How to avoid "Operation not permitted" on macOS when `sudo` and `bypass` don't do the trick

Asked 25/9, 2019 at 14:7 Answered 25/6 at 17:37

On macOS (High Sierra) when I attempt to list the file at the path

/private/var/db/ConfigurationProfiles/Store

I get the error "Operation not permitted". Using sudo doesn't better it and even employing the bypass helper doesn't change anything:

sudo /System/Library/Extensions/TMSafetyNet.kext/Contents/Helpers/bypass ls -l /private/var/db/ConfigurationProfiles/Store

gives "Operation not permitted" as well. How can I list/access the file under the path /private/var/db/ConfigurationProfiles/Store?

Additional info:

An list of the the enclosing directory via ls -al /private/var/db/ConfigurationProfiles displays:

drwxr-xr-x   5 root  wheel   160 13 Apr  2018 .
drwxr-xr-x  85 root  wheel  2720 28 Sep 06:27 ..
drwxr-xr-x@  4 root  wheel   128 16 Dec  2017 Settings
drwx------   3 root  wheel    96  1 Oct 21:56 Setup
ls: Store: Operation not permitted

Consistently, but rather strangely Store cannot be listed. This happens both when executing ls as current user and via sudo.

Guilty answered 25/9, 2019 at 14:7 Comment(10)

Could you give us the ls -la of /private/var/db/ConfigurationProfiles? – Billposter 1/10, 2019 at 6:18

@Billposter See my question. I have added the relevant details. – Guilty 1/10, 2019 at 12:16

did you try sudo ls -la too? – Billposter 1/10, 2019 at 12:49

Yes, as mentioned in the question it happens both as current user and via sudo. – Guilty 1/10, 2019 at 12:51

Do you have system integrity on (csrutil status)? -> this is the most probable reason you will have to disable the protection to see the file. Did you verified your disk? – Billposter 1/10, 2019 at 12:53

@Billposter SIP is enabled. Haven't verified disk yet. Will do that next. – Guilty 1/10, 2019 at 13:19

You need to disable SIP in order to view .../Store – Billposter 1/10, 2019 at 13:27

I guess the question is: what are you trying to do? There is likely another way of interrogating the system for that info. – Marlomarlon 1/10, 2019 at 13:36

@Billposter Why on earth do I have to disable SIP when I just want to view a directory? I do not change anything! - I thought SIP is about modifications to some areas of the filesystem... – Guilty 1/10, 2019 at 23:1

@Marlomarlon I just compare the start up disk to a backup - and of course I can exclude Store but I want to understand why... – Guilty 1/10, 2019 at 23:3

Most probable reason is the system integrity protection (SIP) - csrutil is the command line utility. You need to disable it to view the directory.

To view your status you need to:

csrutil status

To disable it (which is usually a bad idea):

csrutil disable (then you will probably need to reboot).

To enable it (which should be turned back on when you are done):

csrutil enable

Billposter answered 1/10, 2019 at 12:47 Comment(3)

I can confirm that disabling SIP solves the access issue: Then sudo ls -al /private/var/db/ConfigurationProfiles/Store lists the content of that directory. - This is not the solution I was hoping for, but it is a solution (and probably the only possible one). – Guilty 2/10, 2019 at 10:26

@Guilty well that is how the MacOS works. If SIP it is covered by SIP the "ordinary" user does not have an access, to guard the system from the ordinary users. – Billposter 2/10, 2019 at 10:33

Disabling SIP is using a bulldozer to open a door. Full Disk Access is the key, as explained above. – Empedocles 17/12, 2022 at 19:14

TWO things you can try below...

Sometimes "operation not permitted" relates to permissions, so one thing you can try to solve the problem is to go into the permissions for the folder in question.

Open Finder, and get to the folder which is giving you the failed operations (such as "ls").
Right-click the folder, and select "Get Info"
Add users to have read/write permission for the folder; aka, add your user profile (you).

Another thing which could be causing the problem... It could be that Terminal app itself isn't able to access the data via privacy fireballing. To solve that:

Click on Apple symbol top left and select "System Preferences"
Open "Security & Privacy"
Select the "Privacy" menu
On the left-hand side, select "Full Disk Access"
on lower left, click the lock and enter your MacOS password or swipe your finger (eyes).
Click the plus button on the right to add Terminal app to the list of things with Full Disk Access. Make sure Terminal is checked when you're done.
reset the lock, and you're done.
shut down Termainal, then restart it.

This should allow Terminal access to the folder in question.

for more info: https://osxdaily.com/2018/10/09/fix-operation-not-permitted-terminal-error-macos/

Magruder answered 5/12, 2021 at 16:1 Comment(3)

As mentioned by the OP, turning off SIP is not really a useful solution. I was thrown off by the first part of this answer (changing file permission is an obvious thing to try). But the second part of this answer is, IMHO, THE correct answer. Under "Privacy" there is also a "Files and Folders" item. In my case, the offending directory, Documents, was not checked. I checked it, and voilà, I can access the Documents folder from the iTerm app. So I think this answer is the best answer. – Paint 3/3, 2022 at 0:31

Operation not permitted never relates to permissions - ignore the misleading first part which can only fix Permission Denied errors. – Empedocles 17/12, 2022 at 19:30

Enabling Full Disk Access for iTerm did not help in my case - trying to modify a file in /System/Library/CoreServices/PowerChimeapp. And wasn't able to enable Files and Folders for iTerm. – Prehistory 28/5 at 1:39

Most probable reason is the system integrity protection (SIP) - csrutil is the command line utility. You need to disable it to view the directory.

To view your status you need to:

csrutil status

To disable it (which is usually a bad idea):

csrutil disable (then you will probably need to reboot).

To enable it (which should be turned back on when you are done):

csrutil enable

Billposter answered 1/10, 2019 at 12:47 Comment(3)

@Guilty well that is how the MacOS works. If SIP it is covered by SIP the "ordinary" user does not have an access, to guard the system from the ordinary users. – Billposter 2/10, 2019 at 10:33

Disabling SIP is using a bulldozer to open a door. Full Disk Access is the key, as explained above. – Empedocles 17/12, 2022 at 19:14

If the file is not locally created in mac system and downloaded from some website, the quarantine flag is set on downloads to prevent drive-by and other security shenanigans.

Remove the quarantine flag:

xattr -d com.apple.quarantine <filename> (to remove in single file)
xattr -d -r com.apple.quarantine <foldername> (to remove in all file inside a folder)

Leviticus answered 25/6 at 17:37 Comment(0)

Recommended topics

Hot tags