20

I upgraded to El Capitan yesterday and everything was good until recently when I noticed I can't write anything (with sudo ofc) on /usr/bin as I tried to install phpbrew.

What could be causing this and how to troubleshoot it?

Tom
  • OS X El Capitan is rootless. The feature can be disabled from the recovery partition. – fd0 Jun 26 '15 at 10:13

3 Answers

24

Since OS X 10.11, Apple has reinforced the security system. Called System Integrity Protection, it locks down:

/System
/sbin
/usr (with the exception of /usr/local subdirectory)

To disable this security feature you have to reboot your computer and hold CMD+R at start to boot into OS X Recovery Mode.

Then OS X Utilities > Terminal

Type the command `csrutil disable; reboot`

Your computer will restart. You will see a confirmation message about the deactivation.

To verify the status of CRS, type `csrutil status`

ckujau
Ragnar
  • 1
    I disabled and it still doesn't allow me to do anything:
    ```
    /Users/Rob$ csrutil status
    System Integrity Protection status: disabled.
    /Users/Rob$ touch /usr/bin/yes
    touch: /usr/bin/yes: Permission denied
    ```
    – Roberto Sep 07 '17 at 06:18
  • Try with `sudo`. – Ragnar Feb 16 '18 at 09:53
  • In most cases, it's better to install local customizations into /usr/local (e.g. /usr/local/bin rather than /bin or /usr/bin). That's what it's for, and this has been the case for a long time. If possible, I'd recommend following this best practice rather than disabling SIP. If you really do need to make changes in a restricted location, it's best to disable SIP, make the change, and then immediately re-enable SIP with `csrutil enable` (in Recovery mode). – Gordon Davisson Feb 05 '19 at 22:48
7

As mentioned by Ragnar, the /usr directory is locked down by the system, with the exception of /usr/local. Then, if your scenario allows, I'd recommend adding the symbolic link to /usr/local/bin. If you don't have a strict requirement on using /usr/bin, that's one way to work around the "Operation not permitted" error.

Gustavo Straube
2

One can verify if a particular file or directory is restricted by OSX's System Integrity Protection (SIP)/Rootless by listing the file flags using the -O option to ls (e.g. to see which directories in / are restricted):

ls -Ol /

The directories or files that are controlled by SIP show as 'restricted'.

There are full details in the answers to this question about SIP/rootless.

Pierz
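The `restricted` flag check from the last answer, combined with the `/usr/local/bin` fallback recommended above, as an added example that is not part of the original answers. The function names and the sample listing are constructed for illustration, and the parsing assumes the usual `ls -lO` layout with the file flags in the fifth column.

```shell
#!/bin/sh
# Added example: read `ls -lO` output and act on the SIP "restricted" flag.
# Assumed column layout: mode links owner group FLAGS size month day time name

# stdin: `ls -lO` output; prints the name of every entry flagged "restricted".
sip_restricted() {
    awk 'NF >= 10 {
        restricted = 0
        n = split($5, flag, ",")            # flags are comma-separated
        for (i = 1; i <= n; i++) if (flag[i] == "restricted") restricted = 1
        if (!restricted) next
        name = $10                          # rejoin names containing spaces
        for (i = 11; i <= NF; i++) name = name " " $i
        sub(/ -> .*$/, "", name)            # drop the symlink target
        print name
    }'
}

# $1: wanted install directory; stdin: output of `ls -lOd "$1"`.
# Prints $1 unless SIP restricts it, otherwise falls back to /usr/local/bin.
choose_bin_dir() {
    if [ -n "$(sip_restricted)" ]; then
        echo /usr/local/bin
    else
        echo "$1"
    fi
}

# Constructed sample of `ls -lO /` output (not captured from a real machine).
sample_listing() {
    cat <<'EOF'
total 10
drwxrwxr-x+ 60 root  admin  sunlnk            1920 Oct  1 09:12 Applications
drwxr-xr-x@  4 root  wheel  restricted         128 Oct  1 09:12 System
drwxr-xr-x   5 root  admin  -                  160 Oct  1 09:12 Users
drwxr-xr-x@ 39 root  wheel  restricted,hidden 1248 Oct  1 09:12 bin
lrwxr-xr-x@  1 root  wheel  restricted,hidden   11 Oct  1 09:12 etc -> private/etc
drwxr-xr-x@ 12 root  wheel  restricted,hidden  384 Oct  1 09:12 usr
EOF
}

sample_listing | sip_restricted
```

On a Mac, `ls -lOd /usr/bin | choose_bin_dir /usr/bin` gives an install script a target that works with SIP left enabled.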