Root is no longer all powerful
7 May 2016
Basically, root is no longer all powerful – there are some things even root account cannot do! Official name is “System Integrity Protection” I’m writing all this down so next time I run into the problem and start googling, I’ll find my own notes.
I was trying to rename / remove the previous version of php
sudo mv /usr/bin/php /usr/bin/php55
This failed with the error “Operation not permitted”
When I try ls -lO /usr/bin/php I get:
-rwxr-xr-x 1 root wheel restricted,compressed 10577504 3 Dec 06:35 /usr/bin/php
restricted is a new flag for El Capitan. Basically Apple has added a whole new layer of security in OS X. They have taken away some privileges from root. If a file has a restricted flag, only restricted processes which are signed by Apple will be able to modify them. However, you can disable this security system by booting in recovery mode and disabling it in a Terminal by running the command:
csrutil disable
And for all the exciting details: https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really