sudo-prompt
Operation not permitted on macOS Catalina
When attempting to do a chmod a+rw on /dev/rdisk2, I get a permission denied error (Error: Unable to change file mode on /dev/rdisk2: Operation not permitted) on macOS Catalina. If I do a sudo chmod a+rw /dev/rdisk2 from the Terminal it works fine, so I'm not sure what's going on here.
I doubt that it's SIP, as /dev is supposedly not part of the protected folders, and I can't find any special permission flags on /dev/rdisk2. That said, the Electron app I'm running sudo-prompt from is notarized and running with full disk access, so I'm wondering if sudo-prompt needs to be somehow notarized separately?
Hello @gniezen @jorangreef,
I ran into the same issue, it looks like the "with administrator privileges" AppleScript trick no longer works for accessing /dev/rdiskX on Catalina.
One thing still works though: sudo.
You can use sudo -A if you set a SUDO_ASKPASS env var.
I ended up using this with some osascript to show a graphical password prompt.
It isn't perfect (JXA only works starting from OS X 10.10, it should probably be converted to AppleScript), but it works.
Hopefully this can be implemented in sudo-prompt.
Here are the changes I used (you probably only care about catalina-sudo.js and sudo-askpass.osascript.js): https://github.com/balena-io/etcher/pull/2939/commits/25aeb0b8d1825fcc10b8fdf20c44055a4030b927
I should probably have done a PR in sudo-prompt for that but I was lacking time.
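An added example, not part of the thread and not the code from sudo-prompt or the linked Etcher commit: one way to wire up `sudo -A` with `SUDO_ASKPASS` from Node, keeping the askpass helper in a private directory so no other local user can replace the program that receives the password. The function names and dialog text are assumptions, and it uses AppleScript where the linked commit uses JXA.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const { spawn } = require('child_process');

// Askpass helper: shows a hidden-answer dialog and prints the typed password
// on stdout, which is where sudo -A reads it. Cancelling makes osascript exit
// non-zero, so sudo fails instead of running the command.
const ASKPASS_SCRIPT = [
  '#!/bin/sh',
  'exec /usr/bin/osascript \\',
  "  -e 'display dialog \"Administrator password:\" default answer \"\" with hidden answer' \\",
  "  -e 'text returned of result'",
  '',
].join('\n');

// Write the helper into a fresh directory that only this user can enter
// (mkdtemp creates it with mode 0700). The 'wx' flag refuses to overwrite
// an existing file.
function writeAskpass() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'askpass-'));
  const file = path.join(dir, 'askpass.sh');
  fs.writeFileSync(file, ASKPASS_SCRIPT, { mode: 0o700, flag: 'wx' });
  return { dir, file };
}

// Build argv and environment for sudo. The command and its arguments stay an
// array and never pass through a shell, so a device path cannot add syntax.
function buildSudoInvocation(askpassFile, command, args) {
  return {
    file: '/usr/bin/sudo',
    args: ['-A', '--', command, ...args],
    env: { ...process.env, SUDO_ASKPASS: askpassFile },
  };
}

// Run one command elevated and always remove the helper directory afterwards.
// Resolves with the exit code of sudo.
function runElevated(command, args) {
  const { dir, file } = writeAskpass();
  const inv = buildSudoInvocation(file, command, args);
  return new Promise((resolve, reject) => {
    const child = spawn(inv.file, inv.args, { env: inv.env, stdio: 'inherit' });
    child.on('error', reject);
    child.on('close', (code) => resolve(code));
  }).finally(() => fs.rmSync(dir, { recursive: true, force: true }));
}
```
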
Thanks @gniezen, I am sorry for being slow with this.
@zvin, thanks for the ASKPASS script, that's fantastic. If you can give me some time, I will make sure this lands in sudo-prompt.
@zvin Prior to Catalina I was using a bash script launch daemon in PrivilegedHelperTools to do the chmod a+rw on dev/rdiskX. Since PrivilegedHelperTools run in root mode, this worked great, as no password prompt was required.
Looking at this thread (https://forums.developer.apple.com/thread/123344) it appears that PrivilegedHelperTools are indeed broken on Catalina, and using sudo is the only way forward?
I'm having a problem with Etcher, and your thread here has surfaced over there. I don't completely follow what you chaps are on about here, so I'll ask what may be a stupid question: Does Etcher use sudo for privilege elevation to flash a thumb drive?
@seamusdemora Yes, for macOS Catalina, using the script @zvin linked to above. For earlier versions, Etcher uses sudo-prompt.
@jorangreef Any chance you have bandwidth available to land @zvin's script in sudo-prompt?
Thanks @gniezen, I would love to but don't have the bandwidth with our lockdown at present.
Hey all, do you know if this is still an issue on latest Catalina? There were some Catalina updates that introduced issues that were later fixed, e.g. see #127.
AFAIK this is still an issue. I ended up implementing @zvin's workaround to get things working. I'm currently on sabbatical, so the soonest I can test this on the latest version of Catalina will be at the beginning of October.
I'm currently running into the same issue, but was able to use the script above and giving executable permissions to the script.
Would be really cool to get into this package.
@lukepolo 👍 Are you seeing this issue using Etcher? If that's the case, I'm sorry to see this Issue remains unresolved.
Further random & pointless comments:
I don't feel I "have a dog in this fight" any longer... Etcher's inability to resolve this issue quickly was why I quit using it. And just to be clear, IMHO this was more about Apple's malfeasance than anything else. And I'm still intrigued that sudo has been co-opted to support a GUI app :)
Nope, not using Etcher, needed it for a CLI tool I'm building.
No worries, maybe one day I'll take a deeper look at it. Just don't have the time at the moment.
I've actually taken the route of writing a driver extension for the device I'm targeting, so that it's just a regular USB device (instead of a block device) and then I'm using user-space code to talk to the device. The only holdup at the moment is that even though Apple approved the DriverKit entitlements for me to do this, they screwed up the provisioning profiles so it's still missing some entitlements, and they're not responding to follow-up requests. :man_shrugging:
@gniezen 👍 Sounds par for the course with Apple...