MacDev! MacOS! Development


Security – (e.g.) Operation not permitted

Yes, it’s always a tradeoff between ease of use and security. Unfortunately, as Apple and macOS have become more mainstream over the decades, more threats have become an issue, and Apple is fighting back. As a result macOS (as one example) is getting a bit messy, with all sorts of security measures to handle when you create your own applications or other forms of executable code.

As an example, asking brave.search why one gets something like The action “Run AppleScript” encountered an error: “sh: /Users/johan/Dropbox/Office/bin/mime-tool-by-j.sh: Operation not permitted” gave a couple of slightly different answers at two different times of asking:

Answer ‘#1’ – broader

The error “Operation not permitted” when running an AppleScript that calls a shell script is typically caused by macOS security restrictions preventing the script from accessing protected locations or executing binaries without proper permissions. 

Common causes and solutions include:

  • Full Disk Access Restrictions: macOS blocks scripts from accessing personal folders like Dropbox, Desktop, Documents, or Downloads unless the calling application (e.g., Terminal, Automator, or the specific app running the script) has Full Disk Access enabled. Go to System Settings > Privacy & Security > Full Disk Access and ensure the relevant app is checked.

  • Execution Permissions: The shell script itself may lack execute permissions. Run chmod +x /Users/johan/Dropbox/Office/bin/mime-tool-by-j.sh in Terminal to grant execution rights.

  • Sandboxing or Entitlements: If the AppleScript is run via an app or Automator service, the app may be sandboxed or lack the necessary entitlements to execute external binaries, especially those in non-standard directories like Dropbox. 

  • System Integrity Protection (SIP): While SIP primarily protects system directories, it can sometimes interfere with scripts trying to access or modify protected system paths or binaries. However, for user directories like Dropbox, Full Disk Access is the more likely culprit. 

  • Quarantine Attribute: Files downloaded or moved to certain locations may have the com.apple.quarantine attribute set, which can block execution. You can remove it with xattr -d com.apple.quarantine /Users/johan/Dropbox/Office/bin/mime-tool-by-j.sh

Recommended Fix: First, grant Full Disk Access to the application running the AppleScript.  If the script is in Dropbox, ensure the app has permission to access that folder. Second, verify the script has execute permissions (chmod +x).  If the issue persists, try moving the script to a standard location like /usr/local/bin or your home directory, which may have fewer restrictions. 

Answer ‘#2’ – more focus on SIP

The error occurs because macOS security features, specifically System Integrity Protection (SIP) and Full Disk Access restrictions, are blocking the script from executing. This is particularly common when scripts are located in restricted directories like Dropbox, which may be subject to stricter privacy controls or quarantine attributes.

To resolve this, you must:

  • Grant Full Disk Access: Open System Settings > Privacy & Security > Full Disk Access and ensure the app running the script (e.g., Automator, Shortcuts, or Terminal) is enabled.

  • Remove Quarantine Attributes: If the script was downloaded, it may have a quarantine flag. Run xattr -d com.apple.quarantine /Users/bobby/Dropbox/Office/bin/mime-tool-by-j.sh in Terminal to remove it. 

  • Check File Permissions: Ensure the script has execute permissions by running chmod +x /Users/bobby/Dropbox/Office/bin/mime-tool-by-j.sh

  • Move the Script: If possible, move the script out of Dropbox to a local directory like /usr/local/bin or your home folder, as Dropbox-synced files often trigger stricter security blocks. 

  • Verify Path Format: If using AppleScript, ensure you are passing a POSIX path (e.g., /Users/bobby/...) rather than an HFS alias path.
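
Before changing any setting, it helps to see which of the listed causes actually applies. The following read-only triage script is an added example, not part of the original post or of either quoted answer; the function names are hypothetical, and the list of restricted folders is taken from the answers above, not from Apple documentation.

```shell
#!/bin/sh
# Added example: read-only triage for "Operation not permitted" on a script.
# It changes nothing; it only reports which of the causes named above apply.

# Print "protected" if the path sits under a folder the quoted answers name
# as privacy-restricted, else "unprotected". $2 = home directory (default $HOME).
location_class() {
    target=$1
    home_dir=${2:-$HOME}
    for dir in Desktop Documents Downloads Dropbox; do
        case $target in
            "$home_dir/$dir"/*) echo protected; return 0 ;;
        esac
    done
    echo unprotected
}

# Print "yes" if the path is a regular file the current user may execute.
is_executable() {
    if [ -f "$1" ] && [ -x "$1" ]; then echo yes; else echo no; fi
}

# Print "yes" or "no" for the com.apple.quarantine attribute, or "unknown"
# when the xattr tool is not available (for example, when not run on macOS).
has_quarantine() {
    command -v xattr >/dev/null 2>&1 || { echo unknown; return 0; }
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# One line per check, so the output can be pasted into a bug report.
triage() {
    printf 'location:   %s\n' "$(location_class "$1")"
    printf 'executable: %s\n' "$(is_executable "$1")"
    printf 'quarantine: %s\n' "$(has_quarantine "$1")"
}

# Run the triage only when a path is given on the command line.
if [ $# -ge 1 ]; then triage "$1"; fi
```

If the result is `protected`, `yes`, `no`, the file itself is in order, and the privacy setting of the calling app (which this script cannot inspect) is the remaining suspect according to the answers above.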