Permissions within shell scripts

Hi!


I have a launchd agent that requires Screen Recording permissions in Catalina.

Below is a simple example:

#!/bin/bash
# FILE holds the output path (set in the agent's environment); quote it so paths with spaces work
/usr/sbin/screencapture "$FILE"


If the script is run from a terminal, permissions are required for Terminal.app

But if the script is launched from launchd, the User prompt doesn't appear.


I found some workarounds to get it:

1.

#!/bin/sh
/usr/sbin/screencapture "$FILE"

2.

#!/bin/bash
# exec replaces the shell process with screencapture instead of forking a child
exec /usr/sbin/screencapture "$FILE"

Now in Catalina, sh is just a wrapper (man sh) which re-execs scripts in one of the supported shells.

In the first case, permissions are requested for sh.

In the second case, "exec" causes a User prompt for Bash.


If the script runs another script that launches screen capture, then "exec" helps only if it is used in the first script, and the second script uses a different shell:

#!/bin/bash
# replace this bash process with the second script (located next to this one)
exec ./secondScript.sh

...

#!/bin/zsh
/usr/sbin/screencapture "$FILE"

Other combinations of shebang and "exec" position do not cause a User prompt.


I also have a launchd agent in Mojave that requires Accessibility permissions. It contains a startup sequence of scripts and the target app. Permissions are required for the first script (by name, not for shell), and TCC.db contains csreq of this script, which means that only this script has permissions.

In Catalina, the permissions required by this script are saved in TCC.db as permissions for shell, which means that ANY shell script can now use them.


My questions are:

  • Why does only Catalina's /bin/sh, or "exec" in the first script, cause a User prompt?
  • Is there a proper way to get permissions without a workaround?
  • Is there a way to get permissions only for my script (as in Mojave), not for shell?
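The post's observation that "exec" only helps in the first script comes down to process identity: "exec" replaces the running shell with the next program instead of forking a child, so the program that eventually calls screencapture keeps the PID of the process launchd spawned. The following added example (not code from the original post) reproduces the two-script chain from the post with /bin/sh for both scripts and compares the PID the second script reports with the PID of the process that was started; the script contents and temporary paths are constructed here.

```python
import os
import stat
import subprocess
import tempfile


def second_script_pid(use_exec):
    """Build a constructed two-script chain like the one in the post and run it.

    Returns (pid_of_spawned_process, pid_reported_by_second_script).
    With use_exec=True the first script execs the second, so both PIDs match;
    without exec the second script runs in a forked child and the PIDs differ.
    """
    with tempfile.TemporaryDirectory() as workdir:
        first = os.path.join(workdir, "first.sh")
        second = os.path.join(workdir, "second.sh")

        # The second script prints its own PID ($$), standing in for screencapture.
        with open(second, "w") as fh:
            fh.write("#!/bin/sh\necho $$\n")

        # The first script runs the second, with or without exec. The interpreter
        # is named explicitly so the chain does not depend on exec bits or $PATH.
        prefix = "exec " if use_exec else ""
        with open(first, "w") as fh:
            fh.write("#!/bin/sh\n%s/bin/sh %s\n" % (prefix, second))

        for path in (first, second):
            os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)

        proc = subprocess.Popen(["/bin/sh", first], stdout=subprocess.PIPE, text=True)
        out, _ = proc.communicate()
        return proc.pid, int(out.strip())


def exec_keeps_pid():
    """True when exec preserves the spawned PID and plain invocation does not."""
    spawned, forked = second_script_pid(use_exec=False)
    spawned_exec, execd = second_script_pid(use_exec=True)
    return forked != spawned and execd == spawned_exec


if __name__ == "__main__":
    print("without exec:", second_script_pid(False))
    print("with exec:   ", second_script_pid(True))
    print("exec keeps the spawned PID:", exec_keeps_pid())
```

Running it prints two PID pairs; only the exec variant shows the same PID on both sides, which is the property the post's working layouts (sh as re-exec wrapper, or exec in the first script) share.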
@d.rocheta Have you been able to find a solution to this? I'm also facing the issue that the permissions are required for 'sh' and not the binary I call from within this script.

@_mackel Replaced the script with a binary that does the same job.
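The post's TCC.db observation is the part a defender should care about: once Screen Recording or Accessibility is granted to /bin/sh itself, every script that interpreter runs inherits the grant. The added example below (my own code, not from the original thread) audits a TCC database for grants whose client is a shell interpreter path. The column names follow the Catalina `access` table as I know it (`client_type` 1 = absolute path, `allowed` 1 = granted; Big Sur and later renamed `allowed` to `auth_value`, which this query does not handle). The sample rows are constructed; reading the real databases requires Full Disk Access, so the audit also accepts a copied file.

```python
import os
import sqlite3

# Interpreters whose TCC grants apply to every script they execute.
SHELL_INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh", "/bin/csh", "/bin/tcsh")

# Real locations of the per-user and system TCC databases on macOS.
USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# Subset of the Catalina `access` table (assumed column names, see lead-in).
ACCESS_SCHEMA = """
CREATE TABLE access (
    service      TEXT    NOT NULL,
    client       TEXT    NOT NULL,
    client_type  INTEGER NOT NULL,
    allowed      INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL,
    csreq        BLOB,
    PRIMARY KEY (service, client, client_type)
)
"""

# Constructed placeholder for a code-signing requirement blob (not a real csreq).
FAKE_CSREQ = b"constructed-csreq-placeholder"


def build_sample_db():
    """Return an in-memory database with constructed rows of each kind seen in the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ACCESS_SCHEMA)
    rows = [
        # Catalina-style: Screen Recording granted to the interpreter -> any sh script can use it.
        ("kTCCServiceScreenCapture", "/bin/sh", 1, 1, 1, None),
        # Mojave-style: Accessibility granted to one specific script, pinned by its csreq.
        ("kTCCServiceAccessibility", "/Users/me/bin/startup.sh", 1, 1, 1, FAKE_CSREQ),
        # Ordinary app identified by bundle id (client_type 0).
        ("kTCCServiceAccessibility", "com.example.helper", 0, 1, 1, FAKE_CSREQ),
        # Interpreter that was denied: not a live grant, so it must not be reported.
        ("kTCCServiceScreenCapture", "/bin/bash", 1, 0, 1, None),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def interpreter_grants(conn):
    """Return (service, client) for every allowed grant whose client is a shell interpreter."""
    cur = conn.execute(
        "SELECT service, client FROM access WHERE client_type = 1 AND allowed = 1"
    )
    return [(service, client) for service, client in cur if client in SHELL_INTERPRETERS]


def audit(db_path):
    """Open a TCC database (or a copy of it) read-only and list interpreter-level grants."""
    conn = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        return interpreter_grants(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    print("sample database:", interpreter_grants(build_sample_db()))
    for path in (USER_TCC_DB, SYSTEM_TCC_DB):
        try:
            print(path, "->", audit(path))
        except sqlite3.OperationalError as err:  # missing file or no Full Disk Access
            print(path, "-> not readable:", err)
```

Any row the audit returns is a grant that every script run by that interpreter inherits; the fix the thread converges on, replacing the script with a signed native binary, makes the grant attach to that binary's code requirement instead.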


Accepted Reply

Have you been able to find a solution to this?

Shell scripts and TCC don’t mix very well. If you need to grant a launchd agent TCC privileges, I recommend that you use native code.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
