![]() You can even search on disks that are not indexed by Spotlight, including network server (NAS) volumes.įind Any File can find files that Spotlight doesn't, e.g. Uninstall software that leaves files in hidden places where Spotlight doesn't look?įind Any File (FAF) is the perfect tool for these tasks.Find all the largest files on your disk?.See what files got changed in the past 5 minutes?.Recover a file whose name you partially remember?.By file name, date, size, and even plain text content (including RTF, Word and Excel files, but not PDF files nor Mails – see note below). The latter can be done without disabling SIP or anything though - just a simple 'sudo rm' is sufficient.Unhappy with Spotlight because it does not find files that you know to be there? Use FAF to find every file on your disks, including those usually hidden. Often it can be solved with 'tccutil reset ', but I've had a few occasions where I had to get a user to directly remove /Library/Application Support// to force a reset of all of TCC. The TCC database seems to get confused / corrupted pretty frequently. So, like Thomas says above, TCC inheritance must be broken when helper apps are launched in other ways (perhaps via launchd - which is actually how we're _supposed to do it, right?)Īnd regarding your comment about TCC failing randomly, Michael, I'm seeing that pretty regularly in my tech support stream. My experience with launching helper executables (bundled within my apps) via NSTask is that TCC permissions are inherited, and that seems to continue in 11.4. There doesn't seem to have been any consistent API design or consideration of user interaction flows when putting together the privacy controls. Some require that you develop UI to walk the user through Security & Privacy, while others like Screen Recording put up their own prompt, regardless of whether you want them to or not. Some capabilities (Automation) have APIs to check whether you have permission, while others (Full Disk Access, Screen Recording) don't provide an API call and you have to try an operation to see if it fails, then prompt the user if it appears they haven't yet authorized your app. TCC is definitely inconsistent and inscrutable. Sometimes, it cannot.Īs soon as an app requires mutliple permissions, multiple alerts come up, which, not a great experience. Sometimes, the app can ask ahead of time if the permission needs to be authorized. Some facilities grant permissions to contained helper tools, while others require authorising both the parent and the helper.Īlso, some permissions mandate that apps provide a reason in the ist. (I thought this was already the case anyway?) * and another: the parent bundle's code signature gets invalidated if the bundle resources change. * on top of that, there is another mechanism: the child binary should always have the same signing certificate as the parent binary. (One reason, I guess: because that wouldn't be backwards-compatible.) Why not make an equivalent key for "allow these executables to inherit TCC settings". * there already exists a mechanism by which the parent bundle blesses child binaries: an SMPrivilegedExecutables key in the ist. Right, you shouldn't be able to place an arbitrary binary in a bundle and inherit its permissions. > This change to TCC in macOS 11.4 was made to fix CVE-2021-30713 And how, even when you figure it out, it seems to randomly fail on certain Macs until macOS is reinstalled and/or you disable SIP and delete the database.īug launchd Mac macOS 11.0 Big Sur Programming Transparency Consent and Control (TCC) It remains frustrating how it’s mostly not documented how TCC is suppposed to work. The Helper Tool doe not inherit from the main app, either the Full Disk Access but also the authorisations like Automation for Finder. (This may have been fixed in later versions.) Copying the design I saw in another app (Arq Backup) which had a working background agent, I spent several months replacing my command line tool with a Service Management Login Item which runs constantly.īefore updating to 11.4, if user granted Full Disk Access to the main app, the Helper Tool got Full Disk Access too, as stated here by eskimo.īut now, it’s not working anymore. Testing in early betas of 10.15, I could not find any way for a command-line tool to get Full Disk Access. I think something has changed with Full Disk Accessīefore Full Disk Access became a thing in macOS 10.15, my apps’ background agent was a command-line tool, shipped within my apps’ bundle, and launched intermittently by launchd tasks. I have been going through hell trying to maintain Full Disk Access for my apps’ background agents. MacOS 11.4 Breaks Full Disk Access for Helper Tools
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |