Privacy settings and LaunchAgents / LaunchDaemons

Hi.


I've been running into a problem since I switched to macOS Catalina: I can't launch MariaDB with launchd.


My databases dir is on an external drive.


Here is my MariaDB plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>KeepAlive</key>
  <true/>
  <key>Label</key>
  <string>org.mariadb.mariadb</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/opt/mariadb@10.1/bin/mysqld_safe</string>
    <string>--datadir=/Volumes/ExtDisk/hostExtension/database/mysql</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>


And MariaDB crash-loops with this output:


% sudo launchctl debug gui/501/org.mariadb.mariadb --stdin --stdout --stderr
Service configured for next launch.
191009 15:52:56 mysqld_safe Logging to '/Volumes/ExtDisk/hostExtension/database/mysql/Bils-MacMini.local.err'.
191009 15:52:56 mysqld_safe Starting mysqld daemon with databases from /Volumes/ExtDisk/hostExtension/database/mysql
/usr/local/opt/mariadb@10.1/bin/mysqld_safe_helper: Can't create/write to file '/Volumes/ExtDisk/hostExtension/database/mysql/Bils-MacMini.local.err' (Errcode: 1 "Operation not permitted")


I tried to grant full disk access (from the system privacy settings) to both mysqld_safe and mysqld_safe_helper, but it changes nothing.


If I set datadir to any directory on the boot volume, MariaDB starts without error.

The same applies if I run the command mysqld_safe --datadir=/Volumes/ExtDisk/hostExtension/database/mysql in Terminal/iTerm: MariaDB starts without error.



I also tried setting the least restrictive permissions on /Volumes/ExtDisk/hostExtension/database/mysql and its contents… but launchd is still unable to start MariaDB.



Does anyone have an idea how to solve this problem?



Thanks


Bil

Mac mini 2018 or later

Posted on Oct 9, 2019 7:31 AM

7 replies

Oct 9, 2019 7:55 AM in response to Bil_fr

And MariaDB is a full 64-bit application?


From the Catalina Release Notes about Launch Daemons and Agents:


Launch daemons and launch agents introduce new user privacy protections. Specifying privacy-sensitive files and folders in a launchd property list might not work as expected and prevent the service from running. Having Program or ProgramArguments pointing to an executable in a privacy sensitive location is currently allowed, but may be restricted in a future release. (49702405)

To comply with the new privacy protections, resources for a launchd service must be stored in locations that aren’t privacy sensitive. If necessary, the app can set up resources during its execution rather than using launchd property list keys, making it possible to grant the app access using System Preferences > Security & Privacy > Privacy.

The following launchd property list keys are affected: KeepAlive, PathState, QueueDirectories, Sockets, SockPathName, StandardErrorPath, StandardInPath, StandardOutPath, and WatchPaths.
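
As an added illustration (not part of the thread or of Apple's documentation), this Python script audits a launchd property list for paths in privacy-sensitive locations and marks the ones that sit under the keys the release notes list as affected. The pattern for sensitive locations and the StandardErrorPath and PathState entries in the sample are assumptions constructed for the example; the ProgramArguments are the ones from the question.

```python
import plistlib
import re

# Keys the Catalina release notes quoted above list as affected.
AFFECTED_KEYS = {"KeepAlive", "PathState", "QueueDirectories", "Sockets",
                 "SockPathName", "StandardErrorPath", "StandardInPath",
                 "StandardOutPath", "WatchPaths"}
# Assumption: which locations count as privacy-sensitive (removable volumes
# and the protected per-user folders); adjust to your environment.
SENSITIVE = re.compile(r"^(/Volumes/|/Users/[^/]+/(Desktop|Documents|Downloads)(/|$))")

# Constructed sample: the poster's ProgramArguments plus two made-up keys.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>org.mariadb.mariadb</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/opt/mariadb@10.1/bin/mysqld_safe</string>
    <string>--datadir=/Volumes/ExtDisk/hostExtension/database/mysql</string>
  </array>
  <key>StandardErrorPath</key><string>/Users/example/Documents/mariadb.err</string>
  <key>KeepAlive</key><dict><key>PathState</key>
    <dict><key>/Volumes/ExtDisk/ready.flag</key><true/></dict></dict>
</dict></plist>"""

def walk(node, trail=()):
    """Yield (trail, text) for every string value and every dict key."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield trail, key  # PathState stores its paths as dict keys
            yield from walk(value, trail + (key,))
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, trail)
    elif isinstance(node, str):
        yield trail, node

def audit(plist_bytes):
    """Return (key trail, path, uses_affected_key) for each sensitive path."""
    findings = []
    for trail, text in walk(plistlib.loads(plist_bytes, fmt=plistlib.FMT_XML)):
        path = text.split("=", 1)[-1]  # handle --option=/path arguments
        if SENSITIVE.match(path):
            affected = any(key in AFFECTED_KEYS for key in trail)
            findings.append((".".join(trail), path, affected))
    return findings

if __name__ == "__main__":
    for where, path, affected in audit(SAMPLE):
        note = "affected launchd key" if affected else "path the service opens itself"
        print(f"{where}: {path} ({note})")
```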


Oct 10, 2019 1:22 AM in response to nucleobases

I haven't done anything with Catalina launch daemons yet, so pretty much useless in further help.


It's one thing to read the Catalina release notes, and another entirely to find Apple documentation that offers workarounds to the new security challenges that Apple has introduced in the new OS. If you have a free or fee Apple Developer membership, you may have to track down any recent documentation updates, or review the WWDC 2019 video presentations on launchd changes. Then there are the Catalina man pages for launchctl and launchd.

Oct 29, 2019 1:30 PM in response to VikingOSX

I am also curious. I have a simple Launch Daemon that I want to log to /Users/<username>/Library/Logs (so I can utilize the console) but I cannot. Standard Output and Standard Error don't work, and if I try to manually write there from inside my Launch Daemon, I keep getting "Log file not writeable". Are you saying we need to write to a non-privacy location for our logs? Essentially making the console app useless for debugging?

Nov 24, 2019 3:37 PM in response to VikingOSX

The release notes don't give enough details (for me) to determine what actually needs to be done to make it work. I have a LaunchDaemon that writes to a USB external disk. Using the Security & Privacy pref and specifying the script to have full disk access does not work. Nor does giving launchd full disk access. The script works fine as a cron job provided cron has full disk access.

Nov 27, 2019 2:53 PM in response to lederermc

Update. After reading that granting permission to /bin/bash solves this... BUT is also a security risk - I decided to try obfuscation. I copied /bin/bash to a private not-in-path area with read/execute only permissions and changed the name to not be "bash". Then granted permissions to this bash clone. This seems to work in launchd. The .plist has the bash clone as ProgramArguments #1.
