privacy_services_manager

SIP on Sierra blocks changes to the accessibility database

Open hb3b opened this issue 8 years ago • 7 comments

ERROR: OperationalError: attempt to write a readonly database

hb3b avatar Jan 30 '17 07:01 hb3b

Hello hb3b:

Here is a workaround for the issue...

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
sudo /usr/libexec/PlistBuddy -c "Set :com.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework:Authorized true" /var/db/locationd/clients.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist

uurazzle avatar Jan 30 '17 16:01 uurazzle

Hello Ben:

Here is a workaround for the issue...

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
sudo /usr/libexec/PlistBuddy -c "Set :com.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework:Authorized true" /var/db/locationd/clients.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist

Hope this helps

On Jan 30, 2017, at 12:52 AM, Ben Hecht wrote:

ERROR: OperationalError: attempt to write a readonly database


uurazzle avatar Jan 30 '17 16:01 uurazzle

I tried this and it didn't work: https://github.com/dhoer/chef-privacy_services_manager/blob/sierra/providers/default.rb#L25-L38

Error: https://travis-ci.org/dhoer/chef-privacy_services_manager/jobs/200815034#L406

Any advice on what to try to resolve this SIP issue would be welcomed.

dhoer avatar Feb 12 '17 08:02 dhoer

Currently, with macOS Sierra, you have a couple of options: modify the TCC database while booted from another system, such as during imaging (others are doing this), or disable SIP temporarily to make changes, for example using a NetInstall to disable/enable SIP and modifying the TCC database while SIP is disabled. I would recommend sending Apple feedback to include the ability to set items like this via Configuration Profiles.

uurazzle avatar Feb 13 '17 22:02 uurazzle

FYI:

Here is one workaround for the SIP restrictions; not sure this will work for your environment or system management, but...

  • Boot to Recovery HD
  • From Terminal, run the following commands:
      $ cd /Volumes/Macintosh\ HD/Library/Application\ Support/
      $ cp -R com.apple.TCC TCC
      $ rm -r com.apple.TCC
      $ mv TCC com.apple.TCC
      $ reboot

Once rebooted, no restrictions will be on the TCC.db even while SIP is enabled.

You might be able to create a NetInstall script that does the above steps and that could be included in an imaging process.

Hope this helps.

uurazzle avatar Feb 14 '17 23:02 uurazzle

Thank you for the help!

dhoer avatar Feb 15 '17 15:02 dhoer

Note, this workaround might go away in a future OS upgrade. I would recommend filing a radar to support this functionality using a configuration profile. It's because the folder in question is only set one time via rootless.conf and it's not part of the current core to perpetually protected paths. So if you strip the flag post OS install, then it stays stripped. A major or minor OS update in the future can repair/re-set it.

https://pbs.twimg.com/media/C4qki5zVMAAKLMf.jpg

uurazzle avatar Feb 15 '17 17:02 uurazzle
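An audit check for the state discussed in this thread, as an added example that is not part of the original issue or of the project's code: it reads the file-flags column of `ls -ldO` to tell whether the TCC directory still carries the SIP `restricted` flag or has had it stripped. The function names and the two sample lines are constructed for illustration, and it assumes macOS `ls -ldO` prints file flags as the fifth column.

```shell
#!/bin/sh
# Added example: report whether a directory still carries the SIP "restricted" flag.
# Assumption: `ls -ldO` (macOS) prints file flags in the 5th column, "-" when none.

TCC_DIR="/Library/Application Support/com.apple.TCC"

# Constructed sample lines (not captured from a real system).
SAMPLE_PROTECTED='drwxr-xr-x  4 root  wheel  restricted 136 Jan 30 07:01 /Library/Application Support/com.apple.TCC'
SAMPLE_STRIPPED='drwxr-xr-x  4 root  wheel  - 136 Feb 14 23:02 /Library/Application Support/com.apple.TCC'

# flag_state LINE: classify one line of `ls -ldO` output.
# Prints "restricted", "unprotected", or "unknown" (line too short to parse).
flag_state() {
    # Columns: mode links owner group flags size date... path
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        ,,)             echo unknown ;;
        *,restricted,*) echo restricted ;;   # also matches lists like restricted,hidden
        *)              echo unprotected ;;
    esac
}

# audit_tcc_dir [DIR]: inspect the live directory on a Mac.
# Returns 0 if the flag is present, 1 if it is missing, 2 if it cannot be checked.
audit_tcc_dir() {
    dir=${1:-$TCC_DIR}
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "skipped: not macOS"
        return 2
    fi
    if ! line=$(ls -ldO "$dir" 2>/dev/null); then
        echo "unknown: cannot read $dir"
        return 2
    fi
    state=$(flag_state "$line")
    echo "$state: $dir"
    [ "$state" = "restricted" ]
}

# Demonstration on the constructed samples; runs on any POSIX shell.
for sample in "$SAMPLE_PROTECTED" "$SAMPLE_STRIPPED"; do
    echo "$(flag_state "$sample")"
done
```

On a managed Mac, calling `audit_tcc_dir` from a compliance script flags machines where the directory was recreated without the flag, and shows when an OS update has restored it.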