Terminal command to tell if a macOS directory is SIP-protected

Starting with El Capitan (OS X 10.11), Apple began using System Integrity Protection (SIP) in macOS, so that certain directories would not be writable, even by root. Here’s a quick reference for a couple of commands you can use to see if a directory or file is SIP-protected, as that may change from macOS version to macOS version.

Method 1

ls -lO (that’s a lowercase L, followed by a capital o, not the number 0), and look for restricted.

Example: ls -lO /Library/Updates/
total 2224
-rw-r--r--@ 1 root wheel restricted 181 Jul 29 10:22 PPDVersions.plist
-rw-r--r--@ 1 root wheel restricted 1130219 Jul 29 10:22 ProductMetadata.plist
-rw-r--r-- 1 root wheel restricted 260 Jul 29 10:17 index.plist

Method 2

xattr -l (that’s a lowercase L) followed by the name of the directory. Look for com.apple.rootless in the output.

Example: xattr -l /Library/Updates/
com.apple.rootless: SoftwareUpdate
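
Both checks combined into one helper, as an added example that is not part of the original post. The function names are hypothetical, and the -d and -n options passed to ls are additions here: -d reports on the directory itself rather than its contents, and -n prints numeric owner and group IDs so the flags stay in the fifth column.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# has_restricted_flag LINE
# LINE is one line of `ls -lnO` output. Succeeds only if the flags column
# (5th field) lists "restricted". Checking the column rather than the whole
# line avoids a false hit on a file that is merely named "restricted".
has_restricted_flag() {
    printf '%s\n' "$1" | awk '
        { n = split($5, flags, ",")
          for (i = 1; i <= n; i++) if (flags[i] == "restricted") found = 1 }
        END { exit !found }'
}

# rootless_value TEXT
# TEXT is `xattr -l` output. Prints the value of com.apple.rootless and
# succeeds if the attribute is present; fails if it is absent.
rootless_value() {
    printf '%s\n' "$1" | awk '
        index($0, "com.apple.rootless:") == 1 {
            sub(/^com\.apple\.rootless:[ ]?/, ""); print; found = 1; exit }
        END { exit !found }'
}

# sip_check PATH (run on macOS)
# Assumptions beyond the post: -d makes ls report on PATH itself instead of
# its contents, and -n prints numeric owner/group IDs so a name containing
# spaces cannot shift the flags out of the 5th column.
sip_check() {
    line=$(ls -ldnO "$1") || return 2
    attrs=$(xattr -l "$1" 2>/dev/null) || attrs=''
    if has_restricted_flag "$line"; then flag=yes; else flag=no; fi
    label=$(rootless_value "$attrs") || label='(none)'
    printf '%s: restricted flag=%s, com.apple.rootless=%s\n' "$1" "$flag" "$label"
}

# Usage on a Mac: sip_check /Library/Updates
```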

Special thanks to @revolize and @Magneto on the MacAdmins Slack!




