TOLIS Group Knowledge Base

Apple SIP prevents access to special folders causing "Permission denied" errors

Posted: 05 Mar, 2019
With the release of macOS Mojave (10.14), Apple has taken filesystem hardening to an extreme, configuring certain folder locations as "off limits" for applications, even if those applications are running with root-level privileges.  As a result, BRU backup operations fail because the BRU I/O engine is not allowed to access the content of these folders.

The only solution for this currently is to disable SIP on any Mojave-based systems that you back up using BRU Server or BRU Producer's Edition.  While this eliminates the increased hardening, it does NOT change your Mac's general security.

Disabling SIP requires that you reboot your Mojave system into the Recovery OS.  To do this, reboot your system and press CMD-R when the startup chime sounds.  Once in recovery mode, select the Utility menu and open a Terminal.  Within the Terminal, execute:

csrutil disable

When you reboot your system, you can check the status by opening a Terminal and executing:

csrutil status

This will report whether SIP is enabled or disabled.

Once disabled, the BRU I/O engine will be able to properly access all areas of your system disk(s).

This does not change any other permissions on your system.  It simply removes the iOS-oriented changes to the macOS operating system.

To restore the prior SIP setting, reboot into the Recovery system and execute:

csrutil enable
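
The status check above can also be scripted, for example as a pre-backup check or to keep track of which machines still have SIP disabled so it can be re-enabled later. The following is an added example, not TOLIS Group code; the function names, the --check argument and the sample output strings are assumptions constructed for illustration, and the exact wording of csrutil status may differ between macOS releases.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output before a backup run.
# The sample strings below are constructed; wording can vary by macOS release.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Filesystem Protections: disabled'

# Print one of: enabled, disabled, custom, unknown
sip_state_from_text() {
    case "$1" in
        *"Custom Configuration"*) echo custom ;;    # SIP only partially enabled
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Exit status: 0 = disabled, 1 = enabled or custom, 2 = cannot tell
sip_preflight() {
    if ! command -v csrutil >/dev/null 2>&1; then
        echo "csrutil not found; is this macOS?" >&2
        return 2
    fi
    state=$(sip_state_from_text "$(csrutil status 2>&1)")
    case "$state" in
        disabled) echo "SIP disabled: protected folders are readable by the backup engine"; return 0 ;;
        enabled)  echo "SIP enabled: expect \"Permission denied\" on protected folders"; return 1 ;;
        custom)   echo "SIP custom configuration: review 'csrutil status' by hand"; return 1 ;;
        *)        echo "SIP state unknown" >&2; return 2 ;;
    esac
}

# Run the live check only when asked, e.g.: sh sip_check.sh --check
if [ "${1:-}" = "--check" ]; then
    sip_preflight
fi
```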

What about "Full Disk Access" whitelisting in "System Preferences" -> "Security and Privacy"?

Unfortunately, Apple did not take into account command line helper applications and system daemons when they designed this feature.  While you can add the /usr/local/bin/bru, /usr/local/bru-server/agent, and /usr/local/bru-server/bru binaries to the list, they are not handled properly by the system.  The whitelist only enables bundled applications (apps that are actually bundles and end in the .app or other recognized bundle extension).

We have requested that Apple provide a whitelist mechanism for console apps and daemons that are NOT bundled, but we are now at Apple's whim as to when, or even if, this will be implemented.
