Fixing backups in macOS Mojave/Catalina (Error: Operation not permitted)

Hello everyone,

I’ve been using restic for 2-3 years so far, but lately I found out that macOS is blocking it from accessing certain directories on my Mac. The issue is this one: https://github.com/restic/restic/issues/2051

I’ve been postponing solving the problem for some time because I’m not super familiar with the way Macs work (I switched recently after years and years of Linux). However now I MUST fix it because my backups are broken and a lot of important stuff is not being backed up.

Does anybody know an easy way to allow restic to access sensitive directories? I saw some suggestions in the linked issue above, but none of them is that clear to me on how to implement it on my Mac. I’m quite worried I might lose important documents.

To give some context, I followed the documentation on the main website and I have a crontab like this:

42 * * * * source /Users/gio/.restic/restic-env; /usr/local/bin/restic backup -q --exclude-file /Users/gio/.restic/exclude.txt /Users/gio; 
10 15 */5 * * source /Users/gio/.restic/restic-env; /usr/local/bin/restic forget -q --prune --keep-hourly 48 --keep-daily 30 --keep-monthly 12

I think the context of your question is a bit vague. Are you having a problem with your backups? If yes, which of the proposed solutions in the issue you referred to have you tried?

Restic will output a warning about files that it cannot read, so if you run your backup and don’t get any warnings about files/folders not being read, it should be fine.

Are you certain you need to back up the folders it’s denying access to?

The easy way is to avoid protected directories.

macOS is, roughly, putting an extra permission layer between apps/scripts and some kinds of sensitive user/system data. The goal is generally to notify you that a particular application is trying to access a type of data, and obtain affirmative consent for each app that wants access. I think it’s fair-ish to frame this as baby steps towards a more mobile-OS-like permission system, where you’d get prompted if an app wanted to access your photos directory, and then again if it wanted to access your contacts. But it also has rough edges (like cases where the user isn’t automatically prompted to give consent, and you have to go fishing).

If your goal is just backing up important user files, I’d dig into these and make sure you actually need what’s in them–and, if you do, that you know exactly which ones. (I don’t mean this to be dismissive; I don’t have a direct answer to the question myself, because my backups target directories where I store personal files and I haven’t needed to exempt restic from any of the security & privacy restrictions.)

The problem is that macOS requires programs to get explicit permission from the user to access certain directories. And command line programs cannot ask for such permissions; they must somehow be wrapped as applications.
The issue I linked is very long and still ongoing. I saw quite a few ideas being proposed, but they all seem to be quite “hacky”, so I was wondering if there was some official solution.

I know, but the approach I’m using is “back up the whole home directory except a few subdirectories”.
That way I was sure that if I created some new subdirectories I didn’t have to explicitly add them to the “to-backup” list every time.
I seem to understand, though, that there is no official solution yet. That’s a bit of a pity; I thought I could solve this more easily.

There have been plenty of solutions suggested in the GitHub thread. Personally I use Platypus to wrap my backup script in a .app and then give that .app Full Disk Access. With this I haven’t had any problems, but I am not sure that I have tried it on Catalina yet.

Hello there,

I have the same issue.
Following advice, I wrapped my backup script with Platypus, and it’s launched using a LaunchDaemons plist.
The backup works well, but I get errors reading protected files for users (Library, Mail & co).
The app created has Full Disk Access.
The user running the script is root (I have to dig into this a little bit, because apparently it’s not the real “root”) and I back up all of /Users.
@rawtaz: you seem to have a solution. Are you running as root, or just as a specific user?

I’m only backing up /Users/<username>, with a bunch of exclusions. But I don’t see why the .app, given full disk access rights, shouldn’t be able to access whatever the user has access to. That probably won’t be the entire system files though, of course.

I think it’s related to the user issuing the command.
How are you launching your backup script? Which user? Which method?
So far, I’ve been trying launchd Daemons as root.
I’m currently testing running it as a launchd Agent on a per-user basis.

Interesting fact: when I initiate the script of the .app using our MDM (Mosyle), it bypasses everything and there is no error.
I’m not an expert on macOS security, but it seems that there are different privileges assigned when using root or using MDM.
Will continue investigating.
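As an added example (not from this thread, nor from restic or Platypus), here is a small POSIX shell wrapper that ties the two approaches above together: before running `restic backup` it tries to list the TCC-protected folders under the home directory, so an “Operation not permitted” shows up as a clear message about the launching program (cron, a Platypus .app, a launchd daemon or agent) rather than as per-file warnings buried in the backup output. It can also print a per-user LaunchAgent plist for itself, which is the “launchd Agent on a per-user basis” setup the previous post is testing. Assumptions not stated on the page: `restic-env` exports the repository variables restic needs, the exclude file and restic path are the ones from the crontab in the first post, and the list of protected folders is a constructed sample.

```shell
#!/bin/sh
# Added example, not the thread's or restic's own code.
# Usage:  sh restic-wrapper.sh run          # probe, then back up $HOME
#         sh restic-wrapper.sh plist [label] [hour] [minute] > ~/Library/LaunchAgents/<label>.plist
# Assumed paths (taken from the crontab in the first post; adjust to taste):
RESTIC_ENV="${RESTIC_ENV:-$HOME/.restic/restic-env}"
EXCLUDE_FILE="${EXCLUDE_FILE:-$HOME/.restic/exclude.txt}"
RESTIC_BIN="${RESTIC_BIN:-/usr/local/bin/restic}"

# Constructed sample of folders that macOS (Mojave and later) guards with TCC.
# One path per line so "Application Support" survives word splitting.
PROTECTED_DIRS="$HOME/Library/Mail
$HOME/Library/Messages
$HOME/Library/Safari
$HOME/Library/Cookies
$HOME/Library/Application Support/AddressBook"

# probe_dir DIR -> prints "ok", "denied" or "missing".
# On macOS a TCC denial makes `ls` fail with "Operation not permitted".
probe_dir() {
    if [ ! -d "$1" ]; then
        echo missing
    elif ls "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo denied
    fi
}

# check_protected -> lists each protected dir with its status, sets
# DENIED_COUNT, and returns non-zero if any existing dir is unreadable.
check_protected() {
    DENIED_COUNT=0
    old_ifs=$IFS
    IFS='
'
    for d in $PROTECTED_DIRS; do
        case "$(probe_dir "$d")" in
            denied)  echo "DENIED  $d"; DENIED_COUNT=$((DENIED_COUNT + 1)) ;;
            ok)      echo "ok      $d" ;;
            missing) ;;   # not present on this Mac, nothing to back up there
        esac
    done
    IFS=$old_ifs
    [ "$DENIED_COUNT" -eq 0 ]
}

# main -> refuse to run the backup when the launcher lacks Full Disk Access,
# otherwise load the restic environment and run the same backup as the crontab.
main() {
    echo "== TCC probe as user $(id -un), pid $$ =="
    if ! check_protected; then
        echo "$DENIED_COUNT protected folder(s) unreadable: the program that launched this"
        echo "script (cron, the .app wrapper, launchd) needs Full Disk Access in"
        echo "System Preferences > Security & Privacy > Privacy."
        exit 2
    fi
    # shellcheck disable=SC1090
    . "$RESTIC_ENV"
    exec "$RESTIC_BIN" backup -q --exclude-file "$EXCLUDE_FILE" "$HOME"
}

# write_agent_plist LABEL SCRIPT HOUR MINUTE -> prints a per-user LaunchAgent
# plist that runs "sh SCRIPT run" daily at HOUR:MINUTE.
write_agent_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key> <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$2</string>
        <string>run</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key> <integer>$3</integer>
        <key>Minute</key> <integer>$4</integer>
    </dict>
    <key>StandardOutPath</key> <string>/tmp/$1.log</string>
    <key>StandardErrorPath</key> <string>/tmp/$1.err</string>
</dict>
</plist>
EOF
}

case "${1:-}" in
    run)   main ;;
    plist) write_agent_plist "${2:-com.example.restic-backup}" \
               "$(cd "$(dirname -- "$0")" && pwd)/$(basename -- "$0")" \
               "${3:-3}" "${4:-15}" ;;
    *)     ;;   # no argument: only define the functions (sourced or under test)
esac
```

Install the agent with `launchctl load ~/Library/LaunchAgents/<label>.plist`, then check `/tmp/<label>.log`: if the probe reports DENIED lines, the thing to grant Full Disk Access to is whatever started the script, which is why the posters above wrap the script in a .app and grant the .app rather than restic itself.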