LaunchAgent has undesired root access

Question

I am having a problem getting my LaunchAgent to run as a normal (not-root) user. Everything I've read implies this should be the default behavior. The expectation is that if you put the plist in /Library/LaunchAgents then when it loads it loads for the user, as the user, at the users login.

What I am finding however is that if you run launchctl with sudo ('sudo launchctl load /Library/LaunchAgents/myagent.plist') then the process starts in the user session as root. This means 'ps u -ax' shows the process running as 'root', and also that files created by the process are owned by root:staff

I have tried googling about this and have found a ton of posts like someone wants their agent to have root access (which IMO is "wrong") and they are making all these forum posts about "how can I give it root" and everyone is replying to explain "it doesn't get root, its a user agent"... That is what I expect, however I am having the opposite problem, I don't want this agent to have root access, it shouldn't have it, yet it does have it.

If the answer is "you just simply can't run launchctl load with sudo or this happens", I have not been able to find that documented anywhere. And if that is the case then how do I do a launchctl unload/load on the Agent from a Daemon which should have root access, which is something I need to do for the product to update itself?

EDIT: Here is an example of a commonly linked post which makes it seem like this shouldn't even be an issue, makes it sound impossible for the Agent to run as root even if you wanted it to... https://superuser.com/a/36173/603140

Answer 1

launchd maintains a separate list of items for each user session ("launch agents"), and one for the system context ("launch daemons"). When you run launchctl load as root, the item is loaded into the system list (i.e. as a launch daemon instead of an agent) no matter where the file is located. What you need to do depends on exactly what you're trying to accomplish:

• If you're trying to get the item to load as a launch agent into future user sessions (i.e. for the next time you log in), just put it in /Library/LaunchAgents, set the permissions properly, then sit back and relax. When a user logs in it scans that directory and loads whatever it finds.

• If you're trying to get the item to load into an existing login session, you need to run launchctl load in that session. Exactly what that means and how you do it is complicated, and may depend on which version of OS X you're running (Apple keeps changing the launchd architecture...). At least in older versions of OS X, you'd have to find the process ID of some process running in the session you're targeting, and run something like:

  sudo launchctl bsexec $PIDInTargetSession sudo -u $TargetUsername launchctl load /Library/LaunchAgents/youritem.plist
  

  Explanation: the first sudo switches to root, then launchctl bsexec $PIDInTargetSession switches to the target sessions's mach bootstrap context (I said it was complicated), then sudo -u $TargetUsername switches UID from root to the target user, then finally launchctl load /Library/LaunchAgents/youritem.plist loads the agent in that session.

If that doesn't do it, check this message for some alternatives.