macOS: List apps authorized for full disk access

command-line mojave

Is there a Terminal command to view a list of all macOS that are authorized and unauthorized but have asked for Full Access?

I am looking for the list that is displayed under System Preferences → Security & Privacy → Privacy → Full Disk Access, but via command-line.


Solution 1:

The sqlite queries mentioned DO work, e.g.:

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'

The trick, however, is that you need full-disk access to access that SQLite database, so depending on where you're trying to do this, it's a chicken-and-egg problem. For just testing purposes, you can give your terminal full-disk access, then you'll be able to run the command.

Solution 2:

Apps that have requested and been granted Security > Privacy permissions can be read via:

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'

However, this does not specify which permissions were granted.

There's also:

defaults read ~/Library/Preferences/com.apple.universalaccessAuthWarning.plist

..but this will only indicate whether a given app was approved or denied.

Taccy is a small utility that will list which permissions an app will request, even if it has not been launched yet:

https://eclecticlight.co/taccy-signet-precize-alifix-utiutility-alisma/

Solution 3:

Building on @d4's answer, the sqlite DB does have the answer for which permission is granted. The service column will be kTCCServiceSystemPolicyAllFiles for Full Disk Access.

So the query:

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
  'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"'

will list out the apps and binaries that are allowed Full Disk Access, i.e.:

/usr/libexec/atrun
/usr/sbin/sshd
com.googlecode.iterm2

(Updated answer based on @Motti Shneor answers, thanks! On their answer they note that auth_value is an int and not a bool, but the WHERE filter still works.)

If you're interested, you can invert the query to ... where NOT auth_value and service = ... and it will list the apps that are unchecked in the policy dialog.

On older versions of macOS (before 11.6) the auth_value column was named allowed so you might need to adjust the query.

If you get the error Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": authorization denied and any other file operations on the TCC.db file all fail, your terminal app itself is missing the full disk access permission required to read the DB file. i.e. I can't run the command from vscode but it works from iTerm because that's how my permissions are set up. That's addressed in rdamazio's answer.

Related

Mac terminal found open with “man James” text. Have I been hacked?
M1 mac mini: Python reports `mach-o, but wrong architecture`
Apple TV from Apple One and Apple TV free trial on new devices conflict
Apple Mail warning: Unable to verify message signature
App Store App Name Change - how to leave old name for SEO / find-ability
What's the difference between an id and a class?
Asynchronous shell exec in PHP
How to read a large file line by line?
Using only CSS, show div on hover over another element
How do I set up a simple delegate to communicate between two view controllers?
How to parse/format dates with LocalDateTime? (Java 8)
Create a Date with a set timezone without using a string representation