How to grant root access to user files in Mojave

mojavepermissionrootrsync

I upgraded my laptop to Mojave. For years, my backup strategy has included using rsync (MacPorts rsync 3.1.3) to copy files to a file server. This stopped working properly, now showing some errors indicating permission problems with opendir and get_xattr_data, specifically with certain ~/Library folders.

I use launchd to run rsync inside a script located in /usr/local/bin.

As part of my troubleshooting, I went into Terminal and su'd to root. Then cd'd to my user's ~/Library and tested access in some of the folders. The system reported permission denied.

Through Security & Privacy, I gave rsync Full Disk Access, but that didn't resolve the issue.

I'm assuming this is an issue resulting from Mojave's security or privacy settings as I've never seen root not have permission to files. In order to resume my backup processes, I need root/launchctl to be able to access files.

What has changed in Mojave that is limiting root's access?
How do I mitigate this limitation as it relates to rsync?

The possible duplicate seems to confirm the need to adjust settings in Security & Privacy, but so far adding Terminal and rsync to the list of allowed apps does not allow the backup to succeed. I'm working to add the script I use to run the backup, and will adjust my question when I get that tested.

Best Answer

As documented in this post among some other places, MacOS Mojave implements additional security protocols that even affect root's access to user data.

The solution in the linked question provides the basic method I used to resolve my issue.

For custom-built scripts that will run through launchd, the administrator of the computer on which the script is to be run must add that script to Security & Privacy to give that "app" permission to access user data.

It was not necessary to add launchd or rsync (in my case) to Security & Privacy.

I have not researched if there is a way to do this via Terminal, which it seems would be necessary for those administering a large number of clients.

========

Update: I've also learned that if you add a script, and you later make changes to that script, you need to delete it from the Security & Privacy-->Full Disk Access, then add it again. Perhaps macOS creates a hash that is checked?

========

Update w/ Catalina: I do not recall if I had System Integrity Protection disabled on Mojave, but it appears to be required to be disabled in Catalina. I know SIP doesn't have to be disabled for OS versions prior to these.

Disabling macOS SIP allowed the script in question to start running again. This is not ideal, so I'll be researching other approaches.

Related Solutions

Rsync errors, but only when run in launchd

Your running in different contexts when you use launchd and iterm2. With iterm2 your profile gets run but your profile isn't run when you use launchd.

Some programmers invoke there profile from their launchd script. I do everything so it works without the need to run my profile.

I suggest you cd to whatever directory you ended up in iterm2.

I wrote a little function to display all my terminal settings. Run this in iterm2 and launchd while sending output to a file and compare.

settings () 
{ 
    ( echo "---------- env ----------";
    env;
    echo "--------- set ----------";
    set;
    echo "--------- export ----------";
    export;
    echo "--------- export -f ----------";
    export -f;
    echo "--------- alias ----------";
    alias;
    echo "--------- set -o ----------";
    set -o;
    echo "--------- shopt ----------";
    shopt;
    echo "--------- enable -a ----------";
    enable -a ) | less
}

for terminal you can copy & paste settings to terminal.

settings >>/Users/mac/xset
cat xset

MacOS – How to Get Root Access in Mojave

Root isn’t what you need, SIP must be disabled if you desire to modify the system files while booted from the same system as the files to be edited.

A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).

^{https://en.wikipedia.org/wiki/System_Integrity_Protection}

macOS Recovery is part of the built-in recovery system of your Mac. First, boot to recovery, then open terminal from recovery and run sudo -s to become root. Then you are clear to make modifications to the normal system on the Macintosh HD volume.

https://support.apple.com/en-us/HT201314

You could also run the disable from recovery and restart it you want to opt out of protection indefinitely and not just temporarily.

https://support.apple.com/en-us/HT204899

I’m generally not doing that but your system, your call totally.

Best Answer

Related Solutions

Rsync errors, but only when run in launchd

MacOS – How to Get Root Access in Mojave

Related Question