I am still suffering many pains related to my recent transition to a new MacBook that is running the latest Mac OS 10.15 Catalina OS.
Today I wasted hours learning about "System Integrity Protection" changes in Catalina that cause unix system utilities such as cron to get "Operation not permitted" errors when they try to access certain system paths.
This is described by Apple on this web page and provides a list of paths that are restricted:
System Integrity Protection includes protection for these parts of the system:I learned about this because any script and all child processes that are executed by cron will get "Operation not permitted" errors until you grant them access.
Apps that are pre-installed with OS X
- /System
- /usr
- /bin
- /sbin
- /var
Paths and apps that third-party apps and installers can continue to write to include:
- /Applications
- /Library
- /usr/local
Open "System Preferences" > "Security & Privacy" > "Privacy" > "Full Disk Access".
Open Finder, click "Go" > "Go to Folder...", type in the path that includes the utility in and drag the utility into the list to grant "Full Disk Access".
You have to go out of your way to add cron and each system utility and application to be granted "Full Disk Access".
See /System/Library/Sandbox/rootless.conf for a complete list of protected paths.
I understand that most Mac users aren't UNIX nerds and don't use these features. I understand that restricting access for these utilities has probably reduced the security risk from malware and cyberattacks.
I understand that most Mac users aren't UNIX nerds and don't use these features. I understand that restricting access for these utilities has probably reduced the security risk from malware and cyberattacks.
However, I still have to ask why does Apple make these radical changes in every new release of Mac OS and why do they not have clear documentation about the impacts and work-arounds? There must be UNIX nerds at Apple who experience these same pains and they could make sure that documentation is updated.
I can't find any way from the command-line to make these updates or to list which applications are granted access. I can only do it in the GUI with these exact steps. I also can't figure out how to modify the list of paths that are guarded by System Integrity Protection. I wish I could modify the list of paths that each utility and application are allowed to access. Please let me know if you figure out how these things.
No comments:
Post a Comment
Please be respectful of others when commenting.