Browse KB by category:
Go to KB #:
Apple SIP prevents access to special folders causing "Permission denied" errors
With the release of Apple's Mojave (10.14) version of macOS, they have taken the filesystem hardening to an extreme configuring certain folder locations as "off limits" for applications - even if those applications are running with root-level privileges. The result of this is the failure of BRU backup operations since the BRU I/O engine is not allowed to access the content of these folders.
The only solution for this currently is to disable SIP on any Mojave-based systems that you backup using BRU Server or BRU Producer's Edition. While this eliminates the increased hardening, it does NOT change your Mac's general security.
To disable SIP requires that you reboot your Mojave system into the Recovery OS. To do this, reboot your system and press
CMD-R when the startup chime sounds. Once in the recovery mode, select the Utility menu and open a Terminal . Within the Terminal, execute:
When you reboot your system, you can check the status by opening a Terminal and executing
This will report whether SIP is enabled or disabled.
Once disabled, the BRU I/O engine will be able to properly access all areas of your system disk(s).
This does not change any other permissions on your system. It simply removes the iOS-oriented changes to the macOS operating system.
To restore the prior SIP setting, reboot into the Recover system and execute:
What about "Full Disk Access" whitelisting in "System Preferences" -> "Security and Privacy"?
Unfortunately, Apple did not take into account command line helper applications and system daemons when they designed this feature. While you can add the /usr/local/bin/bru, /usr/local/bru-server/agent, and /usr/local/bru-server/bru binaries to the list, they are not handled properly by the system. The whitelist only enables bundled applications (apps that are actually bundles and end in the .App or other recognized bundle extension).
We have requested that Apple provide a whitelist mechanism for console apps and daemons that are NOT bundled, but we are now at Apple's whim as to when, or even if, this will be implemented.
Powered by KnowledgebasePublisher