Skip to content

Instantly share code, notes, and snippets.

@darwin
Last active February 14, 2023 13:27
Show Gist options
  • Save darwin/8e9192f0f2996b0f77c103e6bade1d9f to your computer and use it in GitHub Desktop.
Save darwin/8e9192f0f2996b0f77c103e6bade1d9f to your computer and use it in GitHub Desktop.
TotalFinder: `csrutil enable --without debug --without fs` no longer works as expected under macOS 11.x
# in recovery mode
❯ csrutil enable --without debug
# note that prior macOS 11.0 this would disable "Debugging Restrictions"
# since macOS 11.0 it seems to be disabling "Apple Internal" and "Filesystem Protections"
❯ csrutil status
System Integrity Protection status: unknown (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: disabled
Debugging Restrictions: enabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled
This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
# in recovery mode
❯ csrutil disable --with kext --with dtrace --with nvram --with basesystem
# this seems to do what we wanted, not sure what Apple Internal does
❯ csrutil status
System Integrity Protection status: unknown (Custom Configuration).
Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled
This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
❯ sw_vers
ProductName: macOS
ProductVersion: 11.1
BuildVersion: 20C5048k
@petere
Copy link

petere commented Feb 27, 2021

My observation is that csrutil enable --without debug actually still works correctly. In my case, I'm using it to disable the disablement of the DYLD_* environment variables. I also see the wrong csrutil status output that you show. But I think it's actually the status output that is wrong, not what the enable/disable commands do.

@skull-squadron
Copy link

The workaround works on Monterey too. GJ.

@kayjeiem
Copy link

Does this mean one can install and use totalfinder with this workaround?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment