FileExists Returns False Under sudo

[msintle]

When you run your app as root/wheel on macOS, and create a file under that kind of ownership, fpAccess returns -1 on the file, even when it exists.

This results in the problem that FileExists returns false on files created/owned by root/wheel, even when the app is running under sudo.

I've implemented a workaround in my code using TFileStream which doesn't have this problem, but then I lose the capability to NOT follow links in my custom FileExists replacement.

The issue does NOT happen on Linux - any thoughts on how to address it?

[jwdietrich]

Can you post a simple code example, so that we can reproduce the issue?

[TRon]

Background info. Wheel group is special. What is strange is that you mention being able to circumvent by using a stream.

[jwdietrich]

The wheel group has been replaced by the admin group in macOS 10.3 and newer versions.

[Thaddy]

In newer versions the wheel group is not used at all, it does nothing, but may still exist because of upgrades. That may also be the case. Change it to the admin group. (Sorry, posts crossed).

Note I believe I have seen a tool that migrates the wheels group to admin. Never used it, though.

[msintle]

Folks are missing the point.

To clarify:

1) No circumvention occurs with TFileStream, because running your app as sudo, you are the admin; so you can actually normally access files that have been created by root and are in the wheel group.

The bug is that FileExists breaks, because fpAccess somehow "impersonates" the signed on user (instead of the elevated user), so per this "feature" (no pun intended), it is actually true that the file does not exist for the ordinary user (although I suppose even that is a bug ultimately - as the file does exist, but cannot be accessed by the ordinary user).

2) TFileStream works because the file does exist and the invoker application is running elevated, so there's absolutely no reason why it cannot be read by the elevated app.

3) This issue reproduces steadily on the latest version of macOS, so all that stuff about root/wheel being obsolete doesn't apply. When you, for example, as in my test case, run 7z to extract files inside an elevated macOS app, all created files are indeed owned by root and a member of the wheel group as such.

To restate my requests:

a) Goes without saying the bug should be fixed at some point.

b) How do I use TFileStream with the "FollowLinks" option set to false? This "option" doesn't exist with TFileStream, but it does exist with FileExists.

Thanks again to all those who have kindly chimed in with their thoughts!

Any failure to clearly explain is mine and mine alone.

[Thaddy]

Here FileExists works with the user added to the admin group. That is not the same as root.
This is a rather new M series mini.I barely touched it yet.

[msintle]

Here FileExists works with the user added to the admin group. That is not the same as root.
This is a rather new M series mini.I barely touched it yet.

Correct, to reproduce the issue, you need to be running your Lazarus app with sudo.

Enjoy your new M! I find they're better at running Windows on ARM than native Windows devices themselves.