Our thinking


Unable to add, modify, or delete items from the System Keychain on macOS – UNIX[Operation not permitted]

I was setting up a new user on a laptop recently and every time I rebooted the machine, I had to re-enter the wifi password. Aside from being really irritating, there was clearly something wrong.

The Mac was running macOS High Sierra, or possibly Mojave – and Keychain Access had long since removed Keychain First Aid. I tried a few other things, and then in desperation, I tried to delete the System.keychain from /Library/Keychains.

Even as root, I was unable to delete, rename, or do anything at all with the System keychain. I couldn’t use Keychain Access to create, modify or delete items in the Keychain and I couldn’t rename or delete the System.keychain file.

As it turns out, somehow the System.keychain file ended up with the restricted flag on it. This file flag was introduced with SIP and while one way of removing it would be to disable SIP altogether, there is an easier way – although it still involves booting into Recovery mode. While there are other aspects of SIP that you can’t even modify when booted into Recovery mode, the restricted flag only protects files and folders on the currently booted partition.

Reboot the Mac, and before you see the Apple logo appear, hold down ⌘+R to enter Recovery mode.

Once you’re in the Recovery system, go to Utilities > Terminal

Then type in (assuming your hard disk is called Macintosh HD)

cd /Volumes/Macintosh\ HD/Library/Keychains/
ls -aOl

(that’s ell, ess, space, hyphen, ay, capital Oh, lower-case ell)

On my, currently functioning, system I see the following

[[email protected] /Library/Keychains]$ ls -aOl
 total 1296
 drwxr-xr-x   9 root  wheel  -         288 15 Aug 15:40 .
 drwxr-xr-x+ 65 root  wheel  sunlnk   2080 12 Jun 17:02 ..
 [email protected]  1 root  wheel  -           0 21 Nov  2018 .fl043D1EDD
 -r--r--r--   1 root  wheel  -           0  4 Nov  2018 .fl947E1BDB
 drwxr-xr-x   3 root  wheel  -          96 19 Aug 11:42 SupplementalsAssets
 -rw-r--r--   1 root  wheel  -      483432 15 Aug 15:40 System.keychain
 [email protected]  1 root  wheel  -       38728 27 Jun 10:49 apsd.keychain
 drwxr-xr-x   6 root  wheel  -         192 19 Aug 13:55 crls
 -rw-r--r--   1 root  wheel  -       81920 10 Apr 16:39 pinningrules.sqlite3

That’s pretty much how it should look. On the broken system I was working with, the System.keychain file was showing up as restricted, like so:

 -rw-r--r--   1 root  wheel  restricted 483432 15 Aug 15:40 System.keychain

From there it was simple to change the flags to remove the restricted flag:

chflags norestricted System.keychain

After this, run a quick ls again to check the flag has been removed (you’ll see a hyphen in the column for flags) and then reboot.

You haven’t had to disable SIP, so you don’t need to remember to re-enable it. After you’ve rebooted, you can then use the System keychain as normal, including saving your wifi credentials to it.

Leave a Reply