Thread by @EBADTWEET, If you're trying to mount the root volume as writeable on macOS [...]

Damien Sorresso

EBADTWEET

If you're trying to mount the root volume as writeable on macOS Big Sur, here's some stuff to know.

1. The root volume is now a cryptographically sealed apfs snapshot. Every single bit of the fsroot tree and file contents are verified when they are read from disk.

2. It is no longer possible to boot a "live" filesystem, that is, one which can be written to.

3. You can instead disable authentication of the root volume by booting to recovery and running `csrutil authenticated-root disable` in Terminal.

4. Once you've done that, you can mount the live version of the root filesystem, make modifications to that, and then make a new snapshot. You can then boot from that snapshot.

5. Synthetic symlinks and directories still work just fine in a Signed System Volume.

6. Mounting the live filesystem after disabling root authentication can be done via

$ sudo mount -o nobrowse -t apfs /dev/diskNsM /path/to/mntpoint

7. diskNsM can be obtained by running `mount`, looking for the root mount's device, and chopping off the last s, e.g. if your root is /dev/disk1s2s3, you'll mount /dev/disk1s2

8. The mount point is anything you choose. Once you've got the live mount at /path/to/mntpoint, you can modify stuff. After your modifications are complete, run

$ sudo bless --folder /path/to/mntpoint/System/Library/CoreServices --bootefi --create-snapshot

Then reboot, and you'll be booted from the new snapshot you created, with your modifications honored. Authentication is disabled.

Note that this leaves you open to evil maid attacks, so exercise care when using this workflow.

You can follow @EBADTWEET.

Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: