xattrs Permission Issues with Extended Attributes
25 Oct '19

Tech, Insights & Process

macOS adds ACLs, flags, and SIP on top of classic permissions. Here’s how to diagnose and unlock a file safely.

macOS adds extra layers on top of classic Unix permissions. If a file is “locked,” it’s usually because of one of the mechanisms below:

  • Standard Unix permissions - the classic ugo/rwx bits, handled by the usual Unix tools.
  • ACLs (Access Control Lists) - visible with ls -le and editable with chmod [ -a | +a | =a ].
  • File flags - visible with ls -lO (capital "O", not zero) and modifiable with chflags.
  • Extended attributes - visible with ls -l@ (shows only the attribute keys) and viewed or modified with xattr. (Use xattr -h if man xattr returns nothing.)
  • Starting with macOS 10.11 "El Capitan", System Integrity Protection (SIP) additionally protects some files from changes by normal processes - even with sudo. A SIP-protected file can be recognized because ls -lO shows the restricted flag and ls -l@ shows the com.apple.rootless attribute.

You may not be able to operate on a file because of Unix permissions, ACLs, file flags, or SIP. To fully unlock a file:

sudo chmod -N file  # Remove ACLs from file
sudo chmod ugo+rw file    # Give everyone read-write permission to file
sudo chflags nouchg file  # Clear the user immutable flag from file
sudo chflags norestricted file  # Remove the SIP protection from file
sudo xattr -d com.apple.rootless file # Remove SIP protection from file

If System Integrity Protection (SIP) is enabled, the commands sudo chflags norestricted and sudo xattr -d com.apple.rootless will return the "Operation not permitted" error. To remove the flag or attribute, boot into macOS Recovery and do one of the following:

  • Open Terminal and run the commands above (you may need to use Disk Utility first to unlock and mount the startup disk - your files will then be under /Volumes/Macintosh HD or another disk name).
  • Or disable SIP completely and then restart the system. The commands above will then work.

Keep in mind that future macOS updates may restore the restricted flag and the com.apple.rootless attribute on files from which they were removed.

Disabling SIP is not recommended because it removes many protections against malware and accidental system damage. It is also not necessary, because you can remove protection for a single file. If you do disable SIP, turn it back on after you finish your changes.

Note: if ls -lO shows the schg (system immutable) flag set, you must boot into single-user mode to remove it. This article does not go further into that case, because the first question is why the file carries this flag at all and what the consequences of removing it would be.
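To tie the diagnostic list, the unlock sequence and the schg note together, here is an added helper script (not part of the original article) that reads the output of ls -lOe@ for one file and prints only the unlock steps that apply, with an exit status saying whether a normal session is enough. The listing it parses is constructed sample output, so the script runs on any POSIX shell; on a Mac you would pipe the real `ls -lOe@ "$f"` into triage.

```shell
#!/bin/sh
# Added example, not code from the article: decide which of its unlock steps
# a file needs, from the flags column of `ls -lO`, the ACL entries of `ls -le`
# and the attribute keys of `ls -l@` (all three appear in one `ls -lOe@` run).
# Unix mode bits are left out: compare field 1 of `ls -l` with what you need.

# has_flag FLAGS NAME -> true if NAME is in the comma-separated FLAGS column
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# unlock_plan FLAGS "XATTR KEYS" ACL_COUNT
# Prints the needed commands in the article's order. Exit status:
# 0 = doable now, 1 = needs Recovery (SIP), 2 = schg set, needs single-user mode.
unlock_plan() {
    flags=$1 keys=$2 acls=$3 rc=0
    [ "$acls" -gt 0 ] && echo 'sudo chmod -N file'
    has_flag "$flags" uchg && echo 'sudo chflags nouchg file'
    if has_flag "$flags" restricted; then
        echo 'sudo chflags norestricted file'          # "Operation not permitted" while SIP is on
        rc=1
    fi
    case " $keys " in *' com.apple.rootless '*)
        echo 'sudo xattr -d com.apple.rootless file'   # same: needs Recovery
        rc=1 ;;
    esac
    if has_flag "$flags" schg; then
        echo '# schg is set: boot to single-user mode before chflags noschg'
        rc=2
    fi
    return $rc
}

# triage < listing : parse `ls -lOe@` output from stdin and run unlock_plan
triage() {
    listing=$(cat)
    flags=$(printf '%s\n' "$listing" | awk 'NR==1 {print $5}')            # flags column ("-" if none)
    keys=$(printf '%s\n' "$listing" | awk '/^\t/ {printf "%s ", $1}')     # tab-indented xattr keys
    acls=$(printf '%s\n' "$listing" | awk '/^ *[0-9][0-9]*: / {n++} END {print n+0}')  # " 0: user:..." lines
    unlock_plan "$flags" "$keys" "$acls"
}

# Constructed sample listing: a SIP-protected binary that also carries an ACL.
sample_listing() {
    printf '%s\n' '-rwxr-xr-x@ 1 root  wheel  restricted,compressed  130848 Oct 25 12:00 /usr/bin/example'
    printf '\t%s\t0\n' com.apple.rootless
    printf '%s\n' ' 0: user:alice deny write'
}

sample_listing | triage || echo "needs more than a normal session (status $?)"
```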
