I recently upgraded from Mojave to Big Sur, and the shell script I use as a PDF Service has stopped working. The script calls a Python script to process the PDF, and this gives the error "operation not permitted". Thinking that this has to do with the new security restrictions, I tried dragging everything that seemed relevant to Full Disk Access in the Privacy pane of the Security & Privacy settings, but that didn't help. Here is the script with some debugging lines inserted:
```sh
#!/bin/sh
export PATH=/Library/TeX/texbin:/usr/local/bin:$PATH
########################################
# Log stdout and stderr (from https://stackoverflow.com/a/20564208).
LOG_FILE=/tmp/pdfbooklog.txt
# Close STDOUT file descriptor
exec 1<&-
# Close STDERR FD
exec 2<&-
# Open STDOUT as $LOG_FILE file for read and write.
exec 1<>$LOG_FILE
# Redirect STDERR to STDOUT
exec 2>&1
########################################
# Get name of file printed and print options (unused).
# name or title of file printed, e.g., document.odt
TITLE="${1:-}"
# space separated options from the print dialog: k1=v1 k2='v2' …
PRINT_OPTIONS="$2"
# Make first (usually only) filename $1.
shift
shift
# Some programs called write files to the current directory, so make sure
# we're somewhere where that will work.
cd /tmp
########################################
# Apparently it's possible to be called with multiple filenames.
# Use a loop to make sure we handle all files listed on the command line.
for f in "$@"
do
    echo "Processing '$f'"
    echo "PATH: $PATH"
    /usr/local/bin/python3 -c 'print("Python works")'
    pdfbook2 --inner-margin=80 "$f"
    open "${f%.pdf}-book.pdf"
done
```
When I invoke it from the print dialog, this is what is written to the log file:
```
Processing '/var/folders/2j/w5jh3df55p7f4n05nh_m45jr0000gn/T/printing.11142.10/test.odt.pdf'
PATH: /Library/TeX/texbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
/Users/me/Library/PDF Services/Make PDF booklet.sh: line 40: /usr/local/bin/python3: Operation not permitted
/Users/me/Library/PDF Services/Make PDF booklet.sh: /Library/TeX/texbin/pdfbook2: /usr/bin/env: bad interpreter: Operation not permitted
The file /var/folders/2j/w5jh3df55p7f4n05nh_m45jr0000gn/T/printing.11142.10/test.odt-book.pdf does not exist.
test.odt-book.pdf does not exist.
Done
```
`pdfbook2` is included with MacTeX: it is a Python script that invokes `python3` with `/usr/bin/env`. `python3` is in `/usr/local/bin` (installed with Homebrew), and as the test line shows, I cannot even invoke it directly. What do I have to do to permit Big Sur to run this script?
Update:
- In case it wasn't clear, the script works when invoked from the Terminal. It only fails when it is invoked from the print dialog.
- Since Big Sur still has `/usr/bin/python3`, the script above can be modified to use it. When the PDF Service is invoked from the print dialog, `/usr/bin/python3 -c 'print("Python works")'` will print "Python works". `/usr/bin/python3 /Library/TeX/texbin/pdfbook2 --inner-margin=80 "$f"` will begin executing, but `pdfbook2` will then throw a `PermissionError` of "Operation not permitted" when it tries to run `pdfcrop`, which is also in `/Library/TeX/texbin`.
- The first line of `pdfbook2` is `#!/usr/bin/env python3`. The first line of `pdfcrop` is `#!/usr/bin/env perl`, which should find `/usr/bin/perl`, since there is no Perl in my `/usr/local/bin`.
- So apparently SIP is preventing PDF Services from `exec`ing anything that is not in a protected directory, and from using `/usr/bin/env` as an interpreter (which could circumvent that restriction). Is there any way to give a script permission to do this? Giving the script Full Disk Access doesn't work.
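The log above shows two separate refusals: the direct exec of `/usr/local/bin/python3`, and `/usr/bin/env` as the interpreter of `pdfbook2`. The following added example (not part of the original post) lists every file that has to be exec'd to run a script, so each one can be compared against the "Operation not permitted" lines. The function names `resolve_on_path`, `exec_chain` and `demo` are hypothetical, the demo files are constructed stand-ins, and shebangs are assumed to have the plain `#!/usr/bin/env NAME` form without `env` options.

```shell
#!/bin/sh
# Added example (not from the original post): list every file that must be
# exec'd to run a script, following "#!" lines and "#!/usr/bin/env NAME".

# resolve_on_path NAME: print the first executable NAME found on $PATH.
resolve_on_path() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$1"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# exec_chain FILE: print FILE, then each interpreter needed to run it.
exec_chain() {
    file=$1 depth=0
    while [ "$depth" -lt 8 ]; do                  # guard against shebang loops
        printf '%s\n' "$file"
        # No "#!" in the first two bytes: native binary, the chain ends here.
        [ "$(head -c 2 "$file" 2>/dev/null)" = '#!' ] || return 0
        line=$(head -n 1 "$file"); line=${line#'#!'}
        set -f; set -- $line; set +f              # split words, no globbing
        interp=${1:-} arg=${2:-}
        [ -n "$interp" ] || return 1
        if [ "${interp##*/}" = env ] && [ -n "$arg" ]; then
            printf '%s\n' "$interp"               # env itself is exec'd first
            file=$(resolve_on_path "$arg") || { echo "UNRESOLVED $arg"; return 1; }
        else
            file=$interp
        fi
        depth=$((depth + 1))
    done
}

# demo: constructed stand-ins for pdfbook2 and a Homebrew-style python3.
demo() (
    tmp=$(mktemp -d) || exit 1
    printf '#!/usr/bin/env python3\n' > "$tmp/pdfbook2"
    printf '#!/bin/sh\n' > "$tmp/python3"
    chmod +x "$tmp/python3"
    PATH="$tmp:$PATH"
    exec_chain "$tmp/pdfbook2"
    rm -rf "$tmp"
)

demo
```

On a real system, run `exec_chain /Library/TeX/texbin/pdfbook2` and `exec_chain /Library/TeX/texbin/pdfcrop` with the same `PATH` the PDF Service script exports.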
Best Answer
I have discovered that Big Sur will graciously allow a script to execute in a PDF Service, if the script is put inside an Automator workflow saved as an APPLICATION. Saving as a Print plug-in, workflow, or other type will not work.
Use the 'Run Shell Script' Automator action, and place the script in there.
Whether the script can call another script with the necessary permissions, I have not tried.