How to recreate /usr/local with SIP/rootless mode on El Capitan?
With rootless mode enabled (a.k.a. System Integrity Protection) it turns out you can remove /usr/local but cannot recreate it:

    $ sudo rm -rf /usr/local
    $ sudo mkdir /usr/local
    mkdir: /usr/local: Operation not permitted

How to (re)create /usr/local or any such folder?
/usr/local has been both re-creatable and writable on El Capitan since 2015-10-21, when Apple released /System/Library/Sandbox/Compatibility.bundle version 12 in software update 031-40358 patching 10.11 and 10.11.1, and installed as part of the 10.11.2 update, 10.11.2 combo update, and 10.11.2 clean installs. You do not need to do anything special unless you have not updated to the latest point release of El Capitan.
A patched system will have a compatibility bundle version greater than or equal to 12 and show:

    iMac-TMP:~ joe$ grep /usr/local /System/Library/Sandbox/rootless.conf
    * /usr/local
    iMac-TMP:~ joe$ grep /usr/local /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
    /usr/local
    iMac-TMP:~ joe$ defaults read /System/Library/Sandbox/Compatibility.bundle/Contents/Info.plist CFBundleVersion
    12.0
    iMac-TMP:~ joe$
An unpatched system will have a compatibility bundle version less than 12.0 and will not have the /usr/local entry in /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths.
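The check described in this answer (bundle version at least 12 and a /usr/local line in the bundle's paths file), written as a small POSIX sh function. This is an added example, not code from the answer; the function and demo names are hypothetical, it takes the version string and the paths file as arguments so it runs against constructed files, and on a real El Capitan system you would pass the output of the defaults command and the real paths file shown above.

```shell
#!/bin/sh
# Added example (not from the original answer): decide whether an El Capitan
# install carries the Compatibility.bundle fix that makes /usr/local re-creatable.

# Print "patched" when the bundle version is >= 12 and the paths file lists
# /usr/local exactly; print "unpatched" in every other case (including an
# unreadable file or an unparsable version string, which we treat conservatively).
usr_local_sip_status() {
    version="$1"      # e.g. $(defaults read .../Compatibility.bundle/Contents/Info.plist CFBundleVersion)
    paths_file="$2"   # e.g. /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
    major="${version%%.*}"   # "12.0" -> "12"
    case "$major" in
        ''|*[!0-9]*) echo "unpatched"; return 0 ;;   # not a number: cannot be trusted as patched
    esac
    if [ "$major" -ge 12 ] && grep -qx '/usr/local' "$paths_file" 2>/dev/null; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# Demo on constructed sample files: one bundle at version 12 that lists /usr/local,
# one older bundle whose paths file lacks the entry. These contents are made up
# for illustration and are not the real file contents.
demo_usr_local_sip_status() {
    tmp=$(mktemp -d)
    printf '%s\n' '/usr/local' '/constructed/other/entry' > "$tmp/paths_v12"
    printf '%s\n' '/constructed/other/entry' > "$tmp/paths_old"
    echo "12.0 with /usr/local listed: $(usr_local_sip_status 12.0 "$tmp/paths_v12")"
    echo "11.0 with /usr/local listed: $(usr_local_sip_status 11.0 "$tmp/paths_v12")"
    echo "12.0 without the entry:      $(usr_local_sip_status 12.0 "$tmp/paths_old")"
    rm -rf "$tmp"
}

demo_usr_local_sip_status
```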
The simplest and most secure way is to:

- reboot into recovery (CMD+R)
- start Disk Utility
- from the menu, select Macintosh HD and either Unlock if encrypted, otherwise Mount
- once Macintosh HD is mounted, close Disk Utility
- start a Terminal from the Disk Utility menu
Now run the following commands:

    mkdir "/Volumes/Macintosh HD/usr/local"
    chflags norestricted "/Volumes/Macintosh HD/usr/local"
    ls -lOd "/Volumes/Macintosh HD/usr/local"
    drwxr-xr-x 2 root wheel - 68 17 Mar 09:24 /Volumes/Macintosh HD/usr/local
    exit
Or, as one simple command (the ls output line is not part of the command):

    mkdir "/Volumes/Macintosh HD/usr/local"; chflags norestricted "/Volumes/Macintosh HD/usr/local"; ls -lOd "/Volumes/Macintosh HD/usr/local"; exit
Finally, quit Terminal and reboot into OS X.
References:
- https://openradar.appspot.com/23093676
- https://github.com/Homebrew/legacy-homebrew/issues/40837#issuecomment-120762533
- What is the "rootless" feature in El Capitan, really?