
Mojave rsync full disk access failure

Just upgraded to Mojave and now my cron-initiated backup scripts (running as root) which call rsync are failing on many files which I assume are protected by the new full disk access (FDA) restrictions:


rsync: opendir "/Users/uname/Library/Messages" failed: Operation not permitted (1)

...


When I run the same scripts manually from Terminal, to which I have granted FDA rights via System Preferences, all works fine, but I need cron control. Seems like my options are (i) manually exclude all offending files from the rsync dump via rsync's --exclude options (I can live with this for now although it doesn't give me a full backup), or (ii) grant FDA to rsync (or cron) directly.


Option #1 looks to be incredibly tedious as there are now many FDA-restricted files in ~uname/Library and I am sure the list will only get bigger with each macOS update, so I'd like to grant rsync FDA permission. How do I do this? It appears that SysPref will only allow FDA additions via its Finder-ish chooser dialog UI, to which the /usr/bin/rsync binary is invisible. Is there a command-line solution to granting FDA to arbitrary binaries which can't be selected via the SysPref UI? I suppose I could try to unhide both /usr and /usr/bin but that seems a bit overkill. Or maybe add a symlink to /usr/bin/rsync from Applications, but I could see that perhaps not working properly?


Also, how can you tell which files are restricted by FDA? I can see no special ACLs or access flags set on any of the restricted files, e.g., ~uname/Library/Messages. I also do not see these files listed in /System/Library/Sandbox/rootless.conf.


Finally, this is a multi-user system, so is it necessary for each user to grant FDA to rsync, however that might be accomplished? Or is it sufficient to do this from just one admin-class user? As noted above cron (and thus rsync) are actually being run as root as it needs access to files of all users, so is that a problem with respect to granting FDA?


And, double-finally, I assume that completely disabling SIP would fix this? I would really prefer not to go that route but if Apple continues to make things more and more difficult in this regard I will see that as an increasingly attractive option.


Thanks!


PS: Thanks in advance for all possible launchd vs. cron exhortations, but unless the use of launchd can fix this particular problem I am not interested in converting at the moment.

Posted on Feb 14, 2019 11:54 AM

Question marked as Best reply

Posted on Mar 11, 2019 1:46 PM

Hi,


I stumbled across the same error and found your post. I was able to provide FDA to rsync by opening the folder from within Terminal (e.g. "open /usr/bin/" or "open /usr/local/bin/") and dragging the rsync executable onto the FDA list (in Sys Pref). This made my backup script complete successfully.


I have no idea how to find out if a file is restricted or not. But your FDA-exception is probably system-wide, as the Sys Pref dialog says "Allow the apps below ... for all users on this Mac." This makes sense, as you have to authenticate as an administrator (in Sys Pref) before you can add an application.


Best
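
For the exclude-list route from the question (option i), the list can be generated from rsync's own error output instead of maintained by hand. The following is an added example, not code from either poster: it collects the paths that failed with "Operation not permitted (1)" and emits patterns for rsync's --exclude-from. The function names, the sample log lines other than the first, and the trailing-slash source `/Users/` are assumptions; treating errno 1 as the marker of an FDA-protected path is a heuristic.

```shell
#!/bin/sh
# Constructed sample of rsync stderr. Only the first path appears in the post;
# the other lines are made up for illustration.
sample_rsync_log() {
cat <<'EOF'
rsync: opendir "/Users/uname/Library/Messages" failed: Operation not permitted (1)
rsync: send_files failed to open "/Users/uname/Library/Safari/History.db": Operation not permitted (1)
rsync: opendir "/Users/uname/Library/Messages" failed: Operation not permitted (1)
rsync: opendir "/Users/other/private" failed: Permission denied (13)
rsync error: some files could not be transferred (code 23)
EOF
}

# Read rsync stderr on stdin; print each path that failed with errno 1
# (EPERM, "Operation not permitted"), once. Errno 13 (EACCES) lines are
# ordinary permission failures and are skipped.
denied_paths() {
    sed -n 's/^rsync: [^"]*"\(.*\)"[^"]*: Operation not permitted (1)$/\1/p' |
        LC_ALL=C sort -u
}

# Turn those paths into anchored patterns for rsync --exclude-from.
# $1 is the source directory as given to rsync WITH a trailing slash
# (assumption: "rsync -a /Users/ DEST"), so patterns are relative to it.
# Paths containing rsync wildcard characters (* ? [) are not escaped.
exclude_rules() {
    root=${1%/}
    denied_paths | while IFS= read -r p; do
        case $p in
            "$root"/*)
                rel=${p#"$root"/}
                printf '/%s\n' "$rel"
                ;;
        esac
    done
}

# Demo on the constructed sample: prints one pattern per denied path.
sample_rsync_log | exclude_rules /Users/
```

Redirect the output to a file and pass it with --exclude-from; every path listed there is missing from the backup, so the file doubles as a record of what the cron job could not read.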
