I am using headless chromium-browser to take screenshots. The problem I am facing is that the output file has read-write permission only for the user itself; no other user or group has read permission. I want to give read permission to other users, but I still couldn't find a way to do that.
I am writing a service/module in Go for a bigger system and I'm having trouble with permissions on macOS. I am hoping anyone here has any experience with this.
This module uses network interfaces in macOS (read+write) and therefore needs admin/root permissions. The module is also in the form of a process which communicates with the parent process through stdio. Since it needs root permissions, I have tried wrapping it in AppleScript: do shell script [...] with administrator privileges, but osascript does not return the output in real time; instead it returns the stdio output when the process has exited. I need the stdio output in real time, and it is annoying to type the password every time the module is started.
So that leaves me with the question of how I can request permissions for network control in Go. Like the popup you see on some programs "wants to use your microphone", only with network permissions. Is this possible?
If not, how can I solve this issue of needing root permission for a real-time module in macOS?
I found a viable solution: launching the script with sudo -S, and asking the user for the root password through my own GUI service. As long as the root password isn't stored anywhere, it should be fine security-wise.
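The sudo -S approach from the answer above, written out as an added example (not the answer's own code). It spawns sudo with the password on stdin rather than on the command line, suppresses the prompt so it cannot interleave with the child's output, and hands each stdout line to a callback as it arrives, which is the real-time behaviour osascript does not give. The tcpdump path and interface in main are assumed placeholders; streamCommand is kept generic so it can be exercised without sudo.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strings"
)

// streamCommand starts name with args, writes stdinData to the child's stdin,
// closes it, and hands every stdout line to onLine as soon as it arrives
// instead of waiting for the process to exit.
func streamCommand(name string, args []string, stdinData string, onLine func(string)) error {
	cmd := exec.Command(name, args...)
	stdin, err := cmd.StdinPipe()
	if err != nil {
		return err
	}
	stdout, err := cmd.StdoutPipe()
	if err != nil {
		return err
	}
	var stderr bytes.Buffer // sudo's own complaints (bad password, not in sudoers) land here
	cmd.Stderr = &stderr
	if err := cmd.Start(); err != nil {
		return err
	}
	_, werr := io.WriteString(stdin, stdinData)
	stdin.Close() // EOF on stdin: sudo gets exactly one password attempt, then gives up
	sc := bufio.NewScanner(stdout)
	for sc.Scan() {
		onLine(sc.Text())
	}
	if err := cmd.Wait(); err != nil {
		return fmt.Errorf("%s: %w (stderr: %s)", name, err, strings.TrimSpace(stderr.String()))
	}
	if werr != nil {
		return werr
	}
	return sc.Err()
}

// runWithSudo runs command under "sudo -S", feeding the password through stdin so it
// never appears in argv (which any user can read with ps). -p "" suppresses the prompt so
// it cannot mix with the module's output; -k ignores any cached timestamp so the password
// supplied is what authorises this run; "--" stops sudo from parsing the command's flags.
// The caller's buffer is zeroed afterwards; the Go string built from it cannot be
// (strings are immutable), so keep its lifetime as short as this function.
func runWithSudo(password []byte, command string, args []string, onLine func(string)) error {
	sudoArgs := append([]string{"-S", "-k", "-p", "", "--", command}, args...)
	err := streamCommand("sudo", sudoArgs, string(password)+"\n", onLine)
	for i := range password {
		password[i] = 0
	}
	return err
}

func main() {
	// Demo only: the real module would receive the password from its own GUI prompt.
	fmt.Fprint(os.Stderr, "password: ")
	line, _ := bufio.NewReader(os.Stdin).ReadBytes('\n')
	pw := bytes.TrimRight(line, "\r\n")
	// Assumed privileged command: line-buffered tcpdump (-l) on en0 so lines stream promptly.
	err := runWithSudo(pw, "/usr/sbin/tcpdump", []string{"-l", "-i", "en0", "-c", "5"}, func(l string) {
		fmt.Println("tcpdump:", l)
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The privileged child still runs fully as root, so the same care applies as with any setuid helper: pass an absolute path, no user-controlled arguments, and treat anything it writes back as untrusted input to the GUI side.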
I have a Python script which I am executing through a shell script for some reason (not important here). In my script I am basically fetching some URL content and sending emails to specific people. I have added the password as a keychain item with the security command, something like this:
security add-generic-password -s SMTP -a USERID -w PASSWORD
When run from the command line I was prompted to give access to the keychain item for the 'security' command. After granting access via Keychain Access I can run the script and it no longer prompts for the retrieval of the password, and it does send me emails.
But cron jobs and launchd don't give me the desired output. After googling a bit I found that a cron job doesn't have access to keychains and I need to supply the password while running as a cron job if I want it to serve the purpose. I am not very sure whether launchd has access to keychains or not. It seems to have worked for the person below for Ruby.
https://lists.macosforge.org/pipermail/launchd-dev/2008-August/000363.html
I have the same problem as that guy. When invoked from launchctl I do not get any emails. However, if I hardcode the passwords in my code I do get the emails at the specified time. So I am assuming that my problem here is the keychain that launchd is not able to read. Is there a way to grant launchd access to the keychain?
I have my com.Query.plist file in the $HOME/Library/LaunchAgents directory.
I ran into this today too.
It doesn't seem to be well documented, but if you add the following to your plist your application will be able to see the user keychains when running as a LaunchAgent:
<key>SessionCreate</key>
<true/>
Credit to:
Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development
https://serverfault.com/questions/328785/how-do-i-launch-a-process-as-a-specific-user-at-startup-on-os-x/
Just for reference
❯ man launchd.plist
...
SessionCreate <boolean>
This key specifies that the job should be spawned into a new security audit session rather than the default session for the context it belongs to. See auditon(2) for details.
Setting this key will prevent you from accessing the keychain if you're running a LaunchAgent. Just leave the defaults as-is, and keychain access works out of the box—for LaunchAgents.
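For the script in the question above, an added example (not the asker's code) of the retrieval side: read the SMTP password back from the keychain at run time with security find-generic-password instead of hardcoding it, and fail closed with a useful message when the job has no keychain access. The service and account names are the ones from the question; the runner argument is injectable only so the lookup can be tested without a real keychain. Two practical caveats: the -w PASSWORD form of add-generic-password puts the secret into shell history and ps output, so leave -w off and let security prompt for it; and the exit codes quoted in the comments are what security(1) typically returns, worth checking in your launchd job's stderr before concluding the keychain is unreadable.

```python
"""Fetch a secret from the macOS login keychain with security(1) instead of hardcoding it."""
import subprocess
from typing import Any, Callable


class KeychainError(RuntimeError):
    """The keychain item could not be read (missing, access denied, or no user session)."""


def keychain_password(service: str, account: str,
                      runner: Callable[..., Any] = subprocess.run) -> str:
    """Return the password stored for (service, account) in the current user's keychain.

    Runs:  security find-generic-password -s SERVICE -a ACCOUNT -w
    -w prints only the password, so nothing else has to be parsed out of the output.
    `runner` defaults to subprocess.run and exists so tests can substitute a fake.
    """
    argv = ["security", "find-generic-password", "-s", service, "-a", account, "-w"]
    proc = runner(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        # Typical outcomes: exit 44 "could not be found" when the item is missing,
        # exit 36 "User interaction is not allowed" when the process has no access to
        # the keychain (the situation a cron/launchd job runs into). Never fall back
        # to a built-in default here; a job that cannot read its secret should stop.
        raise KeychainError(f"security exited {proc.returncode}: {proc.stderr.strip()}")
    secret = proc.stdout.rstrip("\n")
    if not secret:
        raise KeychainError(f"keychain returned an empty password for {service}/{account}")
    return secret


def smtp_credentials(account: str, service: str = "SMTP") -> tuple[str, str]:
    """Convenience wrapper matching the item created in the question:
    security add-generic-password -s SMTP -a USERID   (prompts for the password)"""
    return account, keychain_password(service, account)


if __name__ == "__main__":
    import sys
    try:
        user, _password = smtp_credentials("USERID")  # account name assumed from the question
    except KeychainError as exc:
        print(f"cannot read keychain: {exc}", file=sys.stderr)
        sys.exit(1)
    # Hand (user, _password) to smtplib.SMTP.login(); the secret itself is never printed.
    print(f"got SMTP password for {user} from the keychain")
```

When debugging the launchd case, run the script once from launchctl with stderr redirected in the plist (StandardErrorPath) so the exit code and message from security show up; they tell you whether the item was not found or access was refused, which are different fixes.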
I have a PHP script that runs a PowerShell Stop-Process command through shell_exec(). PHP runs as IUSR. When I run the script, I receive an access denied error message. If I run the command in PowerShell using my Administrator account, it works as expected.
How do I grant IUSR the ability to execute Stop-Process in PowerShell?
I wasn't able to find a solution to grant IUSR the specific privileges to execute Stop-Process, but I was able to get around this by changing the "Anonymous Authentication" user associated with the kill script from IUSR to Administrator.
In IIS 8.5, go to Sites->My Site->Folder Name. On the main panel, click on Authentication under IIS. Right click on Anonymous Authentication and then click on Edit.
You can set the "Anonymous Authentication" value at any level of your IIS app; from the site level to the sub-directory level. I recommend only changing the value from IUSR to Administrator on the directory that actually hosts your kill script. Changing it for the whole site might create problems for other parts of the application.
I've seen some information that suggests if you add a limited user to the Performance Monitor Users group and grant it debug privileges, it will be able to terminate processes.
You might consider something a bit less risky though, like running another web app as a user with those rights, that can only be accessed from the local machine. Then make your PHP app do a web request to the internal app to do its killin'.
If you're trying to kill only a specific process this lets you further limit the impact because the internal app could be designed to only kill that one thing.
Another way to achieve a similar separation is, for example, a scheduled task that looks for a file with specific content in a specific directory; when it sees it, it kills a process and deletes the file. IUSR can be given permission to create files in that directory as a way to trigger this. This method is very easy to implement but isn't synchronous.
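The file-drop trigger described in the answer above, as an added example (not the answer's own code). The scheduled task runs under an account that is allowed to stop the target process; IUSR is only granted write access to the drop directory, and the request file is treated as untrusted input: one line, matched against an allow-list of process names, never executed. The directory, log path, process name and service account below are assumed placeholders.

```powershell
# kill-worker.ps1 -- run periodically by a scheduled task under a low-privilege service
# account that holds only the right to terminate the allowed process(es).
#
# One-time setup (elevated), assumed names:
#   New-Item -ItemType Directory C:\kill-requests
#   icacls C:\kill-requests /grant 'IUSR:(OI)(CI)W'     # create/write only, no read/execute
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\scripts\kill-worker.ps1'
#   $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1)
#   Register-ScheduledTask -TaskName 'KillWorker' -Action $action -Trigger $trigger `
#                -User 'svc-kill' -Password '<set at install time>' -RunLevel Limited
#
# The PHP side then only does:  file_put_contents('C:\\kill-requests\\' . uniqid('', true) . '.req', 'worker');

$DropDir = 'C:\kill-requests'
$Allowed = @('worker')                    # process names IUSR may ask to stop; nothing else
$LogPath = 'C:\scripts\kill-worker.log'   # kept outside the drop dir so IUSR cannot touch it

function Write-KillLog([string]$Message) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) $Message"
}

Get-ChildItem -Path $DropDir -Filter '*.req' -File | ForEach-Object {
    $req = $_
    try {
        # Read at most the first line; the file is a trigger, not a script, and is never invoked.
        $name = [string](Get-Content -Path $req.FullName -TotalCount 1 -ErrorAction Stop)
        $name = $name.Trim()

        if ($Allowed -contains $name) {
            $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
            if ($procs) {
                $procs | Stop-Process -Force -ErrorAction Stop
                Write-KillLog "stopped $name (pids $($procs.Id -join ','))"
            } else {
                Write-KillLog "$name not running"
            }
        } else {
            # Anything outside the allow-list is logged and dropped, so a compromised
            # web process cannot use this channel to kill arbitrary processes.
            Write-KillLog "rejected request '$name' from $($req.Name)"
        }
    } catch {
        Write-KillLog "error handling $($req.Name): $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $req.FullName -Force -ErrorAction SilentlyContinue   # consume the request either way
    }
}
```

Because the task polls, the kill happens up to one repetition interval after PHP writes the file; if the caller needs confirmation, have it wait for the request file to disappear rather than assume success.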
I'm using Apache 2 to run my localhost on Mac (Mavericks), and every time I add a file or a folder in the default directory /Library/WebServer/Documents (and its subdirectories) the system asks me to authenticate:
This is a problem especially when using frameworks like Symfony or Zend Framework, because they can't get write access to folders. What can I do to solve this?
Mac/Linux grants access on different levels:
Per user
Per group
Per everybody
The folder /Library/WebServer/Documents is outside of the logged-in user paradigm (you); therefore write access (and other access like execute) is only granted to the administrator of the computer (the so-called root), which isn't you. However, on most Mac environments the password of root is your password (different users with the same password).
You will want to modify Apache2 configuration and change the directory to a folder located within your user's directory which is something like /Users/{whatever is your username} (you will probably need to create the folder).
Once you have moved the content of /Library/WebServer/Documents into the new folder, make sure the permissions are set properly. Refer to the following documentation at the chapter "How to Modify Permissions with the Info Window".
The reason why your Mac is asking for permissions to write files outside of your user's directory is for security reasons. Imagine if you download a file, execute it and grant access (by giving the root password) then the file could potentially be a virus and erase or do all kind of things on your computer.
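The permission setup the answer above leaves to the Info window, as an added example (not the answer's own code) done from the shell so it is repeatable. The idea is least privilege for the web server rather than making the tree world-writable: you own the project under your home directory, the httpd worker's group gets read access to all of it, and group write (plus setgid so new files keep the group) only on the directories a framework actually writes, such as its cache and log directories. The group name _www is the one Apache uses on macOS; the project path and writable subdirectories are assumed placeholders.

```bash
#!/bin/sh
set -eu

# prepare_webroot DIR GROUP WRITABLE_SUBDIR...
#   DIR              project root under your home directory, e.g. "$HOME/Sites/myapp"
#   GROUP            group the web server runs as (_www on macOS, www-data on Debian/Ubuntu)
#   WRITABLE_SUBDIR  relative paths the framework must write to (e.g. app/cache app/logs)
prepare_webroot() {
    dir=$1; group=$2; shift 2
    mkdir -p "$dir"
    # Owner: you (rwx). Group: the web server, read-only. Others: nothing.
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    for sub in "$@"; do
        mkdir -p "$dir/$sub"
        chgrp -R "$group" "$dir/$sub"
        # 2770: group write for the server; setgid keeps files it creates in $group,
        # so you can still read/clean them without sudo.
        find "$dir/$sub" -type d -exec chmod 2770 {} +
        find "$dir/$sub" -type f -exec chmod 660 {} +
    done
}

# perms PATH -> ls-style mode string, e.g. drwxrws--- ; used to verify the result
perms() { ls -ld "$1" | cut -c1-10; }

# apache_stanza DIR prints the vhost snippet to put in httpd.conf (or an Include'd file)
# pointing DocumentRoot at the new location. Mavericks ships Apache 2.2, where the
# access line is "Order allow,deny" / "Allow from all" instead of "Require all granted".
apache_stanza() {
    cat <<EOF
DocumentRoot "$1/web"
<Directory "$1/web">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EOF
}

# Example run (paths assumed):
#   prepare_webroot "$HOME/Sites/myapp" _www app/cache app/logs
#   apache_stanza "$HOME/Sites/myapp" | sudo tee /etc/apache2/other/myapp.conf
#   sudo apachectl restart
```

Editing httpd.conf and restarting Apache still needs sudo once; after that the framework writes its cache and logs as _www without any further authentication prompts, and nothing outside those directories is writable by the server.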
I have an app which monitors the /Volumes directory for changes and lets users access the mounted volumes which appear in the directory.
To my surprise many methods like NSWorkspace.mountedLocalVolumePaths, NSWorkspaceDidMountNotification notification and FSEventStreamCreate returned without error and I was able to monitor the directory like before but writing to any sub-directories of /Volumes is not working and adding the file URL to a pasteboard is failing with __CFPasteboardIssueSandboxExtensionForPath errors.
Is there an entitlement I need for this, or is it strictly forbidden to gain write access to volumes unless the user selects them in a dialog or drags/drops?
Thanks!
There is no such entitlement, but you can ask the user to give you permissions on /Volumes and save those permissions using Security-Scoped Bookmarks.
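The security-scoped bookmark flow from the answer above, as an added example (not the answer's own code): the user picks the volume once in an NSOpenPanel, the grant is persisted as a security-scoped bookmark, and later launches resolve it and bracket every access with startAccessingSecurityScopedResource / stopAccessingSecurityScopedResource. It requires the com.apple.security.files.bookmarks.app-scope entitlement in the sandboxed app's entitlements; the UserDefaults key and marker file name are assumed placeholders.

```swift
import Cocoa

enum VolumeAccess {
    static let defaultsKey = "grantedVolumeBookmark"   // assumed key name

    /// Ask the user to choose the volume (or directory) the app may write to.
    /// The sandbox only extends write access to what the user explicitly picks here.
    static func askUser() -> URL? {
        let panel = NSOpenPanel()
        panel.canChooseDirectories = true
        panel.canChooseFiles = false
        panel.allowsMultipleSelection = false
        panel.directoryURL = URL(fileURLWithPath: "/Volumes")
        panel.prompt = "Grant Access"
        return panel.runModal() == .OK ? panel.url : nil
    }

    /// Persist the grant as a security-scoped bookmark so it survives relaunch.
    static func save(_ url: URL) throws {
        let data = try url.bookmarkData(options: .withSecurityScope,
                                        includingResourceValuesForKeys: nil,
                                        relativeTo: nil)
        UserDefaults.standard.set(data, forKey: defaultsKey)
    }

    /// Resolve the stored bookmark. Returns nil if there is none or it no longer
    /// resolves (volume gone, app moved); refreshes it if the system reports it stale.
    static func restore() -> URL? {
        guard let data = UserDefaults.standard.data(forKey: defaultsKey) else { return nil }
        var stale = false
        guard let url = try? URL(resolvingBookmarkData: data,
                                 options: .withSecurityScope,
                                 relativeTo: nil,
                                 bookmarkDataIsStale: &stale) else { return nil }
        if stale { try? save(url) }
        return url
    }

    /// Run `body` while the sandbox extension for `url` is active; the extension is
    /// released on exit. Returns nil when the system refuses to grant access.
    static func withAccess<T>(to url: URL, _ body: (URL) throws -> T) rethrows -> T? {
        guard url.startAccessingSecurityScopedResource() else { return nil }
        defer { url.stopAccessingSecurityScopedResource() }
        return try body(url)
    }
}

/// Example use: write a marker file onto the granted volume, asking the user only
/// when no usable bookmark exists yet.
func writeMarkerOnGrantedVolume() -> Bool {
    guard let url = VolumeAccess.restore() ?? VolumeAccess.askUser() else { return false }
    try? VolumeAccess.save(url)
    let wrote = VolumeAccess.withAccess(to: url) { dir -> Bool in
        let marker = dir.appendingPathComponent(".my-app-marker")   // assumed file name
        return (try? "ok".write(to: marker, atomically: true, encoding: .utf8)) != nil
    }
    return wrote ?? false
}
```

Keep the access window short: call stopAccessingSecurityScopedResource as soon as the write is done (the defer above does that), since each open grant counts against a per-process limit on active sandbox extensions.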