2024-08-31, 08:20 PM
(This post was last modified: 2024-09-01, 03:12 AM by cashewtree. Edited 1 time in total.)
Background:
Jellyfin was running fine until the most recent MacOS software update. I am now at:
ProductName: macOS (arm64)
ProductVersion: 14.6.1 (Sonoma Archer)
BuildVersion: 23G93
I have my Mac Mini set up as a media server to mount the external volume and launch jellyfin on boot. This was working fine, but now some security enhancements are preventing the jellyfin process from reading the external volume where I have my media.
1.) The server starts up fine when launched manually from a terminal as user jellyfin.
2.) The shell script that launches it can read the external volume fine (again it is run as user jellyfin).
3.) The meat of the launch script (in Bash) does the following:
(Checks if the Volume is accessible, waiting for the mount to return)
declare -r JELLYFIN='/Applications/Jellyfin.app/Contents/MacOS/jellyfin'
declare -r WEBDIR='/Applications/Jellyfin.app/Contents/Resources/jellyfin-web'
declare -r FFMPEG='/Applications/Jellyfin.app/Contents/MacOS/ffmpeg'
declare -r DATADIR='/Users/jellyfin/.local/share/jellyfin'
declare -r CONFIGDIR='/Users/jellyfin/.local/share/jellyfin/config'
exec "$JELLYFIN" --webdir "$WEBDIR" \
--ffmpeg "$FFMPEG" \
--datadir "$DATADIR" \
--configdir "$CONFIGDIR"
4.) The salient error (after adjusting logging.json to "Debug") is:
System.UnauthorizedAccessException: Access to the path '/Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png' is denied.
---> System.IO.IOException: Operation not permitted
--- End of inner exception stack trace ---
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
5.) I know the calling shell script can access this file (a preliminary ls -l shows it without a problem when launched using launchctl). I think somehow a security context is being applied to the jellyfin process itself. I have no idea how to probe further or if I can just apply some sort of access control change.
6.) The app is run on bootup using launchctl, with the following plist:
I spoke too soom, the script can "ls" the file, but cannot read it:
shasum: /Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png: Operation not permitted
Jellyfin was running fine until the most recent MacOS software update. I am now at:
ProductName: macOS (arm64)
ProductVersion: 14.6.1 (Sonoma Archer)
BuildVersion: 23G93
I have my Mac Mini set up as a media server to mount the external volume and launch jellyfin on boot. This was working fine, but now some security enhancements are preventing the jellyfin process from reading the external volume where I have my media.
1.) The server starts up fine when launched manually from a terminal as user jellyfin.
2.) The shell script that launches it can read the external volume fine (again it is run as user jellyfin).
3.) The meat of the launch script (in Bash) does the following:
(Checks if the Volume is accessible, waiting for the mount to return)
declare -r JELLYFIN='/Applications/Jellyfin.app/Contents/MacOS/jellyfin'
declare -r WEBDIR='/Applications/Jellyfin.app/Contents/Resources/jellyfin-web'
declare -r FFMPEG='/Applications/Jellyfin.app/Contents/MacOS/ffmpeg'
declare -r DATADIR='/Users/jellyfin/.local/share/jellyfin'
declare -r CONFIGDIR='/Users/jellyfin/.local/share/jellyfin/config'
exec "$JELLYFIN" --webdir "$WEBDIR" \
--ffmpeg "$FFMPEG" \
--datadir "$DATADIR" \
--configdir "$CONFIGDIR"
4.) The salient error (after adjusting logging.json to "Debug") is:
System.UnauthorizedAccessException: Access to the path '/Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png' is denied.
---> System.IO.IOException: Operation not permitted
--- End of inner exception stack trace ---
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
5.) I know the calling shell script can access this file (a preliminary ls -l shows it without a problem when launched using launchctl). I think somehow a security context is being applied to the jellyfin process itself. I have no idea how to probe further or if I can just apply some sort of access control change.
6.) The app is run on bootup using launchctl, with the following plist:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>vip.a8545eff.jellyfin</string>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string><![CDATA[/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/opt/homebrew/sbin]]></string>
<key>HOME</key>
<string><![CDATA[/Users/jellyfin]]></string>
</dict>
<key>UserName</key>
<string>jellyfin</string>
<key>GroupName</key>
<string>staff</string>
<key>InitGroups</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/opt/homebrew/bin/bash</string>
<string>/Users/jellyfin/bin/start-jellyfin</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>I spoke too soom, the script can "ls" the file, but cannot read it:
shasum: /Volumes/EXTHDD/Movies/The Primevals (2023) [imdbid-tt9352178]/logo.png: Operation not permitted