I’m happy to announce developers can now programmatically disable Apple System Integrity Protection (SIP) on their Amazon EC2 Mac instances. System Integrity Protection (SIP), also known as rootless, is a security feature introduced by Apple in OS X El Capitan (2015, version 10.11). It’s designed to protect the system from potentially harmful software by restricting the power of the root user account. SIP is enabled by default on macOS.
SIP safeguards the system by preventing modification of protected files and folders, restricting access to system-owned files and directories, and blocking unauthorized software from selecting a startup disk. The primary goal of SIP is to address the security risk linked to unrestricted root access, which could potentially allow malware to gain full control of a device with just one password or vulnerability. By enforcing this protection, Apple aims to ensure a higher level of security for macOS users, especially considering that many users operate on administrative accounts with weak or no passwords.
While SIP provides excellent protection against malware for everyday use, developers might occasionally need to temporarily disable it for development and testing purposes. For example, when developing a new system driver or system extension, disabling SIP is necessary to install and test the code. Additionally, SIP might block access to certain system settings required for your software to function properly. Temporarily disabling SIP grants you the necessary permissions to fine-tune applications for macOS. However, it’s crucial to remember that this is akin to temporarily disabling the vault door for authorized maintenance, not leaving it permanently open.
Disabling SIP on a Mac requires physical access to the machine. You must restart the machine in recovery mode, then disable SIP with the csrutil command line tool, then restart the machine again.
Until today, you had to operate with the standard SIP settings on EC2 Mac instances. The physical access requirement and the need to boot in recovery mode made integrating SIP with the Amazon EC2 control plane and EC2 API challenging. But that’s no longer the case! You can now disable and re-enable SIP at will on your Amazon EC2 Mac instances. Let me show you how.
Let’s see how it works
Imagine I have an Amazon EC2 Mac instance started. It’s a mac2-m2.metal instance, running on an Apple silicon M2 processor. Disabling or enabling SIP is as simple as calling a new EC2 API: CreateMacSystemIntegrityProtectionModificationTask. This API is asynchronous; it starts the process of changing the SIP status on your instance. You can monitor progress using another new EC2 API: DescribeMacModificationTasks. All I need to know is the instance ID of the machine I want to work with.
Prerequisites
On Apple silicon based EC2 Mac instances and newer types of machines, before calling the new EC2 API, I must set the ec2-user user password and enable secure token for that user on macOS. This requires connecting to the machine and typing two commands in the terminal.

```
# on the target EC2 Mac instance
# Set a password for the ec2-user user
~ % sudo /usr/bin/dscl . -passwd /Users/ec2-user
New Password: (MyNewPassw0rd)

# Enable secure token, with the same password, for the ec2-user
# old password is the one you just set with dscl
~ % sysadminctl -newPassword MyNewPassw0rd -oldPassword MyNewPassw0rd
2025-03-05 13:16:57.261 sysadminctl[3993:3033024] Attempting to change password for ec2-user…
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] SecKeychainCopyLogin returned -25294
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] Failed to update keychain password (-25294)
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] - Done

# The error about the KeyChain is expected. I never connected with the GUI on this machine, so the Login keychain does not exist
# you can ignore this error. The command below shows the list of keychains active on this session
~ % security list
"/Library/Keychains/System.keychain"

# Verify that the secure token is ENABLED
~ % sysadminctl -secureTokenStatus ec2-user
2025-03-05 13:18:12.456 sysadminctl[4017:3033614] Secure token is ENABLED for user ec2-user
```
Change the SIP status
I don’t need to connect to the machine to toggle the SIP status. I only need to know its instance ID. I open a terminal on my laptop and use the AWS Command Line Interface (AWS CLI) to retrieve the Amazon EC2 Mac instance ID.

```
aws ec2 describe-instances --query "Reservations[].Instances[?InstanceType == 'mac2-m2.metal' ].InstanceId" --output text
i-012a5de8da47bdff7
```
Now, still from the terminal on my laptop, I disable SIP with the create-mac-system-integrity-protection-modification-task command:

```
echo '{"rootVolumeUsername":"ec2-user","rootVolumePassword":"MyNewPassw0rd"}' > tmpCredentials
aws ec2 create-mac-system-integrity-protection-modification-task \
  --instance-id "i-012a5de8da47bdff7" \
  --mac-credentials fileb://./tmpCredentials \
  --mac-system-integrity-protection-status "disabled" && rm tmpCredentials
{
    "macModificationTask": {
        "instanceId": "i-012a5de8da47bdff7",
        "macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
        "macSystemIntegrityProtectionConfig": {},
        "startTime": "2025-03-14T14:15:06Z",
        "taskState": "pending",
        "taskType": "sip-modification"
    }
}
```
After the task is started, I can check its status with the aws ec2 describe-mac-modification-tasks command.

```
{
    "macModificationTasks": [
        {
            "instanceId": "i-012a5de8da47bdff7",
            "macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
            "macSystemIntegrityProtectionConfig": {
                "debuggingRestrictions": "",
                "dTraceRestrictions": "",
                "filesystemProtections": "",
                "kextSigning": "",
                "nvramProtections": "",
                "status": "disabled"
            },
            "startTime": "2025-03-14T14:15:06Z",
            "tags": [],
            "taskState": "in-progress",
            "taskType": "sip-modification"
        },
        ...
```
The instance initiates the process and a series of reboots, during which it becomes unreachable. This process can take 60–90 minutes to complete. After that, when I see the status in the console becoming available again, I connect to the machine by SSH or EC2 Instance Connect, as usual.
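The two API calls above, wrapped so the asynchronous task is started and then polled until it finishes, as an added Python example written for this post (not AWS’s own code). It assumes that boto3’s `create_mac_system_integrity_protection_modification_task` takes the credentials JSON as a string under `MacCredentials`, that `describe_mac_modification_tasks` accepts `MacModificationTaskIds`, and that `successful` and `failed` are the terminal task states; the client is duck-typed so the logic can be exercised offline with a stub.

```python
import json
import time

# Assumed terminal values of taskState (the post only shows pending/in-progress).
TERMINAL_STATES = {"successful", "failed"}

def _field(obj, name):
    # boto3 normally returns PascalCase keys; the CLI output in the post shows
    # camelCase, so accept either spelling of the same field.
    return obj.get(name, obj.get(name[0].lower() + name[1:]))

def build_mac_credentials(username, password):
    """Same JSON document the post writes to tmpCredentials, kept in memory
    so the root volume password never lands in a file or in shell history."""
    return json.dumps({"rootVolumeUsername": username,
                       "rootVolumePassword": password})

def start_sip_task(ec2, instance_id, status, credentials):
    """Start the asynchronous SIP change; status is 'enabled' or 'disabled'."""
    resp = ec2.create_mac_system_integrity_protection_modification_task(
        InstanceId=instance_id,
        MacCredentials=credentials,  # assumed: JSON string, as fileb:// passes in the CLI
        MacSystemIntegrityProtectionStatus=status,
    )
    return _field(_field(resp, "MacModificationTask"), "MacModificationTaskId")

def wait_for_sip_task(ec2, task_id, poll_seconds=300, max_polls=24, sleep=time.sleep):
    """Poll until the task reaches a terminal state; returns (taskState, SIP status).
    The reboots take 60-90 minutes, so the defaults allow two hours before giving up."""
    state = None
    for _ in range(max_polls):
        resp = ec2.describe_mac_modification_tasks(MacModificationTaskIds=[task_id])
        task = _field(resp, "MacModificationTasks")[0]
        state = _field(task, "TaskState")
        if state in TERMINAL_STATES:
            cfg = _field(task, "MacSystemIntegrityProtectionConfig") or {}
            return state, _field(cfg, "Status")
        sleep(poll_seconds)
    raise TimeoutError(f"SIP task {task_id} still {state} after {max_polls} polls")

if __name__ == "__main__":
    import getpass
    import boto3  # imported here so the functions above are usable without AWS access
    ec2 = boto3.client("ec2")
    creds = build_mac_credentials("ec2-user", getpass.getpass("ec2-user password: "))
    task = start_sip_task(ec2, "i-012a5de8da47bdff7", "disabled", creds)
    print("SIP task", task, "finished:", wait_for_sip_task(ec2, task))
```

Re-enabling SIP once the driver or extension work is done is the same call with `"enabled"`, which also makes the stop/start behaviour described below explicit in your automation rather than something you rely on.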
```
➜ ~ ssh ec2-user@54.99.9.99
Warning: Permanently added '54.99.9.99' (ED25519) to the list of known hosts.
Last login: Mon Feb 26 08:52:42 2024 from 1.1.1.1

    ┌───┬──┐   __|  __|_  )
    │ ╷╭╯╷ │   _|  (     /
    │ └╮ │ │  ___|\___|___|
    │ ╰─┼╯ │
    └───┴──┘  Amazon EC2
              macOS Sonoma 14.3.1

➜ ~ uname -a
Darwin Mac-mini.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:27 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T8103 arm64

➜ ~ csrutil --status
System Integrity Protection status: disabled.
```
When to disable SIP
Disabling SIP should be approached with caution because it opens up the system to potential security risks. However, as I mentioned in the introduction of this post, you might need to disable SIP when developing system drivers or kernel extensions for macOS. Some older applications might also not function correctly when SIP is enabled.
Disabling SIP is also required to turn off Spotlight indexing. Spotlight helps you quickly find apps, documents, emails and other items on your Mac. It’s very convenient on desktop machines, but not so much on a server. When there is no need to index your documents as they change, turning off Spotlight will release some CPU cycles and disk I/O.
Things to know
There are a few more things to know about disabling SIP on Amazon EC2 Mac:
- Disabling SIP is available through the API and AWS SDKs, the AWS CLI, and the AWS Management Console.
- On Apple silicon, the setting is volume based. So if you replace the root volume, you need to disable SIP again. On Intel, the setting is Mac host based, so if you replace the root volume, SIP will still be disabled.
- After disabling SIP, it will be enabled again if you stop and start the instance. Rebooting an instance doesn’t change its SIP status.
- SIP status isn’t transferable between EBS volumes. This means SIP will be disabled again after you restore an instance from an EBS snapshot or if you create an AMI from an instance where SIP is enabled.
These new APIs are available in all Regions where Amazon EC2 Mac is available, at no additional cost. Try them today.