Operation not permitted
This error occurs when the kernel blocks an action because it requires superuser privileges or conflicts with active security policies.
Usually happens because:
- ☑ File has the immutable attribute flag enabled (+i)
- ☑ Process lacks system capability (e.g. binding low ports)
- ☑ Docker container profile seccomp sandbox blocks system call
🔍 Quick Checklist:
What is Operation not permitted?
The 'Operation not permitted' error is a standard POSIX system error associated with the error code EPERM. Unlike 'Permission denied' (EACCES), which typically relates to file access bits, EPERM indicates that the operation itself is restricted by security policies, lack of system capabilities, file immutable attributes, or Docker security profiles (seccomp). Even the root user can receive EPERM if trying to modify immutable files or perform raw hardware modifications blocked by the kernel.
Common Causes
- Lack of kernel capabilities: Attempting to bind low ports (<1024) or manipulate network interfaces without CAP_NET_ADMIN privileges.
- Immutable file attributes: Attempting to edit or delete files marked with the +i (immutable) attribute.
- Docker sandbox constraints: Standard container runtimes restrict system calls (like mounting filesystems or changing clocks) using default seccomp profiles.
| Cause | Frequency |
|---|---|
| Missing raw kernel capability privileges | ⭐⭐⭐⭐⭐ |
| Active immutable file attributes (chattr +i) | ⭐⭐⭐⭐ |
| Docker container seccomp sandbox restriction | ⭐⭐⭐ |
Common Mistakes
- Assuming running as root solves all permission errors (EPERM can block root operations if files have immutable attributes or container policies restrict them).
- Running insecure containers with `--privileged` unnecessarily, which compromises host security instead of granting narrow `--cap-add` capabilities.
How to Fix
Linux Operations & Verification
Inspect and unlock immutable files blocked by Linux file attributes.
# 1. Inspect file attributes
$ lsattr /var/log/system.log
----i--------e-- /var/log/system.log
# Note: 'i' attribute indicates immutable block active
# 2. Unlock the file
$ sudo chattr -i /var/log/system.log
# 3. Modify or delete the file
$ sudo rm /var/log/system.logPlatform Specific Fixes
Check currently active process capability maps.
# Read capability bits of active shell process
capsh --printBest Practices
- Manage file attributes explicitly inside backup automated scripts.
- Adopt narrow Docker capability maps instead of wide superuser overrides.
Frequently Asked Questions (FAQ)
Q: How does EPERM differ from EACCES?
EACCES (Permission denied) means the user lacks basic rwx file bits permissions. EPERM (Operation not permitted) means the operation itself is restricted by kernel-level security rules, regardless of file permissions.
Q: Why does root get 'Operation not permitted'?
Root can get EPERM if a file has the 'immutable' flag enabled. Run 'lsattr <file>' to check. If you see 'i', run 'sudo chattr -i <file>' to unlock it.
Q: How do I bind port 80/443 without root?
Grant the binary the network binding capability: 'sudo setcap 'cap_net_bind_service=+ep' /path/to/binary'.
Q: Why do mounting commands fail in containers?
Docker containers drop mounting capabilities by default to prevent hosts escape vulnerabilities. Run the container using the '--privileged' flag or specify '--cap-add=SYS_ADMIN'.