Trying to create a script for creating a program firewall exception for use by old legacy apps.
Two main issues appear to be a "The file path you specified does not exist" error for the program (it appears unable to access the program's internal package) and the lack of a popup request for a password to allow permission for the change. Initial attempts resulted in the error "sudo: no tty present and no askpass program specified" number 1, so I began trying other techniques, including dropping the sudo command. Any help would be appreciated.
I’ve included some notes within the script including the log error.
-- Concept: an approach to add program exception to firewall. Helpful for unsigned apps during or just after install process.
-- I had hoped this script would prompt password from user. Sudo approach errors one way or another. Without Sudo, I don't think anything realistically happens. Log at bottom.
-- Compare this to this other approach for unsigned apps:
-- do shell script "spctl --add /Applications/Program.app" -- this one does create a password prompt. But purpose is a little different (Gatekeeper exception.)
set apploc to POSIX path of (path to applications folder as text) & "Program.app:Contents:MacOS:Program"
set apexe to quoted form of apploc
set firewall to "/usr/libexec/ApplicationFirewall/socketfilterfw"
#temporarily shut firewall off:
do shell script firewall & " --setglobalstate off"
-- a previous attempt >
-- do shell script "sudo -S " & firewall & " --setglobalstate off"
-- above no password prompt or input. error "Password:" number 1
-- Another sudo approach not listed here resulted in --> error "sudo: no tty present and no askpass program specified" number 1
#put program as an exception: (not supposed to use sudo on this line)
do shell script firewall & " --add " & apexe
-- also tried >
-- do shell script firewall & " --add /Applications/Program.app:Contents:MacOS:Program" but result is --> "The file path you specified does not exist " (same error)
#re-enable firewall:
do shell script firewall & " --setglobalstate on"
-- Log:
-- tell current application
-- path to At Ease applications folder as text
-- --> "OSX:Applications:"
-- do shell script "/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off"
-- --> "Firewall is disabled. (State = 0)"
-- do shell script "/usr/libexec/ApplicationFirewall/socketfilterfw --add '/Applications/Program.app:Contents:MacOS:Program'"
-- --> "The file path you specified does not exist "
-- do shell script "/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on"
-- --> "Firewall already enabled "
-- end tell
Not really sure why I ended up with two sets of quotes.
Maybe I was thinking that I would put the whole thing in double quotes just as part of the post. Probably should have thought more clearly.
In general, use a single pair of single quotes or apostrophes (') for file references, variables and strings that may have spaces and are intended for the shell. Prefer this over using double quotes, as those have more exceptions and also mean something special in AppleScript — at least that is Apple's recommendation (and presumably why they provided them explicitly for the quoted form). In this specific case, it probably isn't an issue, but it's still a good practice.
EDIT: Nevermind. I hard-coded the locations & removed incorrect information I found on web suggesting to add the app package exe to the firewall.
Disregard my original post below.
I'm not sure MacScripter is the correct place to ask this, but I was expecting that once the script was run the app would show in the Firewall exceptions in Security & Privacy > Firewall > Firewall Options. I tried logging out & in but still no listing. The script log itself appears to work:
→ "Application at path (…) added to firewall "
But no showing in Firewall exceptions. Or does macos keep a separate listing elsewhere?
I’ve verified the Gatekeeper exception command is working.
Is there something missing in my approach?
Tested in macOS 10.8.5 via VM & El Capitan. I know the Linux-style firewall went through changes after it was first added in 10.7, but I would have imagined the command would be the same (unless the firewall had a different name).
Might it be something to do with my use of quotes?
set firewall to "/usr/libexec/ApplicationFirewall/socketfilterfw"
set appexe to "/Applications/Program.app/Contents/MacOS/Program"
#temporarily shut firewall off:
do shell script firewall & " --setglobalstate off" with administrator privileges
#put program as an exception: (not supposed to have sudo on this line)
do shell script firewall & " --add " & appexe
-- response should be --> "Application at path (...) added to firewall "
#re-enable firewall:
do shell script firewall & " --setglobalstate on" with administrator privileges
#add Gatekeeper exception
do shell script "spctl --add --label 'Program' /Applications/Program.app" with administrator privileges
You should not turn off the firewall. Remove setting the firewall OFF/ON code lines.
-- To allow incoming connections to executable of app
set firewall to "/usr/libexec/ApplicationFirewall/socketfilterfw"
set anApp to choose application
set anAppName to name of anApp
set appexe to POSIX path of (path to anApp) & "Contents/MacOS/" & anAppName
do shell script firewall & " --add " & quoted form of appexe with administrator privileges
-- To allow incoming connections to app
set firewall to "/usr/libexec/ApplicationFirewall/socketfilterfw"
set appPosixPath to POSIX path of (path to (choose application))
do shell script firewall & " --add " & quoted form of appPosixPath with administrator privileges
Thanks, that works.
All examples I saw across the web suggested you first need to disable the firewall. I had anticipated it was similar to trying to edit a settings/props file belonging to an app that's still running. Also, the firewall would only be disabled for a fraction of a second. I guess that points to the question of why they all say to first disable the firewall.
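Pulling the thread's conclusions together (no global on/off toggle, `with administrator privileges` instead of sudo, a POSIX path wrapped in `quoted form of`), here is an added example of the whole flow with the checks a practitioner would want: it verifies the executable exists before calling socketfilterfw, records the global state instead of changing it, adds and explicitly unblocks the app, and confirms the result with `--listapps`. This is an added example written for this page, not code posted by anyone in the thread; `/Applications/Program.app` and its `Program` executable are placeholders, and the check that `--listapps` echoes the exact path that was added is an assumption.

```applescript
-- Added example (not from the thread): register an app with the macOS
-- application firewall without ever switching the firewall off.
-- Assumption: /Applications/Program.app with executable Contents/MacOS/Program
-- is a placeholder; substitute the real bundle and CFBundleExecutable name.

set firewall to "/usr/libexec/ApplicationFirewall/socketfilterfw"
set appBundle to "/Applications/Program.app"
set appExe to appBundle & "/Contents/MacOS/Program"

-- 1. Check the path ourselves, so a typo or an HFS-style path ("Program.app:Contents:…")
--    fails with a readable message instead of socketfilterfw's
--    "The file path you specified does not exist".
try
	do shell script "test -x " & quoted form of appExe
on error
	error "Executable not found or not executable: " & appExe
end try

-- 2. Read the global state for the report; never call --setglobalstate off here.
set stateBefore to do shell script firewall & " --getglobalstate"

-- 3. Both --add and --unblockapp need root. "with administrator privileges" pops the
--    password dialog; sudo fails because do shell script has no tty and no askpass.
--    quoted form of protects paths with spaces ("/Applications/My Program.app").
do shell script firewall & " --add " & quoted form of appExe with administrator privileges
do shell script firewall & " --unblockapp " & quoted form of appExe with administrator privileges

-- 4. Verify against the firewall's own list rather than trusting the "added" message.
--    Assumption: --listapps prints the path exactly as it was added.
set appList to do shell script firewall & " --listapps" with administrator privileges
if appList does not contain appExe then
	error "socketfilterfw did not list " & appExe & " after --add"
end if

set stateAfter to do shell script firewall & " --getglobalstate"
display dialog "Firewall before: " & stateBefore & return & ¬
	"Firewall after: " & stateAfter & return & ¬
	"Added and unblocked: " & appExe
```

Run it from Script Editor; expect one administrator password prompt per `with administrator privileges` call (or one cached prompt, depending on the OS version), and the "before" and "after" states should be identical, which is the point of dropping the off/on lines.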