Permission issues with emacs-plus running as a service

[tom111]

Hi,

I have trouble giving the emacs server the permissions to access files in the ~/Desktop and ~/Documents folders etc.

So the emacs binary (currently) is under /usr/local/Cellar/emacs-plus@27/27.1/Emacs.app/Contents/MacOS/Emacs. I can run this with exec or straight and then emacs starts and everything is as expected: On the first attempt to open ~/Desktop there is a popup asking for permission and when the permission is granted it works.

Now the service runs /usr/local/Cellar/emacs-plus@27/27.1/Emacs.app/Contents/MacOS/Emacs --fg-daemon and it does not work. That Emacs cannot access the Desktop or Documents or other restricted files and there is no popup and I see no way to grant that permission.

Curiously, if I stop the service and run the same command line /usr/local/Cellar/emacs-plus@27/27.1/Emacs.app/Contents/MacOS/Emacs --fg-daemon from a terminal, it works and Emacs can access the files.

So what does the brew service / launchctl do differently so that it cannot access the files?

[codingquark]

I have the same problem when emacs-plus@27 is started with brew services start. Emacs started from other places (CLI, Emacs.app etc) is able to access ~/Documents.

I should clarify that emacsclient is not able to access ~/Documents etc, but is able to access directories such as ~/workspace or ~/.config etc.

[d12frosted]

I have to confes. I never used Emacs in daemon mode, so I might be missing some crutial points to reproduce. Also, I am using emacs-plus@28, so not sure if it's relevant.

1. Open terminal.
2. Run brew services start emacs-plus@28.
3. Run emacsclient temp.org (just to start emacsclient)
4. C-x C-f ~/Documents <ret>
5. As result, I have opened Documents folder in dired. Everything is accessible.

I just checked my privacy settings (System Preferences > Security & Privacy > Privacy) and see no Emacs mentioned in any of the areas (e.g. Full Disk Access, Files and Folders).

What macOs version are you running on?

[tom111]

I followed your steps exactly to try out Emacs-28 and it does not work here. I get Listing directory failed but ‘access-file’ worked. This is clearly MacOS "System integrity protection" or "Gatekeeper" or whatever it is called these days. I'm very surprised that it works for you. Do you have it disabled globally?

• I'm on the (latest) MacOS 11.1 "Big Sur".
• Googling around on the Interwebs one can find reports of daemons not being able to ask for permissions, or sometimes they are. It seems to be a mess. Try to google "launchctl daemon permissions disk access". I get this, this, and this.

[d12frosted]

@tom111 Ah, might be. I have disabled SIP completely (well, to the maximum extend):

$ λ csrutil status
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: enabled
	Filesystem Protections: disabled
	Debugging Restrictions: disabled
	DTrace Restrictions: enabled
	NVRAM Protections: enabled
	BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

Doing this because I use yabai as WM.

Will check your links.

[tom111]

For reference: My best workaround is to create a shell script somehwere that just runs /Applications/Emacs.app/Contents/MacOS/Emacs --fg-daemon & and insert this script as a login item. Then it just works.

[boztek]

I've played with this a bit (emacs-plus@27 on 10.15 Catalina) and noticed that for my iCloud Drive folders (Documents and Downloads):

1. running non emacsclient can access
2. running emacsclient connecting to the emacs-plus service started by brew can not access
3. running emacsclient connecting to emacs daemon started manually with emacsclient -a "" -cn can access

This is after granting Full Disk Access to Emacs.app and all the bins (emacs, emacsclient as well as the Emacs in /usr/local/Cellar/emacs-plus@27/27.1/Emacs.app/Contents/MacOS.

So the only issue I have is with the brew service version of the daemon - can't seem to grant full disk access to that but daemons started manually I'm able to get working by granting access to emacsclient etc.

[tom111]

So the only issue I have is with the brew service version of the daemon - can't seem to grant full disk access to that but daemons started manually I'm able to get working by granting access to emacsclient etc.

Yes, exactly. I tried to describe this in my original post. It seems to be the case that deamons started with launchctl don't adhere to policies made in the "Privacy" settings.

[all9n]

I might have another workaround which changes the plist file used to launch the service like this:

-    <string>/opt/homebrew/opt/emacs-plus@28/bin/emacs</string>
+    <string>/opt/homebrew/Cellar/emacs-plus@28/28.0.50/Emacs.app/Contents/MacOS/Emacs</string>

Then I loaded this with launchctl manually, mostly because I want to have a separate copy that won't get overridden when updating, but also because I know next to nothing about how brew services works.

After this I get those "Emacs.app would like to access files in your * folder" popup windows when opening them for the first time. Didn't have to give anything else full disk access.

[tom111]

I also have a completely new workaround:

1. Don't start emacs as a service with launchctl at all, but do it adhoc with a script that checks if emacs is already running. If so it runs emacsclient, if not, it starts the server. oh-my-zsh already has such a script within their emacs-plugin.
2. Enjoy freshly brewed coffee.