All known prior macOS versions were working with this sort of script context:
osascript -e "/path/to/my/app.command" with administrator privileges
Now it just silently fails...after asking for admin password.
The command file is what was originally used to launch the app, and the app has a button to re-launch with privileges...and the prior non privileged app closes.
If I remove the "with administrator privileges", it re-launches. if that is there, it does not.
If I try using:
/usr/bin/security execute-with-privileges /path/to/my/app.command
It also fails...never even shows password prompt.
I tried also "sudo open /Applications/myApp.app" but that of course doesn't actually launch with privileges.
From a shell i can sudo launch my app, and that is fine, but I can't expect an average user to be able to do sudo in a shell.
As I said, this had been a nice method that has worked for probably the past 6 to 8 years...but now fails. Anyone have any tricks or ways to get around it?
At one time....and I have no idea why, I saw the OSX security popup indicating "java" is not a trusted app and my settings only allow app store apps. But that only happened once...and it was strange. I clicked OK, it disappeared. I thought maybe java had been quarantined, so I did the command to clear that flag:
xattr -rd com.apple.quarantine /path/to/the/binary/java
But that made no difference. I'm sure this is new security features in Catalina making things difficult...but I can't figure out why or how to work through them. Its a java app that is launched via the app.command file which finds java on the machine and then launches it...defaulting to finding a local copy in its own subfolder.
Checkout out the sandbox settings of your project. the App Sandbox should be set as false in the entitlements file.
The sandboxing feature prevents your app from elevating the privilege in your app.
reference: https://developer.apple.com/app-sandboxing/
Related
I cannot get Apache Tomcat to start. I followed the instructions for installing Tomcat on the Mac found at https://www.dev2qa.com/how-to-install-tomcat-in-macos/.
After I type the command to start Tomcat, the response from the command line is that Tomcat has started.
However, when I go to the browser, the default page is not showing up. I further checked to see if the port was being used by using the command
lsof -nP -i4TCP:8080 | grep LISTEN
which showed that no program is using the port. I also read the 'RUNNING.txt' that instructed me on setting the environmental variables, which I did. Any suggestions on why Tomcat is not starting up.
I'm using jdk 1.8.0_202 and Apache Tomcat 9.0.14 that is running of Mac OS High Sierra.
BatChmod
After downloading a fresh version of Tomcat, I use the BatChmod app to alter the file permissions. Tomcat will not launch properly without altering the permissions.
I do not know the command-line equivalent, but here is a screenshot of the settings I have used for years successfully.
Plea for help
If anyone can write the equivalent as a shell script for macOS, please post!
Even better, explain how to wrap such a script as an AppleScript for drag-and-drop execution in Finder.
The problem turned out to be a permissions problem. When I installed Tomcat, I put the folder in the '/Library/Tomcat' directory. Even though the Tomcat files were changed to be executable, the user and group ownership remained the same. To get Tomcat to run, I moved the directory to 'Users/MyUserName/Tomcat'. Once I did that, the default Tomcat page ran.
As an introduction, let's just say I'm a real noob using linux. I try to do the things right, don't hit me if it's ugly.
So, the problematic. I'm trying to run some jars as webservices on an ubuntu server. I created a specific user (nuxservice) with no pwd. I edited sudoers to enable a few users (myself & root) to sudo using this account with no password.
I then took a lot of inspiration from : http://www.jcgonzalez.com/linux-java-service-wrapper-example
Most is working, only one real problem, my java process seems to not have the right to create its logging files.
I run my services with a classic
sudo service myservice start/stop/restart
The command line that are launching my services are :
nohup sudo -u nuxservice java -jar myjar.jar myargs
When I do a ps -ef, the services are launches with my nuxservice user.
When I do ls -ld, nuxservice is the owner and have the rights.
If I launch the command in a terminal myself, it works. When launching as a service, my logs files are not created.
Any clues mates ?
So...
It was kinda silly.
My user rights were fine. Problem is, I did not set the working folder in my script so Java was all lost considering the creation of the folder/files for logging.
All I had to do was adding a little
cd $PATH_TO_JAR
And it was all set !
I have a Jenkins config that executes Java tests for OS X app using Maven. And when I'm trying to run some AppleScript that requires assistive access for it, different errors appear. So I've tried to execute AppleScript in two ways:
Using ScriptEngine:
ScriptEngineManager mgr = new ScriptEngineManager();
ScriptEngine engine = mgr.getEngineByName("AppleScriptEngine");
engine.eval(script);
In this case script execution fails with error: An error of type -10810 has occurred.
Calling osascript. In this case error looks like: System Events got an error: osascript is not allowed assistive access. (-1719)
In accessibility list I have following things: SystemUIServer, Script Editor, osascript, java, mvn, bash, Terminal. When running script in Script Editor or in osascript from Terminal, script passed without any errors.
Any suggestions what else should I check?
I think you answer your own question. You can allow assistive access for Script Editor (among other things). It works fine in Script Editor.
You can try and add other applications to have assistive access. This might be an option if Script Editor does not give you want you want.
I find that I sometimes need to add the parent of the process that calls osascript, in addition to osascript itself, regardless of what the error message says. Sometimes I have to add the grandparent process too.
In particular, /bin/bash does not call any assistive API, but OSX wants it listed even though osascript is also listed, and I've had to add TeamCity's agent.jar too.
So try adding your .jar file, and look to see whether ScriptEngine uses an intermediate code executor that you'll also need to enable.
Beware that you'll probably have to remove and add your entries if you change the binary (I think OSX maintains some sort of checksum in the final binary entry in its database entry).
Another workaround is to write the AppleScript using Script Editor, save it as a standalone app from there, and give that app assistive access. Then you can run the app as needed from another environment like a Java app or Automator workflow.
See also: https://apple.stackexchange.com/a/346306/264883
I've resolved something like this problem before by inserting osascript into the TCC.db using tccutil.py
After installing I linked tccutil.py into the path.
sudo ln -s /source/tccutil/tccutil.py /usr/bin/tccutil.py
ls -l /usr/bin/tccutil.py
lrwxr-xr-x 1 root wheel 26 30 Dec 14:57 /usr/bin/tccutil.py -> /source/tccutil/tccutil.py
Then to allow osascript access to control your computer use the following compand
sudo tccutil.py --insert /usr/bin/osascript
I even added the script when the problem happened again later on.
sudo tccutil.py --insert $(pwd)/transcribe-audio-to-text.js
That failed so I rebooted which worked :-)
transcribe-audio-to-text.js currently uses System Events to make TextEdit be able to save a text file. It's part of virtual assistant which is very alpha at 20160105 but the source is interesting. virtual-assistant
I would like to monitor a local Java application using JVisualVM. When I'm starting it, the popup 'Local java application cannot be monitored' or 'Local Applications Cannot Be Detected' is shown. I have read here that it is a permissions problem. Every time when I grant full access to folder %TMP%hsperfdata_MY_USER_ID to me (logged user) and everyone (windows user), the permissions are reset when I start JVisualVM.
I know that another solution is to delete hsperfdata_MY_USER_ID, but why does the permissions trick not work? Is the permissions folder reset a Windows feature?
System : Windows 7
Tested on cmd started as administrator. I use the same accounts and I do not pass any JVM parameters such as com.sun.management.jmxremote.port=XXXX.
For people stumbling here who have a FAT-type file system:
Make a directory (e.g. e:\temp) on an NTFS disk.
Start both java and jvisualvm with an environment variable TMP=E:\temp.
There are three options to set the environment variable for java:
In your IDE, go to the project options or launch options and find the 'Environment' entry, then enter TMP=E:\temp
Open a cmd prompt, and execute set TMP=E:\temp before launching youur java application from the same prompt.
Put the two lines you'd enter at the cmd prompt in a .bat file. Optinally add pause at the end of the bat file to prevent the console window from disappearing in case of a runtime exception or vm crash.
Similarly, for JVisualVM, use one of the last two options.
I had the 'Local Applications Cannot Be Monitored' problem, got it solved like this:
Exit all java processes
Delete existing folder %TMP%\hsperfdata_username
Start jvisualvm, which created the folder with a different casing: %TMP%\hsperfdata_USERNAME
My problem and solution have nothing to do with permissions, so may not work for the original problem in the question.
Also see https://visualvm.github.io/troubleshooting.html#jpswin
This answer is a bit trivial but might still save time.
Check your java application is not lauched with the "-XX:-UsePerfData" option.
My username: A4000000
I had to delete C:\Users\A4000000\AppData\Local\Temp\hsperfdata_a4000000
AppData is a hidden folder.
Then once starting VisualVM again, it created the following:
C:\Users\A4000000\AppData\Local\Temp\hsperfdata_A4000000
Notice the case difference.
Then start:
C:\visualvm_213\bin> visualvm.exe --jdkhome "C:\Program Files\Java\jdk1.8.0_202" --userdir "C:\Temp\visualvm_userdir"
I am using Java code to install an EXE program on Win8, by executing this command "java -jar installapp.jar" in CML. The command line window is NOT opened by "Run as administrator", but the current user is a member of administrator group.
However, in the same CML window, if I install the EXE directly, it works. It just fails when the installation is executed by Java.
So anyone can give me a tip?
Thanks a lot,
Michael
To correctly install an application which includes writing to system-protected areas can't be done without elevating through UAC. That means the CML window must be Run as administrator.
Java executables are marked with manifest which requests asInvoker privileges. So the process would start with administrator tokens dropped if the parent process wasn't elevated. It's the whole point of UAC: even if you are member of Administrators group, you don't get the full, unlimited privileges until you elevate.
What do you mean by "install the exe directly"?