Posted on 01-29-2023 09:12 AM
We had a script, triggered by a LaunchDaemon, that ran just fine under 12.6, but since updating to 12.6.2, it now spits out the dreaded "unable to execute" "Operation not permitted" error.
The script is not anything exceptional, it reads some data from NETSTAT and writes out data to the /tmp directory. Running the commands from the script independently works, but running the script itself fails every time.
Despite the fact that it shouldn't need "Full Disk Access," I have tried giving both the script and Terminal Full Disk Access, and that hasn't changed anything. Additionally, this is a script that we run perpetually on a schedule, so disabling SIP just to run the script is not an option. I have also tried simply moving the script to a different location (Desktop) and it still fails with the same error. There's a part of me that thinks there is a terminal command that will register an exception for a script to allow it to run, regardless of Gatekeeper restrictions, but I cannot remember what that is, and my "GoogleFu" is failing me. Even still, I'm not sure that's the fix.
It is especially frustrating since everything worked prior to the update.
For full context, the script lives in "/Library/Scripts/CVAD\ Scripts", has permissions 775, and is owned by Root. The script is as follows:
#!/bin/bash
### NECESSARY FUNCTIONS ###
# Function to see if VNC is currently in use. This simply reports a true/false response.
# If using this script on another subnet, be sure to change the last grep option accordingly.
# Returns 0 (true) when VNC is NOT in use and 1 (false) when it is, so
# "if checkvncuse" takes the "not in use" branch. It takes no arguments.
checkvncuse() {
    inuse=$(netstat -vanp tcp | grep 5901 | grep ESTABLISHED | awk '{print $5}' | grep -E '129.120.207|129.120.151')
    if [ -n "$inuse" ]; then
        # VNC in use. return 1
        return 1
    else
        # VNC not in use. return 0
        return 0
    fi
}

# Function to write out a switch file to record current state.
switchfile() {
    # Collect variables for switch.
    vncstate=$1
    timestamp=$(date)
    # Write the result to the switch file.
    echo "writing output to switch file."
    echo "$timestamp" " - " "$vncstate" >> /tmp/VNCSwitch.txt
}

### MAIN SCRIPT ###
# Create Switch File if it doesn't already exist. Otherwise the tail check will fail.
if [ ! -f /tmp/VNCSwitch.txt ]; then
    echo "switch file not found. creating switch file."
    touch /tmp/VNCSwitch.txt
    switchfile "New Switchfile."
fi

# Read the last recorded state once; both branches compare against it.
laststate=$(tail -n 1 /tmp/VNCSwitch.txt)

# Run function "checkvncuse" and use the boolean return to determine actions.
# We are *only* looking for changes in state.
# If VNC is "not in use", then we only care if it was previously "in use";
# in which case we register that as a change and perform the appropriate cleanup.
#
# If VNC is "in use", then we only care if it was previously "not in use";
# in which case we register that as a change, but do nothing else.
if checkvncuse; then
    if [[ $laststate == *"VNC in use."* ]]; then
        echo "vnc recently in use. running disconnect scripts and writing to switch file."
        /usr/local/jamf/bin/jamf policy -event cvad.guacdisconnect
        switchfile "VNC not in use."
    fi
else
    if [[ $laststate == *"VNC not in use."* || $laststate == *"New Switchfile."* ]]; then
        connectedip=$(netstat -vanp tcp | grep 5901 | grep ESTABLISHED | awk '{print $5}')
        echo "vnc in use. writing to switch file."
        switchfile "VNC in use. Connected IP is $connectedip."
    fi
fi
Posted on 01-30-2023 06:25 AM
What happens if you manually run the script from Terminal (bypassing the LaunchDaemon)?
Posted on 01-30-2023 06:30 AM
That was how I discovered that the script was failing. I had noticed that the intended actions were not taking place, so I ran the script manually to see where the problem was and that's when I noticed the errors.
Posted on 01-30-2023 08:31 AM
I would break it down line by line using echo. Check to see exactly where it is failing.
You can also use bash -x myscript.sh to see the output as it runs.
I would then test again on 12.6 and then 12.6.3 as well to see if it will run.
Not much more help here.
Good luck!
Posted on 02-06-2023 06:00 AM
So... your advice helped, but not in the way I expected.
I had performed a chmod +x on the script when I was testing it locally, so I wasn't using the bash command in the local terminal test.
However, when I tried your test using bash -x it worked just fine. So I tested it again using just bash and it still worked. Turns out I had a typo in the header of the script.
My first line was #!/bin/bash rather than #! /bin/bash. I was missing a single space in the script. That appears to have been the problem.
My bad.
Posted on 02-07-2023 09:24 AM
That is the point: to see the script output, look at it and check it out.
That is good news. It is difficult to see that sometimes.
Posted on 02-06-2023 08:39 AM
It looks like there is some other permission error.
When I try to load the LaunchDaemon, I get a 122: Path had bad ownership/permissions error.
The script is owned by root:wheel. I have tried setting the permissions to 600, 640, 700, 755, and 777 just to try to get it to work. I also read about removing world write from the path, and I have attempted that as well, but nothing has corrected the error.
So now the script works, but the LaunchDaemon cannot actually launch it.
Posted on 02-06-2023 08:41 AM
Turns out I was trying to modify the permissions of the script, but it was the Daemon that I needed to modify.
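An added check, not part of the thread or of any Jamf tooling, that audits a LaunchDaemon plist and the script it launches for the conditions behind error 122 (owned by root:wheel, not group- or world-writable); the plist and script file names in the usage comment are placeholders, since the thread does not give them.

```shell
#!/bin/sh
# Added example (not the thread's script): audit a LaunchDaemon plist and the
# script it launches for the conditions launchd enforces before loading a
# daemon: owned by root:wheel and not writable by group or others. A plist
# that fails them is rejected with "Path had bad ownership/permissions" (122),
# which stops a non-root user who can write the file from running code as root.

# Return 0 when an octal mode string (644, 0755, 4755 ...) has no g+w or o+w bit.
mode_is_safe() {
    mode=$(printf '%s' "$1" | sed 's/^0*//')   # normalise leading zeros
    [ -z "$mode" ] && mode=0
    [ $(( 0$mode & 0022 )) -eq 0 ]             # 0022 = group write | other write
}

# Print "uid gid mode" for a path; GNU stat first, then BSD/macOS stat.
file_info() {
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %Lp' "$1"
}

# Return 0 if the path is owned by uid 0 / gid 0 (root:wheel) and mode_is_safe;
# otherwise print each violation and return 1.
check_launchd_perms() {
    path=$1
    [ -e "$path" ] || { echo "$path: does not exist"; return 1; }
    set -- $(file_info "$path")
    uid=$1 gid=$2 mode=$3 rc=0
    [ "$uid" = 0 ] || { echo "$path: owner uid $uid, expected 0 (root)"; rc=1; }
    [ "$gid" = 0 ] || { echo "$path: group gid $gid, expected 0 (wheel)"; rc=1; }
    mode_is_safe "$mode" || { echo "$path: mode $mode is group/world writable"; rc=1; }
    return $rc
}

# Usage (placeholder names; the thread does not give the plist or script file name):
#   sh check_launchd_perms.sh /Library/LaunchDaemons/com.example.vncwatch.plist \
#       "/Library/Scripts/CVAD Scripts/vncwatch.sh"
status=0
for target in "$@"; do
    check_launchd_perms "$target" && echo "$target: OK" || status=1
done
[ "$status" -eq 0 ] || echo "one or more paths would be rejected by launchd"
```

Run it as root after copying a plist into /Library/LaunchDaemons; the fix for a reported violation is chown root:wheel plus chmod 644 on the plist (and chmod 755 on the script), which is what resolved the thread.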
Posted on 02-07-2023 09:24 AM
Hey, Fantastic work!!