LaunchAgent cannot access macOS "protected" folders

Question

I have a shell script which does this:

#!/bin/bash

ls -la "$HOME/Pictures/Photos Library.photoslibrary"

When I run this script in the shell it works fine. If I define a LaunchAgent (under $HOME/Library/LaunchAgents) which executes this script, I get the following error message:

ls: Photos Library.photoslibrary: Operation not permitted

My real script is invoking HashBackup (hb) which results in the same kind of error on all those "protected" folders (pictures, address book, etc...). But I was able to reproduce with a simple ls.

What am I supposed to do to fix this?

This is on macOS 10.14.6.

Thanks

Answer 1

Thanks to Gordon comment, I was able to follow the steps and fix my issue. The steps that actually worked for me are these ones.

For the sake of a more complete solution, here is a small CMake based solution:

1. main.cpp

#include <iostream>

int main()
{
  std::cout << "Wrapper app which is authorized for full disk access so that the shell script can run with the same permission" << std::endl;
  return 0;
}

2. backup_argon.sh

#!/bin/bash

# this is just a test... it should invoke hb instead
ls -la "$HOME/Pictures/Photos Library.photoslibrary"

3. Info.plist.in

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleExecutable</key>
    <string>${MACOSX_BUNDLE_EXECUTABLE_NAME}</string>
    <key>CFBundleIconFile</key>
    <string>${MACOSX_BUNDLE_ICON_FILE}</string>
    <key>CFBundleIdentifier</key>
    <string>${MACOSX_BUNDLE_GUI_IDENTIFIER}</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>${MACOSX_BUNDLE_BUNDLE_NAME}</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>${MACOSX_BUNDLE_SHORT_VERSION_STRING}</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleVersion</key>
    <string>${MACOSX_BUNDLE_BUNDLE_VERSION}</string>
    <key>CSResourcesFileMapped</key>
    <true/>
    <key>NSHumanReadableCopyright</key>
    <string>${MACOSX_BUNDLE_COPYRIGHT}</string>
    <key>LSUIElement</key>
    <true/>
    </dict>
</plist>

4. CMakeLists.txt

cmake_minimum_required(VERSION 3.19)

set(VERSION 1.0.0)

project(HashBackupLaunchAgent VERSION "${VERSION}")

set(CMAKE_CXX_STANDARD 17)

set(MACOSX_BUNDLE_BUNDLE_NAME "HashBackupLaunchAgent")
set(MACOSX_BUNDLE_GUI_IDENTIFIER "com.pongasoft.HashBackupLaunchAgent")
set(MACOSX_BUNDLE_SHORT_VERSION_STRING "${VERSION}")
set(MACOSX_BUNDLE_BUNDLE_VERSION "${VERSION}")
set(MACOSX_BUNDLE_COPYRIGHT "2021 pongasoft")

add_executable(HashBackupLaunchAgent MACOSX_BUNDLE main.cpp backup_argon.sh)

set_target_properties(HashBackupLaunchAgent PROPERTIES MACOSX_BUNDLE_INFO_PLIST "${CMAKE_CURRENT_LIST_DIR}/Info.plist.in")

set_source_files_properties(backup_argon.sh PROPERTIES MACOSX_PACKAGE_LOCATION MacOS)

Compiling this project will result in an application (HashBackupLaunchAgent.app) which I copied under /Applications.

I then gave Full Disk Access privilege to this app under System Preferences/Security & Privacy/ Privacy

I then have a LaunchAgent with the following definition:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>com.ypujante.hashbackup.argon.plist</string>

    <key>EnvironmentVariables</key>
      <dict>
        <key>PATH</key>
        <string>/bin:/usr/bin:/usr/local/bin</string>
      </dict>

    <key>ProgramArguments</key>
    <array>
        <string>/Applications/HashBackupLaunchAgent.app/Contents/MacOS/backup_argon.sh</string>
    </array>

    <key>StandardOutPath</key>
    <string>/Users/ypujante/Library/Logs/HashBackup/argon.log</string>
    <key>StandardErrorPath</key>
    <string>/Users/ypujante/Library/Logs/HashBackup/argon.log</string>
    <key>StartCalendarInterval</key>
    <array>
      <dict>
          <key>Hour</key>
          <integer>7</integer>
          <key>Minute</key>
          <integer>30</integer>
      </dict>
    </array>
  </dict>
</plist>

Note how the launch agent definition invokes the script inside the app not the app itself. And it works: the script inherits the full disk access privilege given to the app.