocating a file in a SIP-protected area such as /System and replacing it with a symlink to the relocated file: Yes, in principle, that would work — the symlink will be able to be dereferenced and the intended data will be readable from the user-writable target file. However, there is the potential caveat that whatever generates the specific file may just remove your symlink and replace it with a regular file, thereby undoing your efforts, or whatever reads the file may expect a regular file rather than a symlink, thereby impacting functionality.

To answer your question directly as you've worded it, however: You wouldn't really be "overriding" SIP. The purpose of SIP is to only allow certain tasks to be performed by the kernel, such as writing to certain filesystem locations. By replacing such a file with a symlink to a file that doesn't reside in such a region, you are circumventing the need to be the kernel in order to write data to a place where another process will then read it; but as mentioned before, that process may be designed so that such circumvention doesn't work as you intend.

Ultimately, you should just try it for whatever specific application you're trying to affect and find out the results for yourself.

Jivan Pal
  • The kernel is not going to write to the file I have in mind. But a software update might. But the file defines some useful text features I’d like to enhance. Making it editable would allow me to keep improving without having to toggle SIP for every change. But the possibility that the text handler might balk at a symlink is the reason for the question. I remember way back in 10.2 that Contacts refused to function if its DB was a symlink or an NFS mount. – WGroleau Feb 13 '20 at 07:46
  • @klanomath Root is still a user, as opposed to the kernel itself – Jivan Pal Feb 13 '20 at 12:23
  • @WGroleau What is the file in question? – Jivan Pal Feb 13 '20 at 12:24
  • Hmmm, before I try the experiment, I want to backup the originals in another directory. First attempt at doing so failed: https://apple.stackexchange.com/questions/382056/disabled-sip-but-still-cant-make-changes – WGroleau Feb 13 '20 at 21:14
  • You likely need to ensure everything is mounted with write permissions: try `sudo mount -uw /`. – Jivan Pal Feb 14 '20 at 03:50
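The caveat raised in the answers, that a reader may refuse a symlink where it expects a regular file, can be shown with an added example (not code from either poster, and not a claim about how the macOS Press And Hold reader is implemented). It contrasts an ordinary open with one that uses `O_NOFOLLOW`, and adds an audit that flags symlinks inside a protected tree whose targets resolve outside it; the directory layout and the `Keyboard-en.plist` name are constructed.

```python
import errno
import os
import tempfile


def read_strict(path):
    """Read path, refusing a symlink at its final component (ELOOP, or EMLINK on FreeBSD)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            return None
        raise
    with os.fdopen(fd, "rb") as handle:
        return handle.read()


def audit_tree(root):
    """List (link, resolved target) for symlinks under root that leave root."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            target = os.path.realpath(path)
            if os.path.islink(path) and os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return findings


def demo():
    """Constructed layout: 'protected' stands in for the SIP tree, 'home' for ~."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected")
        home = os.path.join(tmp, "home")
        os.mkdir(protected)
        os.mkdir(home)
        copy = os.path.join(home, "Keyboard-en.plist")  # constructed file name
        with open(copy, "wb") as handle:
            handle.write(b"<plist/>")
        link = os.path.join(protected, "Keyboard-en.plist")
        os.symlink(copy, link)
        with open(link, "rb") as handle:  # ordinary open follows the link
            followed = handle.read()
        names = [os.path.basename(p) for p, _ in audit_tree(protected)]
        return followed, read_strict(link), names


if __name__ == "__main__":
    print(demo())
```

The ordinary open returns the contents of the user-writable copy, the strict reader returns `None`, and the audit reports the link as leaving the protected tree.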