I am trying to do the following on my Mac (10.6.7):
sudo chown myusername:wheel ./entries
but Unix/Mac is returning "Operation not permitted". When I ls -lash
the culprit file, it looks as follows:
8 -rwxrwxrwx 1 myusername staff 394B Apr 26 23:26 entries
I've tried sudo
and sudo su
; nothing works. Any ideas what's up?
I'm trying to chmod
files I've copied from my old Ubuntu box. Most of the files have successfully chmod
'ed recursively; just this one is stuck and I don't understand why.
Answer
Yes, Mac has many enhancements to Unix in the area of files. Ignoring the whole resource fork thing which is not used much anymore, there are:
- the standard Unix permissions
ugo
rwx
and so on. Normal Unix tools apply. - ACL's, viewable with
ls -le
and changeable withchmod [ -a | +a | =a ]
. - file flags viewable with
ls -lO
(Capital oh, not zero) and changeable withchflags
. - extended attributes, viewable with
ls -l@
(attribute keys only) and viewable and changeable withxattr
. (Usexattr -h
for help ifman xattr
does not give you anything.) - Starting with OS X 10.11 "El Capitan", System Integrity Protection (SIP) further protects some files from changes from ordinary processes, even when using
sudo
to run asroot
. Files protected by SIP will be listed byls -lO
as having therestricted
flag and/or be listed byls -l@
as having thecom.apple.rootless
attribute.
You can be denied operations on a file because of Unix permissions, ACLs, file flags, or SIP. To fully unlock a file:
sudo chmod -N file # Remove ACLs from file
sudo chmod ugo+rw file # Give everyone read-write permission to file
sudo chflags nouchg file # Clear the user immutable flag from file
sudo chflags norestricted file # Remove the SIP protection from file
sudo xattr -d com.apple.rootless file # Remove SIP protection from file
If System Integrity Protection (SIP) is enabled, sudo chflags norestricted
and sudo xattr -d com.apple.rootless
will also return an "Operation not permitted" error. To clear the flag and/or attribute you need to boot into macOS Recovery and either run the commands from Terminal (you may have to first use Disk Utility to unlock and mount your boot drive, then remember your files will be under /Volumes/Macintosh HD
or whatever your boot drive is named) or disable SIP altogether and then reboot and the commands should then work. Be aware, however, that future OS updates will likely restore the restricted
flag and com.apple.rootless
attribute to any files you removed it from.
Disabling SIP is not recommended as it removes lots of protection against malware and accidental damage, plus it is not necessary when you can simply remove the protection on a per-file basis. If you do disable SIP, re-enable it when you are done making changes.
Note that if ls -lO
shows the schg
flag is set, you have to get into single-user mode to unset it. I'm not going to get into that here as there are bigger questions about why the file has that flag set and why you are trying to mess with it and what the consequences will be.
No comments:
Post a Comment