Jellyfin Forum
SOLVED: MacOS demands you assign access to programs explicitly (see below)



MacOS demands you assign access to programs explicitly (see below) - cashewtree - 2024-08-31

Background:

Jellyfin was running fine until the most recent MacOS software update.  I am now at:

ProductName: macOS   (arm64)
ProductVersion: 14.6.1  (Sonoma Archer)
BuildVersion: 23G93

I have my Mac Mini set up as a media server to mount the external volume and launch jellyfin on boot.  This was working fine, but now some security enhancements are preventing the jellyfin process from reading the external volume where I have my media.

1.) The server starts up fine when launched manually from a terminal as user jellyfin.
2.) The shell script that launches it can read the external volume fine (again it is run as user jellyfin).
3.) The meat of the launch script (in Bash) does the following:

(Checks if the Volume is accessible, waiting for the mount to return)

declare -r JELLYFIN='/Applications/Jellyfin.app/Contents/MacOS/jellyfin'
declare -r WEBDIR='/Applications/Jellyfin.app/Contents/Resources/jellyfin-web'
declare -r FFMPEG='/Applications/Jellyfin.app/Contents/MacOS/ffmpeg'
declare -r DATADIR='/Users/jellyfin/.local/share/jellyfin'
declare -r CONFIGDIR='/Users/jellyfin/.local/share/jellyfin/config'

exec "$JELLYFIN" --webdir    "$WEBDIR" \
                 --ffmpeg    "$FFMPEG" \
                 --datadir   "$DATADIR" \
                 --configdir "$CONFIGDIR"

4.) The salient error (after adjusting logging.json to "Debug") is:
System.UnauthorizedAccessException: Access to the path '/Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png' is denied.
---> System.IO.IOException: Operation not permitted
  --- End of inner exception stack trace ---
  at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
 
5.) I know the calling shell script can access this file (a preliminary ls -l shows it without a problem when launched using launchctl).  I think somehow a security context is being applied to the jellyfin process itself.  I have no idea how to probe further or if I can just apply some sort of access control change.

6.) The app is run on bootup using launchctl, with the following plist:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>vip.a8545eff.jellyfin</string>
    <key>EnvironmentVariables</key>
    <dict>
      <key>PATH</key>
      <string><![CDATA[/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/opt/homebrew/sbin]]></string>
      <key>HOME</key>
      <string><![CDATA[/Users/jellyfin]]></string>
    </dict>
    <key>UserName</key>
    <string>jellyfin</string>
    <key>GroupName</key>
    <string>staff</string>
    <key>InitGroups</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/opt/homebrew/bin/bash</string>
        <string>/Users/jellyfin/bin/start-jellyfin</string>
    </array>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

I spoke too soon; the script can "ls" the file, but cannot read it:

shasum: /Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png: Operation not permitted


RE: MacOS upgrade broke my MacOS Media Server - cashewtree - 2024-08-31

Here is the ls output:

jellyfin@ghidorah bin % cat /tmp/lstest_output.txt
-rw-r--r--@ 1 jellyfin staff 1440397 Aug 3 05:25 /Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png

More details:
jellyfin@ghidorah bin % ls -l@ '/Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png'
-rw-r--r--@ 1 jellyfin staff 1440397 Aug 3 05:25 /Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png
com.apple.provenance 11

I am guessing this "com.apple.provenance" is a big hint.


RE: MacOS upgrade broke my MacOS Media Server - cashewtree - 2024-08-31

I removed the com.apple.provenance and still no luck.

ghidorah:Downloads $ ls -l /tmp/lstest_output.txt
-rw-r--r--  1 jellyfin  wheel  229 Aug 31 16:54 /tmp/lstest_output.txt
ghidorah:Downloads $ cat /tmp/lstest_output.txt
-rw-r--r--  1 jellyfin  staff  1440397 Aug  3 05:25 /Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png
shasum: /Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png: Operation not permitted


RE: MacOS upgrade broke my MacOS Media Server - gnattu - 2024-09-01

You need to authorize jellyfin external disk access for every software update.

If you are logged in to the desktop as a valid user there will be a prompt asking for permission and you just click allow.

It seems like your setup is just too advanced, as you will not see that prompt if you access your server exclusively with ssh.


RE: MacOS upgrade broke my MacOS Media Server - cashewtree - 2024-09-01

Solved!

System Settings -> Privacy and Security -> Full Disk Access, then add the shell being used to launch the jellyfin process.  It may be a good idea to only use stock MacOS shells rather than what was installed by Homebrew. This might be necessary for any custom installed ffmpeg binaries as well.


RE: MacOS upgrade broke my MacOS Media Server - gnattu - 2024-09-01

Alternatively, you can log in as a desktop user and go to Security & Privacy → Privacy → Full Disk Access and then give jellyfin (and its friends like dotnet and ffmpeg if you install it manually) full disk access. This HAS to be performed in the settings window because any command allowing that is considered a security bug.


RE: MacOS demands you assign access to programs explicitly (see below) - cashewtree - 2024-09-01

This ruined my entire Saturday.
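
Added example, not part of the thread or of Jellyfin: a preflight that the Bash launch script from the first post could run before `exec`. It reads one byte from a sample file, so the "ls works, read fails" case from the thread surfaces as its own error instead of a stack trace later; the function names, exit codes, the `PREFLIGHT_DELAY` variable and the sample file path are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: preflight for a launchd-started server that reads an external volume.
# Usage in the launch script (sample file name is hypothetical):
#   preflight "/Volumes/EXTHDD/<some-file>" || exit $?

# Map the error text of a failed read to a cause. The caller runs the read
# under LC_ALL=C so the strerror() wording is stable.
classify_error_text() {
    case "$1" in
        *": Operation not permitted")   echo "privacy-denied" ;;  # EPERM, as in the thread
        *": Permission denied")         echo "posix-denied"   ;;  # EACCES: mode bits or ACL
        *": No such file or directory") echo "missing"        ;;  # ENOENT: not mounted yet
        *)                              echo "unknown"        ;;
    esac
}

# Read one byte. Listing a file (stat) can succeed while opening it is refused,
# so an actual read is the only reliable probe.
probe_read() {
    if probe_err=$(LC_ALL=C head -c 1 -- "$1" 2>&1 >/dev/null); then
        echo "ok"
    else
        classify_error_text "$probe_err"
    fi
}

# Wait for the volume, then fail with an actionable message.
# $1 = sample file on the media volume, $2 = maximum attempts (default 30)
# Returns 0 readable, 1 other failure, 2 privacy denial, 3 never appeared.
preflight() {
    attempts=${2:-30}
    while [ "$attempts" -gt 0 ]; do
        result=$(probe_read "$1")
        case "$result" in
            ok) return 0 ;;
            missing) attempts=$((attempts - 1)); sleep "${PREFLIGHT_DELAY:-2}" ;;
            privacy-denied)
                echo "preflight: $1 is listed but unreadable (EPERM);" \
                     "grant Full Disk Access to the launching binary in System Settings" >&2
                return 2 ;;
            *)  echo "preflight: cannot read $1 ($result)" >&2; return 1 ;;
        esac
    done
    echo "preflight: $1 never appeared; is the volume mounted?" >&2
    return 3
}
```

With `KeepAlive` set in the plist, a non-zero exit makes launchd restart the script, so the message repeats in the job's log until access is granted.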