[HOWTO] iSightCapture Command Line Security Workaround

Discussion in 'HOWTO & FAQs' started by ScottW, Jan 2, 2008.

  1. ScottW

    ScottW Founder Staff Member

    Joined:
    Sep 12, 2000
    Messages:
    3,321
    Likes Received:
    6
    Trophy Points:
    38
    Gender:
    Male
    Location:
    Kansas City
    Starting in 10.4.10, Apple put in some security restrictions that made using utilities like isightcapture unusable to anyone but the console user. This limited the ability to remotely log into a system and capture video from an iSight camera through the command line. In addition, it stopped you from being able to setup a cron to run every so often because the isightcapture application was not run by the console user, but by root or crond. This broke the ability of people running their own little scripts running on a local machine.

    Common errors:

    FATAL: setting data channel failed - cam busy/not connected ?
    open requires the user to be logged in at the console to launch applications.

    It took some trial and error, but I finally managed a way to overcome this under Leopard 10.5.1 and I assume it will work under Tiger 10.4 was well. The method involves using Applescript. While you can run the isightcapture utility remotely via SSH it requires using the GUI side Applescript, not the command line side. This means that visual feedback will happen when the application is launched. The Applescript icon will show up in the dock, the application will move to the foreground and run then quit. It happens pretty quick and short of your dock expand and contracting you'd never know it was running.

    For those setting up their own scripts on their own computer or managed computers for whatever purpose, this is probably not a problem. For those wishing to take snapshots secretly on remote machines, this won't help you out unless it's your computer and the screen saver is running or monitor is off. Granted, that is what Apple was doing when it started blocking access and while running the same script via osascript renders errors. In addition, it won't work if the user it is running under is not the active logged in user session.

    I am sure there is something I have missed, but this should get things going again for most people.

    Open Script Editor and type in:

    Code:
    do shell script "/your/path/isightcapture imagename"
    Modify the code to your liking and setup above. Then save the script as an application to a location and name of your choice, but for this example I will use isightscript.app.

    Open up Terminal and type "crontab -e" and hit return. This probably will bring up an empty listing, but whether it is empty or you have entries already, go to the end of any listings and on a new line type:

    Code:
    * * * * * open /path/to/isightscript.app
    The above code will execute your script every minute 24/7. If you only wish to run it every hour on the hour:

    Code:
    0 * * * * open /path/to/isightscript.app
    Anyhow, standard crontab practice applies to entries. You can define certain time ranges, certain days of the week, etc.

    To try out your code without using crontab or if you are logged in remotely via SSH, you can just type "open /path/to/isightscript.app" in terminal and you should see the script load, it will take a picture and return.

    Plus, since your using Applescript, you can do all sorts of fun things like sending an email of the output to you or uploading it to a remote web server. Imagine if you are away from your machine and you wanted to take a picture, you could send a email message with certain text to your account, when Mail.app sees this incoming email, based on a defined rule, it could launch this Applescript and take a picture then send the resulting image back to you. While I have not included the code to do all that above, you get the idea. Using Automator would get you on the right track.
     
  2. ScottW

    ScottW Founder Staff Member

    Joined:
    Sep 12, 2000
    Messages:
    3,321
    Likes Received:
    6
    Trophy Points:
    38
    Gender:
    Male
    Location:
    Kansas City
    I have attached it for those who can't seem to find it anywhere.
     

    Attached Files:

  3. Raveneye

    Raveneye Registered

    Joined:
    Jan 9, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    "This means that visual feedback will happen when the application is launched. The Applescript icon will show up in the dock, the application will move to the foreground and run then quit. It happens pretty quick and short of your dock expand and contracting you'd never know it was running."

    You can get rid of the visual feedback by saving the applescript as an application bundle and editing the Info.plist inside of the package contents. Add the following lines with a text editor:

    <key>NSUIElement</key>
    <string>1</string>

    This will prevent your application from popping up on the dock when it runs.
     
  4. james_342

    james_342 Registered

    Joined:
    Mar 22, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    I have setup the app and it works when I run it in the terminal but I cannot seem to get the cron to work. I have also tried launchd without success. Any ideas?
     
  5. DrDavid

    DrDavid Registered

    Joined:
    Apr 27, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    This did not work for me. Let me give a few details.

    I am using the scripts from MacOSXHints to take a picture on wake from sleep and post to a web page.

    http://www.macosxhints.com/article.php?story=20070126214841550

    This was working fine, but somewhere around the end of March this stopped working (perhaps when Apple issued an update?). The symptoms are that on wake from sleep, the light on my iSight goes on for a short while as it should, indicating it is taking a picture. But no picture is saved. When I use the Activity monitor, I see that the program iSightCapture is still running. It looks like it gets stuck after taking the picture. So, rather than not being able to access the iSight camera, it looks like something gets stuck after taking the picture.

    I tried the work around from this article (I'm running Mac OS 10.4.11). I created the script application as directed, and when I double click on it, it works fine. But, when I put the path to the script application in my .wakeup file, I continue to get the same behavior - on wakeup, the camera light goes on for a short while, but the iSightCapture program never exits and no picture is saved.

    By the way, one consequence of this problem is that Skype and other programs can not access the iSight program. The stuck iSightCapture program continues to hold exclusive access to the camera until I reboot the computer or kill the process. This is what originally led me to investigate the issue.
     
  6. Virtual1

    Virtual1 Registered

    Joined:
    May 24, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    Thank you for the helpful information. I was adding support for sending pictures from my laptop to my server and was getting this error, only when the script ran by cron of course, which was really annoying. I had to implement the applescript solution, and unfortunately this requires a user to be logged into the computer for the script to work but I don't think there's a better solution. This was probably done very much on purpose by Apple and they may not even approve of this workaround. (so lets hope they don't find this thread or this work-around may get worked-around...)

    It's been my experience that the "open" command runs under the context of whatever user is using Finder, (specifically whichever user is "frontmost" when fast user switching is in use) and that dictates what rights will be available to isightcapture, so be sure that wherever isightcapture is placing files is writable by all Finder users on your machine, even if your cron job is running as root.

    I could've swore I had this working earlier under 10.5. I wonder if they neglected to get this security fix right in 10.5.0 or 10.5.1? But it certainly is affecting 10.5.2 here.

    The plist hack to keep it out of the dock is another handy trick I'll have to remember. I suppose I can use that the other way too (remove it) to get things into the dock that like to run invisibly.

    Background: in case anyone's wondering what it's used for here, my laptop is set to detect its IP address (WAN as well as LAN) once an hour and ssh it to my server if available. If a script is waiting on the server for it, it downloads and runs it.

    I recently found isightcapture, and so added another cron job (that runs once a minute) to take a picture once a minute and scp it back to the server if a file exists, and so I can leave it a one liner command to touch that file to turn on the minutely picture capture. Or the script can do anything else necessary if my laptop is stolen.

    How much you want to bet there's an undocumented way to turn on the isight without turning on the green light?
     
  7. mogmios

    mogmios Registered

    Joined:
    Oct 5, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    I'm running 10.4.11 and I haven't had any real problem running isightcapture from the console or remotely (via ssh). I have a little script that takes a pic every few seconds. I have it start when the computer boots. It does sometimes stick and give the error you mention but it appears to stem from a problem with running isightcapture while isightcapture is still running from another task.


    #!/bin/bash
    # Michael McGlothlin <michaelm@plumbersstock.com>

    rest () {
    LOAD=`uptime | cut -d ":" -f4 | cut -d " " -f2 | tr -d "."`
    if [[ $LOAD -gt "300" ]] ; then
    sleep 30
    elif [[ $LOAD -gt "150" ]] ; then
    sleep 15
    elif [[ $LOAD -gt "100" ]] ; then
    sleep 10
    elif [[ $LOAD -gt "50" ]] ; then
    sleep 5
    else
    sleep 3
    fi
    }

    do_capture () {
    CAPTURE="isightcapture -t jpg"
    cd $HOME/captures
    while /usr/bin/true ; do
    D1=`date +%y%m%d/%H`
    D2=`date +%y%m%d.%H%M%S`
    if [ ! -d $D1 ] ; then
    mkdir -p $D1
    fi
    FN="$D1/$D2.jpg"
    $CAPTURE $FN
    if [ -h 'last.jpg' ] ; then
    rm last.jpg
    fi
    ln -s $FN last.jpg
    rest
    done
    }

    if [[ $EUID == "0" ]] ; then
    su - $1 -c "$0"
    else
    renice 19 $$
    do_capture &
    fi
     
  8. mogmios

    mogmios Registered

    Joined:
    Oct 5, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    sudo defaults write com.apple.loginwindow LoginHook /path/to/script

    This is what I used to start my script above.
     
  9. Tex-Twil

    Tex-Twil Registered

    Joined:
    Dec 19, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
    Hello,
    tried the AppleScript hac but it doesn't work either:

    any ideas ?
     
    Last edited: Dec 19, 2008
  10. Giaguara

    Giaguara Chmod 760 Staff Member Mod

    Joined:
    Nov 29, 2002
    Messages:
    9,517
    Likes Received:
    9
    Trophy Points:
    38
    How did you build your application?

    LaunchServices/LSInfo.h has:

    Error -10828
    kLSNoClassicEnvironmentErr = The Classic emulation environment was required but is not available.

    Looks like you are trying to run a Classic type application on 10.5.
     
  11. Tex-Twil

    Tex-Twil Registered

    Joined:
    Dec 19, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
    There is nothing I built. The application is just the one line script posted on the beginning.

    edit: ok I think Im a noob with Apple Script. In the how to is written "Open Script Editor and type in:". I just edited a new file using vim so I guess my error is here.

    Do I have to build the application ? how can I do it via command line ?

    EDIT2: I've tried this way:
    then
    but it says again

    EDIT3: ouff :) Finally I set up a VNC server to my MacBook Pro and created the Application using the Script Editor. It works great ;)
     
    Last edited: Dec 19, 2008
  12. Giaguara

    Giaguara Chmod 760 Staff Member Mod

    Joined:
    Nov 29, 2002
    Messages:
    9,517
    Likes Received:
    9
    Trophy Points:
    38
    So wait, you edited those with VIM and not ScriptEditor of AppleScript?

    /Applications/AppleScript/ -> open Script Editor

    and replace the /Users/me parts with your username in place of me
     
  13. Tex-Twil

    Tex-Twil Registered

    Joined:
    Dec 19, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
    Yes that's what I did first cos I was connected to my mac only via ssh. But it's now fixed. see my previous post EDIT3.
     
  14. shadow21

    shadow21 Registered

    Joined:
    Jan 14, 2009
    Messages:
    1
    Likes Received:
    1
    Trophy Points:
    0
    Over SSH

    1. get process ID loginwindow "sudo killall -s loginwindow" return $PID
    2. "sudo launchctl bsexec $PID isightcapture -t jpg /file.jpg"

    -EXAMPLE----
    sudo killall -s loginwindow
    kill -TERM 35
    sudo launchctl bsexec 35 isightcapture -t jpg /file.jpg
    -------------------------------

    WORK!!!

    from screencapture
    SECURITY CONSIDERATIONS
    To capture screen content while logged in via ssh, you must launch screencapture in the same mach boot-strap bootstrap
    strap hierarchy as loginwindow:

    PID=pid of loginwindow
    sudo launchctl bsexec $PID screencapture [options]


    http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man1/screencapture.1.html

    Sorry for my english
     
  15. t0rus

    t0rus Registered

    Joined:
    Oct 24, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    there's no need for creating gui apps or scripts, here's a workaround:
    connect to remote host via ssh, then type:
    ps ax | grep [l]oginwindow
    output will look something like
    1381 ?? Ss 0:01.36 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console

    The PID is the first number in the output; now type
    sudo launchctl bsexec 1381 isightcapture -t png /somepic.png

    and voila :)
     
  16. vzsu

    vzsu Registered

    Joined:
    Dec 4, 2009
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    0
    @t0rus
    tried it your way but all i get is the error message:
    launchctl bsexec failed: No such file or directory

    im sure im missing something really stupid.
    in which directory does isightcapture file has to be? does that matter?

    @all
    i also tried it the other way via creating an app with applescript.
    also doesnt work. here i get this error message
    FATAL: graphics exporter set output failed
    the line i wrote is:
    do shell script "/path/isightcapture imagename"

    thanks for your help guys
     
  17. t0rus

    t0rus Registered

    Joined:
    Oct 24, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    0
    to be able to run it without full path you'd have to put it in /sbin

    haven't tried it myself but perhaps you can try imagesnap?
     
    vzsu likes this.
  18. vzsu

    vzsu Registered

    Joined:
    Dec 4, 2009
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    0
    thanks t0rus! imagesnap works perfectly!
     
  19. zinzin

    zinzin Registered

    Joined:
    Nov 21, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    @t0rus: I still got the same error with the imagesnap command
    any idea ? :):)
     

Share This Page