@cielavenir
Last active March 20, 2024 20:18
zoom sandbox-exec for macOS
  1. Download Zoom.pkg from https://zoom.us/download
  2. Extract it using https://www.timdoug.com/unpkg/
  3. Now you have Zoom/zoom.us.app
  4. Launch Zoom through zoom.sh: zoom.sh Zoom/zoom.us.app/Contents/MacOS/zoom.us

caveats:

  • Zoom will fail to start a meeting the first time. Just launch it again.
  • Zoom will report that a crash happened, but you should ignore it.
#!/bin/sh
# Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.
# DISCLAIMER: THE WORKS ARE WITHOUT WARRANTY.
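# Run the command given as arguments under an inline sandbox profile.
# Everything is allowed by default; file writes are then denied except in
# Zoom's own directories and the temp locations listed below.
sandbox-exec -p "
(version 1)
(allow default)
(deny file-write*)
(allow file-write*
    (subpath \"${HOME}/Library/Application Support/zoom.us\")
    (subpath \"${HOME}/Library/Logs/zoom.us\")
    (subpath \"${HOME}/Library/WebKit/us.zoom.xos\")
    (subpath \"${HOME}/Library/Caches/us.zoom.xos\")
    (subpath \"${HOME}/Library/Saved Application State/us.zoom.xos.savedState\")
    (subpath \"/private/var/tmp\")
    (subpath \"/private/tmp\")
    (subpath \"/tmp\")
    (subpath \"/private/var/folders\")
    (subpath \"/var/folders\")
)
(deny file* (regex #\"/id_rsa$\"))
(deny file* (regex #\"/id_dsa$\"))
(deny file* (regex #\"/id_ecdsa$\"))
(deny file* (regex #\"/id_ed25519$\"))
(deny file* (regex #\"\\.pem$\"))
" "$@"
# The deny file* rules above block every file operation (reads included) on
# paths ending in the usual SSH private-key names or in .pem.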

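To check what the profile above does and does not cover, this added example (not part of the gist) models its file rules in plain shell so the decisions can be inspected without macOS. It assumes the last matching rule wins, which the profile's deny-then-allow ordering relies on; `decide`, `under`, the home directory and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline model of the profile's file rules, not Apple's evaluator.
# Assumption: the last matching rule decides the outcome.
H=/Users/example   # constructed home directory standing in for ${HOME}

# Succeeds when path $1 is directory $2 or lies beneath it (SBPL subpath).
under() {
  case "$1" in
    "$2"|"$2"/*) return 0 ;;
  esac
  return 1
}

# decide OP PATH prints "allow" or "deny"; OP is "read" or "write".
decide() {
  op=$1 p=$2
  verdict=allow                          # (allow default)
  if [ "$op" = write ]; then
    verdict=deny                         # (deny file-write*)
    while IFS= read -r dir; do           # (allow file-write* (subpath ...))
      if under "$p" "$dir"; then verdict=allow; fi
    done <<EOF
$H/Library/Application Support/zoom.us
$H/Library/Logs/zoom.us
$H/Library/WebKit/us.zoom.xos
$H/Library/Caches/us.zoom.xos
$H/Library/Saved Application State/us.zoom.xos.savedState
/private/var/tmp
/private/tmp
/tmp
/private/var/folders
/var/folders
EOF
  fi
  case "$p" in                           # (deny file* (regex ...)), listed last
    */id_rsa|*/id_dsa|*/id_ecdsa|*/id_ed25519|*.pem) verdict=deny ;;
  esac
  echo "$verdict"
}

# Constructed sample paths: print the modelled decision for each.
while IFS='|' read -r op path; do
  printf '%-5s %-6s %s\n' "$(decide "$op" "$path")" "$op" "$path"
done <<EOF
read|$H/.ssh/id_rsa
read|$H/.ssh/id_rsa.pub
write|$H/Documents/notes.txt
write|/tmp/server.pem
EOF
```

Because the profile starts from `(allow default)`, reads outside the five key patterns stay allowed; the key rules are a blocklist on file names, not a restriction on which directories can be read.
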
msanders commented Oct 4, 2023

@darcyforster The Zoom application bundle is not persisted after running the script. It is temporarily extracted to $HOME/.local/share/zoom-sandbox (or $XDG_CACHE_HOME/zoom-sandbox) when run, but removed after exit to avoid unintentionally launching outside of sandbox-exec. It is possible to write an application wrapper that does the same thing and allows launching from Finder, but would require additional maintenance. Users of the sandbox script can (and should) remove the Zoom app from /Applications/ if previously installed. Not sure if you were troubleshooting an issue with the app failing to launch, but I've added an additional flag to help diagnose:

/path/to/bin/zoom -v

Note that if Zoom had an application available on the Mac App Store this would not be necessary, since that already requires sandboxing. I strongly recommend encouraging organizations to seek alternatives such as Webex or one of the FOSS offerings available that don't have such abysmal track records for security and privacy. Other options for users aside from the script include the web client and iOS apps. Unfortunately, at the time of this writing the web client has buggy behavior with camera orientation.

To completely remove previous installations of Zoom, you can use this script or run:

brew rm --cask --zap --force zoom

Note that this will delete preferences as well.

@cielavenir
Author

(added license lines)