How dangerous is it to give zsh full disk access

command linelaunchdplistterminalzsh

I have a shell script that runs a few (Duplicacy) backup commands. It works fine when I manually run the script from terminal (cd to the directory where it is and then ./backup.sh).

To make it run automatically I created a launch agent (a .plist file). When it runs now, I get only "operation not permitted" errors whenever Duplicacy attempts to open a preference file or any other file to do its backups. The permission of the script is 755, and it's owned by the same user as the the files Duplicacy tried to open.

Quite a bit of research suggests that I should open Security & Privacy in Preferences and allow zsh to have full disk access. I tried this and it solved the problem.

Is this overkill and dangerous for this issue? Is it ok for zsh to have full disk access?

Best Answer

There’s no inherent danger per se with respect to ZSH; it’s only a shell.

What is “dangerous” is what you run in the shell. Most users don’t use the shell so securing it gives a nice level of extra security so when they inadvertently download nefarious apps from the Internet, they will have the protection that the shell doesn’t have full disk access.

Is it overkill? In my opinion, no. If you run scripts like this backup script, you’re going to want access to more than just one or two directories (which you can do, by the way); you’ll want access to the whole disk.

Related Solutions

MacOS – Assistive Access when script is launched by agent

A simple fix is to save the script as a text file instead.

At the top of the script add the osascript shebang

#!/usr/bin/osascript

example:

#!/usr/bin/osascript
say "hello"
tell application "Safari" to activate
tell application "System Events"

    delay 2
    keystroke "p" using command down
    tell application process "Safari"

        tell application "System Events"
            tell process "Safari"
                click menu button "PDF" of sheet 1 of window 1
                delay 1

                click menu item "Save PDF to Web Receipts Folder" of menu of menu button "PDF" of sheet 1 of window 1
            end tell
        end tell
    end tell

end tell

The in the save dialog choose Text as the file format. The file will be saved as plain text but with the .applescript extension.

In terminal make the save script text file executable.

I used:

chmod +x /Users/UserName/Scripts/newTest1.applescript

In the command arguments of the LaunchAgent just add the path to the file.

Do not add the osascript command to the arguments. You do not need it.

The saved script text file will act like an executable shell script.

When you first load or run the LaunchAgents you will get a prompt to set the Assistive Access in System Preferences. If you already have System preferences open you will not but the Script text file will be added to the list.

You now just have to check its check box to allow it.

I would reload the LaunchAgent so it picks up straight away.

I have double checked this with the script above and all works as expected.

MacOS – Loading User LaunchAgent Successfully

OK, addressing your second question first (is my plist actually correct?), plutil (in its default invocation) "lints" (checks) plist files for correctness:

plutil ~/Library/LaunchAgents/local.brew.update.plist

Equivalent to:

plutil -lint ~/Library/LaunchAgents/local.brew.update.plist

Turning to your first question (how do I know my agent is being loaded (and how do I confirm that)?), here's a few things to help check that.

First, I'd recommend adding logging to aid debugging. I log to ~/Library/Logs, so add something like this to my plist:

<key>StandardOutPath</key>
<string>/Users/userx/Library/Logs/local.brew.update.stdout</string>
<key>StandardErrorPath</key>
<string>/Users/userx/Library/Logs/local.brew.update.stderr</string>

Try re-loading your plist and then check your logs:

less ~/Library/Logs/local.brew.update.stdout
less ~/Library/Logs/local.brew.update.stderr

A few additional observations:

My understanding of your inetdCompatibility is that the agent should start when it's loaded. However, you say that launchctl list doesn't show the agent. Does that change if you try launchctl start com.my.ssh_tunnel after loading the plist? Do the logs show anything new?

I don't entirely understand the relationship between Program and ProgramArguments - could just be me, but I find man launchd.plist's explanation of ProgramArguments hard-going. I'd be inclined to try adding /usr/bin/ssh as a first string in ProgramArguments, and removing the entry for Program. (Then re-load and check the logs. Re-start and check the logs if needed).

Finally, I'm pretty certain that @daniel-Azuelos is correct, and you need to specify your ProgramArguments like this (I've added usr/bin/ssh as mentioned above):

<key>ProgramArguments</key>
<array>
    <string>/usr/bin/ssh</string>
    <string>-F</string>
    <string>/Users/userx/.ssh/config</string>
    <string>dname</string>
    <string>/usr/sbin/imapd</string>
</array>

My reasoning for this is, the few plists I can find on my system that use (more than one) ProgramArguments use this idiom:

<key>Label</key>
<string>com.divx.uninstall.preferences</string>
<key>ProgramArguments</key>
<array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>if [[ ! -e "/Applications/DivX/DivX Preferences.app" ]] ; then open "/Library/Application Support/DivX/Uninstall DivX for Mac.app"; fi</string>
</array>

Note how bash's -c option and the corresponding command_string are in separate arguments.

Best Answer

Related Solutions

MacOS – Assistive Access when script is launched by agent

MacOS – Loading User LaunchAgent Successfully

Related Question