Starting with El Capitan (OS X 10.11), Apple started using System Integrity Protection (SIP) in macOS, so that certain directories would be not writable, even by root. Here’s a quick reference for a couple of commands you can use to see if a directory or file is SIP-protected, as that may change from macOS version to macOS version.
Method 1
ls -lO
(that’s a lowercase L, followed by a capital o, not the number 0), and look for restricted.
Example: ls -lO /Library/Updates/
total 2224
-rw-r--r--@ 1 root wheel restricted 181 Jul 29 10:22 PPDVersions.plist
-rw-r--r--@ 1 root wheel restricted 1130219 Jul 29 10:22 ProductMetadata.plist
-rw-r--r-- 1 root wheel restricted 260 Jul 29 10:17 index.plist
Method 2
xattr -l
(that’s a lowercase L) and then the name of the directory. Look for com.apple.rootless
Example: xattr -l /Library/Updates/
com.apple.rootless: SoftwareUpdate
Special thanks to @revolize and @Magneto on the MacAdmins Slack!
Leave a Reply