hello,

does somebody know how to circumvent that "extra file access restriction feature" introduced in osx some time ago ?

i already tried adding rsync binary to programs with "full disk access" privilege ( system-prefs -> security & privacy -> privacy -> full disk access), since running as root is not sufficient - but it does not work.

i want to make sure that every file on osx is getting backed up

i run rsync on linux to remotely backup osx system (via ssh).

regards
roland

rsync: readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/0/com.apple.routined") failed: Operation not permitted (1)
rsync: readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/0/com.apple.Safari/SafariFamily") failed: Operation not permitted (1)
rsync: readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/C/com.apple.WebKit.WebContent.Sandbox") failed: Operation not permitted (1)
rsync: readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/C/com.apple.QuickLook.thumbnailcache") failed: Operation not permitted (1)
rsync: readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/C/com.apple.WebKit.Networking.Sandbox") failed: Operation not permitted (1)
rsync: opendir "/private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/0" failed: Operation not permitted (1)
rsync: opendir "/private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C" failed: Operation not permitted (1)

# ls -l@ /private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/
total 0
drwxr-xr-x@  2 _locationd  _locationd   64  3 Nov  2017 0
    com.apple.rootless    -1
drwx------@ 17 _locationd  _locationd  544 19 Jan 23:03 C
    com.apple.rootless    -1
drwx------@  2 _locationd  _locationd   64  3 Nov  2017 T
    com.apple.rootless     7
Roland via rsync <rsync at lists.samba.org> wrote:
> does somebody know how to circumvent that "extra file access restriction
> feature" introduced in osx some time ago ?

It may not be possible.

Based on experience with FreeBSD, from which much of OSX is derived, I suspect you may be running into issues with "file flags"; check the OSX documentation for the chflags system call. In FreeBSD, I've seen that same error message when rsync attempts an operation that would violate chflags restrictions.

> i already tried adding rsync binary to programs with "full disk access"
> privilege ( system-prefs -> security & privacy -> privacy -> full disk
> access), since running as root is not sufficient - but it does not work.

"full disk access" likely refers to the ability to read the disk directly, bypassing the filesystem. It's used by maintenance programs like fsck and fsdb, and by some full-disk backup programs, but it won't help rsync.

> i want to make sure that every file on osx is getting backed up
>
> i run rsync on linux to remotely backup osx system (via ssh).
>
> regards
> roland
>
> rsync:
> readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/0/com.apple.routined")
> failed: Operation not permitted (1)
> ...
Hi,

I don't think it's about file flags. macOS has SIP (System Integrity Protection) which, among other things, restricts the ability of processes to access certain parts of the file system.

Usually people ask about how to override this locally which can be done by disabling SIP altogether, or for file access only, adding the relevant app in:

System Preferences -> Security & Privacy -> Full Disk Access

But it's not great. I think you can only add "apps" to the list, not arbitrary executables. I've added Terminal, iTerm.app and XQuartz.app but it doesn't work for XQuartz/X11 for some reason, so I need to rsync some parts from the file system from Terminal/iTerm instead of from an xterm under XQuartz.

But the OP is asking about the remote end of the connection. If you are allowed to manipulate the security settings on the remote end, you could apply the above ideas there but you'd need to know which app needs to be added to the list so that rsync can function. It's not obvious. It's probably the app that starts sshd. It might be launchd. I can't imagine that giving that full disk access is a great idea.

It might be possible to get the remote sshd to run the remote side of rsync via an intermediary app that can be added to the list of apps with full disk access, such as Automator. Maybe you could use (via rsync) ssh's -e / --rsh option to specify what's needed.

See this page for ideas:

How to Give Full Disk Access to a Binary in MacOS Mojave
https://n8henrie.com/2018/11/how-to-give-full-disk-access-to-a-binary-in-macos-mojave/

I haven't read it, just googled "full disk access launchd" so not sure it'll help.

good luck,
raf

Perry Hutchison via rsync wrote:
> Roland via rsync <rsync at lists.samba.org> wrote:
> > does somebody know how to circumvent that "extra file access restriction
> > feature" introduced in osx some time ago ?
>
> It may not be possible.
>
> Based on experience with FreeBSD, from which much of OSX is derived,
> I suspect you may be running into issues with "file flags"; check the
> OSX documentation for the chflags system call. In FreeBSD, I've seen
> that same error message when rsync attempts an operation that would
> violate chflags restrictions.
>
> > i already tried adding rsync binary to programs with "full disk access"
> > privilege ( system-prefs -> security & privacy -> privacy -> full disk
> > access), since running as root is not sufficient - but it does not work.
>
> "full disk access" likely refers to the ability to read the disk
> directly, bypassing the filesystem. It's used by maintenance
> programs like fsck and fsdb, and by some full-disk backup programs,
> but it won't help rsync.
>
> > i want to make sure that every file on osx is getting backed up
> >
> > i run rsync on linux to remotely backup osx system (via ssh).
> >
> > regards
> > roland
> >
> > rsync:
> > readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/0/com.apple.routined")
> > failed: Operation not permitted (1)
> > ...
If you are talking about SIP, then at present SSH will have full disk access (as much as it can) by default. Take a look at this LBackup page which discusses this in more detail : http://www.lbackup.org/developer/dealing_with_sip Hope that helps.
Henri Shustak via rsync wrote:
> If you are talking about SIP, then at present SSH will have full disk access (as much as it can) by default.
>
> Take a look at this LBackup page which discusses this in more detail : http://www.lbackup.org/developer/dealing_with_sip
>
> Hope that helps.

I think that that only applies to the sshd binary that comes with macOS. If you install a more recent version of openssh via macports or similar, it doesn't apply to that. It certainly doesn't apply to a macports-installed ssh client. In that case, you need to grant full disk access to Terminal.app or similar, and invoke the ssh client from there.

It's not possible to grant full disk access to an arbitrary binary executable via System Preferences. You can only do that for "applications". I'm not sure what application you would need to grant full disk access to in order to give a macports-installed sshd daemon full disk access.

cheers,
raf
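
The per-file errors quoted in the first message can be turned into an explicit list of what a backup run did not copy, so gaps are recorded rather than scrolled past. This is an added example, not part of the thread; the function names and the last two sample lines are constructed, and the optional "[sender]" role tag is what newer rsync releases print.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# rsync prints one line per failed call, e.g.
#   rsync: readlink_stat("<path>") failed: <strerror> (<errno>)
#   rsync: opendir "<path>" failed: <strerror> (<errno>)
ERR_RE = re.compile(
    r'^rsync: (?:\[\w+\] )?(?P<call>\w+)\(?\s*"(?P<path>.+?)"\)? failed: '
    r'(?P<msg>.+) \((?P<errno>\d+)\)$'
)

# First three lines are copied from the first message; the last two are constructed.
SAMPLE = """\
rsync: readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/0/com.apple.routined") failed: Operation not permitted (1)
rsync: readlink_stat("/private/var/folders/_p/ky_w_lyj6ps7jcnkjkl5ss0m0000gn/C/com.apple.QuickLook.thumbnailcache") failed: Operation not permitted (1)
rsync: opendir "/private/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C" failed: Operation not permitted (1)
rsync: [sender] opendir "/Users/example/private" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]
"""

def parse_errors(stderr_text):
    """Return one dict per per-file failure line; summary lines are ignored."""
    hits = []
    for line in stderr_text.splitlines():
        m = ERR_RE.match(line.strip())
        if m:
            hits.append({"call": m["call"], "path": m["path"],
                         "errno": int(m["errno"]), "msg": m["msg"]})
    return hits

def skipped_by_errno(stderr_text):
    """Map errno -> sorted paths that were not read (1 = EPERM, 13 = EACCES)."""
    out = {}
    for h in parse_errors(stderr_text):
        out.setdefault(h["errno"], set()).add(h["path"])
    return {e: sorted(p) for e, p in out.items()}

def gaps_by_parent(stderr_text, errno=1):
    """Count failures per parent directory for one errno (default EPERM)."""
    return dict(Counter(str(PurePosixPath(h["path"]).parent)
                        for h in parse_errors(stderr_text)
                        if h["errno"] == errno))

if __name__ == "__main__":
    for err, paths in skipped_by_errno(SAMPLE).items():
        print(f"errno {err}: {len(paths)} path(s) not backed up")
        for p in paths:
            print("   ", p)
```

Feed it the stderr captured from the backup job (for example `rsync ... 2> rsync.err`) and keep the report alongside the backup.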