Sandbox permission errors in non-admin user account

Open nbeadman opened this issue 4 years ago • 8 comments

Every time I try to use a contextual menu item I get the following:

[Screenshot: Screen Shot 2020-04-15 at 10 43 50 am]

This happens no matter what I put in the "Finder Locations" section of System Setup. I have tried the top-level of my ssd and my home folder, neither works.

I am running as a non-admin user on 10.15.4 (19E287). Let me know if you want more details.

nbeadman avatar Apr 15 '20 17:04 nbeadman

The Finder Locations setup should fix this issue. That's their purpose - to grant a Sandbox bookmark to the locations you will eventually right-click.

Are you sure that Tasks is a child directory of a Finder Location you've added?

Otherwise, this is probably an issue with the non-admin user you mentioned. Thanks for opening! I will investigate.

pkamb avatar Apr 15 '20 17:04 pkamb

As a fellow dev (saw the announcement on AppKit Abusers), I understand the sandbox limitations. I initially added my ssd and then also added my home folder. "Tasks" is a file on my desktop so is definitely in the path.

I just tested using my local admin account and that works with the same setup so it is something to do with non-privileged users.

nbeadman avatar Apr 15 '20 18:04 nbeadman

I've been running a bunch of tests in 10.14 and 10.15. I think this is a problem with needing Full Disk Access.

I'm running a standard user account and ran into this problem. I pushed a broad MDM profile allowing Full Disk Access, Accessibility, Finder Apple Events, and System Events, and it started working. I removed the profile and restarted the services, and when I attempted to open a folder on my Desktop in Terminal I got a request to access my Desktop folder.

I'd be curious to know if other standard users adding Service Station to System Preferences -> Security & Privacy -> Privacy -> Full Disk Access resolves the problem.

bryanheinz avatar Apr 16 '20 16:04 bryanheinz

Adding Service Station to Full Disk Access does indeed fix the problem for me. Once that is done, there is no need to have anything in Finder Locations.

nbeadman avatar Apr 16 '20 17:04 nbeadman

Thanks for figuring this out. There are a couple factors that might be at play here.

Catalina requires additional "Files and Folders" permissions for access to files on the Desktop, Documents, etc.

The first time Service Station tries to open a file there, the app/system should prompt for that permission. This prompt does occur on an admin account. After the prompt, checkboxes for the app should be added to the "Files and Folders" pane in System Prefs Security. These can be used instead of "Full Disk Access" for more fine-grained control.

It's possible that the non-admin account is simply not able to prompt, and thus cannot access files on the Desktop. In that case, I'd expect the Finder Locations / Sandbox bookmarks approach to work for any files that aren't in one of those protected locations.

> Once that is done, there is no need to have anything in Finder Locations.

Full Disk Access is actually a separate system from Sandbox bookmarks. FDA grants access to private mail databases, etc., that even a Sandbox bookmark can't access. It also grants access to all of the "Files and Folders" locations like Documents, Desktop, etc.

But the app still needs a Sandbox bookmark to access the files. Your app likely has a cached Sandbox bookmark that might stop working at some point in the future.

I'll do some more research about "Files and Folders" locations for non-admin accounts.

references:

  • https://apple.stackexchange.com/questions/371796/what-is-the-difference-between-full-disk-access-and-files-folders-access-in-ca
  • https://apple.stackexchange.com/questions/374332/does-full-disk-access-include-access-to-files-and-folders-privacy-settings/

pkamb avatar Apr 16 '20 18:04 pkamb
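
The distinction drawn in the comment above, as an added example that is not ServiceStation's code: a sandboxed macOS app saves a security-scoped bookmark for a user-chosen folder, resolves it later, refreshes it when the system reports it stale, and checks that the right-clicked item really lies under the granted folder. The storage key, error type and function names are hypothetical.

```swift
import Foundation

// Hypothetical storage key; not taken from ServiceStation.
let bookmarkKey = "example.finderLocationBookmark"

enum AccessError: Error { case noBookmark, outsideGrantedLocation, scopeDenied }

/// Call with a URL the user picked in an open panel; the sandbox only lets the
/// app create a security-scoped bookmark for a location granted that way.
func saveBookmark(for folder: URL) throws {
    let data = try folder.bookmarkData(options: .withSecurityScope,
                                       includingResourceValuesForKeys: nil,
                                       relativeTo: nil)
    UserDefaults.standard.set(data, forKey: bookmarkKey)
}

/// Runs `body` on `target` only if it sits under the bookmarked folder.
func withAccess<T>(to target: URL, _ body: (URL) throws -> T) throws -> T {
    guard let data = UserDefaults.standard.data(forKey: bookmarkKey) else {
        throw AccessError.noBookmark
    }
    var stale = false
    let root = try URL(resolvingBookmarkData: data,
                       options: .withSecurityScope,
                       relativeTo: nil,
                       bookmarkDataIsStale: &stale)
    guard root.startAccessingSecurityScopedResource() else {
        throw AccessError.scopeDenied
    }
    defer { root.stopAccessingSecurityScopedResource() }

    // A stale bookmark still resolved this time; re-create it while access is
    // active so the cached copy does not stop working later.
    if stale { try saveBookmark(for: root) }

    // Compare path components, not string prefixes, so /Users/a does not
    // match /Users/ab.
    let rootParts = root.standardizedFileURL.resolvingSymlinksInPath().pathComponents
    let targetParts = target.standardizedFileURL.resolvingSymlinksInPath().pathComponents
    guard targetParts.starts(with: rootParts) else {
        throw AccessError.outsideGrantedLocation
    }
    // The sandbox grant is now active; a read in `body` can still throw if the
    // separate privacy permissions discussed in this thread are not granted.
    return try body(target)
}
```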

Adding Full Disk Access worked for me as well. I normally run as a non-admin user. This tip for non-admin users should be added to the FAQ (unless I missed it somehow). Thanks

88cubes avatar May 18 '20 16:05 88cubes

> Adding Full Disk Access worked for me as well. I normally run as a non-admin user. This tip for non-admin users should be added to the FAQ (unless I missed it somehow). Thanks

One day later and after a couple of restarts, it is back to not working: Service Station Attendant does not have permission to open "some folder". Disappointing.

88cubes avatar May 19 '20 15:05 88cubes

It's working again. Yesterday I needed to add Full Disk Access to Service Station app. Adding locations to Service Station Finder Locations didn't help for subfolders. Today I apparently need both Full Disk Access and locations in Service Station Finder Locations. The good news is that subfolders work without having to specifically include each and every one of them. This needs to be figured out and documented better.

88cubes avatar May 19 '20 16:05 88cubes