Fix Emacs permissions on macOS Catalina

fix-emacs-permissions-catalina.el

;;; package --- Fix permissions for Emacs.app on macOS Catalina
;;; Author: Artem Loenko
;;; Mail-To: <artyom.loenko@mac.com>
;;; Commentary:
;;; Code:

(defconst _default-emacs-app-plist-path "/Applications/Emacs.app/Contents/Info.plist")
(defconst _temp-buffer-name "*fixing Emacs permissions*")
(defconst _temp-buffer (get-buffer-create _temp-buffer-name))
(with-current-buffer _temp-buffer (erase-buffer))

(defun add-description-if-needed (description_key description)
  "DESCRIPTION_KEY - DESCRIPTION."
  (defconst read-args (list "read" _default-emacs-app-plist-path description_key))
  (if (equal 1 (with-temp-buffer (apply 'call-process "defaults" nil (current-buffer) nil read-args)))
      (progn
	(princ (format "Missing: %s. Adding...\n" description_key) _temp-buffer)
	(defconst write-args (list "write" _default-emacs-app-plist-path description_key "-string" description))
	(apply 'call-process "defaults" nil (current-buffer) nil write-args))
    (princ (format "Existed: %s. Skipping.\n" description_key) _temp-buffer)))

(add-description-if-needed
 "NSDesktopFolderUsageDescription"
 "Emacs requires permission to access the Desktop folder.")
(add-description-if-needed
 "NSDocumentsFolderUsageDescription"
 "Emacs requires permission to access the Documents folder.")
(add-description-if-needed
 "NSDownloadsFolderUsageDescription"
 "Emacs requires permission to access the Downloads folder.")
(add-description-if-needed
 "NSRemovableVolumesUsageDescription"
 "Emacs requires permission to access files on Removable Volumes.")

(switch-to-buffer-other-window _temp-buffer)

;;; fix-emacs-permissions-catalina.el ends here

There are some additional privacy restrictions on macOS Catalina related to folder access. Now we have to ask for permission to access Documents, Downloads, Desktop and files on removable volumes (documentation).
The script provides the necessary descriptions to access the folders mentioned above because in some cases Catalina rejects to provide access without these changes (especially, when your sync Documents and Desktop with iCloud).

How to use

1. Copy the code to the scratch buffer;
2. Change the _default-emacs-app-plist-path to point to a proper place where your Emacs is installed;
3. Evaluate the buffer (with eval-buffer in Emacs-Lisp major mode);
4. Check the output for changes (in temporary buffer *fixing Emacs permissions*);
5. Restart Emacs.

How to get access to the SIP protected folders

The easiest way is to call ns-open-file-using-panel and open a file from the protected folder. macOS will ask about the permission. In some cases, you can open a file directly from Emacs.app with the permission dialogue but you have to provide a full path and completions will be unavailable.

Notes

The script will convert the Info.plist from xml representation to the binary form. To convert back use the following command:

plutil -convert xml1 /Applications/Emacs.app/Contents/Info.plist

I have emacsclient running through brew services. I've run this script but my emacsclient is still blocked from the filesystem. Is there a way to get this script to work for emacsclient?

I granted Emacs Full Disk Access under System Preferences -> Security & Privacy -> Privacy.

Clicking the app icon launches Emacs with no access to the files under my account. However, if I launch an executable from the app contents in Finder, a terminal launches which then launches the same version of Emacs but with file access. This may be because I have a already granted permission to Terminal through a popup that appeared earlier.

Running the above script does not change this situation.

GNU Emacs 26.3 (build 1, x86_64-apple-darwin18.2.0, NS appkit-1671.20 Version 10.14.3 (Build 18D109)) of 2019-09-02

it doesn't work for me

The ns-open-file-using-panel bit did the trick for me. However this seemed to be regardless of whether I had run the permission-fix script or not (tried it on multiple machines). I never saw any 'Emacs would like to access XXX' popups. This is on 10.15 release with homebrew cask Emacs.app.

I found that if I do File->Open (or ns-open-file-using-panel) and select ~/Documents/somedir/somefile, emacs can then see everything under ~/Documents/somedir/ (but still not ~/Documents). So to get emacs back to fully functional I had to be sure to open files at the root of the 3 special dirs: ~/Documents/somefile, ~/Downloads/somefile, ~/Desktop/somefile.

Does anyone know what we need to do to get this working better out of the box? I'm curious if it's Apple or Emacs' fault that we're not getting access permission popups by default.

Traversing the file system in the dialog for ns-open-file-using-panel causes my Emacs to crash. My Emacs is from https://emacsformacosx.com.

I got prompted once for access and not again. Didn't need an elisp script.

Using emacs-mac via homebrew.

I fixed my problem by granting Full Disk Access to /usr/bin/ruby as instructed here.
https://emacs.stackexchange.com/a/53037/11143

Full disk access is working for my emacs install but won't work for emacsclient. I've granted full-disk access to ruby, emacsclient, emacs, and still won't work.

I had to be sure to open files at the root of the 3 special dirs: ~/Documents/somefile, ~/Downloads/somefile, ~/Desktop/somefile.

Thanks. I needed to do this too.

I solved this by creating a Automator "Application": Utilities -> Run Shell Script -> exec /Applications/Emacs.app/Contents/MacOS/Emacs 2>&1

I solved this by creating a Automator "Application": Utilities -> Run Shell Script -> exec /Applications/Emacs.app/Contents/MacOS/Emacs 2>&1

Thanks -- that works for me for the time being.

I've tried all of the above, tried different Emacs distributions, and no matter what I do, File > Open crashes Emacs immediately, as does clicking on the File Open button on the tool bar, or "Open a File" on the splash page. This is what I get:

Application Specific Information:
*** Terminating app due to uncaught exception 'NSObjectNotAvailableException', reason: 'EmacsOpenPanel is not a supported subclass for sandboxing'
abort() called
terminating with uncaught exception of type NSException

Any thoughts?

I found that if I do File->Open (or ns-open-file-using-panel) and select ~/Documents/somedir/somefile, emacs can then see everything under ~/Documents/somedir/ (but still not ~/Documents). So to get emacs back to fully functional I had to be sure to open files at the root of the 3 special dirs: ~/Documents/somefile, ~/Downloads/somefile, ~/Desktop/somefile.

Exactly. Somehow in my case these files should also be "real" files under the ~/Documents (and etc.) folders but not symlinked.

This trick also works for mounted volumes under /Volumes folder.

I've also installed via https://emacsformacosx.com/ – thanks for this script but it didn't help me either. What finally worked for me is adding /usr/bin/ruby and /usr/bin/emacsclient and Emacs.app under System Preferences > Security & Privacy > Full Disk Access

I fixed my problem by granting Full Disk Access to /usr/bin/ruby as instructed here.
https://emacs.stackexchange.com/a/53037/11143

Oh so it using a ruby script? Thanks! It‘s work！This problem confuse me as long time！😭

I didn't know Emacs.app/Contents/MacOS/Emacs executable from emacsformacosx.com is Ruby script file😮

After spending hours on getting emacs-plus from brew to get access to Documents when run as a service, i finally managed to click the file menu and saw that "bash" needed Accessability access to open the menu. I then added /bin/bash to "Full disk access" as well, and now it is working.

Grant Full disk access and ns-open-file-using-panel opens a file in those directories having problem solve the problem for me.

I find that using ns-open-file-using-panel with full disk access only makes the problem go away for a while: maybe a few weeks. Sooner or later, I have to repeat the ns-open-file-using-panel ritual. I would really like to learn of a definitive solution.

In general, this is a problem only for Emacs for Mac OS X version because they are using a Ruby script as an entry point for the application. I recommend to use emacs-plus, it works fine and properly asks for permissions (in version 27, where the patch was merged to the upstream).

I also solved it with full disk access rights to /usr/bin/ruby.

I also solved it with full disk access rights to /usr/bin/ruby.

This worked for me. Many thanks!

I also solved it with full disk access rights to /usr/bin/ruby.

This worked for me too. Thank you very much 🎉 🎉

I solved this by creating a Automator "Application": Utilities -> Run Shell Script -> exec /Applications/Emacs.app/Contents/MacOS/Emacs 2>&1

Thanks -- that works for me for the time being.

I got a similar issue with my Emacs which I compiled from GNU original source. When I called a command via Apple script (send a line message to Reminder), it failed even it is allowed on Security/Privacy Control panel. But calling emacs from Automator, it finally worked. Thank you!

@waqarsaleem Many thanks. Your fix worked for me.

I fixed my problem by granting Full Disk Access to /usr/bin/ruby as instructed here.
https://emacs.stackexchange.com/a/53037/11143

I had previously given access to Emacs under /System/Volumes/Data/Applications/Emacs.app. My install was the brew install cask. My original error happened when trying to add a new project to Treemacs that was under my Downloads directory. It was probably also wrapped up in the fact that I first opened emacs from iTerm for that session and then Ctrl+c quit it. After that I re-installed emacs altogether and only found this solution at that point.

@jcottrell I am glad. I know how important Emacs is to our workflows and understand the frustration and helplessness we feel when Emacs does not work!

As suggested by @waqarsaleem. I granted Full Disc access via System Preferences > Security > Full Disc Access for /bin /usr/bin/ruby and it worked!

Same for me... (As suggested by @waqarsaleem, thanks).
Giving Full Disc access to /usr/bin/ruby in System Preferences > Security > Full Disc Access helped.
https://gist.github.com/dive/f64c645a9086afce8e5dd2590071dbf9?permalink_comment_id=3049341#gistcomment-3049341

Same for me... (As suggested by @waqarsaleem, thanks). Giving Full Disc access to /usr/bin/ruby in System Preferences > Security > Full Disc Access helped. https://gist.github.com/dive/f64c645a9086afce8e5dd2590071dbf9?permalink_comment_id=3049341#gistcomment-3049341

Same for me too!