MacOS – Launch agent invoking python script returns permission error

Tags: command line, launchd, macos, plist, python

I'm trying to use the following .plist to invoke a python script.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>KeepAlive</key>
        <true/>
        <key>Label</key>
        <string>com.apple.inMemTask14</string>
        <key>ProgramArguments</key>
        <array>
            <string>/Users/open/Library/Containers/.heheOSX/MacOSHighSierra.py</string>
        </array>
        <key>StartInterval</key>
        <integer>300</integer>  
    </dict>
</plist>

For some reason when I execute:

launchctl load -w /Users/open/Library/LaunchAgents/com.apple.inMemTask14.plist

I get the following errors in my system.log:

Mar 27 11:39:19 openZ-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.inMemTask14): This service is defined to be constantly running and is inherently inefficient.
Mar 27 11:39:19 openZ-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.inMemTask14[1335]): Could not find and/or execute program specified by service: 13: Permission denied: /Users/open/Library/Containers/.heheOSX/MacOSHighSierra.py
Mar 27 11:39:19 openZ-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.inMemTask14[1335]): Service setup event to handle failure and will not launch until it fires.

I have given execute permission to the python script. Is there something wrong with my .plist? How can I fix the errors displayed in the logs?

Best Answer

You have one error and a minor one in your plist and probably one inconsistency in your file system:

Keeping a job alive no matter what and starting the same job every 5 minutes is like being forced to stay in the bathroom and going to the bathroom every five minutes because of ... an ablutomania.

So remove the part:

    <key>KeepAlive</key>
    <true/>

Add the python bin in the program arguments:

replace:

<key>ProgramArguments</key>
<array>
    <string>/Users/open/Library/Containers/.heheOSX/MacOSHighSierra.py</string>
</array>

with:

<key>ProgramArguments</key>
<array>
    <string>/usr/bin/python</string>
    <string>/Users/open/Library/Containers/.heheOSX/MacOSHighSierra.py</string>
</array>

If you prefer another python bin (e.g. some brew/python), use this one instead.

Finally make sure that the logged in user (i.e. the one launching the agent) has at least read access to /Users/open/Library/Containers/.heheOSX/MacOSHighSierra.py!


Regarding the last problem:

I use the following alias in my .bash_profile to get all permissions/ACLs of a path:

alias lspath='(IFS=/; set -f -- $PWD; for arg; do path="${path%/}/$arg"; paths+=("$path"); done; ls -dlaOe@ "${paths[@]}")'

Entering lspath after cd'ing to a folder will reveal all permissions/ACLs:

$ cd /Users/user1/Library/Containers/.heheOSX
$ lspath
drwxr-xr-x  39 root   wheel  - 1394 27 Mär 17:44 /
drwxr-xr-x   7 root   admin  -  238  5 Aug  2014 /Users
drwxr-xr-x+ 60 user1  staff  - 2040 26 Mär 23:58 /Users/user1
 0: group:everyone deny delete
drwx------+ 72 user1  staff  - 2448 16 Mär 00:40 /Users/user1/Library
 0: group:everyone deny delete
drwx------  57 user1  staff  - 1938 27 Mär 20:26 /Users/user1/Library/Containers
drwxr-xr-x   2 user1  staff  -   68 27 Mär 20:26 /Users/user1/Library/Containers/.heheOSX

In this example no other user except user1 (and root) will be able to launch/load a *.py in /Users/user1/Library/Containers/.heheOSX, because other users can traverse neither /Users/user1/Library nor /Users/user1/Library/Containers due to their restrictive drwx------ permissions.
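
The checks from the answer above, as an added example that is not part of the original answer: a small Python linter that flags KeepAlive combined with StartInterval and walks each path in ProgramArguments to find the component that blocks a given user. The function names and the `base` parameter are hypothetical; it evaluates only POSIX mode bits (no ACLs) and treats root as unrestricted.

```python
import os
import plistlib
import sys

def can(st, uid, gids, want):
    """True if the POSIX mode bits grant `want` ('r', 'x', ...) to uid/gids."""
    if uid == 0:
        return True  # assumption: root is treated as unrestricted
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return (st.st_mode >> shift) & need == need

def first_blocker(path, uid, gids, want, base="/"):
    """First component below `base` that keeps uid from `path`, or None."""
    parts = os.path.relpath(path, base).split(os.sep)
    cur = base
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        # Directories on the way need search (x); the file itself needs `want`.
        needed = want if i == len(parts) - 1 else "x"
        try:
            if not can(os.stat(cur), uid, gids, needed):
                return cur
        except OSError:
            return cur  # a component that cannot be stat'ed also stops the launch
    return None

def lint_agent(plist_bytes, uid, gids, base="/"):
    """Findings for a LaunchAgent definition, as a list of strings."""
    job = plistlib.loads(plist_bytes)
    findings = []
    if job.get("KeepAlive") is True and "StartInterval" in job:
        findings.append("KeepAlive and StartInterval are both set")
    for i, arg in enumerate(job.get("ProgramArguments", [])):
        if not os.path.isabs(arg):
            continue
        # argv[0] is exec'd (needs x); later path arguments are only read.
        want = "x" if i == 0 else "r"
        blocker = first_blocker(arg, uid, gids, want, base)
        if blocker:
            findings.append(f"uid {uid} lacks '{want}' at {blocker}")
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:  # path to a .plist file
        print(lint_agent(fh.read(), os.getuid(), os.getgroups()))
```

Because argv[0] needs execute permission while later path arguments only need read, putting the interpreter first means the script itself only has to be readable.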