
I have a remote 2012 mac mini running Sierra. Long ago I was doing some troubleshooting and had created a secondary copy of the system on the machine. Once I had finished whatever I was doing (which I don't even remember anymore) I got my working system running again and deleted the alternate one. Trouble is since it contains system files, they are locked down by SIP and can't be deleted without disabling SIP. Which of course can only be done from recovery mode, which requires having a display and keyboard attached to the machine in question. Which I don't have.

Is there any way to:

  1. Disable SIP without using recovery mode at all? I have found other threads (such as here and here) about this and the consensus appears to be "no", but I thought I would reiterate the question here to be thorough. Or,
  2. Empty the trash of protected items without having to disable SIP first?

The machine is running Sierra and SIP is definitely enabled currently (csrutil status).

JVC
  • The security behind SIP is that you can't disable it without unmounting the boot volume first and that requires direct "console" access. As to your second question, Trash isn't protected and as far as items covered by SIP, you simply cannot move them to the Trash. So, that's more of an issue. Can you expand on that issue rather than re-ask an already answered question? – Allan Sep 07 '20 at 15:41
  • @Allan I'm not sure what you mean that SIP-protected items cannot be moved to trash. They most certainly can... they just can't be emptied. I moved an entire System directory to the Trash, and most of it did in fact delete, but a handful of Library files refuse to delete, giving me "Some items in the trash cannot be deleted because of SIP" – JVC Sep 07 '20 at 15:45
  • I meant they can't be deleted. You did this with SIP enabled? – Allan Sep 07 '20 at 16:07
  • SIP shouldn't give a damn about files on a non-boot drive. They're not 'system files' they're just 'stuff on a drive'. Perms can be ignored too, so you should be able to do anything you like. If they can't be deleted it's because the current system thinks they belong to it. – Tetsujin Sep 07 '20 at 17:18
  • @Allan Yes they were moved to trash with SIP enabled. They were not the active system at the time, of course. – JVC Sep 07 '20 at 17:19
  • @Tetsujin This is the boot drive, hence the problem. – JVC Sep 07 '20 at 17:19
  • Did you create two systems on one partition? The files you cannot delete are being considered part of the currently booted system, otherwise you could delete them. – Tetsujin Sep 07 '20 at 17:21
  • @Tetsujin This was years ago so I really don't remember the details. But I know I did create a second/alternate system on the drive while troubleshooting something. I don't remember how or exactly why I did this, it might have been to test an OS update before committing to it, but I can't be sure. If these files were a part of the current system I would expect to be able to restore them via "put back", but there is no such option. Interesting observation however. – JVC Sep 07 '20 at 17:28
  • As you're not going to be able to disable SIP remotely, you might need to look into shrinking a partition to create a new one. Set up a clean OS on there & migrate user data from the borked one, or pull user data off to your local machine for safety. I don't know of any tool that could pick this apart otherwise. – Tetsujin Sep 07 '20 at 17:35
  • It's sounding more and more like the genuine answer is simply "No, these are impossible." I may just break down and connect a physical keyboard and display to it in order to solve this nuisance. And that's really all it is anyway, a nuisance. Thanks all. And anyone who wishes to make their "no" answer an actual answer, I will gladly accept it. – JVC Sep 07 '20 at 17:37
  • @Tetsujin: You are correct. SIP only applies to the boot volume. So another OS X or macOS installed on a different volume would not be protected by SIP. This is true when installed in different partitions or (in the case of APFS) the same partition. The problem the OP is having probably has nothing to do with SIP. – David Anderson Sep 07 '20 at 21:43

1 Answer

Disable SIP without using recovery mode at all? I have found other threads (such as here and here) about this and the consensus appears to be "no", but I thought I would reiterate the question here to be thorough.

System Integrity Protection cannot be disabled from a normal mode boot (from one's Desktop). The Apple provided method is to use csrutil disable from Terminal while booted to macOS Recovery. What good would it be if it could be disabled from a normal mode boot? (Rhetorical question!)

As mentioned by David Anderson in a comment, one could use rEFInd to disable SIP, however, this cannot be done from a normal mode boot (from one's Desktop) and would require having rEFInd installed and rebooting the system to rEFInd, which you'd have no control of from a headless system without a keyboard.

Empty the trash of protected items without having to disable SIP first?

From a normal mode boot (from one's Desktop), no, however one can delete the various .Trashes and .Trash directories from Terminal in macOS Recovery without disabling SIP and then reboot back to normal mode boot and those directories will be recreated.

What good would SIP be if one could bypass its restrictions from a normal mode boot? (Rhetorical question!)

Obviously, you'll need to temporarily add a keyboard and monitor to the Mac mini to boot to macOS Recovery in order to resolve the issue.

user3439894
  • Thanks, adding a keyboard and display is clearly the only way to solve this then since Recovery mode is always required. Ah well, thanks again for the confirmation. – JVC Sep 07 '20 at 18:22
  • It is a minor point, but SIP can also be disabled using rEFInd. So booting to macOS Recovery is not the only way. Also, using rEFInd would not work on a Mac without at least a keyboard attached. – David Anderson Sep 07 '20 at 21:48
  • @David Anderson, In this particular use case it's a very minor point since it cannot be disabled from a normal mode boot (from one's Desktop) even with rEFInd, and it would also have to be installed separately as it's not a part of macOS. – user3439894 Sep 08 '20 at 00:19
  • The rEFInd Boot Manager can be configured to boot from a flash drive. The rEFInd Boot Manager does not require macOS. The rEFInd Boot Manager can also be configured to allow SIP to be enabled or disabled from rEFInd. If you know the correct key sequence, then you could disable SIP without the use of a monitor, but this would require a keyboard. – David Anderson Sep 08 '20 at 01:27
  • @David Anderson, It's totally irrelevant from where you run rEFInd as it still has to be installed, it's not a part of macOS and cannot disable SIP from normal mode boot of macOS. That said, in this particular case SIP does not even need to be disabled as the files/folders can be deleted by deleting the various .Trashes and .Trash directories from Terminal in macOS Recovery without disabling SIP and then reboot back to normal mode boot and those directories will be recreated. So rEFInd isn't even needed here. – user3439894 Sep 08 '20 at 01:44
  • Sorry, I did not realize that you updated your answer before posting my last comment. – David Anderson Sep 08 '20 at 01:57
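The Recovery-Terminal cleanup the answer describes, written out as an added example (not code from the answer or from Apple): it reads the text that csrutil status prints, lists the volume-level .Trashes and per-user .Trash directories under a mounted volume root such as /Volumes/Macintosh HD, and removes them so a normal boot recreates them. The volume root and the sample csrutil output are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes the target volume
# is mounted (in macOS Recovery it appears under /Volumes/<name>) and that
# the caller passes that root path in; nothing here touches SIP itself.

# Classify the text printed by `csrutil status` (passed as $1).
# Returns 0 when SIP is enabled, 1 when disabled, 2 when unrecognised.
sip_state() {
    case "$1" in
        *"status: enabled"*)  return 0 ;;
        *"status: disabled"*) return 1 ;;
        *)                    return 2 ;;
    esac
}

# Print the trash directories under volume root $1, one per line:
#   <root>/.Trashes        volume-level trash (one subdirectory per uid)
#   <root>/Users/*/.Trash  per-user trash inside each home directory
list_trash_dirs() {
    root="$1"
    [ -d "$root/.Trashes" ] && printf '%s\n' "$root/.Trashes"
    for home in "$root"/Users/*/; do
        [ -d "${home}.Trash" ] && printf '%s\n' "${home}.Trash"
    done
    return 0
}

# Remove every directory list_trash_dirs reports for volume root $1.
# Finder recreates .Trashes/.Trash on the next normal boot, as the answer
# notes. Set DRY_RUN=1 to only print what would be removed.
purge_trash_dirs() {
    list_trash_dirs "$1" | while IFS= read -r dir; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would remove: $dir"
        else
            rm -rf "$dir"
        fi
    done
}
```

Run `DRY_RUN=1 purge_trash_dirs "/Volumes/Macintosh HD"` first to confirm only trash directories are listed before running it for real.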