TimeMachine problem after upgrade to Mojave

Use the Privacy tab

in the Security and Privacy preference pane to add Terminal to the

list of applications which can access Application Data.

Did you do this? Mojave introduced more restrictive rules for applications, so you need to add your terminal app to the "Full Disk Access" section of the Security and Privacy preferences.

Based on my tests applying this setting *only* makes sense if you're the sole user of the box. If you have multiple users on a macbook, even the non-admin accounts will now be granted that same level of privilege.

This "solution" actually makes security on a shared system weaker.

Don't know why I didn't think of this right away, but the simplest solution that doesn't require weakening system security is to just open a terminal and ssh to the localhost. Since you've used the network to jump out of the Terminal's SIP context you can now execute those commands as needed.

That said, Apple: it's idiotic to think that security can be built on trusting applications, it needs to be an intersection of trust of an application *and* the user. Unless SIP takes this into account it's a pointless "feature" that's only effective/practical for very trivial apps or single user systems.

You built OS X on UNIX, don't be so quick to jettison what's baked into the foundation.

Your right, i diddnt think of that after being prompted to do so by Onyx.

I was pulling whats left of my hair out trying to figure out why, and spent hours trying to change the permissions on the volume.

Probably should have posted here ages ago :-/

Very true, but as far as Terminal application, this app permission seems to be applied on top of file permission, meaning even after Terminal is granted "Full Disk Access", the user/group/others permission still applies (so AND not OR) which is what you meant by "intersection", no?

My personal gripe with this "feature" is that it's not clearly defined what "Full Disk Access" means ("data like ..." is not precise language) and what applications *should* be reasonably given the access. One example is that Time Machine obviously has full disk access by default as it's designed to back up and restore the whole multi-user system. However, in the Timer Machine System Preferences, the exclusion items picker can no longer go into some of the "privacy" directories such as "~/Library/Application Support/MobileSync/Backup", which I personally exclude due to the huge sizes of today's iDevices. I had to add "System Preferences" explicitly to "Full Disk Access" to be able to do that now, which strikes me as convoluted and incongruent. I suppose one can argue that TM's full disk access is more "hidden" than a picker window which could potentially be hacked to gain access to private data, but this line is fairly weak and arbitrary. At the very least, granting full access should be an option on the picker window itself (like show hidden files) to make it more obvious. In my opinion, Time Machine System Preferences should simply be subject to an admin password authentication and then grant access to the full file system including hidden files and even other user's directory (to avoid the hassle of login into multiple user accounts to add TM exclusions).

Ive actually noticed something else that doesn't actually make sense after you add Terminal into 'Full Disk Access'

It doesn't actually work all the time...

If i immediately try to access the volume just after a TM backup starts, i still get access denied. I have to wait a few minutes into the 'Preparing backup' phase. Note, that the 'Time Machine Backups' Volume is there, its as soon as i try to get into Backups.backupdb i get denied, possibly its locking it from any access until file transfer takes place.

For anyone else in the future, here is the correct place.

Just to second brettprof's comments and I just verified that their suggestion works as described.