I am trying to do the following on my Mac (10.6.7):
sudo chown myusername:wheel ./entries
but Unix/Mac is returning "Operation not permitted". When I ls -lash
the culprit file, it looks as follows:
8 -rwxrwxrwx 1 myusername staff 394B Apr 26 23:26 entries
I've tried sudo
and sudo su
; nothing works. Any ideas what's up?
I'm trying to chmod
files I've copied from my old Ubuntu box. Most of the files have successfully chmod
'ed recursively; just this one is stuck and I don't understand why.
Best Answer
Yes, Mac has many enhancements to Unix in the area of files. Ignoring the whole resource fork thing which is not used much anymore, there are:
ugo
rwx
and so on. Normal Unix tools apply.ls -le
and changeable withchmod [ -a | +a | =a ]
.ls -lO
(Capital oh, not zero) and changeable withchflags
.ls -l@
(attribute keys only) and viewable and changeable withxattr
. (Usexattr -h
for help ifman xattr
does not give you anything.)sudo
to run asroot
. Files protected by SIP will be listed byls -lO
as having therestricted
flag and/or be listed byls -l@
as having thecom.apple.rootless
attribute.You can be denied operations on a file because of Unix permissions, ACLs, file flags, or SIP. To fully unlock a file:
If System Integrity Protection (SIP) is enabled,
sudo chflags norestricted
andsudo xattr -d com.apple.rootless
will also return an "Operation not permitted" error. To clear the flag and/or attribute you need to boot into macOS Recovery and either run the commands from Terminal (you may have to first use Disk Utility to unlock and mount your boot drive, then remember your files will be under/Volumes/Macintosh HD
or whatever your boot drive is named) or disable SIP altogether and then reboot and the commands should then work. Be aware, however, that future OS updates will likely restore therestricted
flag andcom.apple.rootless
attribute to any files you removed it from.Disabling SIP is not recommended as it removes lots of protection against malware and accidental damage, plus it is not necessary when you can simply remove the protection on a per-file basis. If you do disable SIP, re-enable it when you are done making changes.
Note that if
ls -lO
shows theschg
flag is set, you have to get into single-user mode to unset it. I'm not going to get into that here as there are bigger questions about why the file has that flag set and why you are trying to mess with it and what the consequences will be.