MacOS – Os X El Capitan: will System Integrity Protection patch .AppleSetupDone exploit/hack

macosSecurity

I'm unsure whether this was possible in OS X Yosemite, however OS X Mavericks has a security flaw in which : Should a individual have physical access to a computer, he need only launch in Single User Mode, mount the hard drive and remove the file ".AppleSetupDone" in the Directory "/var/db/". In doing so, tricking the computer into thinking it is its first ever launch and allowing the individual to setup a new Admin account.

OS X El Capitan apparently has this new security feature known as System Integrity Protection, which limits root access to an array of Directories including: /system, /bin, /sbin, /usr, /etc, /tmp and /var.

My Question is:

Will System Integrity Protection protect the executable .AppleSetupDone from deletion, and the subsequent exploit?

Best Answer

No. .AppleSetupDone isn't an executable, it's just an empty file. SIP does not include /tmp or /var. These are directories that need to remain write able during normal use.

Background

My environment

Host

Windows 10
VMWare Workstation 12 (patched to run macOS)

Guest

macOS High Sierra 10.13.4

I originally tried adding macosguest.forceRecoveryModeInstall = "TRUE" to my .vmx config. This allowed me to boot into recovery and could disable SIP but then I couldn't get the VM to boot normally, even after removing that line.

The solution to this problem I found was to just delete the .nvram file. Unfortunately, that's where the flag to disable SIP is stored so when my VM came back up SIP was enabled again.

My Solution

From the Terminal, run the following commands (thanks to G5tube for this suggestion)
```
 sudo nvram "recovery-boot-mode=unused"
 sudo reboot recovery
```
The second command will reboot your Mac instantly, so better save any unfinished work first.
Once the Mac has rebooted into the Recovery / Installer system (you may have to choose your language first): From the menu bar, click Utilities > Terminal
Run csrutil disable from the terminal, followed by reboot
Once your VM has rebooted normally you can verify that SIP was disabled by opening a terminal and running csrutil status

To turn SIP back on, follow the same steps as above but run csrutil enable at the recovery terminal instead.

MacOS – Permanently Disabling System Integrity Protection

There should be no extra step required - in fact, reading through the excellent article linked from that question, I found this…

Because SIP’s configuration is stored in NVRAM, SIP’s protection settings will apply to the entire machine and will persist even if the OS is reinstalled.

This would perhaps imply your NVRAM is not correctly holding data -
perhaps try a reset, Cmd ⌘ Opt ⌥ P R at the chimes & keep holding until you hear the chimes a second time.

Source : System Integrity Protection – Adding another layer to Apple’s security model

If after resetting NVRAM one time, you can’t make SIP status stick the next steps are to repair and wipe your drive and then seek hardware service is a freshly erased and reinstalled OS won’t allow you to disable SIP.