Apple - How to run a LaunchAgent that runs a script which causes failures because of System Integrity Protection

I solved this as follows as follows:

Allow Bash to have Full Disk Access

  1. Open Preferences
  2. Go to Security & Preferences
  3. Select Full Disk Access in the list on the left
  4. Click the lock to make changes
  5. Click the + button on the list on the right
  6. Navigate to the root of your HD
  7. Press CMD+Shift+. to show all the hidden items
  8. Select /bin/bash
  9. Quit Preferences
  10. Restart the mac (I am not sure if this is really necessary)

Run your script correctly

The mistake I made was that the launch agent ran the script like this:

<key>ProgramArguments</key>
<array>
    <string>/Users/channing/bin/backup.sh</string>
</array>

Do this instead

<key>ProgramArguments</key>
<array>
    <string>/bin/bash</string>
    <string>/Users/channing/bin/backup.sh</string>
</array>

Restart your agent:

launchctl unload ~/Library/LaunchAgents/backup.plist
launchctl load ~/Library/LaunchAgents/backup.plist

Rejoice.


I've spent a few weeks trying to sort this out. I agree that the currently accepted answer is not really a solution -- it's not much better than just disabling SIP altogether.

My solution is a totally hacky workaround, but doesn't require whitelisting bash entirely. Update: Slightly less hacky workaround below.

Update 20190226: As detailed in the Restic issue linked below, this seems to have stopped working. The original binaries I created with this method continue to work without errors for some strange reason, but I can't give access to new binaries directly using this method.

Overview

  1. Package a standard MacOS application that runs a script (a bash script in my case, which in turn sets up an environment and runs a separate binary that requires FDA)
  2. Add that application to FDA
  3. Run the application by opening the .app (either by double clicking via GUI, or open /path/to/MyApp.app but not by directly using the executable stored in e.g. MyApp.app/Contents/Resources/)

For Step 1, you can easily package your script as an app by using tools built into MacOS such as Automator.app or Script Editor, or Platypus also works.

Example contents of such an app might be a simple AppleScript (in Script Editor) such as:

on run
    do shell script "/usr/local/bin/bash /path/to/myscript.sh"
end run

From Script Editor, use the dropdown in the save menu to save as an application, then CLOSE SCRIPT EDITOR.

Add this app to Full Disk Access through System Preferences -> Security & Privacy.

NB: If you didn't save and close Script Editor prior to adding to FDA as instructed, it seems that some kind of invisible process (automated background saves?) will change something (some kind of timestamp or hash?) that is required for Full Disk Access, which can some intermittent errors that were a major headache to figure out. So if you didn't do this, remove your app from FDA, save and close Script Editor, then add back to FDA.

For your LaunchAgent, use something like:

<string>/usr/bin/open</string>
<string>/path/to/MyApp.app</string>

Root access

If your backup script needs root access (e.g. to back up root-owned 0600 files), you're in for another set of hacky workarounds, since /usr/bin/open won't seem to run anything as root (even if you specify the UserName key in in a root-owned /Library/LaunchDaemons/ plist. (I'd be happy to open this as a separate question if appropriate, since I think the below workaround leaves much to be desired.)

One option for this is to add with administrator privileges in your AppleScript, but this requires manually typing in your password, defeating the purpose of automated backup. My current workaround is to:

  1. sudo visudo and give my unprivileged user the ability to run my backup script as sudo with NOPASSWD: (I also specify the hash of the script to hopefully improve security, e.g. myuser ALL=(ALL) NOPASSWD: sha256:hashgoeshere /path/to/myscript.sh)
  2. sudo chown root myscript.sh
  3. sudo chmod 0740 myscript.sh (4 so it can still be added to VCS)
  4. Change the AppleScript to do shell script "sudo -n /path/to/myscript.sh" and resave as MyApp.app
  5. Add MyApp.app to FDA
  6. Change my launchd script to open /path/to/MyApp.app
  7. Reload launchd script with launchctl and test to make sure it seems to be working

Further reading / details:

  • https://github.com/restic/restic/issues/2051
  • https://n8henrie.com/2018/11/how-to-give-full-disk-access-to-a-binary-in-macos-mojave/

UPDATE:

After some preliminary testing, it looks like a slightly less hacky workaround is to compile a binary (using a compiled language) that calls your bash script. Add that binary to FDA and it seems to work. Add to the root-owned /Library/LaunchDaemons plist, and you have a way to call it from root without all the craziness above.

Example script in Go:

// Runrestic provides a binary to run my restic backup script in MacOS Mojave with Full Disk Access
package main

import (
    "log"
    "os"
    "os/exec"
    "path/filepath"
)

func main() {
    ex, err := os.Executable()
    if err != nil {
        log.Fatal(err)
    }
    dir := filepath.Dir(ex)
    script := filepath.Join(dir, "restic-backup.sh")
    cmd := exec.Command("/usr/local/bin/bash", script)
    if err := cmd.Run(); err != nil {
        log.Fatal(err)
    }
}

For security, I sudo chown root and sudo chmod 0700 the resulting binary before adding to Full Disk Access (although admittedly an attacker could just change the bash script that this calls if it were left unprotected).


The currently accepted answer is a bit hard to follow with all of its updates. Here's a short summary of what currently does and doesn't work, plus a new tip.

Adding scripts or binaries to the "Full Disk Access" list no longer works. The only thing that works is adding an actual macOS app. As Channing mentions, Automator.app, Script Editor, or Platypus can be used to create one.

Tip: the whitelist applies to any script or binary inside the app's directory. So, you don't have to launch the app directly. In fact, the app itself is completely irrelevant -- it simply acts as a container for whitelisting. You can copy your script to an arbitrary app, whitelist that app, then run your script. The only caveat is that you have to remove and re-add the app to the whitelist every time you change your script or binary within it.

Tags:

Sip

Launchd