How do I overcome "Operation not permitted" when attempting to edit a file as root (admin)? [duplicate]
Apple has introduced System Integrity Protection, also known as "rootless", with OS X 10.11, El Capitan. I understand this is a step for general protection against malware but as a developer I need write access to some of the files it locks away.
How do I disable this protection?
Note: disabling System Integrity Protection is dangerous, and makes your system more vulnerable to malware.
As Apple puts it in the developer documentation about SIP:
Warning
Disable SIP only temporarily to perform necessary tasks, and reenable it as soon as possible. Failure to reenable SIP when you are done testing leaves your computer vulnerable to malicious code.
If you are simply trying to configure system development tools such as vim, python2, ruby and so on, you almost certainly want to be just installing community-maintained versions from Homebrew and configuring those instead. The system-provided tools may be convenient to bootstrap, but if you require SIP exceptions for your daily workflow you are almost certainly doing things in a way which will break in a future version of the operating system, and may break applications and other system functionality in the meanwhile.
Valid reasons to disable SIP yourself might be:
- if you're doing research on malware yourself in a disposable environment, such as in a macOS virtual machine
- if you are attempting to modify core operating system functionality for deployment in a highly-specialized environment such as a public-facing kiosk
- if you require a legacy kernel extension such as MacFUSE on an M1 Mac
Also important beyond the security implications is the fact that anything you do on a Mac with SIP disabled will not work on anyone else's Mac unless they also disable it first. If you're developing Mac apps, then your system becomes less useful as a testbed because you don't know if your code only works because you hacked your system. If you're developing for another platform such as deployment to a web server, then you can't share your development environment setup with other developers on your team without compromising their security as well.
Here's how to do it if you really need to:
Apple's documentation covers disabling SIP, About System Integrity Protection on your Mac and Configuring System Integrity Protection.
An article on lifehacker.com lists these steps:
- Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.
- Click Utilities > Terminal.
- In the Terminal window, type in csrutil disable and press Enter.
- Restart your Mac.
You can verify whether a file or folder is restricted by issuing this ls command, using the capital O (and not zero 0) to modify the long listing flag:
ls -lO /System /usr
Look for the restricted text to indicate where SIP is enforced.
By default (i.e. with SIP enabled), the following folders are restricted (see Apple Support page):
/System
/usr
/bin
/sbin
Apps that are pre-installed with OS X
... and the following folders are free:
/Applications
/Library
/usr/local
It's possible to disable SIP by booting to Recovery HD and running the following command:
csrutil disable
It is also possible to enable SIP protections and selectively disable aspects of it, by adding one or more flags to the csrutil enable command. All require being booted from Recovery in order to set them:
Enable SIP and allow installation of unsigned kernel extensions
csrutil enable --without kext
Enable SIP and disable filesystem protections
csrutil enable --without fs
Enable SIP and disable debugging restrictions
csrutil enable --without debug
Enable SIP and disable DTrace restrictions
csrutil enable --without dtrace
Enable SIP and disable restrictions on writing to NVRAM
csrutil enable --without nvram
I also have a post available with more information about SIP:
System Integrity Protection – Adding another layer to Apple’s security model
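As an added example (not part of the answer above, and not Apple's or the answerer's code), here are two small POSIX sh checks for the state that answer describes: which entries in an ls -lO listing carry the restricted flag, and which protections a csrutil status report says are disabled after a csrutil enable --without ... configuration. The sample listing and status text below are constructed to imitate the real output; they were not captured from a machine, so treat the exact layout as an assumption.

```shell
#!/bin/sh
# Added example, not from the answer above. Parses constructed sample text that
# imitates `ls -lO` and `csrutil status` output; the samples are not real captures.

# Constructed sample of `ls -lO /usr` on a SIP-enabled Mac. In `ls -lO`
# output the file flags appear in the fifth column; "-" means no flags.
SAMPLE_LS='drwxr-xr-x   39 root  wheel  restricted   1248 Jan  1  2020 bin
drwxr-xr-x    2 root  wheel  restricted     64 Jan  1  2020 lib
drwxr-xr-x   15 root  wheel  -             480 Jan  1  2020 local
drwxr-xr-x  250 root  wheel  restricted   8000 Jan  1  2020 sbin'

# Constructed sample of `csrutil status` after `csrutil enable --without kext`.
SAMPLE_STATUS_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled'

# Constructed sample of `csrutil status` with SIP fully enabled.
SAMPLE_STATUS_OK='System Integrity Protection status: enabled.'

# Print the names of entries whose flags column contains "restricted",
# one per line. $1 is the text of an `ls -lO` listing.
restricted_entries() {
  printf '%s\n' "$1" | awk '$5 ~ /restricted/ { print $NF }'
}

# Print each SIP protection that `csrutil status` reports as disabled.
# "Apple Internal" is reported as disabled on every Mac outside Apple, so it
# is skipped; anything else printed here is a real weakening of SIP.
disabled_protections() {
  printf '%s\n' "$1" | awk -F': ' '
    /: disabled$/ {
      name = $1
      sub(/^[ \t]+/, "", name)
      if (name != "Apple Internal") print name
    }'
}

# Succeed (exit 0) only when the status header reports SIP fully enabled,
# i.e. "enabled." with no "(Custom Configuration)" suffix.
sip_fully_enabled() {
  printf '%s\n' "$1" | head -n 1 | grep -q 'status: enabled\.$'
}

# Stand-alone demo over the samples. On a real Mac you would pass in
# "$(ls -lO /usr)" and "$(csrutil status)" instead of the sample strings.
echo "restricted under /usr: $(restricted_entries "$SAMPLE_LS" | tr '\n' ' ')"
if sip_fully_enabled "$SAMPLE_STATUS_CUSTOM"; then
  echo "SIP fully enabled"
else
  echo "SIP weakened, disabled: $(disabled_protections "$SAMPLE_STATUS_CUSTOM" | tr '\n' ' ')"
fi
```

The useful part for a fleet is disabled_protections: a machine that was meant to be re-enabled after testing but still reports anything other than an empty list here is exactly the "forgot to reenable SIP" case Apple's warning describes.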
If the goal is to really just disable System Integrity Protection then booting into the Recovery HD partition as previously recommended in the other answers here via Command+r on boot is not the fastest way to do this.
You can combine single user mode boot with recovery HD boot in an undocumented startup key combination:
- https://support.apple.com/en-us/HT204904 covers normal recovery
- hold Command+r+s to boot into Single User Recovery Mode.
This gets you just into the bare minimum environment that is needed for this directly.
It would be safer to modify /etc/paths so that /usr/local/bin is merely before /usr/bin. That way you can do your development work within /usr/local/bin without having to disable SIP.
Clean installations of the OS have ordered /etc/paths
this way since El Capitan, but if you were upgrading the OS from Yosemite or earlier, you'd have to modify the path order manually.
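As an added example (not part of the answer above), this POSIX sh snippet checks whether an /etc/paths-style file lists /usr/local/bin ahead of /usr/bin, which is the ordering the answer recommends. macOS's path_helper assembles PATH from the lines of /etc/paths in file order, so an earlier line shadows a later one. The two sample file contents are constructed for the demo; only the live check at the end reads a real /etc/paths, and only if one exists.

```shell
#!/bin/sh
# Added example, not from the answer above: verify that /usr/local/bin precedes
# /usr/bin in /etc/paths-style content. Samples are constructed, not copied
# from a particular system.

# Constructed sample in the order a clean El Capitan install uses.
PATHS_NEW='/usr/local/bin
/usr/bin
/bin
/usr/sbin
/sbin'

# Constructed sample in the older order an upgraded system may still carry.
PATHS_OLD='/usr/bin
/bin
/usr/sbin
/sbin
/usr/local/bin'

# Print the 1-based line number of an exact directory entry, or nothing
# if the entry is absent. $1 is the file contents, $2 the directory.
line_of() {
  printf '%s\n' "$1" | awk -v want="$2" '$0 == want { print NR; exit }'
}

# Succeed when /usr/local/bin appears before /usr/bin in the given contents;
# fail if either entry is missing or the order is reversed.
local_bin_first() {
  local_line=$(line_of "$1" /usr/local/bin)
  usr_line=$(line_of "$1" /usr/bin)
  [ -n "$local_line" ] && [ -n "$usr_line" ] && [ "$local_line" -lt "$usr_line" ]
}

# Live check against the real file when present (macOS); skipped elsewhere.
if [ -r /etc/paths ]; then
  if local_bin_first "$(cat /etc/paths)"; then
    echo "/etc/paths: /usr/local/bin is searched before /usr/bin"
  else
    echo "/etc/paths: /usr/bin is searched first, or an entry is missing"
  fi
fi
```

Because this ordering makes whatever sits in /usr/local/bin shadow the system tool of the same name, it is worth keeping that directory owned by an admin user rather than world-writable when you adopt it.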
If all you need is to access /usr/local, take a look at this page: http://web.archive.org/web/20160117204214/https://github.com/Homebrew/homebrew/blob/master/share/doc/homebrew/El_Capitan_and_Homebrew.md
The idea is to temporarily disable SIP using csrutil disable, add /usr/local, and use chflags to set that directory to non-restricted:
sudo mkdir /usr/local && sudo chflags norestricted /usr/local && sudo chown -R $(whoami):admin /usr/local
and then re-enable SIP using csrutil enable.
If /usr/local already exists at the time of your upgrade, then even the above isn't necessary. You can simply run
sudo chown -R $(whoami):admin /usr/local