PSA: Running Mac OS X csrutil Without a Recovery OS Partition

This blog post contains my notes for advanced users (Mac OS software developers and IT staff), not end-users.

Starting with Mac OS X El Capitan (10.11), some low-level system operations, like setting the NVRAM, are restricted by default by System Integrity Protection (SIP), which is controlled by the csrutil command.

However, the csrutil disable (or enable) command can only be run in a terminal after booting into a recovery OS partition (officially) or an installer (works for me, see below).

Machines with a cloned OS often don’t have a recovery partition, or if they do, it doesn’t show up in the Startup Manager interfaces.

Even when there is a hidden recovery OS partition, software versions starting with El Capitan have removed the Disk Util Debug menu option that enabled a hidden recovery OS partition (apparently to hide the EFI partitions). (Leave a note if you’ve used an older version of Diskutil to enable it. 🙂 )

You have 5 options of varying difficulty to choose from if you don’t want to do a full re-install of Mac OS X:

1) not that ez – install (i.e. fix) your recovery partition, as recommended in most Internet how-tos. Good luck, since most of the how-tos are incoherent. A suggestion would be to find one that talks about only one OS, preferably yours, instead of 4 or 5 versions.
2) ez – boot into a USB Mac OS El Capitan (or higher) installer, but don’t install. Just open the OS X Utilities ... Terminal menu and try csrutil disable. This worked for me, but if not, #5 below also worked for me.
3) didn’t try – install the recovery partition to an external drive. My understanding is that this is intended for the Mac mini. Supposed to be ez.
4) didn’t try – try booting into a Lion installer and use the old Diskutil with debug mode to enable the hidden recovery HD partition. If you want to try that, boot into a Lion installer then open Terminal and type the following command, then open Diskutil last:

$ defaults write com.apple.DiskUtility DUDebugMenuEnabled 1

5) super ez – boot into a USB installer, use Utilities … Diskutil … resize your original drive for a new 25 GB OS partition and install to it. Since you’re doing a fresh install, a recovery HD partition will be automatically created. Boot into that with Option+R, run csrutil disable, and reboot again to activate. This sounds kind of roundabout, but is really easy, idiot-proof, and worked for me.

You’ll end up with something like this:

$ diskutil list
/dev/disk0 (internal, physical):
#:                  TYPE NAME         SIZE     IDENTIFIER
0: GUID_partition_scheme             *500.1 GB disk0
1:                   EFI EFI          209.7 MB disk0s1
2:             Apple_HFS HardDisk     474.6 GB disk0s2
3:            Apple_Boot Recovery HD  650.0 MB disk0s3 # can't see
4:             Apple_HFS Untitled      24.0 GB disk0s4
5:            Apple_Boot Recovery HD  650.0 MB disk0s5 # from option #5
$ csrutil disable
Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.
$ csrutil status
System Integrity Protection status: disabled.

Of course, when you’re done, run csrutil enable because that’s the default, and it protects the NVRAM from malware.
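
To confirm afterwards that SIP really is back on, and to see which recovery partitions a (possibly cloned) disk has, the two command outputs shown above can be checked by a script. This is an added example, not part of the original post: the function names (recovery_partitions, sip_state, audit) and the SAMPLE_* text are constructed for illustration, and the sample is used only when csrutil and diskutil are not installed.

```shell
#!/bin/sh
# Added example: audit SIP state and recovery partitions from command output.

# Constructed sample input, modelled on the listing in this post.
SAMPLE_CSR='System Integrity Protection status: disabled.'
SAMPLE_DISKS='/dev/disk0 (internal, physical):
   #:                  TYPE NAME         SIZE     IDENTIFIER
   0: GUID_partition_scheme             *500.1 GB disk0
   1:                   EFI EFI          209.7 MB disk0s1
   2:             Apple_HFS HardDisk     474.6 GB disk0s2
   3:            Apple_Boot Recovery HD  650.0 MB disk0s3
   4:             Apple_HFS Untitled      24.0 GB disk0s4
   5:            Apple_Boot Recovery HD  650.0 MB disk0s5'

# stdin: `diskutil list` output. Prints the identifier of every Apple_Boot row.
recovery_partitions() {
    awk '$2 == "Apple_Boot" {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^disk[0-9]+s[0-9]+$/) print $i
    }'
}

# stdin: `csrutil status` output. Prints the text after "status:" without the
# trailing period, so anything other than plain "enabled" stays distinguishable.
sip_state() {
    sed -n 's/^System Integrity Protection status: \(.*[^.]\)\.*$/\1/p' | head -n 1
}

# $1 = csrutil status text, $2 = diskutil list text.
# Prints a one-line report; returns 0 only when SIP is fully enabled.
audit() {
    state=$(printf '%s\n' "$1" | sip_state)
    parts=$(printf '%s\n' "$2" | recovery_partitions | tr '\n' ' ')
    echo "SIP: ${state:-unknown}; recovery partitions: ${parts:-none}"
    [ "$state" = "enabled" ]
}

warn() { echo "WARNING: SIP is not fully enabled; run csrutil enable from recovery"; }

if command -v csrutil >/dev/null 2>&1 && command -v diskutil >/dev/null 2>&1; then
    audit "$(csrutil status)" "$(diskutil list)" || warn
else
    audit "$SAMPLE_CSR" "$SAMPLE_DISKS" || warn   # constructed sample
fi
```
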

Terminology: “recovery OS partition” and “recovery HD partition” refer to the same thing, but the first is conceptual and the second is an actual disk partition that is intended for recovery and contains the recovery OS.

Also, “Disk Util” is the Mac OS app, “Diskutil” is the on-boot menu option and “diskutil” is the CLI program. Again, the names vary, but they all do the same thing and are available in different environments.