We had a script, triggered by a LaunchDaemon, that ran just fine under 12.6, but since updating to 12.6.2, it now spits out the dreaded "unable to execute" "Operation not permitted" error.
The script is not anything exceptional; it reads some data from netstat and writes out data to the /tmp directory. Running the commands from the script independently works, but running the script itself fails every time.
Despite the fact that it shouldn't need "Full Disk Access," I have tried giving both the script and Terminal Full Disk Access, and that hasn't changed anything. Additionally, this is a script that we run perpetually on a schedule, so disabling SIP just to run the script is not an option. I have also tried simply moving the script to a different location (Desktop) and it still fails with the same error. There's a part of me that thinks there is a terminal command that will register an exception for a script to allow it to run, regardless of Gatekeeper restrictions, but I cannot remember what that is, and my "GoogleFu" is failing me. Even still, I'm not sure that's the fix.
It is especially frustrating since everything worked prior to the update.
For full context, the script lives in "/Library/Scripts/CVAD\\ Scripts", has permissions 775, and is owned by root. The script is as follows:
#!/bin/bash
# (interpreter line added here; the post does not show whether the original had one)

### NECESSARY FUNCTIONS ###
# Function to see if VNC is currently in use. Returns 1 (shell "false") when an
# ESTABLISHED connection to port 5901 from one of the listed subnets exists, 0 otherwise.
# If using this script on another subnet, be sure to change the last grep option accordingly.
function checkvncuse() {
    inuse=$(netstat -vanp tcp | grep 5901 | grep ESTABLISHED | awk '{print $5}' | grep -E '129.120.207|129.120.151')
    if [ -n "$inuse" ]; then
        # VNC in use. return 1
        return 1
    else
        # VNC not in use. return 0
        return 0
    fi
}

# Function to write out a switch file to record current state.
switchfile() {
    # Collect variables for switch.
    vncstate=$1
    timestamp=$(date)
    # Write the result to the switch file (quoted so the line is written as-is).
    echo "writing output to switch file."
    echo "$timestamp - $vncstate" >> /tmp/VNCSwitch.txt
}

### MAIN SCRIPT ###
# Create Switch File if it doesn't already exist. Otherwise the tail check will fail.
if [ ! -f /tmp/VNCSwitch.txt ]; then
    echo "switch file not found. creating switch file."
    touch /tmp/VNCSwitch.txt
    switchfile "New Switchfile."
fi

# Run function "checkvncuse" and use the boolean return to determine actions.
# We are *only* looking for changes in state.
# If VNC is "not in use", then we only care if it was previously "in use";
# in which case we register that as a change and perform the appropriate cleanup.
#
# If VNC is "in use", then we only care if it was previously "not in use";
# in which case we register that as a change, but do nothing else.
#
# checkvncuse takes no arguments (the original call passed an undefined "$notinuse").
if checkvncuse; then
    # Not in use now; was the last recorded state "in use"?
    if tail -n 1 /tmp/VNCSwitch.txt | grep -q 'VNC in use.'; then
        echo "vnc recently in use. running disconnect scripts and writing to switch file."
        /usr/local/jamf/bin/jamf policy -event cvad.guacdisconnect
        switchfile "VNC not in use."
    fi
else
    # In use now; was the last recorded state "not in use" or a fresh switch file?
    if tail -n 1 /tmp/VNCSwitch.txt | grep -q 'VNC not in use.' || tail -n 1 /tmp/VNCSwitch.txt | grep -q 'New Switchfile.'; then
        connectedip=$(netstat -vanp tcp | grep 5901 | grep ESTABLISHED | awk '{print $5}')
        echo "vnc in use. writing to switch file."
        switchfile "VNC in use. Connected IP is $connectedip."
    fi
fi
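Before reaching for Full Disk Access or SIP, the cheap checks are the ones that decide whether launchd can exec the file at all: a regular file, the execute bit, a `#!` interpreter line, and no stray carriage return on that line. The following pre-flight script is an added example, not part of the original post; it assumes bash, takes a hypothetical script path as its argument, and on macOS also reports whether a Gatekeeper quarantine attribute is present (that check is skipped where `xattr` is not installed).

```shell
#!/bin/bash
# Pre-flight checks for a script that a LaunchDaemon reports as not executable.
# Added example; the path argument is hypothetical. Exit status 0 means every
# hard check passed, 1 means at least one failed, 2 means the file is missing.

preflight_script() {
    script="$1"
    rc=0

    if [ ! -f "$script" ]; then
        echo "FAIL: not a regular file: $script"
        return 2
    fi

    # launchd execs the file directly, so the execute bit must be set for the
    # user the daemon runs as (root for a LaunchDaemon).
    if [ -x "$script" ]; then
        echo "ok:   execute bit set"
    else
        echo "FAIL: execute bit missing (chmod 755 \"$script\")"
        rc=1
    fi

    # execve() rejects a file without an interpreter line; an interactive shell
    # papers over that by re-running the file as a shell script, launchd does not.
    if [ "$(head -c 2 "$script")" = "#!" ]; then
        echo "ok:   interpreter line: $(head -n 1 "$script")"
    else
        echo "FAIL: no #! interpreter line"
        rc=1
    fi

    # A carriage return from a Windows editor becomes part of the interpreter
    # path ("/bin/bash\r"), which does not exist.
    if head -n 1 "$script" | grep -q "$(printf '\r')"; then
        echo "FAIL: CRLF line ending on the interpreter line"
        rc=1
    fi

    # macOS only: com.apple.quarantine marks a downloaded file for Gatekeeper.
    if command -v xattr >/dev/null 2>&1; then
        if xattr -p com.apple.quarantine "$script" >/dev/null 2>&1; then
            echo "WARN: com.apple.quarantine attribute present"
        else
            echo "ok:   no quarantine attribute"
        fi
    fi

    return "$rc"
}

# Stand-alone run: check the path given on the command line, if any.
if [ -n "${1:-}" ]; then
    preflight_script "$1"
fi
```

Run it as root (the same user the LaunchDaemon uses) so the execute-bit test reflects what launchd sees; a WARN on the quarantine attribute is informational only, since the attribute by itself does not stop a shell script from running.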