Why am I getting a "dubious ownership of file" error when Launch Agent runs my .plist file?
If a plist is owned by root and writable by a user other than root, that's a security issue.
You can change the owner to root with sudo chown root <filename>, and change the permissions with sudo chmod 644 <filename> (4 for read access, 2 for write access, 1 for execute access, added up. The first number is for the owner, the second for the group, the third for everyone.)
From the launchctl(1) manpage’s description of the load subcommand:
Note that per-user configuration files (LaunchAgents) must be owned by the user loading them. All system-wide daemons (LaunchDaemons) must be owned by root. Configuration files must not be group- or world-writable. These restrictions are in place for security reasons, as allowing writability to a launchd configuration file allows one to specify which executable will be launched.
launchctl has several “Dubious …” messages. The launchd code for 10.6.7 (for example) has three such messages in its launchctl.c (see the function path_goodness_check).
- Dubious permissions on file (skipping): <pathname>
- Dubious ownership on file (skipping): <pathname>
- Dubious path. Not a regular file or directory (skipping): <pathname>
To avoid these messages a pathname must be (#3) a regular file or directory[1] (or a symlink to one) that is (#1) owned by root or the invoking user and (#2) not “group” or “other” writable (i.e. chmod go-w).
[1] No named pipes, block/character special device nodes, local domain sockets, etc.
Your file is probably owned by the admin user since you say that you do not get the message when logging in as that user (the pathname is owned by the invoking user in that case).
To make the pathname work for other users, it should be owned by root.
To arrange this, do:
sudo chown root /Library/LaunchAgents/foo.plist
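The three conditions listed in this answer, written out as a standalone checker you can run over a plist before loading it. This is an added example, not launchd's path_goodness_check and not code from the original answer; the names classify_path, check_path and the verdict enum are this example's own, and using stat() so that a symlink is judged by its target is an assumption based on the "or a symlink to one" wording above.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdict names are this example's own, one per message quoted above. */
enum path_verdict { PATH_OK, DUBIOUS_PERMISSIONS, DUBIOUS_OWNERSHIP, DUBIOUS_PATH };

/* Pure check on stat fields, so it can be exercised with constructed values. */
enum path_verdict classify_path(mode_t mode, uid_t owner, uid_t invoking_uid)
{
    if (mode & (S_IWGRP | S_IWOTH))            /* #2: group- or other-writable */
        return DUBIOUS_PERMISSIONS;
    if (owner != 0 && owner != invoking_uid)   /* #1: neither root nor the invoking user */
        return DUBIOUS_OWNERSHIP;
    if (!S_ISREG(mode) && !S_ISDIR(mode))      /* #3: FIFO, device node, socket, ... */
        return DUBIOUS_PATH;
    return PATH_OK;
}

/* stat() follows symlinks, so a symlink is judged by its target.
 * Returns a path_verdict, or -1 if the path cannot be stat'ed. */
int check_path(const char *path, uid_t invoking_uid)
{
    struct stat sb;
    if (stat(path, &sb) == -1)
        return -1;
    return (int)classify_path(sb.st_mode, sb.st_uid, invoking_uid);
}

int main(int argc, char **argv)
{
    static const char *msg[] = {
        "ok", "Dubious permissions on file", "Dubious ownership on file",
        "Dubious path. Not a regular file or directory" };
    int bad = 0;
    for (int i = 1; i < argc; i++) {
        int v = check_path(argv[i], getuid());
        if (v < 0) { perror(argv[i]); bad = 1; continue; }
        printf("%s: %s\n", argv[i], msg[v]);
        if (v != PATH_OK) bad = 1;
    }
    return bad;   /* non-zero exit if any path would be skipped */
}
```

Run it as the user who will load the agent, since the ownership check compares against that user's uid; a root-owned file passes for every user, which is why the chown above fixes the multi-user case.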
Thanks for the answer (changing owner to root) -- that's all I needed.
To make this a bit more than a 'me too' post... I got here via a convoluted path: I was getting "This API can only be used by a process running within an Aqua session" errors for a launchdaemon. Searching for an answer to that led me to Apple's technote on daemons and agents which explained how to resolve the 'Aqua session' error, but that left me with 'dubious ownership' issues. That's how I got here, where my final issue was resolved.
Maybe adding all of that to this discussion will cause some search engine to link this page to one of the precursory issues, thereby saving some future adventurer some time.