Can’t run launchctl agent in Catalina. Is this a permissions problem?

catalina launchd permission

I have some launchctl scripts on Mojave that I am trying to now run on Catalina, but can't seem to get them to run. I made myself a very simple little plist as follows

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>local.moveit</string>

  <key>StandardOutPath</key>
  <string>/Users/pheon/Library/Logs/local-moveit-stout.log</string>
  <key>StandardErrorPath</key>
  <string>/Users/pheon/Library/Logs/local-moveit-stderr.log</string>

  <key>ProgramArguments</key>
  <array>
    <string>mv</string>
    <string>/Users/pheon/Desktop/test/fileA</string>
    <string>/Users/pheon/Desktop/test/fileB</string>
  </array>
 
  <key>StartCalendarInterval</key>
  <dict>
    <key>Minute</key>
    <integer>1</integer>
  </dict>
</dict>
</plist>

Then I loaded it with

launchctl load local.moveit.plist

Restarted my machine.

Checked it was running.

$ launchctl list | grep moveit
-   0   local.moveit

It is simply supposed to rename a file (which does exist), but it doesn't do anything, and it doesn't report any errors. It seems dead.

I had read that there could be permission issues, so I gave mv, launchctl, sh and zsh "Full Disk Access" in System Preferences. I also downloaded LaunchControl.app to see if that would help. But it still doesn't work, and nothing is reporting that anything is amiss.

I have the following questions.

  1. How do I get this to work?
  2. What is it with this permissions thing? Is it safe to give those apps "Full Disk Access"? Should I turn SIP off and on again? (What does that do anyway?)

ETA.

An error message finally turned up in the log.

mv: rename /Users/pheon/Desktop/test/fileA to /Users/pheon/Desktop/test/fileB: Operation not permitted

Best Answer

How do I get this to work?

Your plist file looks good, except I have found it’s more reliable to have your actual commands in an executable script and call that rather than call the commands directly from the plist.

(For future readers in case comments are deleted)

The StartCalendarInterval can get confusing at times...

<key>StartCalendarInterval</key>
  <dict>
    <key>Minute</key>
    <integer>1</integer>
  </dict>

This runs the command on the first minute of every hour (i.e. 12:01, 1:01, 2:01, and so on). It’s not “every 1 minute.” For more details, see "launchd plist format for running a command at a specific time on a weekday".

What is it with this permissions thing? Is it safe to give those apps "Full Disk Access"? Should I turn SIP off and on again? (What does that do anyway?)

Catalina has instituted a new security model in which applications or processes need to be granted rights to different resources. It has nothing to do with your rights per se, but rights of the resource. For instance, you might not want your Firefox to have rights outside its normal work folders. In the past, an attacker might exploit some flaw and gain access to other directories and drop off malicious code. Now, if the app doesn’t have rights to access the volume, it won’t be able to access it regardless of your rights.

SIP is merely a set of protected folders. What makes it special is that it cannot be disabled while the file system is mounted, which is why you need to reboot in Recovery/Single User mode to disable it. Rogue software can’t overwrite system files even if the user is root.
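
An added example, not part of the question or the answer above: a small Python check that reads a launchd plist and reports the two things this thread turned on, how often `StartCalendarInterval` actually fires and which `ProgramArguments` point into a privacy-protected user folder. The helper names and the `PROTECTED` folder list are assumptions made for this sketch, and the embedded plist is a constructed copy of the one in the question.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample: the agent from the question, reduced to the relevant keys.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>local.moveit</string>
  <key>ProgramArguments</key>
  <array>
    <string>mv</string>
    <string>/Users/pheon/Desktop/test/fileA</string>
    <string>/Users/pheon/Desktop/test/fileB</string>
  </array>
  <key>StartCalendarInterval</key>
  <dict><key>Minute</key><integer>1</integer></dict>
</dict>
</plist>"""

# Assumption: per-user folders that Catalina gates behind a privacy consent.
PROTECTED = ("Desktop", "Documents", "Downloads")

def protected_paths(args):
    """Return the arguments that live under /Users/<name>/<protected folder>."""
    hits = []
    for arg in args:
        parts = PurePosixPath(arg).parts  # ('/', 'Users', 'pheon', 'Desktop', ...)
        if len(parts) > 3 and parts[:2] == ("/", "Users") and parts[3] in PROTECTED:
            hits.append(arg)
    return hits

def runs_per_day(sci):
    """Firings on a matching day; an omitted Hour or Minute is a wildcard."""
    entries = sci if isinstance(sci, list) else [sci]
    return sum((1 if "Hour" in e else 24) * (1 if "Minute" in e else 60) for e in entries)

def audit(plist_bytes):
    """Summarise schedule frequency and protected-folder arguments for one job."""
    job = plistlib.loads(plist_bytes)
    return {
        "label": job.get("Label"),
        "runs_per_day": runs_per_day(job.get("StartCalendarInterval", [])),
        "protected": protected_paths(job.get("ProgramArguments", [])),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

For the plist in the question this reports 24 runs per day (minute 1 of each hour) and flags both `Desktop` paths, which matches the "Operation not permitted" line that eventually appeared in the log.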