Friday, January 24, 2020

System Integrity Protection in Mac OS 10.15 causes Operation not permitted errors



I am still suffering many pains related to my recent transition to a new MacBook that is running the latest Mac OS 10.15 Catalina OS.

Today I wasted hours learning about "System Integrity Protection" changes in Catalina that cause UNIX system utilities such as cron to get "Operation not permitted" errors when they try to access certain system paths.

Apple describes this on this web page, which provides a list of the restricted paths:
System Integrity Protection includes protection for these parts of the system:
  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that are pre-installed with OS X
Paths and apps that third-party apps and installers can continue to write to include:
  • /Applications
  • /Library
  • /usr/local
I learned about this because any script and all child processes that are executed by cron will get "Operation not permitted" errors until you grant them access.

Open "System Preferences" > "Security & Privacy" > "Privacy" > "Full Disk Access".
Open Finder, click "Go" > "Go to Folder...", type in the path of the folder that contains the utility, and drag the utility into the list to grant it "Full Disk Access".

You have to go out of your way to add cron and each system utility and application to be granted "Full Disk Access".


See /System/Library/Sandbox/rootless.conf for a complete list of protected paths.
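
As an added example (not part of the original post and not Apple's code), this Python script reads rootless.conf and reports which rule covers a given path, using the most specific matching entry. The file layout it parses (an optional first field, tabs, then a path, with `*` marking an exception) and the sample entries are assumptions constructed for illustration.

```python
import posixpath

CONF_PATH = "/System/Library/Sandbox/rootless.conf"

# Constructed sample, not copied from a real system. Assumed layout: optional
# first field, tabs, path. Empty = protected, "*" = exception, other = label.
SAMPLE_CONF = (
    "# constructed sample\n"
    "\t\t\t\t/System\n"
    "*\t\t\t\t/System/Library/Caches\n"
    "booter\t\t\t\t/System/Library/CoreServices\n"
    "\t\t\t\t/usr\n"
    "*\t\t\t\t/usr/local\n"
)

def parse_rootless(text):
    """Return [(path, kind)], kind in 'protected', 'exception', 'label:<name>'."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        flag = fields[0].strip() if len(fields) > 1 else ""
        path = fields[-1].strip()
        if not path.startswith("/"):
            continue  # not a rule line in the assumed layout
        kind = {"": "protected", "*": "exception"}.get(flag, "label:" + flag)
        rules.append((path.rstrip("/") or "/", kind))
    return rules

def classify(path, rules):
    """Apply the most specific (longest) rule whose path contains `path`."""
    path = posixpath.normpath(path)  # lexical only; symlinks are not resolved
    best = None
    for rule_path, kind in rules:
        inside = path == rule_path or path.startswith(rule_path.rstrip("/") + "/")
        if inside and (best is None or len(rule_path) > len(best[0])):
            best = (rule_path, kind)
    return best[1] if best else "unlisted"

if __name__ == "__main__":
    try:
        text = open(CONF_PATH).read()
    except OSError:
        text = SAMPLE_CONF  # fall back to the constructed sample off macOS
    rules = parse_rootless(text)
    for p in ("/usr/bin/crontab", "/usr/local/bin/backup.sh"):
        print(p, "->", classify(p, rules))
```
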

I understand that most Mac users aren't UNIX nerds and don't use these features. I understand that restricting access for these utilities has probably reduced the security risk from malware and cyberattacks.

However, I still have to ask why does Apple make these radical changes in every new release of Mac OS and why do they not have clear documentation about the impacts and work-arounds? There must be UNIX nerds at Apple who experience these same pains and they could make sure that documentation is updated.

I can't find any way from the command line to make these updates or to list which applications are granted access. I can only do it in the GUI with these exact steps. I also can't figure out how to modify the list of paths that are guarded by System Integrity Protection. I wish I could modify the list of paths that each utility and application is allowed to access. Please let me know if you figure out how to do these things.

