How do I overcome "Operation not permitted" when attempting to edit a file as root (admin)? [duplicate]

Apple has introduced System Integrity Protection, also known as "rootless", with OS X 10.11, El Capitan. I understand this is a step for general protection against malware but as a developer I need write access to some of the files it locks away.

How do I disable this protection?


Note: disabling System Integrity Protection is dangerous, and makes your system more vulnerable to malware.

As Apple puts it in the developer documentation about SIP:

Warning

Disable SIP only temporarily to perform necessary tasks, and reenable it as soon as possible. Failure to reenable SIP when you are done testing leaves your computer vulnerable to malicious code.

If you are simply trying to configure system development tools such as vim, python2, ruby and so on, you almost certainly want to be just installing community-maintained versions from Homebrew and configuring those instead. The system-provided tools may be convenient to bootstrap, but if you require SIP exceptions for your daily workflow you are almost certainly doing things in a way which will break in a future version of the operating system, and may break applications and other system functionality in the meanwhile.

Valid reasons to disable SIP yourself might be:

  • if you're doing research on malware yourself in a disposable environment, such as in a macOS virtual machine
  • if you are attempting to modify core operating system functionality for deployment in a highly-specialized environment such as a public-facing kiosk
  • if you require a legacy kernel extension such as MacFUSE on an M1 mac

Also important beyond the security implications is the fact that anything you do on a mac with SIP disabled will not work on anyone else's mac unless they also disable it first. If you're developing mac apps, then your system becomes less useful as a testbed because you don't know if your code only works because you hacked your system. If you're developing for another platform such as deployment to a web server, then you can't share your development environment setup with other developers on your team without compromising their security as well.

Here's how to do it if you really need to:

Apple's documentation covers disabling SIP, About System Integrity Protection on your Mac and Configuring System Integrity Protection.

An article on lifehacker.com lists these steps:

  1. Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.
  2. Click Utilities > Terminal.
  3. In the Terminal window, type in csrutil disable and press Enter.
  4. Restart your Mac.

You can verify whether a file or folder is restricted by issuing this ls command using the capital O (and not zero 0) to modify the long listing flag:

ls -lO /System /usr 

Look for the restricted text to indicate where SIP is enforced.

By default (=SIP enabled), the following folders are restricted (see Apple Support page):

/System
/usr
/bin
/sbin
Apps that are pre-installed with OS X

... and the following folders are free:

/Applications
/Library
/usr/local

It's possible to disable SIP by booting to Recovery HD and running the following command:

csrutil disable

enter image description here

It is also possible to enable SIP protections and selectively disable aspects of it, by adding one or more flags to the csrutil enable command. All require being booted from Recovery in order to set them:

Enable SIP and allow installation of unsigned kernel extensions

csrutil enable --without kext

enter image description here

Enable SIP and disable filesystem protections

csrutil enable --without fs

enter image description here

Enable SIP and disable debugging restrictions

csrutil enable --without debug

enter image description here

Enable SIP and disable DTrace restrictions

csrutil enable --without dtrace

enter image description here

Enable SIP and disable restrictions on writing to NVRAM

csrutil enable --without nvram

enter image description here

I also have a post available with more information about SIP:

System Integrity Protection – Adding another layer to Apple’s security model


If the goal is to really just disable System Integrity Protection then booting into the Recovery HD partition as previously recommended in the other answers here via Command+r on boot is not the fastest way to do this.

You can combine single user mode boot with recovery HD boot in an undocumented startup key combination:

  • https://support.apple.com/en-us/HT204904 covers normal recovery
  • hold Command+r+s to boot into Single User Recovery Mode.

This gets you just into the bare minimum environment that is needed for this directly.


It would be safer to modify /etc/paths so that /usr/local/bin is merely before usr/bin. That way you can do your development work within /usr/local/bin without having to disable SIP.

Clean installations of the OS have ordered /etc/paths this way since El Capitan, but if you were upgrading the OS from Yosemite or earlier, you'd have to modify the path order manually.


If all you need is to access /usr/local, take a look at this page: http://web.archive.org/web/20160117204214/https://github.com/Homebrew/homebrew/blob/master/share/doc/homebrew/El_Capitan_and_Homebrew.md

The idea is to temporarily disable SIP using csrutil disable, add /usr/local, use chflags to set that directory to non-restricted

 sudo mkdir /usr/local && sudo chflags norestricted /usr/local && sudo chown -R $(whoami):admin /usr/local

and then re-enable SIP using csrutil enable.

If /usr/local already exists at the time of your upgrade, then even the above isn't necessary. You can simply run

sudo chown -R $(whoami):admin /usr/local