"restricted" folder/files in OS X El Capitan

Question

After upgrading from OS X Yosemite to OS X El Capitan Developer Preview, I tried to edit /System/Library/LaunchDaemons/ssh.plist to change the default SSH port to a custom one. This is the process I've been using for a couple of years.

The problem is that El Capitan doesn't allow me to change anything in this folder (not even with "sudo"). The folder and its files are marked as "restricted" when I list the contents with "ls -lO". The same folder listing in previous versions of OS X does not show "restricted".

Is this something new to OS X El Capitan? How can I edit files/folders that are "restricted"?

---

I found out this is due to a new feature introduced in El Capitan called "SIP" (System Intregrity Protection).

Read more here: https://forums.developer.apple.com/thread/4731?q=SIP

Unfortunately, no one suggested a way of editing "restricted" files/folders without actually disabling SIP.

Answer 1

You can also temporarily disable SIP the following way

1. reboot
2. as soon as you hear the "Mac sound" on the grey screen, press Cmd+R to enter Recovery mode
3. Open Utilities->Terminal
4. Run the command csrutil disable
5. Reboot, you'll land in the normal OS with SIP disabled
6. do all the changes you'd like to do
7. Reboot again
8. as soon as you hear the "Mac sound" on the grey screen, press Cmd+R to enter Recovery mode
9. Enable SIP with csrutil enable
10. Reboot again
11. done

Answer 2

Until 10.11 unprotects certain files in /System/Library or allows you to do it yourself, the only way without disabling SIP would be to make a different service by coping the file somewhere else, like:

sudo cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh.plist 

And then instead of using the Sharing panel in System Preferences, you would manage the service yourself:

sudo launchctl unload /Library/LaunchDaemons/ssh.plist sudo launchctl load -w /Library/LaunchDaemons/ssh.plist