From: Greg Ercolano <erco_mlist@(email surpressed)>
Subject: [Q+A] OSX 10.11: "This script must be run as root" when run as root
   Date: Fri, 08 Jan 2016 13:36:49 -0500

> I just got a machine with El Capitan (10.11).
> It keeps telling me that the Rush installer needs to be run as root,
> even though I *am* running it as root:
>
> root# cd /usr/local/rush/etc/bin
> root# ./install.sh
> This script must be run as root

    Short answer is one line has to be changed in these two files:

        /usr/local/rush/etc/bin/install.sh
        /usr/local/rush/etc/LaunchDaemons/install.sh

    Change all instances of this line:

BEFORE: if [ ! -w /usr/bin/su ]; then
 AFTER: if [ `id -u` != 0 ]; then

    Make that change to both files, and it should work.

    This problem exists in Rush 103.07 and older.
    Will be fixed in 103.08, when it releases.

*** EDIT 05/07/2021 ***
>   If you are running MacOS 11.x, you should /also/ make the following
>   change near the bottom of /usr/local/rush/etc/bin/install.sh:
>
>       OLD: if [ "$osmaj" = "10" -a "$osmin" -ge "10" ]; then
>       NEW: if [ "$osmaj" = "10" -a "$osmin" -ge "10" -o "$osmaj" -gt "10" ]; then
>                                                      ^^^^^^^^^^^^^^^^^^^^
>                                                      ADD THIS
>
>   That will handle proper detection of 11.x and up during the
>   install. At the time rush 103.07 was written, it was not 
>   expected Apple would /ever/ bump the major revision number
>   due to the marketing of "OSX" (OS ten).

EXTENDED INFORMATION
====================
    The -w /usr/bin/su check has been in there for years and has
    worked fine.

    The problem seems to be with the bash test(1) program's -w flag,
    which should be testing for write permission. It isn't working
    properly when testing the /usr/bin/su program.

    Consider this test result on 10.11:

        # ls -la /usr/bin/su
        -rwsr-xr-x  1 root  wheel  25312 Oct 17 16:46 /usr/bin/su     <-- SHOULD BE WRITABLE TO ROOT

        # if [ -w /usr/bin/su ]; then echo "writable (GOOD)"; else echo "NOT WRITABLE (BAD)"; fi
        NOT WRITABLE (BAD)                                            <-- *FAILS* WRITE TEST

    It's not clear to me why that is.
    On older releases (e.g. 10.10 and back) it prints "GOOD".

    So either Apple broke something, or there's new perms in 10.11
    beyond normal unix permissions interfering here (ACLs? Extended attributes?)

    FWIW, I did check ACLs and extended attributes, and not seeing anything
    different between 10.10 and 10.11 on either the dirs (/usr, /usr/bin)
    or the executable (/usr/bin/su).

    If I find out more, I'll follow up.
    Anyone with input on the matter, feel free to reply to this thread.