I'm on Big Sur, and I understand there have been some changes with permissions in macOS since Catalina. I don't understand, however, how it is possible that I cannot ls ~/Desktop when ls -l ~ shows drwx------+ for permissions and me as the owner. Could someone explain this?
Edit: to be clear, I am not asking how to access this directory, but how it is possible that I cannot, given how Unix permissions work.
5 Answers 5
[This answer is about how it is possible to get a permissions error accessing a file, when the file permissions allow access.]
Recent versions of macOS have additional security layers that are independent of the normal unix-style access permissions. They (mostly) regulate access based on the identity of the program, rather than the user ID the program is running as. The new layers are System Integrity Protection (SIP), which regulates access to the core of the operating system, and Transparency, Consent and Control (TCC), which regulates access to "personal" information (as well as things like the camera and microphone).
Access can be vetoed by either these layers or the standard unix layers. That is, if SIP and TCC allow something but the standard unix permissions forbid it, it's forbidden. And if the standard unix permissions allow something, but SIP or TCC forbids it (as in your example), it's also forbidden.
These new security layers are necessary because we can't trust our software. Even if you set aside malware, experience is showing that many "legitimate" developers would love to spy on their customers for valuable personal data that we'd really rather they not have. So just because I'm running some program doesn't mean that program should have access to everything I have access to (e.g. my emails and contacts, location, camera, etc...).
Testing on a clean install of macOS Big Sur, in Terminal when I executed ls ~/Desktop I was presented with this dialog box:
I clicked: OK
I then executed ls ~/Downloads and was presented with this dialog box:
I clicked: Don't Allow
Executing ls ~Downloads in Terminal again, it returned: ls: Downloads: operation not permitted
I then went to System Preferences > Security & Privacy > Privacy > Files and Folders and had the following:
As you can see what I said OK to is checked and what I said Don't Allow is unchecked.
So, check to see that System Preferences > Security & Privacy > Privacy > Files and Folders > Terminal > Desktop is checked.
Notes:
If you do not want to be prompted each time on protected folders, then add Terminal to: System Preferences > Security & Privacy > Privacy > Full Disk Access
In doing so, Files and Folders will show Terminal as having Full Disk Access instead of what's shown in the screenshot above.
If your uncheck Terminal in Full Disk Access, then whatever applications previously were under Files and Folders > Terminal will reappear with the same settings as last set.
-
1I always add Terminal.app to "Full Disk Access" as shown in the same screenshot. Otherwise you have to do this for multiple folders.TJ Luoma– TJ Luoma2021年08月11日 23:54:47 +00:00Commented Aug 11, 2021 at 23:54
-
@TJ Luoma, I had told the OP in a now deleted comment to do just that and have not edited it into my answer yet but to your comment that is probably why I did as mentioned to the comment to Gilby.user3439894– user34398942021年08月11日 23:57:40 +00:00Commented Aug 11, 2021 at 23:57
-
Have upvoted. I am sure that this s what is stopping @Danny.Gilby– Gilby2021年08月12日 04:37:40 +00:00Commented Aug 12, 2021 at 4:37
-
1Thanks for your response. I am aware of the solution of adding Terminal (and sshd-keychain-wrapper for ssh access) to Full Disk Access, but my question is actually more theoretical than practical. I am curious how it is possible on a Unix operating system that permission to access a directory should be denied to that directory's owner with that directory has rwx permissions.dannycbus– dannycbus2021年08月12日 17:42:32 +00:00Commented Aug 12, 2021 at 17:42
-
1@Danny Because xnu’s access control policy is implemented below the BSD layerpion– pion2021年08月12日 18:37:21 +00:00Commented Aug 12, 2021 at 18:37
Allowing Full Disk Access to Terminal and iTerm is the key answer here:
- Open System Preferences > Security & Privacy > Privacy > Full Disk Access
- Select the checkbox next to Terminal and iTerm
I got ls: Downloads: operation not permitted even though iTerm has "Full Disk Access" at
System Settings>Privacy & Security>Files and Folders>iTerm.
Quitting iTerm and opening a new instance did the trick for me.
-
I think Apple normally prompts you to restart an app after you give it full disk access.mmmmmm– mmmmmm2023年12月21日 21:10:18 +00:00Commented Dec 21, 2023 at 21:10
This is a sure shot that worked for me!
https://osxdaily.com/2018/10/09/fix-operation-not-permitted-terminal-error-macos/
-
1As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.2023年07月18日 20:55:59 +00:00Commented Jul 18, 2023 at 20:55
-
1Link only answers tend to get deleted. Could you post an edit to your answer with the relevant details here and utilize the link to source your info? As a rule of thumb, the answer should stand on its own. Oh, and Welcome to AD!Allan– Allan2023年07月18日 22:11:00 +00:00Commented Jul 18, 2023 at 22:11
-
Not only is it unclear, it does not answer the actual question.dannycbus– dannycbus2023年07月22日 20:51:08 +00:00Commented Jul 22, 2023 at 20:51
-
FYI: I'm going to flag this answer for deletion. (For context, I've been a triage moderator for a long time, but haven't used the deletion processes much, but I think this is a pretty clear example...) My basic reasoning is that the article is correct, but not unique, and the screen snapshots are very different than current (Ventura/Sonoma era
System Settings.app).benc– benc2023年11月08日 18:19:08 +00:00Commented Nov 8, 2023 at 18:19
ls -le ~? That will show the ACL. But @user3439894 comment may be what you need.ls -land (as you know)ls -lewould check that the permissions are as default.