dd operation not permitted, how to escape sandbox?

I'm trying to recover a bad sector on my disk, and in doing so, need to write over the bad sector. Numerous sources on the web suggest using dd to do so, but doing so does not work:

$ sudo dd if=/dev/zero of=/dev/disk1 bs=512 count=1 seek=961575240
dd: /dev/disk1: Operation not permitted
$

I figured maybe there was some sort of check about doing this to a mounted filesystem, so I booted into single-user mode (which at least leaves it in read-only mode), but I still get the same error. Some additional messages about sandboxing are also displayed, however.

Sandbox: dd(5) System Policy: deny(1) file-write-data /dev/disk1
Sandbox: dd(5) System Policy: deny(1) file-write-data /dev/disk1

Is there a way to allow dd out of the sandbox? I tried

sudo sandbox-exec -p '(version 1) (allow default)' /bin/dd if=/dev/zero of=/dev/disk1 bs=512 count=1 seek=961575240

but that still gave the operation not permitted error.

This is on OS X 10.11 GM.
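The two Sandbox deny lines in the question are the trace a defender would look for in logs. As an added example (not code from the question or from Apple), here is a small parser for that message format that picks out denied data writes to disk device nodes; the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# One "Sandbox: <proc>(<pid>) System Policy: deny(<n>) <operation> <path>" line,
# the format of the single-user-mode messages quoted in the question.
DENY_RE = re.compile(
    r"^Sandbox:\s+(?P<proc>[^\s(]+)\((?P<pid>\d+)\)\s+System Policy:\s+"
    r"deny\((?P<code>\d+)\)\s+(?P<op>[\w-]+)\s+(?P<path>\S+)$"
)
# Whole-disk or partition device nodes: /dev/disk1, /dev/rdisk0s2, ...
RAW_DISK_RE = re.compile(r"^/dev/r?disk\d+(s\d+)*$")

@dataclass(frozen=True)
class SandboxDeny:
    process: str
    pid: int
    operation: str
    path: str

def parse_deny(line):
    """Parse one sandbox denial line; return None for any other line format."""
    m = DENY_RE.match(line.strip())
    if m is None:
        return None
    return SandboxDeny(m["proc"], int(m["pid"]), m["op"], m["path"])

def is_raw_disk_write(ev):
    """True when the denied operation was a data write straight to a disk device."""
    return ev.operation == "file-write-data" and RAW_DISK_RE.match(ev.path) is not None

def find_raw_disk_writes(lines):
    """Collect denied raw-disk writes, collapsing repeats of the same event
    (the question shows the dd denial logged twice)."""
    found = []
    for line in lines:
        ev = parse_deny(line)
        if ev is not None and is_raw_disk_write(ev) and ev not in found:
            found.append(ev)
    return found

# Constructed sample: the two lines from the question plus three that must not match.
SAMPLE_LOG = """\
Sandbox: dd(5) System Policy: deny(1) file-write-data /dev/disk1
Sandbox: dd(5) System Policy: deny(1) file-write-data /dev/disk1
Sandbox: backupd(77) System Policy: deny(1) file-write-data /Users/alice/notes.txt
Sandbox: fsck(9) System Policy: deny(1) file-read-data /dev/disk1s2
kernel: unrelated message""".splitlines()

for ev in find_raw_disk_writes(SAMPLE_LOG):
    print(f"{ev.process}[{ev.pid}] denied {ev.operation} on {ev.path}")
```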


I don't have a sacrificial computer to test this on, but I think you're running into the System Integrity Protection feature in El Capitan. Mostly, what SIP does is prevent you (even as root) from modifying system areas of the disk (/System, /sbin, /bin, most of /usr, etc.), messing with system processes, loading improperly signed kexts, etc. But in order to enforce that protection of system folders, it also prevents raw writes to the device the system volume is on. Yes, even if you're root (that's the point -- it's to limit the damage from malware that gets root access).

I think this limit won't apply in recovery mode. Hold Command-R as the computer starts, and it'll boot from a hidden emergency partition. Open Terminal (it's under the Utilities menu), and try the dd from there. dd might not exist on the recovery system (it's pretty minimal), but you can use /Volumes/Macintosh\ HD/bin/dd instead. You won't need sudo, you're already root.

If that doesn't work, try disabling SIP with csrutil disable, then rebooting normally (see Apple's doc on configuring SIP). Then, when you're done, I'd recommend reenabling it -- it's a useful security feature.


In my case I just had to change "System Preferences > Security & Privacy > Full Disk Access > Terminal" (or iTerm2).

After that dd worked fine without changing SIP/root or +r.