Modifying the root filesystem, or System Volume, on Monterey and Ventura requires some additional steps, which come with some important caveats to consider.
First, FileVault must be disabled. FileVault options can be found in System Preferences > Security & Privacy > FileVault on Monterey, or System Settings > Privacy & Security > Security > FileVault on Ventura. When FileVault is disabled the drive isn't encrypted, so anyone with physical access to the device would have full access to the contents of the disk.
System Integrity Protection (SIP) must be disabled, as in previous versions, and starting with macOS 11 (Big Sur) SSV must also be disabled. SSV, or Signed System Volume, is a logical volume containing all macOS system components, isolated from other drive contents. With SSV enabled, cryptographic hashes are used at boot time to validate the contents of the System Volume at the byte level; any modifications are rejected. Disabling SSV effectively removes the operating system's tamper prevention mechanisms and thus introduces some additional risk that should be considered. Another consideration is that re-enabling SIP or SSV will revert all changes made to the System Volume. Operating system updates will also revert changes.
If the associated risks are acceptable, disable SIP and SSV by booting into Recovery Mode (restart while holding ⌘+r). In Recovery Mode, use the menu to open Terminal and execute the following three commands:
csrutil disable # disable System Integrity Protection (SIP)
csrutil authenticated-root disable # disable Signed System Volume (SSV)
reboot # restart the computer
The system should boot into standard mode. Using Terminal, mount a writable copy of the System Volume in a convenient location. For example, create a subdirectory of $HOME called rootmount:
mkdir ~/rootmount
Identify the System Volume by searching for the string sealed in the output of mount:
mount | grep sealed
This should return one line with something like /dev/disk1s5s1 on / (apfs, sealed, local, read-only, journaled). The listed device is the currently mounted snapshot of the System Volume. The System Volume itself is the same, except without the final s1. While device numbers may vary, in this example the command to mount the System Volume would be:
sudo mount -o nobrowse -t apfs /dev/disk1s5 ~/rootmount
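The device-name derivation described above can be scripted so that a mistyped or unexpected device is rejected before anything is mounted. This is an added example, not part of the original instructions; the function name system_volume_from_mount and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): derive the System Volume
# device from `mount` output instead of editing the name by hand.
# Reads `mount` output on stdin and prints the device to mount.
system_volume_from_mount() {
    # Keep only the volume mounted at "/" that carries the "sealed" flag.
    line=$(grep ' on / (' | grep -w 'sealed') || {
        echo "no sealed volume mounted at /" >&2
        return 1
    }
    # Exactly one line is expected; anything else needs a human to look.
    if [ "$(printf '%s\n' "$line" | grep -c 'sealed')" -ne 1 ]; then
        echo "more than one sealed root volume listed" >&2
        return 1
    fi
    snap=${line%% *}      # first field, e.g. /dev/disk1s5s1
    # Only accept a snapshot name (diskNsMsK). Stripping the last sN from
    # a plain volume such as /dev/disk1s5 would name the whole container.
    if ! printf '%s\n' "$snap" | grep -Eq '^/dev/disk[0-9]+s[0-9]+s[0-9]+$'; then
        echo "unexpected root device: $snap" >&2
        return 1
    fi
    printf '%s\n' "${snap%s[0-9]*}"   # drop the final snapshot suffix
}

# Constructed sample input, matching the format shown above.
sample='/dev/disk1s5s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'
printf '%s\n' "$sample" | system_volume_from_mount

# On the Mac itself (device numbers will differ):
#   dev=$(mount | system_volume_from_mount) &&
#       sudo mount -o nobrowse -t apfs "$dev" ~/rootmount
```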
A writable copy of the System Volume is now mounted at ~/rootmount. Changes to the volume can be made, for example, with:
cd ~/rootmount
## Make changes here.
Modifications will require superuser privileges, e.g. by prefixing commands with sudo. Be sure all changes are made relative to the rootmount directory. For example, to change files in /opt/python/ use the relative path opt/python/ (after cd ~/rootmount) or use ~/rootmount/opt/python from anywhere.
Note that changes will not be visible in Finder or the System Volume mounted at /.
For some additional examples not specific to Python, the following would remove the Apple Music app:
sudo rm -r ~/rootmount/System/Applications/Music.app
Or, to hide QuickTime Player from the Applications menu while leaving it installed and usable to play and edit video and audio files, prefix the name of the QuickTime Player.app directory with a dot (.):
sudo mv ~/rootmount/System/Applications/QuickTime\ Player.app \
~/rootmount/System/Applications/.QuickTime\ Player.app
## or, more succinctly
sudo mv ~/rootmount/System/Applications/{,.}QuickTime\ Player.app
After making changes, the modified copy of the System Volume must be marked as a bootable snapshot using bless. To create a snapshot of the modified volume, mark it as bootable, and set it as the new boot volume, run:
## on Intel Macs:
sudo bless --folder ~/rootmount/System/Library/CoreServices \
--bootefi --create-snapshot
## on Apple Silicon:
sudo bless --mount ~/rootmount/System/Library/CoreServices \
--bootefi --create-snapshot
Finally, reboot. The changes should be visible and should persist until SIP or SSV is re-enabled or the operating system is updated.