TCC.db protected by SIP in Sierra #18

Closed
avivais opened this issue Sep 3, 2016 · 30 comments
@avivais

avivais commented Sep 3, 2016

Was this tested on Sierra latest beta?

@avivais
Author

avivais commented Sep 3, 2016

Just tried - it seems TCC.db is now protected by SIP - it is now read-only

jacobsalmela changed the title from "Sierra Beta" to "TCC.db protected by SIP in Sierra" on Sep 12, 2016
@jacobsalmela
Owner

Yeah, I was seeing this, too. Not sure there will be a great way around it besides disabling SIP...

@avindra

avindra commented Jan 17, 2017

Error is:

Traceback (most recent call last):
  File "./tccutil.py", line 294, in <module>
    main()
  File "./tccutil.py", line 284, in main
    enable(item)
  File "./tccutil.py", line 232, in enable
    c.execute("UPDATE access SET allowed='1' WHERE client='%s'" % (client))
sqlite3.OperationalError: attempt to write a readonly database

@keyurp1987

Any updates on the issue above? We have been hit with the same issue and are wondering if anyone found a workaround to get past this and set the accessibility via command line.

@jacobsalmela
Owner

I personally have not bothered trying to circumvent SIP and don't plan to. I like SIP despite some headaches it can cause for traditional ways of doing things.

Ideally, it would be nice if Apple were to implement this open source software as part of their OS. They already have their own tccutil--they just need to add the functionality my tool offers (plus some Apple engineering to safely work with SIP)...The whole reason I made this to begin with is because Apple's tccutil only has one command, which just resets everything; it seems like a perfect opportunity to merge the two utilities.

@Tatsh

Tatsh commented Feb 11, 2018

I have my database modified since I did this before SIP existed, yet SIP protects the file. Perhaps it is possible to go into SIP-less mode, update the file, and then turn it back on?

I have not tried this yet as I have not needed to yet. The entries for bash, tmux, sh, etc all show up in Accessibility. And also there are these defaults keys which have full paths, either file or directory:

defaults write com.apple.universalaccessAuthWarning /usr/libexec -bool true
defaults write com.apple.universalaccessAuthWarning /usr/libexec/sshd-keygen-wrapper -bool true

I have not tried to add an entry this way but I am already fairly certain it will not work because otherwise this utility would not exist.

@jacobsalmela
Owner

Isn't a reboot necessary in order to enable/disable SIP? I've been out of the Mac world for a couple of years now so I'm not familiar with what the defaults commands you mentioned do.

@Tatsh

Tatsh commented Feb 11, 2018

Yes a reboot is required. You have to get into recovery mode, disable SIP, come back, edit, go back to recovery mode, and maybe it will work. I have not tried this and yes it's annoying but at least it keeps SIP enabled.

@jacobsalmela
Owner

I suppose a notice could be added to the utility about SIP and this possible workaround--at the very least.

@Tatsh

Tatsh commented Jul 30, 2018

This is no longer an issue on Mojave. macOS 10.14 will have a section named Automation under Security & Privacy / Privacy. This utility is no longer necessary at that point. Any app that attempts to use automation will bring up a prompt to confirm once.

@jacobsalmela
Owner

Interesting..I guess that's good because I don't have time to maintain it anymore. Thanks @Tatsh

@paulz

paulz commented Aug 30, 2018

works for me with sudo on MacOS X High Sierra:

sudo tccutil -l
/usr/bin/osascript
com.apple.AccessibilityInspector
com.apple.Automator
com.apple.Safari
com.apple.ScriptEditor.id.disconnectHardwareKeyboard
com.apple.ScriptEditor2
com.apple.Terminal
com.apple.dt.Xcode
com.apple.dt.Xcode-Helper
com.apple.sample.UIElementInspector
com.getdropbox.dropbox
com.google.GoogleTalkPluginD
com.screenhero.screenhero
net.sourceforge.sqlitebrowser
sw_vers
ProductName:	Mac OS X
ProductVersion:	10.13.6
BuildVersion:	17G65

@ccstone

ccstone commented Sep 1, 2018

sudo tccutil -l is a read command.

What happens when you use a writable command?

@ssbarnea

ssbarnea commented Dec 29, 2018

Clearly it does not work on Mojave:

$ sudo tccutil -l
Error opening Database.

Any workarounds as I really need to bless osascript?

@Ge0rges

Ge0rges commented Feb 1, 2019

sudo tccutil.py --list yields Error opening Database. on macOS Mojave 10.14.2. Is it related to SIP?

@Tatsh

Tatsh commented Feb 1, 2019

Yes

@jacobsalmela
Owner

I'll add some more info in the message to let users know about SIP

@danielbayley
Contributor

danielbayley commented Mar 14, 2020

@jacobsalmela Could you cut a new release (including #32)? So that the @Homebrew formula can be updated… for those with SIP disabled.

@jacobsalmela
Owner

I've been meaning to, but I haven't made time to learn all their rules for updating a formula. When I first did it, it wasn't a super easy process.. I'll give it my best, but if anyone has a quick and dirty version of commands to run, let me know.

@jacobsalmela
Owner

Never mind. It's quite easy with an existing formula in place:

v1.2.6 is now available via Homebrew. 😄

@danielbayley
Contributor

danielbayley commented Mar 16, 2020

> I've been meaning to, but I haven't made time to learn all their rules for updating a formula. When I first did it, it wasn't a super easy process.. I'll give it my best, but if anyone has a quick and dirty version of commands to run, let me know.

@jacobsalmela Ah I would have handled the PR to Homebrew… as I deal with formulae/casks quite a lot! Just needed the release… But yeah it should be much easier to update as opposed to creating new. Nice one, thanks 👍🏼

@LeoGrin

LeoGrin commented Jul 8, 2020

Hi,

I'm on Mojave 10.14.6. When I try to use tccutil, I get :

sudo tccutil --list
Error opening Database.  You probably need to disable SIP for this to work.

However, I've disabled SIP:

csrutil status
System Integrity Protection status: disabled.

Thus I'm wondering if SIP is the real problem here. Thank you in advance for your help.

@jacobsalmela
Owner

Hmmm. Thanks for the note. There might be more work to do then...

@Squactopus

Squactopus commented Aug 4, 2020

What does SIP even stand for?
Update: looked it up, and now I know what it stands for. This information does not help at all.

@paulz

paulz commented Aug 4, 2020

About System Integrity Protection on your Mac

https://support.apple.com/en-us/HT204899

@jacobsalmela
Owner

Yeah, it basically prevents tools like this from hacking their way into things we know nothing about. It's a good thing 😄 .

@mike-myers-tob

> Hi,
>
> I'm on Mojave 10.14.6. When I try to use tccutil, I get :
>
> sudo tccutil --list
> Error opening Database.  You probably need to disable SIP for this to work.
>
> However, I've disabled SIP:
>
> csrutil status
> System Integrity Protection status: disabled.
>
> Thus I'm wondering if SIP is the real problem here. Thank you in advance for your help.

I've noticed that you can access TCC.db even with SIP enabled, if you grant Full Disk Access to Terminal.app and then open the TCC.db with sqlite3. Note: tested with macOS 11 Big Sur.

@jacobsalmela
Owner

That makes sense and is a good solution for this issue I think--assuming you're comfortable doing it. Thanks for the note!

@Tatsh

Tatsh commented Nov 23, 2020

> > Hi,
> > I'm on Mojave 10.14.6. When I try to use tccutil, I get :
> >
> > sudo tccutil --list
> > Error opening Database.  You probably need to disable SIP for this to work.
> >
> > However, I've disabled SIP:
> >
> > csrutil status
> > System Integrity Protection status: disabled.
> >
> > Thus I'm wondering if SIP is the real problem here. Thank you in advance for your help.
>
> I've noticed that you can access TCC.db even with SIP enabled, if you grant Full Disk Access to Terminal.app and then open the TCC.db with sqlite3. Note: tested with macOS 11 Big Sur.

Access, but are you able to write to it?
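
The read-versus-write distinction raised in this thread can be checked without changing any row. The following is an added example, not code from tccutil.py or from any commenter: it runs against a constructed stand-in database with only the `access` table and the `client`/`allowed` columns seen in the traceback, and `make_sample_db`, `probe_access_db` and its `read_only` switch are hypothetical names.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def make_sample_db(path):
    """Constructed stand-in: only the table and columns named in the traceback."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE access (client TEXT, allowed INTEGER)")
    conn.execute("INSERT INTO access VALUES (?, ?)", ("com.example.app", 0))
    conn.commit()
    conn.close()


def probe_access_db(path, read_only=False):
    """Return 'cannot-open', 'read-only' or 'writable'; never changes a row.

    read_only=True forces a read-only open (hypothetical switch) so the
    read-only branch can be exercised without OS-level protection.
    """
    mode = "ro" if read_only else "rw"
    uri = f"{Path(path).absolute().as_uri()}?mode={mode}"
    try:
        conn = sqlite3.connect(uri, uri=True)
    except sqlite3.Error:
        return "cannot-open"          # the open itself was refused
    try:
        # A real read: connect() alone does not prove the content is readable.
        conn.execute("SELECT count(*) FROM access").fetchone()
    except sqlite3.Error:
        conn.close()
        return "cannot-open"
    try:
        # Zero-row UPDATE: needs a write transaction but alters nothing.
        conn.execute("UPDATE access SET allowed = allowed WHERE 0")
        return "writable"
    except sqlite3.OperationalError as exc:
        if "readonly" in str(exc):    # "attempt to write a readonly database"
            return "read-only"
        raise
    finally:
        conn.rollback()
        conn.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sample.db")
        make_sample_db(db)
        print(probe_access_db(db), probe_access_db(db, read_only=True))
```

With the default `read_only=False`, SQLite falls back to a read-only handle when the operating system refuses write access to the file, so the same call reports `read-only` for a file that can be listed but not updated.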

@jacobsalmela
Owner

I'm moving this into a Discussion.

#44
