dd operation not permitted, how to escape sandbox?
I'm trying to recover a bad sector on my disk, and in doing so, need to write over the bad sector. Numerous sources on the web suggest using dd to do so, but doing so does not work:
$ sudo dd if=/dev/zero of=/dev/disk1 bs=512 count=1 seek=961575240
dd: /dev/disk1: Operation not permitted
$
I figured maybe there was some sort of check about doing this to a mounted filesystem, so I booted into single-user mode (which at least leaves is in read-only mode), but I still get the same error. Some additional messages about sandboxing are also displayed however.
Sandbox: dd(5) System Policy: deny(1) file-write-data /dev/disk1
Sandbox: dd(5) System Policy: deny(1) file-write-data /dev/disk1
Is there a way to allow dd out of the sandbox? I tried
sudo sandbox-exec -p '(version 1) (allow default)' /bin/dd if=/dev/zero of=/dev/disk1 bs=512 count=1 seek=961575240
but that still gave the operation not permitted error.
This is on OS X 10.11 GM
I don't have a sacrificial computer to test this on, but I think you're running into the System Integrity Protection feature in El Capitan. Mostly, what SIP does is prevent you (even as root) from modifying system areas of the disk (/System, /sbin, /bin/ most of /usr, etc), messing with system processes, loading improperly signed kexts, etc. But in order to enforce that protection of system folders, it also prevents raw writes to the device the system volume is on. Yes, even if you're root (that's the point -- it's to limit the damage from malware that gets root access).
I think this limit won't apply in recovery mode. Hold Command-R as the computer starts, and it'll boot from a hidden emergency partition. Open Terminal (it's under the Utilities menu), and try the dd
from there. dd
might not exist on the recovery system (it's pretty minimal), but you can use /Volumes/Macintosh\ HD/bin/dd
instead. You won't need sudo
, you're already root.
If that doesn't work, try disabling SIP with csrutil disable
, then rebooting normally (see Apple's doc on configuring SIP). Then, when you're done, I'd recommend reenabling it -- it's a useful security feature.
In my case I just had to change my ”System Preferences > Security & Privacy > Full Disk Access > Terminal“ or iTerm2.
After that dd
worked fine without changing SIP/root or +r.