How Do We Get Access to Recovery Files on macOS

UNIX macOS
1

Here is the situation.

I have an external USB backup drive (Passport) which I have used for macOS time machine backups on a few machines.

Now, that old machine (where I made the backups) is toast; and I need to copy some files over from the backup disk created by time machine.

When I mount the disk, I see this (as the administrator), where you can see that this disk directory has no access except in recovery mode.

Screen Shot 2022-04-29 at 6.16.49 PM

I confirmed this by booting into recovery mode and yes, I can access and copy the files I want; but this is a pain.

FYI, on the machine where the filesystem volume is mounted:

$ csrutil status
System Integrity Protection status: disabled.

I tried changing the permission in the dialog box above, but the system prevents it.

So, I tried manually:

 root# pwd
/Volumes/WD_4TB/Backups.backupdb/CYBER-SA/Latest/Mojave - Data/Users/Tim

 root# ls -ld Documents
drwx------@ 26 recovery  staff  2210 Nov 28 13:09 Documents

root# whoami
root

root# chown root Documents
chown: Documents: Operation not permitted

So, I think I "get it"...... because the disk only permits the user "recovery" to access the directory, I thought, well....

su recovery

$whoami
recovery

$chown Tim Documents
chown: Documents: Operation not permitted

I did a lot of google'n but nothing was helping for this situation.

Anyone know how to get past this issue WITHOUT booting into recovery mode?

I just want access to the files :). I'm not asking for much and I am the admin and root guy but the system (macOS) does not see to like me, LOL. I have this same problem with Catalina Big Sur and now Monterey. If I book in recovery mode, I can have my way with her, whatever I desire :slight_smile: Otherwise, no happy and no joy.

Thanks.

2

Did you check the "Extended Attributes" that the "@" in ls output seems to indicate exist?

1 Like
3

Will give it a try. Thanks @RudiC

4

That was promising, but it did not work either:

 root# pwd
/Volumes/WD_4TB/Backups.backupdb/CYBER-SA/Latest/Mojave - Data/Users/Tim
root# xattr Documents
com.apple.macl
com.apple.metadata:_kTimeMachineNewestSnapshot
com.apple.metadata:_kTimeMachineOldestSnapshot
com.apple.timemachine.private.directorycompletiondate


root# xattr -d com.apple.timemachine.private.directorycompletiondate Documents
xattr: [Errno 1] Operation not permitted: 'Documents'

root# xattr -c Documents
xattr: [Errno 1] Operation not permitted: 'Documents'

root# whoami
root

root# ls -ld Documents
drwx------@ 26 recovery  staff  2210 Nov 28 13:09 Documents

root# su recovery

bash-3.2$ xattr -c Documents
xattr: [Errno 13] Permission denied: 'Documents'

bash-3.2$ csrutil status
System Integrity Protection status: disabled.

No joy in Mudville .....

5

What is

? An "access control list"?

6

yes, excellent observation, but according to the literature, this ACL is enabled and disabled via csrutil and it's is disabled:

root# csrutil status
System Integrity Protection status: disabled.

I found this interesting, but since System Integrity Protection is disabled, the point seems moot.

7

Something is hidden which I cannot find from searching the net. I have full permissions as "me" and SIP is disabled but "something else" has mysteriously blocked access, LOL

Screen Shot 2022-04-30 at 9.28.50 AM
Screen Shot 2022-04-30 at 9.28.50 AM270×780 80.3 KB

Apple makes security and privacy a top priority, but seems that when we turn off SIP and work as root, we should be able to modify these "recovery" files without booting into recovery mode, but I cannot do it (yet).

It's puzzling ...

OBTW, for those wondering, this problem persists (1) directly on the mac where the USD drive is mounted, or (2) doing screen-sharing (accessing on the same LAN segment) which I am currently doing. I have been working on this both ways with the same results for quite some time.

A month or so ago, I needed a document from this drive and the only way I could get it was to boot in recovery mode and copy the file and then reboot normally and access it.

8

See also:

root# ls -eld Documents
drwx------@ 26 recovery  staff  2210 Nov 28 13:09 Documents
 0: group:everyone deny add_file,delete,add_subdirectory,delete_child,writeattr,writeextattr,chown
 1: group:everyone deny delete

OK. I "solved" this problem by simply copying the entire Documents folder from the backup disk to the desktop (copy to a location completely off the recovery disk):

Screen Shot 2022-04-30 at 11.17.09 AM
Screen Shot 2022-04-30 at 11.17.09 AM1212×590 276 KB

Then after this copying operation:

Screen Shot 2022-04-30 at 11.22.18 AM
Screen Shot 2022-04-30 at 11.22.18 AM264×693 48.4 KB

and TADA.... we can also change the permission to also write to those copies:

Screen Shot 2022-04-30 at 11.24.07 AM
Screen Shot 2022-04-30 at 11.24.07 AM272×697 52.5 KB

This is awesome.

So, if anyone using a mac has a time machine backup disk (from a different computer) and wants to access some "private" data, you can copy the data to a location off the backup drive (like the desktop in my example), and then you can have your ways with all those files :slight_smile:

3 Likes
9

Note:

If anyone has a better way to solve this issue, I'm happy to try and report back.

FWIW, I tried a lot of other methods which I did not document in this topic, and the "copy from the recovery disk to a non-recovery disk" method was the only method which worked so far.