TCC.db protected by SIP in Sierra #18

Open
avivais opened this Issue Sep 3, 2016 · 16 comments

avivais commented Sep 3, 2016

Was this tested on Sierra latest beta?

Author

avivais commented Sep 3, 2016

Just tried. It seems TCC.db is now protected by SIP; it is now read-only.

jacobsalmela changed the title from "Sierra Beta" to "TCC.db protected by SIP in Sierra" on Sep 12, 2016

Owner

jacobsalmela commented Sep 12, 2016

Yeah, I was seeing this, too. Not sure there will be a great way around it besides disabling SIP...

avindra commented Jan 17, 2017

Error is:

Traceback (most recent call last):
  File "./tccutil.py", line 294, in <module>
    main()
  File "./tccutil.py", line 284, in main
    enable(item)
  File "./tccutil.py", line 232, in enable
    c.execute("UPDATE access SET allowed='1' WHERE client='%s'" % (client))
sqlite3.OperationalError: attempt to write a readonly database

keyurp1987 commented Oct 18, 2017

Any updates on the issue above? We have been hit with the same issue and are wondering if anyone found a workaround to get past this and set the accessibility via command line.

Owner

jacobsalmela commented Oct 20, 2017

I personally have not bothered trying to circumvent SIP and don't plan to. I like SIP despite some headaches it can cause for traditional ways of doing things.

Ideally, it would be nice if Apple were to implement this open source software as part of their OS. They already have their own tccutil--they just need to add the functionality my tool offers (plus some Apple engineering to safely work with SIP)... The whole reason I made this to begin with is because Apple's tccutil only has one command, which just resets everything; it seems like a perfect opportunity to merge the two utilities.

Tatsh commented Feb 11, 2018

I have my database modified since I did this before SIP existed, yet SIP protects the file. Perhaps it is possible to go into SIP-less mode, update the file, and then turn it back on?

I have not tried this yet as I have not needed to yet. The entries for bash, tmux, sh, etc all show up in Accessibility. And also there are these defaults keys which have full paths, either file or directory:

defaults write com.apple.universalaccessAuthWarning /usr/libexec -bool true
defaults write com.apple.universalaccessAuthWarning /usr/libexec/sshd-keygen-wrapper -bool true

I have not tried to add an entry this way but I am already fairly certain it will not work because otherwise this utility would not exist.

Owner

jacobsalmela commented Feb 11, 2018

Isn't a reboot necessary in order to enable/disable SIP? I've been out of the Mac world for a couple of years now so I'm not familiar with what the defaults commands you mentioned do.

Tatsh commented Feb 11, 2018

Yes, a reboot is required. You have to get into recovery mode, disable SIP, come back, edit, go back to recovery mode, and maybe it will work. I have not tried this and yes, it's annoying, but at least it keeps SIP enabled.

Owner

jacobsalmela commented Feb 12, 2018

I suppose a notice could be added to the utility about SIP and this possible workaround--at the very least.

Tatsh commented Jul 30, 2018

This is no longer an issue on Mojave. macOS 10.14 will have a section named Automation under Security & Privacy / Privacy. This utility is no longer necessary at that point. Any app that attempts to use automation will bring up a prompt to confirm once.

Owner

jacobsalmela commented Aug 4, 2018

Interesting... I guess that's good because I don't have time to maintain it anymore. Thanks @Tatsh

paulz commented Aug 30, 2018

Works for me with sudo on MacOS X High Sierra:

sudo tccutil -l
/usr/bin/osascript
com.apple.AccessibilityInspector
com.apple.Automator
com.apple.Safari
com.apple.ScriptEditor.id.disconnectHardwareKeyboard
com.apple.ScriptEditor2
com.apple.Terminal
com.apple.dt.Xcode
com.apple.dt.Xcode-Helper
com.apple.sample.UIElementInspector
com.getdropbox.dropbox
com.google.GoogleTalkPluginD
com.screenhero.screenhero
net.sourceforge.sqlitebrowser
sw_vers
ProductName:	Mac OS X
ProductVersion:	10.13.6
BuildVersion:	17G65

ccstone commented Sep 1, 2018

sudo tccutil -l is a read command.

What happens when you use a writable command?
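
The read/write distinction raised above, reproduced as an added example (not part of the thread or of tccutil.py): a constructed SQLite file is opened with mode=ro as a stand-in for SIP's protection, so the list query succeeds while the update fails with the error from the traceback. The table contents, file name and function names are assumptions made for the illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def make_sample_db(path):
    """Build a constructed stand-in for TCC.db (only the columns seen in the traceback)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE access (client TEXT PRIMARY KEY, allowed INTEGER)")
    conn.execute("INSERT INTO access VALUES (?, ?)", ("com.example.app", 0))
    conn.commit()
    conn.close()


def list_clients(conn):
    """Read path, the equivalent of the -l / --list command."""
    return [row[0] for row in conn.execute("SELECT client FROM access ORDER BY client")]


def enable(conn, client):
    """Write path. Returns (ok, detail) instead of dying with a traceback."""
    try:
        # Bound parameter, not the '%s' string formatting shown in the traceback.
        cur = conn.execute("UPDATE access SET allowed = 1 WHERE client = ?", (client,))
        conn.commit()
        return cur.rowcount == 1, "updated"
    except sqlite3.OperationalError as exc:
        return False, str(exc)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "TCC-sample.db")
        make_sample_db(path)
        # Assumption: SQLite's mode=ro stands in for SIP denying write access.
        conn = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
        try:
            return list_clients(conn), enable(conn, "com.example.app")
        finally:
            conn.close()


if __name__ == "__main__":
    clients, (ok, detail) = demo()
    print("list:", clients)
    print("enable:", ok, "-", detail)
```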

ssbarnea commented Dec 29, 2018

Clearly it does not work on Mojave:

$ sudo tccutil -l
Error opening Database.

Any workarounds as I really need to bless osascript?

Ge0rges commented Feb 1, 2019

sudo tccutil.py --list yields Error opening Database. on macOS Mojave 10.14.2. Is it related to SIP?

Tatsh commented Feb 1, 2019

Yes
