How to recover from a renamed /etc directory in Mac OS Monterey (causing inability to log in)

Question

I unintentionally renamed the /etc directory on a Mac running macOS Monterey, with disastrous consequences: the password for sudo in Terminal is no longer recognised (because the /etc/sudoers file can no longer be found), which means I can no longer run any commands that require a password. Worse, I can no longer even log into the Mac.

To resolve the problem I began with the accepted answer described by David Rouse in response to a similar question - Renamed /etc folder. I can't login anymore - asked in 2019.

The first part of that solution (booting the Mac using Single User Mode with the existing password and running mount -uw) works perfectly.

However, even from Single User Mode I am unable to rename the /etc directory. For instance, attempting to run cd or mv in relation to /etc results in a No such file or directory message, and the symlink /private folder appears to be empty - see image below.

So how can I change the folder name back to /etc so that the Mac becomes operational again?

The issue is I think that the boot disk is now two parts merged together and you see only the read only part - See https://bombich.com/kb/ccc6/working-apfs-volume-groups for some idea — mmmmmm, Nov 18 '21 at 14:28
Boot into recovery, reinstall the OS only. Your files should not be impacted. — nohillside, Nov 18 '21 at 16:08
@TechnoCat Why do you use the Single User Mode? If you use the Recovery mode and unlock if necessary the " - Data" volume (case Filevault active) you can access and modify all the system structures. — , Nov 18 '21 at 16:16
@mmmmmm Thanks for the helpful link to the Bombich article at https://bombich.com/kb/ccc6/working-apfs-volume-groups. If I read that correctly it means that bypassing normal MacOS security - e.g. modifying system files and folders after logging in via Single User Mode (the solution proposed two years ago in the link I included in my question) - has not been a viable option since Catalina in 2019. That's useful to know. It means I chased a non-viable solution, wondering why it didn't work. Now I know why! :) — TechnoCat, Nov 18 '21 at 16:28
TechnoCat: Did you at least try to mount the Data volume? Booting to single user mode only mounts the sealed, readonly volume. The volume containing the /private folder has to be explicitly mounted. — David Anderson, Nov 18 '21 at 16:49
@Jean_JD I used the Single User Mode because it had been presented as a great solution to an identical problem only two years ago (so I assumed it was still viable). Also, we all have gaps in our technical knowledge; I didn't realise that I could reinstall the OS on a Mac without loss of data - so I'm hugely grateful to several people on this thread who've mentioned reinstalling just the OS as another viable means of recovering from this near-disaster. Thank you! — TechnoCat, Nov 18 '21 at 16:52
@TechnoCat. From the Recovery Mode, you can acces Terminal in root mode where all Volumes can be mounted and/or unlocked. You can try to repair the Filesystem (rename etc..) without reinstall the system. The terminal is accessible in Top menu under Utility choice. — , Nov 18 '21 at 16:59
@DavidAnderson - I haven't yet tried to mount the Data volume (because it will take some reading / time to understand exactly how to do that ... I can't afford to take further risks with my colleague's Mac, so everything is done super-carefully), and now I am locked into another project for the next 10-12 hours. — TechnoCat, Nov 18 '21 at 17:00
Thank you David, Hillside, Jean, mmmmmm & others for the super-helpful solutions & comments. Will test & implement the recommendations as soon as I can return to this task later today. Hugely appreciative!! — TechnoCat, Nov 18 '21 at 17:12
This is awesome. @TechnoCat please put all your new learnings in the answer section. Sometimes people try to edit the question so it’s a blog post instead of leaving the question about where you were to start and out all the learning and progress in answers. — bmike, Nov 18 '21 at 17:54

David Anderson · Accepted Answer · 2021-11-19T05:39:10.583

I have Monterey installed in a VMware Fusion Player virtual machine.

I followed your instructions and was able to rename /private/etc to /private/xetc.

When I boot Monterey in single user mode, I see the following output. The image shows instructions in the form of three three commands, which can be used to mount the data partition on an SEP-enabled device.

Note: For a beter view of the image, click on the image or open the image in a new window.

Below is the output from the mount command. Only the sealed, read-only volume is mounted on /. This is why the /private folder is empty.

So, I followed the instructions shown in the first image and entered the following commands.

Note: These commands produced messages, which I chose to ignore.

/sbin/mount -P 1
/usr/libexec/init_data_protection
/sbin/mount -P 2

Below is the output from the mount command. Now, the Data volume is mount on /System/Volumes/Data.

Since this Data volume was tagged with the data role metadata flag when created and is in the same APFS Volume Group as the initially mounted volume, both volumes share the root (/) mount point. In other words, this Data volume is mounted twice.

Next, I made the repair by entering the following command.

mv /private/xetc /private/etc

Note: I could have also made the same repair by entering the longer version given below.

mv /System/Volumes/Data/private/xetc /System/Volumes/Data/private/etc

Finally, I entered the command below to boot to Monterey.

exit

Interestingly enough, the man page of mount doesn't know about -P. — nohillside, Nov 18 '21 at 16:56
@nohillside: I have to confess, I do not know what the commands actually do. Entering the commands was a pure guess on my part. I did update my answer to show the output from the mount command before and after entering the three commands. — David Anderson, Nov 18 '21 at 18:12

How to recover from a renamed /etc directory in Mac OS Monterey (causing inability to log in)

1 Answers1

Linked