Local File System Permissions via launchd (daemon)

lutefisk · September 26, 2024, 12:50am

What is the problem you are having with rclone?

When running rClone via launchd (macOS) it doesn't have access to the local file system. I've tried both from a user account (plist in /Users//Library/LaunchAgents) and root (plist in /Library/LaunchAgents) with the same result. The same bash script run directly from Terminal works fine. I've also run a simple script that creates a folder via launchd and it ran fine. The issue seems to be the combination of rClone & launchd.

Run the command 'rclone version' and share the full output of the command.

rclone v1.68.0

os/version: darwin 13.7 (64 bit)
os/kernel: 22.6.0 (x86_64)
os/type: darwin
os/arch: amd64
go/version: go1.23.1
go/linking: dynamic
go/tags: cmount

Which cloud storage system are you using? (eg Google Drive)

Google Drive (Shared Drives)

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

Bash Script:

#! /bin/bash
# RClone Config file
RCLONE_CONFIG=/Users/bryan/.config/rclone/rclone.conf
export RCLONE_CONFIG

/usr/local/bin/rclone sync G-Projects: /Volumes/Expansion/Backup/Projects -v -P --log-file /Users/bryan/bin/LLA-Backup" $(date '+%y.%m.%d').log" --exclude=*.{bpn,lck}

LaunchAgent plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>local.test</string>
       <key>ProgramArguments</key>
        <array>
            <string>/Users/bryan/bin/lla-backup.sh</string>
        </array>
        <key>Nice</key>
        <integer>1</integer>
        <key>StartCalendarInterval</key>
        <dict>
            <key>Hour</key>
            <integer>16</integer>
            <key>Minute</key>
            <integer>55</integer>
        </dict>      
        <key>RunAtLoad</key>
        <true/>
        <key>StandardOutPath</key>
        <string>/Users/bryan/bin/output.log</string>
        <key>StandardErrorPath</key>
        <string>/Users/bryan/bin/error.log</string>
    </dict>
</plist>

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[G-Projects]
type = drive
scope = drive.readonly
token = XXX
team_drive = XXX
root_folder_id =

A log from the command that you were trying to run with the `-vv` flag

<snip>
2024/09/25 17:02:49 ERROR : 355 Taft St/2024-03-06 18-24.pdf: Failed to copy: open /Volumes/Expansion/Backup/Projects/355 Taft St/2024-03-06 18-24.pdf.5bae4eb1.partial: operation not permitted
2024/09/25 17:02:49 ERROR : .DS_Store 2: Failed to copy: open /Volumes/Expansion/Backup/Projects/.DS_Store 2.7a832fd1.partial: operation not permitted
2024/09/25 17:02:49 ERROR : 355 Taft St/355 TAFT ST. AS-BUILT DRAWING .pdf: Failed to copy: open /Volumes/Expansion/Backup/Projects/355 Taft St/355 TAFT ST. AS-BUILT DRAWING .pdf.d374dbf7.partial: operation not permitted
2024/09/25 17:02:49 ERROR : Byrd-Mallari/Byrd-Mallari EXISTING.pdf: Failed to copy: open /Volumes/Expansion/Backup/Projects/Byrd-Mallari/Byrd-Mallari EXISTING.pdf.b61525e4.partial: operation not permitted
2024/09/25 17:02:50 ERROR : 355 Taft St/355 TAFT ST. AS-BUILT DRAWING.pdf: Failed to copy: open /Volumes/Expansion/Backup/Projects/355 Taft St/355 TAFT ST. AS-BUILT DRAWING.pdf.f0c320db.partial: operation not permitted
<snip>

kapitainsky · September 26, 2024, 3:43am

This is not rclone issue but macOS permissions problem.

You have to grant your program "Full Disk Access". Which you can't for scripts AFAIK. So either package it into self signed executable or use privileged helper tool. If you do not know how to write your own use one from LaunchControl program - free version is enough. Look at "How do I grant Full Disk Access..." question.

lutefisk · September 26, 2024, 11:50pm

Thanks, kapitainsky.
I thought it would run as the logged in user since the plist is in the UserAgents folder, but if that's not the case, the macOS permissions issue makes sense. I'll try running it as a LaunchDaemon

kapitainsky · September 27, 2024, 4:36am

I think (99.99%) it does run as logged in user (as it is in /Users//Library/LaunchAgents). But does not mean macOS grants it the same privileges as when run from terminal. macOS fun:)

Actually be careful and DO NOT run anything from user LaunchAgents as sudo (load,unload,start etc.) - it will result with proper mess.

I use fdautil from LaunchControl for years for such cases like this one. It does what it should.

lutefisk · September 27, 2024, 7:21pm

I'll keep at it. fdautil sounds like just what I need.
Unfortunately running as a LaunchDaemon seems to have also made a proper mess. Getting permission issues on the rclone config file now. Gonna give it a rest for a couple of days. Thanks for all your help, kapitainsky.

kapitainsky · September 27, 2024, 7:31pm

launchd runs in its own environment. Either replicate your required env parameters like PATH etc. or specify everything explicitly including rclone config location.

For your reference here is example of my working launchd:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	  <string>kptsky.ma-bu_master</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/fdautil</string>
        <string>exec</string>
        <string>/bin/bash</string>
        <string>/Users/kptsky/bin/kptsky.ma-bu_master.sh</string>
    </array>

	<key>StandardErrorPath</key>
	  <string>/Users/kptsky/Library/Logs/kptsky/kptsky.ma_bu_daily.log</string>
	<key>StandardOutPath</key>
      <string>/Users/kptsky/Library/Logs/kptsky/kptsky.ma_bu_daily.log</string>
	<key>StartCalendarInterval</key>
	<dict>
		<key>Hour</key>
		<integer>0</integer>
		<key>Minute</key>
		<integer>1</integer>
	</dict>

</dict>
</plist>

lutefisk · October 2, 2024, 6:49pm

Got it working! Thanks for all your help, kapitainsky.
LaunchControl and the included fdautil were the key. Well worth the $29 for a license.
For those running into this same issue and unfamiliar with fdautil, as I was, you need to authorize the script you want to run via the utility before actually running it. The manual for fdautil is in the Help section of the LaunchControl menu.

kapitainsky · October 2, 2024, 7:20pm

100% agree.

For anybody interested fdautil "trick" works also with free version of LaunchControl.

system · November 1, 2024, 7:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.