TOLIS Group Knowledge Base


Apple SIP prevents access to special folders causing "Permission denied" errors

Posted: 05 Mar, 2019
With the release of macOS Mojave (10.14), Apple has taken filesystem hardening to an extreme, configuring certain folder locations as "off limits" for applications, even if those applications are running with root-level privileges.  As a result, BRU backup operations fail because the BRU I/O engine is not allowed to access the content of these folders.

The only solution for this currently is to disable SIP on any Mojave-based systems that you back up using BRU Server or BRU Producer's Edition.  While this eliminates the increased hardening, it does NOT change your Mac's general security.

Disabling SIP requires that you reboot your Mojave system into the Recovery OS.  To do this, reboot your system and press CMD-R when the startup chime sounds.  Once in recovery mode, select the Utilities menu and open a Terminal.  Within the Terminal, execute:

csrutil disable

When you reboot your system, you can check the status by opening a Terminal and executing:

csrutil status

This will report whether SIP is enabled or disabled.

Once disabled, the BRU I/O engine will be able to properly access all areas of your system disk(s).

This does not change any other permissions on your system.  It simply removes the iOS-oriented changes to the macOS operating system.

To restore the prior SIP setting, reboot into the Recovery system and execute:

csrutil enable
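
The following pre-backup check is an added example, not TOLIS or BRU code: it reads the `csrutil status` line described above and lists which of the folders you pass to it cannot be read by the current process, so you can confirm the effect of each SIP setting before a backup runs.  The function names and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of BRU): report SIP state and unreadable folders.
# Usage (script name is hypothetical): sudo sh sip_preflight.sh /path/to/folder ...

# sip_state TEXT -> prints enabled | disabled | unknown
# TEXT is the output of `csrutil status`, for example:
#   System Integrity Protection status: enabled.
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# unreadable_dirs DIR... -> prints each existing directory that cannot be listed
unreadable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue                    # skip paths that do not exist
        ls -A "$d" >/dev/null 2>&1 || echo "$d"    # listing failed: access denied
    done
}

# preflight DIR... -> prints a report; returns 1 if any folder is unreadable
preflight() {
    if command -v csrutil >/dev/null 2>&1; then
        state=$(sip_state "$(csrutil status 2>/dev/null)")
    else
        state=unknown                              # csrutil not found on this system
    fi
    echo "SIP: $state"
    blocked=$(unreadable_dirs "$@")
    if [ -n "$blocked" ]; then
        echo "Not readable by this process (a backup would hit Permission denied):"
        echo "$blocked"
        return 1
    fi
    echo "All listed folders are readable."
}

# Run the check only when folders were given on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run it with the same privileges the backup uses, and pass the folders your backup job covers.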

What about "Full Disk Access" whitelisting in "System Preferences" -> "Security and Privacy"?

Unfortunately, Apple did not take into account command line helper applications and system daemons when they designed this feature.  While you can add the /usr/local/bin/bru, /usr/local/bru-server/agent, and /usr/local/bru-server/bru binaries to the list, they are not handled properly by the system.  The whitelist only enables bundled applications (apps that are actually bundles and end in .app or another recognized bundle extension).

We have requested that Apple provide a whitelist mechanism for console apps and daemons that are NOT bundled, but we are now at Apple's whim as to when, or even if, this will be implemented.
