sshd-keygen-wrapper permissions problem

On macOS 26.1 (25B78) I can't give Full Disk Access to sshd-keygen-wrapper. Now my Jenkins jobs do not work because they do not have the permission to execute the necessary scripts. Until macOS 26.1 everything worked fine. I restarted the machine several times and tried to give access from Settings -> Privacy & Security -> Full Disk Access, but it just does not work. I tried logging in to the machine with ssh and executing a script, but again nothing happened.

Answered by DTS Engineer in 864767022

This is eminently bugworthy. I’d appreciate one of you [1] filing a bug about it, and then posting the bug number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, at least one of you. Multiple bugs are fine (-:

Looks like Full Disk Access is broken in 26.1. It only works with full-fledged apps, not command line tools. The error log seems to suggest that it wants a bundleID, which is something that typically only apps have.

It is possible to shove a bundleID into a command-line tool. And sshd-keygen-wrapper has that. But I guess that hack isn't checked. Someone discovered this on another forum and I tried it with my own tool. I couldn't get it to work either.

Accepted Answer

Same as my post: https://developer.apple.com/forums/thread/806156

I found a workaround. Drag the binary (e.g. sshd-keygen-wrapper) from Finder to the Full Disk Access list in the System Settings window. The permission will be given, but it won't show in the list.


FB20662270

Thanks for that.

ps It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Good to know.

This is a really critical bug. CLI apps can have Full Disk Access or other permissions, but you cannot see it in the list.

Bug is still present in macOS 26.2 beta

CLI apps can have full disk access or other permissions, but you cannot see it in the list

I agree that that’s not good, and I’ve brought it to the attention of the folks looking into this.

Bug is still present in macOS 26.2 beta

Yep. Our bugs system should notify you once we start seeding a beta release with the fix (that’s one of the nice benefits of you filing your own bugs).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have also noticed that if Full Disk Access is configured using an MDM profile, the entry is not added to TCC.db, but the binary will still have the permission. Something is really broken regarding TCC on 26.1.

We have also noticed that if Full Disk Access is configured using an MDM profile

I’m not sure what’s going on here, but I suspect it’s unrelated to the issue being looked at via FB20662270. I recommend that you file a separate bug about this MDM issue.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Looks like Full Disk Access is broken in 26.1. It only works with full-fledged apps, not command-line tools.

This isn't actually about macOS 26. Full Disk Access has only ever been "fully" supported for bundled executables. The current UI does accept "bare" executables, but it's never actually worked very well.

It is possible to shove a bundleID into a command-line tool. And sshd-keygen-wrapper has that.

It's a build setting in Xcode. Look for "Create Info.plist Section in Binary".

However...

I tried it with my own tool

Above I used the term "bundled executable" instead of "application" and that was intentional. The problem with the term "application" is that it implies that you need a lot more than you actually "do". If you have secondary tools/components that you want to grant FDA, then the right answer is to embed that tool inside an app bundle. I don't mean "make your command-line tool act like an app", I mean "take your command-line tool and stick it inside an app bundle, then use it exactly the way you were using it before".

Many developers believe/assume that there is some problem or downside with bundling executables but that's simply not true. The setting interface should certainly be showing every object that's been granted FDA, but for any component you're shipping the better solution is to bundle your components.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
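Kevin's advice above is a procedure, so here it is as working code. This is an added example, not code from the thread or from Apple: it takes an existing command-line tool that you ship yourself (a constructed stand-in script named backup-runner, with a hypothetical bundle identifier com.example.backup-runner) and drops it, unchanged, into a minimal .app bundle with an Info.plist. The tool name, identifier and the minimal set of Info.plist keys are assumptions for illustration; the Contents/MacOS plus Contents/Info.plist layout is the standard bundle layout.

```python
import os
import plistlib
import shutil
import stat
import tempfile


def make_app_bundle(tool_path, bundle_path, bundle_id):
    """Wrap an existing command-line tool in a minimal .app bundle.

    Layout produced (standard bundle layout, nothing app-specific):
        <bundle_path>/Contents/Info.plist
        <bundle_path>/Contents/MacOS/<tool name>
    Returns the path of the executable inside the bundle; that path is what
    you invoke from now on, and the bundle is what you grant Full Disk Access.
    """
    tool_name = os.path.basename(tool_path)
    macos_dir = os.path.join(bundle_path, "Contents", "MacOS")
    os.makedirs(macos_dir, exist_ok=True)

    dest = os.path.join(macos_dir, tool_name)
    shutil.copy2(tool_path, dest)
    # Keep the copied tool executable.
    os.chmod(dest, os.stat(dest).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)

    # Minimal Info.plist: the identifier is what TCC keys the grant on.
    info = {
        "CFBundleIdentifier": bundle_id,
        "CFBundleExecutable": tool_name,
        "CFBundleName": tool_name,
        "CFBundlePackageType": "APPL",
        "CFBundleVersion": "1.0",
        "CFBundleShortVersionString": "1.0",
    }
    with open(os.path.join(bundle_path, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump(info, f)
    return dest


def read_bundle_id(bundle_path):
    """Read CFBundleIdentifier back from a bundle's Info.plist (None if absent)."""
    with open(os.path.join(bundle_path, "Contents", "Info.plist"), "rb") as f:
        return plistlib.load(f).get("CFBundleIdentifier")


def demo():
    """Constructed example: a stand-in tool (a tiny shell script) gets wrapped.

    Returns (executable path inside the bundle, identifier read back,
    whether that executable is still executable).
    """
    work = tempfile.mkdtemp()
    tool = os.path.join(work, "backup-runner")          # hypothetical tool name
    with open(tool, "w") as f:
        f.write("#!/bin/sh\nexec /usr/bin/rsync \"$@\"\n")  # constructed stand-in
    os.chmod(tool, 0o755)

    bundle = os.path.join(work, "BackupRunner.app")
    exe = make_app_bundle(tool, bundle, "com.example.backup-runner")
    return exe, read_bundle_id(bundle), os.access(exe, os.X_OK)


if __name__ == "__main__":
    exe, bundle_id, runnable = demo()
    print(exe, bundle_id, runnable)
```

On a Mac you would then sign the bundle (for example `codesign --force --sign - BackupRunner.app` for an ad-hoc signature, or with your Developer ID), add BackupRunner.app under Full Disk Access, and have the Jenkins job call Contents/MacOS/backup-runner exactly as it called the bare tool before. This applies to components you ship; it does not change anything for Apple's own /usr/libexec/sshd-keygen-wrapper.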

Look for "Create Info.plist Section in Binary".

Fun fact! You can dump the Info.plist embedded within an executable using launchctl:

% launchctl plist /usr/libexec/sshd-keygen-wrapper
{
    …
    "CFBundleIdentifier" = "com.apple.sshd-keygen-wrapper";
    …
};

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The Full Disk Access feature is working. Take a look at TCC.db. TCC.db is located at "/Library/Application Support/com.apple.TCC/TCC.db".

This issue is a bug where CLI applications are not displayed in "Security and Privacy."
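To check what the previous poster suggests (the grant is in TCC.db even when the Settings pane does not list it), here is an added example that is not from the thread or from Apple. It queries the access table of a TCC.db for rows whose service is kTCCServiceSystemPolicyAllFiles (Full Disk Access) and separates grants keyed by bundle identifier from grants keyed by absolute path, which are the bare-executable entries the thread says are missing from the list. The sample database is constructed for the example with a reduced copy of the real access table (the real table has many more columns); the rows in it are made up. Reading the real file needs Full Disk Access itself, so in practice you run the same query as root from a terminal that has FDA.

```python
import os
import sqlite3
import tempfile
from urllib.parse import quote

# Location of the system TCC database (reading it requires Full Disk Access itself).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# TCC service name for Full Disk Access.
FDA_SERVICE = "kTCCServiceSystemPolicyAllFiles"

# access.client_type: 0 = bundle identifier, 1 = absolute path of a bare executable.
CLIENT_TYPE = {0: "bundle-id", 1: "path"}

# access.auth_value: 0 = denied, 2 = allowed, 3 = limited; anything else is reported raw.
AUTH_VALUE = {0: "denied", 2: "allowed", 3: "limited"}


def fda_grants(db_path):
    """Return [(client, client_type_label, auth_label)] for every FDA row in the access table."""
    uri = "file:" + quote(db_path) + "?mode=ro"   # read-only: never write to a live TCC.db
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT client, client_type, auth_value FROM access "
            "WHERE service = ? ORDER BY client",
            (FDA_SERVICE,),
        ).fetchall()
    finally:
        con.close()
    return [
        (client, CLIENT_TYPE.get(ctype, str(ctype)), AUTH_VALUE.get(auth, str(auth)))
        for client, ctype, auth in rows
    ]


def bare_executable_grants(db_path):
    """FDA rows keyed by absolute path and allowed: granted, but not shown in Settings per the thread."""
    return [g for g in fda_grants(db_path) if g[1] == "path" and g[2] == "allowed"]


def build_sample_db(db_path):
    """Constructed TCC.db look-alike: a reduced access table with made-up rows."""
    con = sqlite3.connect(db_path)
    with con:
        con.execute(
            "CREATE TABLE access ("
            " service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,"
            " auth_value INTEGER NOT NULL, last_modified INTEGER NOT NULL,"
            " PRIMARY KEY (service, client, client_type))"
        )
        con.executemany(
            "INSERT INTO access VALUES (?, ?, ?, ?, ?)",
            [
                # bundled app, allowed: this kind of row is what the Settings pane lists
                (FDA_SERVICE, "com.example.BundledTool", 0, 2, 1700000000),
                # bare executable, allowed: granted but absent from the list
                (FDA_SERVICE, "/usr/libexec/sshd-keygen-wrapper", 1, 2, 1700000001),
                # bare executable, denied
                (FDA_SERVICE, "/opt/example/bare-cli", 1, 0, 1700000002),
                # a different service, must not show up in an FDA query
                ("kTCCServiceAccessibility", "/opt/example/bare-cli", 1, 2, 1700000003),
            ],
        )
    con.close()


def sample_results():
    """Build the constructed database in a temp dir and return (all FDA rows, bare allowed rows)."""
    path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    build_sample_db(path)
    return fda_grants(path), bare_executable_grants(path)


if __name__ == "__main__":
    all_rows, bare = sample_results()
    for row in all_rows:
        print(row)
    print("granted to bare executables:", bare)
```

Against the real database the equivalent one-liner is `sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT client, client_type, auth_value FROM access WHERE service = 'kTCCServiceSystemPolicyAllFiles'"`, run from a terminal that itself has Full Disk Access. A client_type of 1 with auth_value 2 is exactly the case discussed here: the grant exists even though the Settings list does not show it.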
