Why can I not modify files in /etc with a launchd process running as root?

[m4rkw]

Hello

Every time there's a macOS update my security settings for ssh and sudo revert to the default. I have to then:

1. Re-enable pam_tid.so in /etc/pam.d/sudo
2. Re-enable pam_ssh_agent_auth.so in /etc/pam.d/sudo
3. Re-disable password auth in sshd_config /etc/ssh/sshd_config

I can freely modify these files as root but if I create a run-on-startup launchd script that executes a bash script it executes but gets permission denied trying to modify the files. I've so far tried waiting 30s but it's always denied, tried adding launchd to the full disk access list but nothing works.

Is there a way around this or is it just flat out denied? Very annoying.

 

[kryten2]

Same error when you run the bash script from Terminal with elevated privileges? Where's the plist file stored? Make sure the basics work before adding complexity via launchd.

 

[m4rkw]

It works when run from the terminal. Seems launchd runs in some kind of jail

 

[kryten2]

Info : How do I run a launchd command as root

 

[m4rkw]

Info : How do I run a launchd command as root

Thanks I know how to configure launchd, just don't know how/if it's possible to disable the jail that it runs in to allow modifying files in /etc. Suspect not.

 

[bogdanw]

If you haven’t already, try with SIP disabled.
"Disabling and Enabling System Integrity Protection" https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection

 

[m4rkw]

Not really willing to disable SIP for this, I have a workaround for now which is to just run it from .bash_profile