kdeldycke / dotfiles

🍎 macOS dotfiles for Python developers.
https://kevin.deldycke.com
BSD 2-Clause "Simplified" License

tccutil on BigSur #21

Closed ccievoiceoks closed 2 years ago

ccievoiceoks commented 3 years ago

Hi,

Just a simple question: I have tried your tips about the use of tccutil with SIP disabled, but it seems to not work correctly.

Have you succeeded in making it work?

Many thanks

Olivier

kdeldycke commented 3 years ago

Hi @ccievoiceoks !

Oh, you mean this section: https://github.com/kdeldycke/dotfiles/blob/770a61f733cf88ad12e8586cb7af40370ec71d0d/macos-config.sh#L34-L94

No, I did not. I can confirm disabling SIP doesn't seem to be enough. I can't remember where I read that "AMFI" needs to be disabled too.

Even tccutil's author has not tried it on Big Sur yet: https://github.com/jacobsalmela/tccutil/issues/40

kdeldycke commented 3 years ago

But maybe Terminal.app with Full Disk Access is enough now. At least according to: https://github.com/jacobsalmela/tccutil/issues/18#issuecomment-731426677

Which should work as I do exactly that in my pre-installation steps:

Maybe it was qualified as a bug by Apple and fixed in subsequent Big Sur releases...

ccievoiceoks commented 3 years ago

Thanks for the reply. No, it is not working even though the rights are given to the Terminal since the beginning. Meanwhile I have found a solution, but I need to dig a little more. You can directly edit the TCC.db by running a request like this:

```
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access(service,client,client_type,auth_value,auth_reason,indirect_object_identifier,auth_version,indirect_object_identifier_type,flags) VALUES('kTCCServiceSystemPolicyAllFiles','com.runningwithcrayons.Alfred',0,2,4,0,1,0,0);"
```

Here is an example to add Alfred4 to have full access to the disk. I will try to elaborate a little more on how it goes and I will let you know.

See as ref for Catalina --> OS Query

Olivier
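For anyone auditing a machine where TCC.db has been edited this way, the check below lists allowed Full Disk Access grants and flags rows that carry no `csreq` code requirement, which the INSERT above does not set. It is an added example, not part of the thread or of tccutil; it runs on a constructed in-memory table with a simplified schema, and both the `auth_value` meaning and the idea that grants made through the normal consent path carry a `csreq` are assumptions.

```python
import sqlite3

# Assumed meaning of the auth_value code (not stated in the thread).
AUTH_ALLOWED = 2
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
        " auth_value INTEGER, auth_reason INTEGER, auth_version INTEGER,"
        " csreq BLOB, indirect_object_identifier TEXT,"
        " indirect_object_identifier_type INTEGER, flags INTEGER)"
    )
    rows = [
        # Constructed: a grant recorded together with a code requirement blob.
        (FDA_SERVICE, "com.apple.Terminal", 0, 2, 3, 1, b"\xfa\xde\x0c\x00", "UNUSED", 0, 0),
        # Same column values as the INSERT quoted in the thread: csreq is NULL.
        (FDA_SERVICE, "com.runningwithcrayons.Alfred", 0, 2, 4, 1, None, "0", 0, 0),
        # Constructed: a denied request for an unrelated service.
        ("kTCCServiceCamera", "com.example.app", 0, 0, 2, 1, b"\xfa\xde\x0c\x00", "UNUSED", 0, 0),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    return conn


def audit_full_disk_access(conn):
    """Return allowed Full Disk Access grants, flagging those lacking csreq."""
    cur = conn.execute(
        "SELECT client, auth_reason, csreq IS NULL FROM access"
        " WHERE service = ? AND auth_value = ? ORDER BY client",
        (FDA_SERVICE, AUTH_ALLOWED),
    )
    return [
        {"client": client, "auth_reason": reason, "no_csreq": bool(missing)}
        for client, reason, missing in cur
    ]


if __name__ == "__main__":
    for grant in audit_full_disk_access(build_sample_db()):
        flag = "REVIEW" if grant["no_csreq"] else "ok"
        print(f'{flag:6} {grant["client"]} (auth_reason={grant["auth_reason"]})')
```

To run it against a real system, replace `build_sample_db()` with a read-only connection to a copy of the database; the real `access` table has more columns than this sample.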

kdeldycke commented 3 years ago

Thanks @ccievoiceoks for your detailed investigation!

I still have a hard time understanding why your sudo sqlite3 call is working. The tccutil is a simple Python script that is connecting to the TCC database: https://github.com/jacobsalmela/tccutil/blob/417b7dd3539b096ff4d3db4cb78199cddb7a211b/tccutil.py#L108-L118

So it should have the same effect... 🤔

ccievoiceoks commented 3 years ago

OK, I think that I understand why it is not working in the Python script but works well with the sudo command. In the Python script, the connection is expecting a dedicated hash for the DB and the OS version in order to establish a connection with the DB.

Apparently on Big Sur, the hash for the table on my laptop is 3d1c2a0e97

Just curious if you can check yours with the following portion of the code:

```python
import hashlib
import sqlite3
from platform import mac_ver

# Current OS X version as reported by the platform module, parsed into a
# tuple of integers (distutils.version is gone from Python 3.12 onwards)
osx_version = tuple(int(part) for part in mac_ver()[0].split('.'))
print(mac_ver()[0])

# Database path
tcc_db = '/Library/Application Support/com.apple.TCC/TCC.db'

conn = sqlite3.connect(tcc_db)
c = conn.cursor()

# Do a sanity check that TCC access table has expected structure:
# hash the table's CREATE statement and keep the first 10 hex digits
c.execute("SELECT sql FROM sqlite_master WHERE name='access' and type='table'")
accessTableDigest = ""
for row in c.fetchall():
    accessTableDigest = hashlib.sha1(row[0].encode('utf-8')).hexdigest()[0:10]
    print(accessTableDigest)
    break
conn.close()

if not (accessTableDigest == "8e93d38f7c" or (osx_version >= (11, 0) and accessTableDigest in ["3d1c2a0e97"])):
    print("\nTCC Database structure is unknow")
else:
    print("\nTCC Database recognized")
```

After that point, it is a matter of looking at the SQL request, as it seems that it is not the same expression as before.
I will try to look a little more into the expression.

kdeldycke commented 3 years ago

Great debugging here @ccievoiceoks !

Here is the result of your script:

```
❯ python ./tcc.py
10.16
3d1c2a0e97

TCC Database structure is unknow
```

As you can see, same hash here!

I guess the next step now is to send a PR to the https://github.com/jacobsalmela/tccutil project?

kdeldycke commented 3 years ago

Oh, and notice how my macOS version is reported as 10.16 as it is an Intel-based MacBook.

ccievoiceoks commented 3 years ago

> Great debugging here @ccievoiceoks !
>
> Here is the result of your script:
>
> ```
> ❯ python ./tcc.py
> 10.16
> 3d1c2a0e97
>
> TCC Database structure is unknow
> ```
>
> As you can see, same hash here!
>
> I guess the next step now is to send a PR to the https://github.com/jacobsalmela/tccutil project?

Yes, I will now open a PR to incorporate these findings.

ccievoiceoks commented 3 years ago

When I was trying to edit my changes, I saw that someone also did this 10 hours ago...

kdeldycke commented 3 years ago

Ahah yes! Just found out https://github.com/jacobsalmela/tccutil/pull/41 ! This doesn't discount your fantastic work @ccievoiceoks ! 😃👍

mkfl3x commented 3 years ago

I know that feel :) Anyway, great job, @ccievoiceoks! 👍
