MacOS – Cannot change permissions on com.apple.Boot.plist

macos permission

I am trying to set the permissions on the Boot.plist file (located in /Library/Preferences/SystemConfiguration) and it won't let me. I have clicked the lock and entered my password in Finder, and when I try to edit the permissions it says that I don't have the necessary permissions. When I try to do it with sudo chmod, it says that I can't change the file permissions. (I can use sudo just fine.) I've also tried using sudo vi and it won't let me save it. I have tried using first aid too. I am running El Capitan on a MacBook Pro Retina 13 inch early 2013.

Best Answer

You're running into System Integrity Protection (SIP), which prevents modification of various system files and directories when it is enabled (which it is by default in El Capitan (OSX 10.11)). It is meant to provide more security from malware that attempts to modify the system for its own uses.

SIP can be disabled if need be and disabling it would allow changes to be made to the files and directories that are normally protected by SIP. Since Apple intends for these protected items to not be modified by anyone other than Apple (or other validated signers approved by Apple for particular software produced by them) I have my doubts about whether, once the permissions were modified, SIP could be reenabled without disabling execution of the machine (disabled "temporarily" by software, not by permanently disabling the hardware). So it comes down to weighing whether one wants to disable SIP to make certain modifications that could not be made otherwise or decide that those modifications are not important enough to disable SIP's protections. (One reason one may want to disable SIP would be to allow certain programs to run on the machine that will not run with SIP enabled.) I could be wrong here but I believe that disabling SIP's protections would reduce security no more than if one stuck with Yosemite (OSX 10.10) which doesn't have SIP enabled as fully as El Capitan. Also, Apple provides a warning that if SIP is disabled you will be running an unsupported configuration that is likely to break in the future and leave your machine in an unknown state.

So the first part is determining whether to disable or enable SIP based on your own situation and considering the various pros and cons. If one decides to disable SIP it can only be done in the Recovery console (that's not quite true but in general it is; there are other ways for machines that can't be booted into the Recovery console). The steps are:

  • Restart the machine and boot into the Recovery Console which is done by holding the Command and R keys down when restarting. (I'd like to add that if you didn't know how to get into the Recovery console then you probably shouldn't be doing this anyway.)
  • Open the Terminal Program by selecting Terminal in the Utilities menu.
  • Within Terminal enter the line

    csrutil disable
    
  • Reboot the machine either by restarting from the Apple Menu or by entering the following command in Terminal:

    reboot
    
  • After rebooting the machine you can check to see if SIP is disabled by invoking Terminal and entering:

    csrutil status
    

    which should display the following:

    System Integrity Protection status: enabled (Custom Configuration).  
    
    Configuration:  
       Apple Internal: disabled  
       Kext Signing: disabled  
       Filesystem Protections: disabled  
       Debugging Restrictions: disabled  
       DTrace Restrictions: disabled  
       NVRAM Protections: disabled  
    
    This is an unsupported configuration, likely to break in the 
    future and leave your machine in an unknown state.
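
The following is an added example, not part of the original answer: a shell function that classifies csrutil status output like the listing above, so a configuration check can flag machines where SIP was left fully or partially off. The function name sip_state, its output labels and the variable SAMPLE_CUSTOM are made up for this example; the sample text is the listing quoted in the answer.

```shell
#!/bin/sh
# Classify `csrutil status` output read from stdin.
# Prints one of: enabled | disabled | custom:<comma-separated disabled items> | unknown
# (sip_state and these labels are hypothetical names chosen for this example.)
sip_state() {
    awk '
        /^System Integrity Protection status:/ {
            # Check for the custom case first: that line also says "enabled".
            if ($0 ~ /Custom Configuration/) state = "custom"
            else if ($0 ~ /status: enabled/)  state = "enabled"
            else if ($0 ~ /status: disabled/) state = "disabled"
        }
        # Per-component lines look like "   Kext Signing: disabled"
        /^[ \t]+[A-Za-z ]+: disabled[ \t]*$/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/: disabled[ \t]*$/, "", line)
            off = (off == "" ? line : off "," line)
        }
        END {
            if (state == "")            print "unknown"
            else if (state == "custom") print "custom:" off
            else                        print state
        }
    '
}

# Constructed sample input: the listing quoted in the answer above.
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
   Apple Internal: disabled
   Kext Signing: disabled
   Filesystem Protections: disabled
   Debugging Restrictions: disabled
   DTrace Restrictions: disabled
   NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the
future and leave your machine in an unknown state.'

# On a Mac:  csrutil status | sip_state
# Offline:   printf '%s\n' "$SAMPLE_CUSTOM" | sip_state
```

A status line that contains "enabled" is not enough on its own: the listing in the answer starts with "enabled (Custom Configuration)" while every component is reported as disabled, which is why the function checks for the custom case first.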
    