59

I have the following crontab on my macOS Catalina 10.15.1:

* * * * * /Users/username/Desktop/cronjob.sh > /Users/username/Desktop/cronjob.log 2>&1

Within the command file is:

#!/bin/bash

touch /tmp/foo

However, I was left with the following line inside cronjob.log:

/bin/bash: /Users/username/Desktop/cronjob.sh: Operation not permitted


Why is the operation not permitted even though the permissions for cronjob.sh are set to +x?

klanomath
Tian

1 Answer

94

In your case you have to add cron as "parent" app to the user's Security & Privacy > Privacy > Full Disk Access apps/execs.

Depending on where the script is read from and where the log file is written to, you have to add cron to the Full Disk Access apps. Almost all default folders in the user's home are protected by Catalina's system policy (Documents/Downloads/Desktop; I haven't checked Pictures/Movies/Music, but I think they are protected too, and they are obviously the wrong folders for shell scripts or log files).

If the script and the log reside in user-created and thus unprotected folders (e.g. the script in ~/bin and the log file in ~/log), it works without adding cron to the Full Disk Access group.

To add the exception:

  1. click the + button
  2. hit G
  3. enter /usr/sbin
  4. double click the cron file.

You can check for this kind of error by opening Console.app and searching for the shebanged exec in the script (here bash):

error   15:19:00.369105+0100    kernel  Sandbox: bash(4556) System Policy: deny(1) file-write-data /Users/user/Desktop/test/cronjob2.log
error   15:19:00.379093+0100    kernel  Sandbox: bash(4555) System Policy: deny(1) file-read-data /Users/user/Desktop/cronjob.sh

In the examples above cron wasn't added to the Full Disk Access group.

cronjob2 was run from an unprotected folder ~/bin but tries to write the log file to the protected folder ~/Desktop/test/. So no read error but a write error.

cronjob was run from a protected folder ~/Desktop and tries to write the log file to the protected folder ~/Desktop/. So a read error.

Interestingly both log files are created - the first one (cronjob2.log) is empty though.

hraban
klanomath
  • 5
    Do I add cron or crontab to Security & Privacy > Privacy > Full Disk Access apps/execs? – Tian Dec 29 '19 at 14:32
  • 7
    @Tian You have to add cron to this group – klanomath Dec 29 '19 at 14:33
  • 6
    I could not access /usr/sbin when using the GUI to add cron. Also, the issue persisted when my script and log resided in the Desktop – Tian Dec 29 '19 at 14:39
  • 11
    @Tian hit cmd-shift-. to make invisible items visible – klanomath Dec 29 '19 at 14:40
  • Thank you! This did the trick. Any idea if this will also work with launchctl jobs, or if there is another app you need to give access to? – Joshua Pinter Nov 14 '20 at 15:41
  • Thanks, this worked for me on Big Sur also – trurl Nov 16 '20 at 23:03
  • 11
    shift-command-G lets you enter any path without having to expose the hidden files and folders. Works in any finder or document picker window. – lbutlr Jan 12 '21 at 09:35
  • Is there any way to add cron to a specified "Files & Folder access" rather than "Full disk access"? – Andree Jun 23 '21 at 17:36
  • I tried doing this, but it didn't seem to work. Then I realized that even though I was killing all the windows in iTerm, the application wasn't actually closing. When I killed the application and re-ran it, it finally worked. Thought I would point this out in case anyone else had the same issue. – Cognitiaclaeves Dec 05 '21 at 22:02
  • 2
    Oh my goodness, thank you for this. Very clear on how to identify the problem and how to fix it. I'd had a Mac mini running backups at night for a dozen years, no problem, but when it finally gave up the ghost, the replacement only wanted to run the scripts manually at the terminal! – Michael H. Jul 06 '22 at 22:48
  • I was breaking my head debugging this on my new M1 Macbook then remembered the infuriating csrutil nonsense that I have to do on new computers, which gave me a hint here. – Sridhar Sarnobat Jul 26 '22 at 21:15
  • If only there was an applescript to automate this. – Sridhar Sarnobat Jul 26 '22 at 21:28
  • 1
    As of writing this, cron now lives in /usr/sbin/cron, find it with which cron, Sonoma 14.2.1 – Josh Hibschman Jan 11 '24 at 18:41
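
The Console check described in the answer, as an added example that is not part of the original thread: a small filter that turns "System Policy: deny" lines into one record per denial, so you can see which process was refused which operation on which path. It assumes lines in the format quoted in the answer; the function name, the third sample line, and the "protected" list (only the three folders the answer names) are assumptions made for this example.

```bash
#!/bin/bash
# Added example: summarise sandbox "System Policy: deny" lines copied from Console.app.
# SAMPLE_LOG holds the two lines quoted in the answer plus two constructed lines
# (a path containing a space, and an unrelated line that must be ignored).
SAMPLE_LOG='error   15:19:00.369105+0100    kernel  Sandbox: bash(4556) System Policy: deny(1) file-write-data /Users/user/Desktop/test/cronjob2.log
error   15:19:00.379093+0100    kernel  Sandbox: bash(4555) System Policy: deny(1) file-read-data /Users/user/Desktop/cronjob.sh
error   15:20:00.000000+0100    kernel  Sandbox: bash(4600) System Policy: deny(1) file-write-data /Users/user/Documents/my logs/job.log
default 15:20:01.000000+0100    cron    unrelated line'

# summarise_denials (hypothetical name): reads log lines on stdin and prints
# "process pid operation protected|other path" for every denial found.
summarise_denials() {
  awk '
    /Sandbox: .*System Policy: deny\(/ {
      rest = $0
      sub(/^.*Sandbox: /, "", rest)        # "bash(4556) System Policy: deny(1) op path"

      proc = rest
      sub(/\(.*$/, "", proc)               # process name before "("

      pid = rest
      sub(/^[^(]*\(/, "", pid)             # drop "bash("
      sub(/\).*$/, "", pid)                # drop ") System Policy: ..."

      sub(/^.*deny\([0-9]+\) /, "", rest)  # "op path"
      op = rest
      sub(/ .*$/, "", op)                  # first word is the operation
      path = rest
      sub(/^[^ ]+ /, "", path)             # remainder is the path (may contain spaces)

      # Assumption: only the folders the answer lists as protected are flagged.
      folder = "other"
      if (path ~ "^/Users/[^/]+/(Desktop|Documents|Downloads)(/|$)") folder = "protected"

      print proc, pid, op, folder, path
    }'
}

# Stand-alone run over the sample lines.
printf '%s\n' "$SAMPLE_LOG" | summarise_denials
```

A "protected" record for the script path or the log path means either moving that file to a user-created folder such as ~/bin or ~/log, or adding cron to Full Disk Access, as the answer describes.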