How to fix El Capitan 10.11 Operation Not Permitted error

El Capitan Permission Error

If you have recently upgraded your operating system to 10.11 (El Capitan), you might encounter an ‘Operation not permitted’ error during brew installation or during other operations involving /usr/local, /usr/lib or paths directly under /usr. The error is caused by a new security feature called System Integrity Protection (SIP), which limits what the ‘root’ account can do at the kernel level (all kernel extensions must be signed).

System Integrity Protection, also known as “rootless”, has been designed primarily to help prevent malicious software from modifying protected files and folders on your Mac. As part of this change, the “repair disk permissions” option in Disk Utility has been removed to ensure file permissions stay intact. To learn more about System Integrity Protection, please check out this Stack Overflow answer.

How to check if System Integrity Protection is enabled or not?

System Integrity Protection Configuration

Run the following command in Terminal,

csrutil status

or list the file flags on the protected directories,

ls -lO /System /usr

and look for the restricted flag in the output, which indicates whether SIP is enforced or not.

Check OS X System Integrity Protection Status

How to disable System Integrity Protection or rootless?

Solution 1:

Reboot the Mac with the rootless feature disabled through a boot argument, then do whatever you want to.

sudo nvram boot-args="rootless=0"; sudo reboot

Solution 2:

Disable SIP permanently and reboot the Mac. The following are the steps,

Disabling during launch using recovery system

  • Restart your Mac
  • At startup, hold Command + R until the Apple logo appears on your screen to get into recovery mode
  • Click Utilities -> Terminal
  • In the terminal, type csrutil disable and press Enter
  • Restart your Mac

Disabling from the terminal

  • Click Utilities -> Terminal
  • In the terminal, type csrutil disable; reboot and press Enter

Solution 3:

Warning: This is for power users.

You can also enable and disable individual SIP protections selectively by using flags, but this can only be done from the Recovery system at launch.

Some example commands are,

1. Enable SIP and allow unsigned kernel extensions

csrutil enable --without kext

2. Enable SIP and disable filesystem protections

csrutil enable --without fs

3. Enable SIP and disable debug

csrutil enable --without debug

4. Enable SIP and disable Dtrace

csrutil enable --without dtrace

5. Enable SIP and disable nvram

csrutil enable --without nvram

Please take a look at the System Integrity Protection Guide for more information.

Once you have disabled SIP, you can check its status by running the following command,

csrutil status
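
The following audit helper is an added example, not part of the original post: it parses the text printed by csrutil status and reports which protections have been switched off, for instance after one of the --without flags from Solution 3. The names sip_audit and sample_custom and the exit codes are assumptions, and the sample text is constructed, modelled on csrutil's custom-configuration output.

```shell
#!/bin/sh
# Added example: classify the text printed by `csrutil status`.
# Exit codes: 0 fully enabled, 1 enabled with protections removed,
#             2 disabled, 3 unrecognised output.
sip_audit() {
    awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /status: disabled/)      state = "disabled"
            else if ($0 ~ /status: enabled/)  state = "enabled"
            if ($0 ~ /Custom Configuration/)  custom = 1
            next
        }
        # Per-protection lines: "<tab>Kext Signing: disabled"
        /^[ \t]+[A-Za-z ]+: (enabled|disabled)/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, ": ")
            # Assumption: "Apple Internal" is normally disabled and is
            # not one of the protections, so it is not reported.
            if (kv[1] != "Apple Internal" && kv[2] ~ /^disabled/)
                weak = weak (weak ? ", " : "") kv[1]
        }
        END {
            if (state == "")         { print "UNKNOWN: no SIP status line"; exit 3 }
            if (state == "disabled") { print "FAIL: SIP disabled"; exit 2 }
            if (weak != "")          { print "WARN: SIP enabled without: " weak; exit 1 }
            if (custom)              { print "WARN: SIP custom configuration"; exit 1 }
            print "OK: SIP fully enabled"
        }'
}

# Constructed sample, modelled on the output after
# `csrutil enable --without kext` (not captured from a real machine).
sample_custom() {
    printf '%s\n' 'System Integrity Protection status: enabled (Custom Configuration).' ''
    printf '%s\n' 'Configuration:'
    printf '\t%s\n' 'Apple Internal: disabled' 'Kext Signing: disabled' \
        'Filesystem Protections: enabled' 'Debugging Restrictions: enabled' \
        'DTrace Restrictions: enabled' 'NVRAM Protections: enabled'
}

# On a Mac: csrutil status | sip_audit
sample_custom | sip_audit || echo "sip_audit exit code: $?"
```

Because the exit code is non-zero for anything other than a fully enabled SIP, the function can be dropped into a compliance check that flags machines left in a weakened state.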

PS: If you have stored any files (secret stuff) in one of the protected directories, you can find them moved to the following directory,

/Library/SystemMigration/History/Migration-(UUID)/QuarantineRoot/
