0 Replies
      Latest reply on Dec 18, 2019 7:05 AM by d.rocheta
      d.rocheta

        Hi!

         

        I have a launchd agent that requires Screen Recording permissions in Catalina.

        Below is the simple example:

        #!/bin/bash
        /usr/sbin/screencapture $FILE

         

        If the script is run from a terminal, permissions are required for Terminal.app.

        But if the script is launched from launchd, the User prompt doesn't appear.

         

        I found some workarounds to get it:

        1.

        #!/bin/sh
        /usr/sbin/screencapture $FILE

        2.

        #!/bin/bash
        exec /usr/sbin/screencapture $FILE

        Now in Catalina, Sh is just a wrapper (man sh), which "re-execs" scripts in one of the supported shells.

        In the first case, permissions are requested for Sh.

        In the second case, "exec" causes a User prompt for Bash.

         

        If the script runs another script that launches screen capture, then "exec" helps only if it is used in the first script, and the second script uses a different shell:

        #!/bin/bash
        exec secondScript.sh
        
        ...
        
        #!/bin/zsh
        /usr/sbin/screencapture $FILE

        Other options for changing the shebang or "exec" position do not cause a User prompt.

         

        I also have a launchd agent in Mojave that requires Accessibility permissions. It contains a startup sequence of scripts and the target app. Permissions are required for the first script (by name, not for the shell), and TCC.db contains the csreq of this script, which means that only this script has permissions.

        In Catalina, the permissions required by this script are saved in TCC.db as permissions for the shell, which means that ANY shell script can now use them.

         

        My questions are:

        • Why does only Catalina's /bin/sh or "exec" in the first script cause a User prompt?
        • Is there a proper way to get permissions without a workaround?
        • Is there a way to get permissions only for my script (as in Mojave), not for the shell?
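
An added example (not part of the original post, and not Apple's code): an audit for the situation described above, where a Screen Recording or Accessibility grant is recorded against a shell binary rather than a specific script. It assumes the TCC.db `access` table has the columns `service`, `client`, `client_type` and `allowed` (or `auth_value` on later releases); the sample rows and the `agent-start.sh` path are constructed.

```python
import sqlite3

# Shell binaries: per the post, a grant recorded against one of these
# is usable by any script that shell runs.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash",
          "/bin/ksh", "/bin/csh", "/bin/tcsh"}
SERVICES = ("kTCCServiceScreenCapture", "kTCCServiceAccessibility")

def shell_grants(conn):
    """Return (service, client) rows where a shell binary itself holds a grant."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    # Assumption: Catalina stores the decision in `allowed` (1 = granted);
    # later releases use `auth_value` (2 = granted).
    if "allowed" in cols:
        granted = "allowed = 1"
    elif "auth_value" in cols:
        granted = "auth_value = 2"
    else:
        raise ValueError("unrecognised TCC access schema")
    marks = ",".join("?" * len(SERVICES))
    # Assumption: client_type 1 means `client` is an absolute path, 0 a bundle id.
    query = ("SELECT service, client FROM access "
             f"WHERE client_type = 1 AND {granted} AND service IN ({marks}) "
             "ORDER BY service, client")
    return [(s, c) for s, c in conn.execute(query, SERVICES) if c in SHELLS]

def sample_db():
    """Constructed sample data, reduced to the columns the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, allowed INTEGER, csreq BLOB)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceScreenCapture", "/bin/bash", 1, 1, None),
        ("kTCCServiceAccessibility", "/bin/sh", 1, 1, None),
        # Hypothetical script path: a per-script grant, not flagged.
        ("kTCCServiceAccessibility", "/usr/local/bin/agent-start.sh", 1, 1, None),
        ("kTCCServiceScreenCapture", "com.apple.Terminal", 0, 1, None),
        ("kTCCServiceScreenCapture", "/bin/zsh", 1, 0, None),  # denied, not flagged
    ])
    return conn

if __name__ == "__main__":
    for service, client in shell_grants(sample_db()):
        print(f"{client} holds {service}: not scoped to a single script")
```

To run it against a real machine, pass `shell_grants` a connection opened on a copy of the TCC database instead of `sample_db()`.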