270

I am trying to move something to /usr/bin on OS X El Capitan. I have disabled rootless using the following commands: sudo nvram boot-args="rootless=0"; sudo reboot, but I keep getting the same error:

MacBook-Air:~ Mark$ sudo cp class-dump /usr/bin
Password:
cp: /usr/bin/class-dump: Operation not permitted
MacBook-Air:~ Mark$ sudo mv class-dump /usr/bin
mv: rename class-dump to /usr/bin/class-dump: Operation not permitted
  • 18
    Why are you trying to put class-dump in /usr/bin? Local additions belong in /usr/local/bin, and rootless allows you to put things there... Sep 19, 2015 at 5:01
  • 2
    Just make an alias in ~/.bash_profile and don't frack with /usr/bin Mar 2, 2016 at 1:35
  • 6
    class-dump is directly used for programming (reverse engineering tool - directly for programming), so the reason of closing doesn't sound valid. Besides, 28 stars, almost 40 question upvotes and 90 answer upvotes means the question is useful.
    – Nat
     Apr 22, 2016 at 10:01
  • reverse engineering because it is used for getting a list of classes? Aug 26, 2016 at 15:15
  • Related: apple.stackexchange.com/questions/339862/…  Apr 24, 2019 at 6:09

5 Answers

382

Nvm. For anyone else having this problem you need to reboot your Mac and press ⌘+R when booting up. Then go into Utilities > Terminal and type the following commands:

csrutil disable
reboot 

This is a result of System Integrity Protection. More info here.

EDIT

If you know what you are doing and are used to running Linux, you should use the above solution as many of the SIP restrictions are a complete pain in the ass.

However, if you are a tinkerer/noob/"poweruser" and don't know what you are doing, this can be very dangerous and you are better off using the answer below.

  • 3
    @Chris, You'll need to reboot with CMD+R again, open the terminal and run csrutil enable; reboot. The command does not work in the normal mode unfortunately.  Jan 27, 2016 at 20:47
  • 8
    @AlexanderKachkaev Yep, that's what I did. I just wanted to point out that everybody should enable it again after performing the changes! Otherwise the system integrity protection is permanently disabled which can lead to serious problems.
    – Chris
     Jan 28, 2016 at 13:02
  • 9
    It will only lead to serious problems if you remove/modify something you shouldn't be removing/modifying. In other words, if you know what you're doing, it is perfectly safe to leave it disabled.
    – Clintm
     Jan 28, 2016 at 14:57
  • 4
    @Chris it doesn't make sense to handcuff yourself to your office chair to avoid being hit by a car... in other words... if you know to look both ways before you cross the street... it's perfectly safe not to handcuff yourself to a chair 
    – Clintm
     Jun 21, 2016 at 17:56
  • 3
    csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.  Oct 1, 2018 at 17:05
321

Correct solution is to copy or install to /usr/local/bin not /usr/bin. This is due to System Integrity Protection (SIP). SIP makes /usr/bin read-only but leaves /usr/local as read-write.

SIP should not be disabled as stated in the answer above because it adds another layer of protection against malware gaining root access. Here is a complete explanation of what SIP does and why it is useful.

As suggested in this answer one should not disable SIP (rootless mode) "It is not recommended to disable rootless mode! The best practice is to install custom stuff to "/usr/local" only."

  • 1
    This didn't quite do the trick for me - I had some luck aliasing (for instance, in my case) java to /usr/local/bin/java in my bashrc aliases, after I made the appropriate link in that folder as this answer suggests.  Feb 15, 2017 at 21:59
  • So, does this leave no way to rm anything in /usr/bin/? I understand SIP has its purpose, but want to remove one specific executable.  Feb 16, 2018 at 1:11
  • 1
    I do have /usr/local/bin in my path and openssl 1.0.2n is correctly symlinked to /usr/local/bin/openssl but every time I do which openssl it still shows the /usr/bin/openssl which is the older OpenSSL 0.9.8zh 14 Jan 2016 version. How do I get my system to prefer the /usr/local/bin/openssl one over the other one?  Mar 8, 2018 at 4:45
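
Added example, not part of the original thread: installing a tool under /usr/local/bin as this answer recommends, plus the PATH-order check raised in the last comment. install_local and path_winner are hypothetical helper names, and the prefix defaults to /usr/local.

```shell
#!/bin/sh
# Added example, not from the thread. install_local and path_winner are
# hypothetical helper names; the prefix defaults to /usr/local.

# Print whichever of two directories appears first in a PATH-style string.
path_winner() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}      # next PATH entry
        _rest=${_rest#*:}      # remainder after that entry
        if [ "$_dir" = "$2" ] || [ "$_dir" = "$3" ]; then
            printf '%s\n' "$_dir"
            return 0
        fi
    done
    return 1                   # neither directory is on the PATH
}

# Copy an executable into PREFIX/bin (mode 755) and warn when /usr/bin
# precedes that directory on PATH, since a same-named system binary would
# then still be the one that runs.
install_local() {
    _src=$1
    _prefix=${2:-/usr/local}
    if [ ! -f "$_src" ]; then
        echo "install_local: no such file: $_src" >&2
        return 1
    fi
    mkdir -p "$_prefix/bin" || return 1
    # Run under sudo if PREFIX/bin is not writable by your user.
    install -m 755 "$_src" "$_prefix/bin/" || return 1
    _winner=$(path_winner "$PATH" "$_prefix/bin" /usr/bin) || _winner=
    if [ "$_winner" != "$_prefix/bin" ]; then
        echo "warning: $_prefix/bin does not precede /usr/bin on PATH" >&2
    fi
    return 0
}

# Usage: install_local ./class-dump
```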
15

If you want to take control of /usr/bin/

You will need to reboot your system:

Right after the boot sound, hold down Command-R to boot into the Recovery System

Click the Utilities menu and select Terminal

Type csrutil disable and press return

Click the Apple menu and select Restart

Once you have committed your changes, make sure to re-enable SIP! It does a lot to protect your system. (Same steps as above except type: csrutil enable)

2

Most probable reason is the system integrity protection (SIP) - csrutil is the command line utility. You need to disable it to view the directory.

  • To view your status you need to:

csrutil status

  • To disable it (which is usually a bad idea):

csrutil disable

(then you will probably need to reboot).

To enable it (which should be turned back on when you are done):

csrutil enable
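
Added example, not part of the original thread: a check that fails closed unless the csrutil status line reports SIP as enabled, for confirming it was switched back on after a change. sip_state and sip_audit are hypothetical helper names, and the sample string in the usage comment is constructed to match the status line csrutil prints.

```shell
#!/bin/sh
# Added example, not from the thread. sip_state and sip_audit are
# hypothetical helper names.

# Classify the text printed by `csrutil status`.
sip_state() {
    case $1 in
        *"System Integrity Protection status: enabled."*)  echo enabled ;;
        *"System Integrity Protection status: disabled."*) echo disabled ;;
        *) echo unknown ;;   # anything else, including hosts without csrutil
    esac
}

# Exit status: 0 = enabled, 1 = disabled, 2 = could not tell.
# With no argument the live `csrutil status` output is used; pass a string
# to classify captured output instead.
sip_audit() {
    if [ $# -gt 0 ]; then
        _out=$1
    elif command -v csrutil >/dev/null 2>&1; then
        _out=$(csrutil status 2>&1) || true
    else
        _out=
    fi
    case $(sip_state "$_out") in
        enabled)
            echo "SIP is enabled"
            return 0 ;;
        disabled)
            echo "SIP is DISABLED: boot to Recovery and run 'csrutil enable'" >&2
            return 1 ;;
        *)
            echo "SIP state could not be determined" >&2
            return 2 ;;
    esac
}

# Usage (constructed sample line):
#   sip_audit 'System Integrity Protection status: disabled.'   # returns 1
```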

0

You just need to allow Terminal app to perform such modifications.

I've tried the following and it worked like a charm: Pull down the Apple menu and choose ‘System Preferences’

Choose “Security & Privacy” control panel

Now select the “Privacy” tab, then from the left-side menu select “Full Disk Access”

Click the lock icon in the lower left corner of the preference panel and authenticate with an admin level login

Now click the [+] plus button to add Terminal application with full disk access (App to fetch from Application folder).

  • 2
    This doesn't work for /usr/bin, just tried it myself. 
    – dragonx
     Jul 7, 2022 at 15:47
  • /usr/local/bin works for me  Dec 9, 2022 at 3:29
  • When answering a question, you should consider the actual directory, not the fact that you are getting the same error with a different directory. While 'Full Disk Access' does work for some directories, e.g. ".Trash", for others (like /usr/bin, the actual directory) you need to disable System Integrity Protection. So please, before you answer, read along the fine print.  Mar 9 at 0:51



Source: https://stackoverflow.com/questions/32659348/operation-not-permitted-when-on-root-el-capitan-rootless-disabled