I am trying to set the permissions on the Boot.plist file (Located in /Library/Preferences/SystemConfiguration) and it won't let me. I have clicked the lock and entered my password in Finder, and when I try to edit the permissions it says that I don't have the necessary permissions. When I try to do it with sudo chmod
, it says that I can't change the file permissions. (I can use sudo just fine) I've also tried using sudo vi
and it won't let me save it. I have tried using first aid too. I am running El Capitan on a Macbook Pro Retina 13 inch early 2013.
MacOS – Cannot change permissions on com.apple.Boot.plist
macospermission
Best Answer
You're running into System Integrity Protection (SIP) that prevents modification of various system files and directories when it is enabled (which by default it is in El Capitan (OSX 10.11). It is meant to provide more security from malware that attempts to modify the system for its own uses.
SIP can be disabled if need be and disabling it would allow changes to be made to the files and directories that are normally protected by SIP. Since Apple intends for these protected items to not be modified by anyone other than Apple (or other validated signers approved by Apple for particular software produced by them) I have my doubts about whether, once the permissions were modified, SIP could be reenabled without disabling execution of the machine (disabled "temporarily" by software, not by permanently disabling the hardware). So it comes down to weighing whether one wants to disable SIP to make certain modifications that could not be made otherwise or decide that those modifications are not important enough to disable SIP's protections. (One reason one may want to disable SIP would be to allow certain programs to run on the machine that will not run with SIP enabled.) I could be wrong here but I believe that disabling SIP's protections would reduce security no more than if one stuck with Yosemite (OSX 10.10) which doesn't have SIP enabled as fully as El Capitan. Also, Apple provides a warning that if SIP is disabled you will be running an unsupported configuration that is likely to break in the future and leave your machine in an unknown state.
So the first part is determining whether to disable or enable SIP based on your own situation and considering the various pros and cons. If one decides to disable SIP it can only be done in the Recovery console (that's not quite true but in general it is; there are other ways for machines that can't be booted into the Recovery console). The steps are:
Within Terminal enter the line
Reboot the machine either by restarting from the Apple Menu or by entering the following command in Terminal:
After rebooting the machine you can check to see if SIP is disabled by invoking Terminal and entering:
which should display the following: