I am running macOS High Sierra.
I was wondering how system services (e.g. Time Machine with the protected backup directories) could modify the directories that root cannot access. I was trying to modify the backup directory permissions to allow Read/Write access to all users (with root) and got this output (I had to replace my computer name with asterisks for privacy reasons):
*****:Time Machine root# chmod -R 0777 Backups.backupdb/
chmod: Unable to change file mode on Backups.backupdb//.RecoverySets/1/com.apple.recovery.boot/boot.efi: Operation not permitted
chmod: Unable to change file mode on Backups.backupdb//*****: Operation not permitted
[...]
However, Time Machine can tamper with the files even though root cannot.
I know that in the Get Info dialog it says that the user system can have Read/Write access.
Is it even possible to have a user be able to access a file when root cannot, or is it just Apple indicating that the system can access it?
UPDATE:
I have been notified that Time Machine backups are a different story altogether with Time Machine Backup Protection. However, I still don’t know about how System Integrity Protection doesn’t block other things (e.g. Updates from the App Store).
Best Answer
Time Machine backup protection isn't related to System Integrity Protection — SIP is for protecting system files. Instead, TMSafetyNet.kext is responsible for enforcing protection of backups and permitting Time Machine to make changes only.
You can edit backups using the ‘bypass’ CLI tool.
Append the tool you want to use at the end as if you were using it normally, for example:
This protection of backups predates the introduction of SIP, but I imagine the file protection feature of SIP was inspired by how the Time Machine backups protection works, so they have their similarities.
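To make the distinction in the answer above concrete, here is an added example (not part of the original answer and not an Apple tool): a shell function that triages an "Operation not permitted" seen as root from one line of `ls -ldO` output. The function name `classify_eperm` and the sample lines are constructed; it assumes SIP-protected items show the `restricted` file flag and, because kext enforcement is not visible in `ls` output, infers Time Machine protection from the `Backups.backupdb` path alone.

```shell
#!/bin/sh
# Triage an "Operation not permitted" seen as root on macOS, given one line
# of `ls -ldO <path>` output. With -O the file flags are the 5th field.
# classify_eperm is a hypothetical helper, not an Apple tool.

classify_eperm() {
    line=$1
    flags=$(printf '%s\n' "$line" | awk '{print $5}')
    # Re-join fields 10..NF so paths containing spaces survive.
    path=$(printf '%s\n' "$line" |
        awk '{for (i = 10; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")}')

    # SIP-protected items carry the "restricted" file flag.
    case ",$flags," in
        *,restricted,*) echo "sip"; return 0 ;;
    esac

    # Assumption: kext enforcement is not visible in ls output, so Time
    # Machine protection is inferred from the path alone.
    case "$path" in
        Backups.backupdb|Backups.backupdb/*|*/Backups.backupdb|*/Backups.backupdb/*)
            echo "time-machine"; return 0 ;;
    esac

    echo "other"
}

# Constructed sample lines (not captured from a real system).
while IFS= read -r sample; do
    printf '%-12s %s\n' "$(classify_eperm "$sample")" "$sample"
done <<'EOF'
drwxr-xr-x@ 4 root wheel restricted 128 Jan  1 10:00 /System
drwxr-xr-x+ 3 root wheel - 96 Jan  1 10:00 /Volumes/Time Machine/Backups.backupdb/host
-rw-r--r-- 1 root wheel - 10 Jan  1 10:00 /tmp/plain
EOF
```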