Bottom Line: Here are a few strategies for giving full disk access to a script on MacOS Mojave.
Update 20190226
As noted in the restic issue linked below, this process is no longer working for new binaries. For some reason, the binaries that I created at the time of publishing this post continue to work without permissions errors, even now, but I can’t get this process to work with any new ones. Very odd. If you have any insights or suggestions, I’d love to hear them in the comments below.
The Problem
MacOS Mojave has new privacy protection features in place that prevent applications from reading a number of files unless explicitly given access by the user. This seems like a good feature and probably should be left enabled by default, but it presents a challenge for backup software; I noticed restic having some permissions errors a few weeks ago and have been sorting through how to give it access to these protected files.
These permissions are found in System Preferences -> Security & Privacy -> Full Disk Access.
I’ve made some progress as outlined in this GitHub issue, and thought I’d write about it more at length here.
Of note, I’ve also found the following command to reset the relevant permissions helpful in digging through this:

tccutil reset SystemPolicyAllFiles

Sources: 1, 2
Update 20181121: I think I’ve found a much better route for anybody that can write a simple script in a compiled language like Go – see the update section below.
How to Access these Files
If you do the following, you can get access to the protected files:
There are a few ways to accomplish #1 – Platypus (brew install platypus) provides an easy CLI that does the job in a single command:
Unfortunately, running the embedded script directly for some reason won’t work (it does not seem to inherit the FDA access):
Other options (that don’t require 3rd party software) include using the built-in Automator.app or Script Editor.app to do essentially the same thing, as long as you click the option to save as an Application (not a script). As AppleScript:
Same deal, move to /Applications/ and add to FDA, then run it by either double clicking or by open /Applications/Test.app.
Note that there are some really screwy bugs with the system, which is what I blame for how long it’s taking me to make any progress. For example, with the following AppleScript saved as an Application:
If I save this to /Applications/Test.app and add to FDA, it works. If I then duplicate a copy to ~/Desktop/Test.app, it works the first time, then stops working (permissions error), regardless of which Test.app I open. Then I have to reset the permissions, then re-add to make the /Applications one start working again – it often fails the first time I try to run it, then works after that. [EDIT: I wonder if this may actually be due to a “last modified” timestamp changing, instead of having to be in the /Applications folder – I currently have an application on my Desktop that seems to be working fine.]
Also, running from the built-in “Run” button in Script Editor (▶) never works (permissions errors); it has to be run by double clicking the icon or by open /path/to/Test.app from the command line.
Finally, if the application changes at all, you have to remove and then restore FDA access to get it working again. This includes just the timestamp changing due to saving the application, even if none of the code has changed. I think this may be one of the confounding factors in my testing; if I leave Script Editor.app running while I experiment, it may be auto-saving in the background, which may be giving me intermittent errors that are tough to debug.
Ongoing Issues in Automating the Process
The big problem I’m stuck with at this point is giving read permissions for system files that I would like to be backed up (i.e. files that I need to be root to read, for example /etc/master.passwd).
Using the AppleScript example from above (basically ls ~/Library/Mail, which is a protected directory), I can put a script into e.g. /Library/LaunchDaemons/com.n8henrie.test.plist that contains the following (among other boilerplate code), and make that file owned by root. If I then sudo launchctl load and then sudo launchctl start it, I get the dialog box showing that the FDA permissions worked properly, but at the top of the dialog, I see that whoami is still getting run as my user (not root).
This means that running my restic backup script in this way seems like it will work from the FDA perspective, but won’t be able to access any files that are e.g. 0600 root:wheel.
Some workarounds include changing the AppleScript to include do shell script ... with administrator privileges, which will cause it to prompt me for my password and then run as root… but that won’t work from an automation standpoint.
The only other workaround I’ve discovered is to sudo visudo and give myself the ability to run as sudo with NOPASSWD:, then change the AppleScript to e.g. sudo -n /bin/ls /etc/master.passwd.
Oddly, if I make a root-owned launchd plist in /Library/LaunchDaemons/ that directly runs the command whoami and outputs the result to a text file on the desktop, it outputs root (even without the UserName key).
Frustratingly, if I change that plist to run open /path/to/Test.app, where Test.app is an AppleScript that outputs whoami to a text file, I get my regular username irrespective of whether the UserName key is set to root or not.
This means that I can’t set my launchd script to run my Restic.app and have sufficient privileges to read root-only files, even if the launchd script is in /Library/LaunchAgents, root owned, and set to run as UserName: root.
The only workaround I’ve figured out so far is to:
This seems really sloppy, and I’d love to hear suggestions from other readers.
Update 20181121
After some preliminary testing, it seems like a much cleaner solution to all of the above (including running with root privileges) is to just make a binary (in a compiled language) that runs your script, then add that binary to Full Disk Access.
Note that this doesn’t work for something like a shell script; you can’t add the script to Full Disk Access (even if you chmod +x). You can only add the e.g. bash binary that runs the script, but that means that any process spawned by bash can access all your files. That seems like a huge security vulnerability.
Anyway, here is some example code in Go that runs a bash script named restic-backup.sh in the directory containing the resulting Go binary.
You can add this binary to Full Disk Access and the spawned processes (including the shell script it calls) should inherit Full Disk Access. Don’t forget that if you make any changes to the Go binary, you need to remove it from FDA and then add it back.
Also note that this seems to work great for scripts requiring root access; instead of all the hacky mess above, just have your root-owned /Library/LaunchDaemons plist call this binary. In this case, I’d highly recommend that you secure both the binary and the shell script it calls, since otherwise an attacker could easily overwrite either one with something malicious and it would get called with root privileges. An example of a few simple steps may be to sudo chown root both of these files, sudo chmod 0700 the Go binary, and sudo chmod 0640 the shell script (keeping yourself in the group so you can still add it to VCS if desired).
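As an added example (not the post’s own Go code, which is not reproduced on this page), here is a wrapper that runs restic-backup.sh from the directory holding the binary, as described above, and before doing so enforces the hardening just recommended: the script must be a regular, root-owned file that is not writable by group or others, so a root launchd job cannot be tricked into running a file someone else replaced. The scriptPath/checkScript names and the symlink rejection are my assumptions, not the post’s.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"syscall"
)

// scriptPath returns restic-backup.sh in the directory holding the binary exe.
func scriptPath(exe string) string {
	return filepath.Join(filepath.Dir(exe), "restic-backup.sh")
}

// checkScript enforces the post's hardening: a regular root-owned file (symlinks are
// rejected since Lstat does not follow them) with no group/other write bit (0640 passes).
func checkScript(path string) error {
	info, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok || st.Uid != 0 {
		return fmt.Errorf("%s: must be owned by root", path)
	}
	if perm := info.Mode().Perm(); perm&0o022 != 0 {
		return fmt.Errorf("%s: mode %04o is writable by group or others", path, perm)
	}
	return nil
}

func main() {
	exe, err := os.Executable()
	if err == nil {
		script := scriptPath(exe)
		if err = checkScript(script); err == nil {
			cmd := exec.Command("/bin/bash", script) // child inherits the binary's FDA grant
			cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
			err = cmd.Run()
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "restic wrapper:", err)
		os.Exit(1)
	}
}
```

Build it with go build, move the binary next to restic-backup.sh, apply the chown/chmod steps above, and then add the binary (not bash) to Full Disk Access.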
I’ve had a few promising leads on this problem that haven’t panned out, so I’ll update in a few days if this stops working, but it seems to be doing the trick for now.