ditto: “Operation not permitted” from SIP protected locations on El Capitan

Standard
Terminal

When trying to bring 10.11 support to AutoCasperNBI & AutoImagrNBI I stumbled across an odd issue.

On the flight to JNUC2015 I loaded up my 10.11 GM VM & figured it out.

Incredulous, I double checked this with James Ridsdale, Darren Wallace & David Acland. All of whom were located near me on the flight & all had their various MacBooks out running Keynote, Terminal &/or were running VM’s (spot the IT Crowd).

Below is what I found, steps to reproduce & a link to the bug on Open Radar.

The Issue

The below is the function within AutoCasperNBI that was falling:

After much head starching & pulling apart, I found that this was the line where the issue was:

 do shell script "/usr/bin/ditto " & quoted form of netBootDmgMountPath & "/System/Library/CoreServices/boot.efi " & quoted form of netBootDirectory & "/i386/booter" user name adminUserName password adminUsersPassword with administrator privileges

Huh? That’s the issue?

Yep, pretty much my response. By trying similar commands to ditto a file from a SIP protected location I found that whilst the ditto did copy the file, it would error.

Thinking this maybe due to Extended Attributes I tried some flags to disable dittoing them, then ACL’s, then for kicks both. Still same error, (click the below to open in a new window if needed):

Screenshot 2015-11-06 22.00.11

Solution

Well, the use of ditto was not needed in some places in AutoCasper & AutoImagrNBI. So I replaced them with cp, which worked fine.

I’ve opened a bug with Apple, & have posted to Open Radar: here.

Apple have responded asking for some more testing, & I’ll update this post when I have more information.

I’ve posted this in the hope to save some fellow admins some sanity.

Update

My bug has been closed as a duplicate of another issue (21716129). 🙁

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.