kdeldycke/dotfiles

tccutil on BigSur

ccievoiceoks opened this issue · 12 comments

Hi ,

Just a simple question , I have tried your tips about the use of tccutils with SIP disabled but it seems to not work correctly

Have you succeeded to make it work ?

Many thanks

Olivier

Hi @ccievoiceoks !

Oh, you mean this section:

dotfiles/macos-config.sh

Lines 34 to 94 in 770a61f

```zsh
###############################################################################
# Permissions and Access #
###############################################################################
# XXX tccutil commands below only work if SIP is disabled.
# CLI to open the automation preference panel:
# ❯ open "x-apple.systempreferences:com.apple.preference.security?Privacy_Automation"
# Raw list of permission names:
# ❯ strings /System/Library/PrivateFrameworks/TCC.framework/Versions/Current/Resources/tccd | grep "^kTCCService[A-Z a-z]" | sort | uniq
# Ask for the administrator password upfront
sudo -v
# List existing entries for debug.
sudo tccutil --list
# Add Terminal as a developer tool. Any app referenced in the hidden Developer
# Tools category will be able to bypass GateKeeper.
# Source: an Apple Xcode engineer at:
# https://news.ycombinator.com/item?id=23278629
# https://news.ycombinator.com/item?id=23273867
sudo spctl developer-mode enable-terminal
sudo tccutil --service "kTCCServiceDeveloperTool" --insert "com.apple.Terminal"
sudo tccutil --service "kTCCServiceDeveloperTool" --enable "com.apple.Terminal"
# Since 10.15, BSD-userland processes now also deal with sandboxing, since the
# BSD syscall ABI is now reimplemented in terms of macOS security capabilities.
# Source: https://news.ycombinator.com/item?id=23274213
#
# Also, some plist preferences files are not readable either by the user or root
# unless the Terminal.app gets Full Disk Access permission.
#
# ❯ cat /Users/kde/Library/Preferences/com.apple.AddressBook.plist
# cat: /Users/kde/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
#
# ❯ sudo cat /Users/kde/Library/Preferences/com.apple.AddressBook.plist
# Password:
# cat: /Users/kde/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted
# Grant Full Disk Access permission
for app (
"com.apple.Terminal"
"/Applications/BlockBlock.app"
"/Applications/KnockKnock.app"
); do
sudo tccutil --service "kTCCServiceSystemPolicyAllFiles" --insert "${app}"
sudo tccutil --service "kTCCServiceSystemPolicyAllFiles" --enable "${app}"
done
# Grant Accessibility permission
for app (
"/Applications/Amethyst.app"
"/Library/Application Support/Logitech.localized/Logitech Options.localized/Logi Options Daemon.app"
"/Applications/Logi Options.app"
"/Applications/MonitorControl.app"
"/Applications/SwiftBar.app"
); do
sudo tccutil --insert "${app}"
sudo tccutil --enable "${app}"
done
```

No, I did not. I can confirm disabling SIP doesn't seem to be enough. I can't remember where I read that "AMFI" needs to be disabled too.

Even tccutil's author has not tried it on Big Sur yet: jacobsalmela/tccutil#40

But maybe Terminal.app with Full Disk Access is enough now. At least according to: jacobsalmela/tccutil#18 (comment)

Which should work as I do exactly that in my pre-installation steps:

Maybe it was qualified as a bug by Apple and fixed in subsequent Big Sur releases...

Thanks for the reply. No, it is not working, even though the rights have been given to the Terminal since the beginning.
Meanwhile I have found a solution, but I need to dig a little more.
You can directly edit the TCC.db by running a request like this:

```sh
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access(service,client,client_type,auth_value,auth_reason,indirect_object_identifier,auth_version,indirect_object_identifier_type,flags) VALUES('kTCCServiceSystemPolicyAllFiles','com.runningwithcrayons.Alfred',0,2,4,0,1,0,0);"
```

Here is an example adding Alfred 4 so that it gets Full Disk Access.
I will try to elaborate a little more on how it goes and I will let you know.

See as ref for Catalina --> OS Query
Olivier

Thanks @ccievoiceoks for your detailed investigation!

I still have a hard time understanding why your `sudo sqlite3` call is working. tccutil is a simple Python script that connects to the TCC database:
https://github.com/jacobsalmela/tccutil/blob/417b7dd3539b096ff4d3db4cb78199cddb7a211b/tccutil.py#L108-L118

So it should have the same effect... 🤔

OK, I think that I understand why it is not working in the Python script while it works with the sudo command.
In the Python script, the connection expects a dedicated hash for the DB and the OS version in order to establish a connection with the DB.

Apparently on Big Sur, the hash for the table on my laptop is 3d1c2a0e97.

Just curious if you can check yours with the following portion of the code:

```python
import sqlite3
import hashlib
from platform import mac_ver
from distutils.version import StrictVersion as version

# Current OS X version
osx_version = version(mac_ver()[0])
print(osx_version)

# Database Path
tcc_db = '/Library/Application Support/com.apple.TCC/TCC.db'

conn = sqlite3.connect(tcc_db)
c = conn.cursor()

# Do a sanity check that TCC access table has expected structure:
# the fingerprint is the first 10 hex chars of SHA-1 over the CREATE TABLE text.
c.execute("SELECT sql FROM sqlite_master WHERE name='access' and type='table'")
accessTableDigest = ""
for row in c.fetchall():
    accessTableDigest = hashlib.sha1(row[0].encode('utf-8')).hexdigest()[0:10]
    print (accessTableDigest)
    break
if not (accessTableDigest == "8e93d38f7c" or (osx_version >= version('11.0') and accessTableDigest in ["3d1c2a0e97"])):
    print("\nTCC Database structure is unknow")
else:
    print("\nTCC Database recognized")
```

After that point, it is a matter of looking at the SQL request, as it seems it is not the same expression as before.
I will try to look a little more at the expression.
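To make the schema fingerprint above reusable from the defender's side, here is an added audit helper (not code from this thread, the dotfiles repo, or tccutil) that computes the same 10-character SHA-1 digest of the `access` table and then lists which clients have actually been granted a given TCC service, decoding `auth_value` (the `AUTH_VALUE` names are an assumption for readability). Because the real TCC.db needs root plus Full Disk Access to read, the script also builds a constructed in-memory stand-in whose column names match the `INSERT` from the earlier comment; its `CREATE TABLE` text is simplified, so its digest will not equal the real `3d1c2a0e97` or `8e93d38f7c` values.

```python
import hashlib
import sqlite3
from pathlib import Path

# Path of the system-wide TCC database, as used in the thread.
TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# Schema digests reported in this thread (Catalina, Big Sur).
KNOWN_DIGESTS = {"8e93d38f7c": "10.15", "3d1c2a0e97": "11.x"}

# Assumed decoding of auth_value; chosen for readability, not taken from the page.
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}

# Constructed, simplified stand-in for the Big Sur `access` table. Column names
# follow the INSERT statement quoted in the thread; the real DDL has more columns.
SAMPLE_SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL,
    client TEXT NOT NULL,
    client_type INTEGER NOT NULL,
    auth_value INTEGER NOT NULL,
    auth_reason INTEGER NOT NULL,
    auth_version INTEGER NOT NULL,
    indirect_object_identifier_type INTEGER,
    indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED',
    flags INTEGER,
    PRIMARY KEY (service, client, client_type, indirect_object_identifier)
)"""

# Constructed sample rows: two Full Disk Access grants, one accessibility grant,
# one explicit denial that an audit must not report as a grant.
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 4, 1, 0, "UNUSED", 0),
    ("kTCCServiceSystemPolicyAllFiles", "com.runningwithcrayons.Alfred", 0, 2, 4, 1, 0, "UNUSED", 0),
    ("kTCCServiceAccessibility", "/Applications/Amethyst.app", 1, 2, 4, 1, 0, "UNUSED", 0),
    ("kTCCServiceSystemPolicyAllFiles", "com.example.denied", 0, 0, 4, 1, 0, "UNUSED", 0),
]


def schema_digest(conn):
    """First 10 hex chars of SHA-1 over the access table's CREATE statement,
    i.e. the same fingerprint tccutil compares against its known list."""
    row = conn.execute(
        "SELECT sql FROM sqlite_master WHERE name='access' AND type='table'"
    ).fetchone()
    return None if row is None else hashlib.sha1(row[0].encode("utf-8")).hexdigest()[:10]


def list_grants(conn, service=None):
    """Return (service, client, decoded auth) tuples, optionally for one service."""
    query = "SELECT service, client, auth_value FROM access"
    params = ()
    if service is not None:
        query += " WHERE service = ?"
        params = (service,)
    query += " ORDER BY service, client"
    return [(s, c, AUTH_VALUE.get(v, f"auth_value={v}"))
            for s, c, v in conn.execute(query, params)]


def full_disk_access_clients(conn):
    """Clients that are actually allowed Full Disk Access (auth_value == 2)."""
    return [c for _, c, auth in list_grants(conn, "kTCCServiceSystemPolicyAllFiles")
            if auth == "allowed"]


def open_tcc_db(path=TCC_DB):
    """Open the real database read-only (needs root and Full Disk Access)."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def sample_db():
    """In-memory database populated with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()  # swap for open_tcc_db() on a real machine
    digest = schema_digest(db)
    print("schema digest:", digest, "->", KNOWN_DIGESTS.get(digest, "unrecognised"))
    for service, client, auth in list_grants(db):
        print(f"{service:40} {client:45} {auth}")
    print("Full Disk Access:", full_disk_access_clients(db))
```

Running it against the real file (`sudo python3 tcc_audit.py` from a Terminal that already has Full Disk Access) gives a quick way to spot unexpected `kTCCServiceSystemPolicyAllFiles` entries, which is the same table the `INSERT` earlier in this thread writes to.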

Great debugging here @ccievoiceoks !

Here the result of your script:

```
❯ python ./tcc.py
10.16
3d1c2a0e97

TCC Database structure is unknow
```

As you can see, same hash here!

I guess the next step now is to send a PR to the https://github.com/jacobsalmela/tccutil project?

Oh, and notice how my macOS version is reported as 10.16 as it is an Intel-based MacBook.

Yes , I will now open a PR to incorporate these findings

When I was trying to edit my changes , I saw that someone did this also 10 hours ago ...

Ahah yes! Just found out jacobsalmela/tccutil#41 ! This doesn't discount your fantastic work @ccievoiceoks ! 😃👍

I know that feel :)
Anyway, great job, @ccievoiceoks! 👍

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.