Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Question:

Question: Mojave rsync full disk access failure

Just upgraded to Mojave and now my cron-initiated backup scripts (running as root) which call rsync are failing on many files which I assume are protected by the new full disk access (FDA) restrictions:


rsync: opendir "/Users/uname/Library/Messages" failed: Operation not permitted (1)

...


When I run the same scripts manually from Terminal, to which I have granted FDA rights via System Preferences, all works fine, but I need cron control. Seems like my options are (i) manually exclude all offending files from the rsync dump via rsync's --exclude options (I can live with this for now although it doesn't give me a full backup), or (ii) grant FDA to rsync (or cron) directly.


Option #1 looks to be incredibly tedious as there are now many FDA-restricted files in ~uname/Library and I am sure the list will only get bigger with each macOS update, so I'd like to grant rsync FDA permission. How do I do this? It appears that SysPref will only allow FDA additions via its Finder-ish chooser dialog UI, to which the /usr/bin/rsync binary is invisible. Is there a command-line solution to granting FDA to arbitrary binaries which can't be selected via the SysPref UI? I suppose I could try to unhide both /usr and /usr/bin but that seems a bit overkill. Or maybe add a symlink to /usr/bin/rsync from Applications, but I could see that perhaps not working properly?


Also, how can you tell which files are restricted by FDA? I can see no special ACLs or access flags set on any of the restricted files, e.g., ~uname/Library/Messages. I also do not see these files listed in /System/Library/Sandbox/rootless.conf.


Finally, this is a multi-user system, so is it necessary for each user to grant FDA to rsync, however that might be accomplished? Or is it sufficient to do this from just one admin-class user? As noted above cron (and thus rsync) are actually being run as root as it needs access to files of all users, so is that a problem with respect to granting FDA?


And, double-finally, I assume that completely disabling SIP would fix this? I would really prefer not to go that route but if Apple continues to make things more and more difficult in this regard I will see that as an increasingly attractive option.


Thanks!


PS: Thanks in advance for all possible launchd vs. cron exhortations, but unless the use of launchd can fix this particular problem I am not interested in converting at the moment.

Posted on Feb 14, 2019 11:54 AM

Reply

Mar 11, 2019 1:46 PM in response to RogerDavis In response to RogerDavis

Hi,


I stumbled across the same error and found your post. I was able to provide FDA to rsync by opening the folder from within Terminal (e.g. "open /usr/bin/" or "open /usr/local/bin/") and dragging the rsync executable onto the FDA list (in Sys Pref). This made my backup script complete successfully.


I have no idea how to find out if a file is restricted or not. But your FDA-exception is probably system-wide, as the Sys Pref dialog says "Allow the apps below ... for all users on this Mac." This makes sense, as you have to authenticate as an administrator (in Sys Pref) before you can add an application.


Best

Mar 11, 2019 1:46 PM

Reply Helpful (2)

Mar 11, 2019 2:18 PM in response to Bieling In response to Bieling

Thanks a lot for that tip, Bieling!


I have been using a tediously constructed manual --exclude list in my rsync script until now. I have used your hints to successfully add rsync to my FDA list in System Preferences, and have removed the manual exclusions from my script -- we'll see what happens when it runs tonight.

Mar 11, 2019 2:18 PM

Reply Helpful

Mar 13, 2019 3:37 PM in response to Bieling In response to Bieling

Hi Bieling,


Unfortunately this has not worked for me. My backup script calling rsync and run via cron still has disk access problems. despite the successful addition of the rsync executable in /usr/bin to the SysPrefs FDA list. Back to the manual exclusion list, I guess.

Mar 13, 2019 3:37 PM

Reply Helpful
User profile for user: RogerDavis

Question: Mojave rsync full disk access failure