Page History

macOS security

Nigel Stanger edited this page 12 days ago

Clone this wiki locally

Turn off System Integrity Protection (SIP)

See instructions here:

The short version is to boot into single user mode/recovery, then csrutil (en|dis)able; reboot.

You can check SIP status with csrutil status.

Remotely reboot encrypted Mac

If the boot volume is encrypted with FileVault, the system requires user authentication to decrypt the volume before it can boot. This is a problem if you reboot the machine remotely, because none of the useful servers (SSH, VNC) are running yet.

sudo fdesetup authrestart -delayminutes -1 caches the authentication/decryption credentials and restarts the machine. -delayminutes -1 means you can reboot at your discretion, otherwise it will reboot in the specified number of minutes. Enter the FileVault recovery key when asked (you have it your password manager, right?). It seems to imply you can use user authentication as well, but I haven’t tried this.


Remove quarantine attribute

Sometimes apps get stuck with this attached, which causes them to be excessively sandboxed.

sudo xattr -r -d *app bundle*

Apple-provided find (in /usr/bin) has -xattr and -xattrname primaries that are handy for doing a bunch at once:

# -0 because stupid Mac file naming
/usr/bin/find . -xattrname -print0 | xargs -0 sudo xattr -r -d

Gnu find doesn’t have these.

Repair permissions under El Capitan and later

Disk Utility no longer provides this. Run it from the command line instead:

Verify: sudo /usr/libexec/repair_packages --verify --standard-pkgs /

Repair: sudo /usr/libexec/repair_packages --repair --standard-pkgs --volume /