[launchd-dev] launchd & launchctl Aqua session type on OSX Tiger

James Mead james at floehopper.org
Mon Oct 12 07:41:06 PDT 2009

Grant Erickson wrote:
> On 10/9/09 7:00 AM, launchd-dev-request at lists.macosforge.org wrote:
>> I have a script which I can successfully schedule using on OSX Leopard
>> as follows :-
>> launchctl load -w -S Aqua com.floehopper.script
>> Apparently I need the Aqua session type because the script accesses the
>> keychain using the SecKeychainFindGenericPassword function. If I don't
>> set the session type to Aqua, I get an errSecInteractionNotAllowed
>> "Interaction with the Security Server is not allowed" error (-25308).
>> However, I also want to schedule the script on OSX Tiger, but the
>> session type -S option is not available for launchctl.
>> I've tried calling the SecKeychainSetUserInteractionAllowed function
>> with the state parameter set to false, but then I end up with an
>> errSecAuthFailed "Authorization/Authentication failed" error (-25293).
>> Does anyone have any ideas how I might get this working on OSX Tiger?
> James:
> I'd recommend you read:
>     http://developer.apple.com/mac/library/technotes/tn2005/tn2083.html
> LaunchAgents are, unfortunately, DOA (dead on arrival) in Tiger.

Hi Grant,

Thanks for your reply. I've read the Apple technical note, but I'm a 
little confused. I want to use my Launch Agent as a scheduled task, not 
as something that happens at login. Also I only want to support systems 
where a single user is logging in via the GUI and not via ssh. The 
warning below seems to imply that I should not have any problems. Or am 
I missing something?

> WARNING: Prior to Mac OS X 10.5, launchd agents were not particularly 
> useful because there was no way for the agent to specify the type of 
> login session that the agent required (r. 4255854). Thus, you 
> couldn't use a launchd agent as the equivalent of a global login item 
> because it might be launched in the context of non-GUI login session. 
> Mac OS X 10.5 has addressed this limitation, as described below. 
> However, if you have to support older systems, you should investigate 
> some of the alternative technologies described in Deprecated Daemonomicon.

Also even in Leopard, I found I needed to set the session type to Aqua, 
whereas the technical note implies that the session type should default 
to Aqua.

> To run your agent in a particular session type, use the session type 
> strings from Table 1 as the value of the LimitLoadToSessionType 
> property in your agent's property list file. If you want to run in 
> more than one session type, you can set LimitLoadToSessionType to an 
> array, where each element is a session type string. If you don't 
> specify the LimitLoadToSessionType property, launchd assumes a value 
> of Aqua.

I have to admit I don't really understand why I need to set the session 
type to Aqua to access the keychain programmatically in the first place!

Regards, James.
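
The LimitLoadToSessionType property from the quoted technote, shown in an agent property list for a job run on a schedule rather than at login (Mac OS X 10.5 or later). This is an added example, not part of the original message or of the technote; the label comes from the launchctl command in the thread, while the script path and the interval are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Job label, as used in the launchctl command in the thread -->
    <key>Label</key>
    <string>com.floehopper.script</string>

    <!-- Hypothetical path to the script that reads the keychain -->
    <key>ProgramArguments</key>
    <array>
        <string>/Users/example/bin/script.sh</string>
    </array>

    <!-- Scheduled task, not a login item: run every 3600 seconds
         (constructed value) and do not run when the job is loaded -->
    <key>StartInterval</key>
    <integer>3600</integer>
    <key>RunAtLoad</key>
    <false/>

    <!-- Load only in the GUI login session. The key also accepts an
         array of session type strings to allow more than one type. -->
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
</dict>
</plist>
```

Installed in ~/Library/LaunchAgents, a per-user agent with this key is loaded only in that user's GUI login session, which keeps a job that needs keychain access out of non-GUI sessions such as ssh logins.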