[HOWTO] iSightCapture Command Line Security Workaround

ScottW

Founder
Staff member
Starting in 10.4.10, Apple put in some security restrictions that made using utilities like isightcapture unusable to anyone but the console user. This limited the ability to remotely log into a system and capture video from an iSight camera through the command line. In addition, it stopped you from being able to setup a cron to run every so often because the isightcapture application was not run by the console user, but by root or crond. This broke the ability of people running their own little scripts running on a local machine.

Common errors:

FATAL: setting data channel failed - cam busy/not connected ?
open requires the user to be logged in at the console to launch applications.

It took some trial and error, but I finally managed a way to overcome this under Leopard 10.5.1 and I assume it will work under Tiger 10.4 was well. The method involves using Applescript. While you can run the isightcapture utility remotely via SSH it requires using the GUI side Applescript, not the command line side. This means that visual feedback will happen when the application is launched. The Applescript icon will show up in the dock, the application will move to the foreground and run then quit. It happens pretty quick and short of your dock expand and contracting you'd never know it was running.

For those setting up their own scripts on their own computer or managed computers for whatever purpose, this is probably not a problem. For those wishing to take snapshots secretly on remote machines, this won't help you out unless it's your computer and the screen saver is running or monitor is off. Granted, that is what Apple was doing when it started blocking access and while running the same script via osascript renders errors. In addition, it won't work if the user it is running under is not the active logged in user session.

I am sure there is something I have missed, but this should get things going again for most people.

Open Script Editor and type in:

Code:
do shell script "/your/path/isightcapture imagename"

Modify the code to your liking and setup above. Then save the script as an application to a location and name of your choice, but for this example I will use isightscript.app.

Open up Terminal and type "crontab -e" and hit return. This probably will bring up an empty listing, but whether it is empty or you have entries already, go to the end of any listings and on a new line type:

Code:
* * * * * open /path/to/isightscript.app

The above code will execute your script every minute 24/7. If you only wish to run it every hour on the hour:

Code:
0 * * * * open /path/to/isightscript.app

Anyhow, standard crontab practice applies to entries. You can define certain time ranges, certain days of the week, etc.

To try out your code without using crontab or if you are logged in remotely via SSH, you can just type "open /path/to/isightscript.app" in terminal and you should see the script load, it will take a picture and return.

Plus, since your using Applescript, you can do all sorts of fun things like sending an email of the output to you or uploading it to a remote web server. Imagine if you are away from your machine and you wanted to take a picture, you could send a email message with certain text to your account, when Mail.app sees this incoming email, based on a defined rule, it could launch this Applescript and take a picture then send the resulting image back to you. While I have not included the code to do all that above, you get the idea. Using Automator would get you on the right track.
 
I have attached it for those who can't seem to find it anywhere.
 

Attachments

  • isightcapture1_1.dmg.zip
    20.4 KB · Views: 317
"This means that visual feedback will happen when the application is launched. The Applescript icon will show up in the dock, the application will move to the foreground and run then quit. It happens pretty quick and short of your dock expand and contracting you'd never know it was running."

You can get rid of the visual feedback by saving the applescript as an application bundle and editing the Info.plist inside of the package contents. Add the following lines with a text editor:

<key>NSUIElement</key>
<string>1</string>

This will prevent your application from popping up on the dock when it runs.
 
I have setup the app and it works when I run it in the terminal but I cannot seem to get the cron to work. I have also tried launchd without success. Any ideas?
 
This did not work for me. Let me give a few details.

I am using the scripts from MacOSXHints to take a picture on wake from sleep and post to a web page.

http://www.macosxhints.com/article.php?story=20070126214841550

This was working fine, but somewhere around the end of March this stopped working (perhaps when Apple issued an update?). The symptoms are that on wake from sleep, the light on my iSight goes on for a short while as it should, indicating it is taking a picture. But no picture is saved. When I use the Activity monitor, I see that the program iSightCapture is still running. It looks like it gets stuck after taking the picture. So, rather than not being able to access the iSight camera, it looks like something gets stuck after taking the picture.

I tried the work around from this article (I'm running Mac OS 10.4.11). I created the script application as directed, and when I double click on it, it works fine. But, when I put the path to the script application in my .wakeup file, I continue to get the same behavior - on wakeup, the camera light goes on for a short while, but the iSightCapture program never exits and no picture is saved.

By the way, one consequence of this problem is that Skype and other programs can not access the iSight program. The stuck iSightCapture program continues to hold exclusive access to the camera until I reboot the computer or kill the process. This is what originally led me to investigate the issue.
 
Thank you for the helpful information. I was adding support for sending pictures from my laptop to my server and was getting this error, only when the script ran by cron of course, which was really annoying. I had to implement the applescript solution, and unfortunately this requires a user to be logged into the computer for the script to work but I don't think there's a better solution. This was probably done very much on purpose by Apple and they may not even approve of this workaround. (so lets hope they don't find this thread or this work-around may get worked-around...)

It's been my experience that the "open" command runs under the context of whatever user is using Finder, (specifically whichever user is "frontmost" when fast user switching is in use) and that dictates what rights will be available to isightcapture, so be sure that wherever isightcapture is placing files is writable by all Finder users on your machine, even if your cron job is running as root.

I could've swore I had this working earlier under 10.5. I wonder if they neglected to get this security fix right in 10.5.0 or 10.5.1? But it certainly is affecting 10.5.2 here.

The plist hack to keep it out of the dock is another handy trick I'll have to remember. I suppose I can use that the other way too (remove it) to get things into the dock that like to run invisibly.

Background: in case anyone's wondering what it's used for here, my laptop is set to detect its IP address (WAN as well as LAN) once an hour and ssh it to my server if available. If a script is waiting on the server for it, it downloads and runs it.

I recently found isightcapture, and so added another cron job (that runs once a minute) to take a picture once a minute and scp it back to the server if a file exists, and so I can leave it a one liner command to touch that file to turn on the minutely picture capture. Or the script can do anything else necessary if my laptop is stolen.

How much you want to bet there's an undocumented way to turn on the isight without turning on the green light?
 
I'm running 10.4.11 and I haven't had any real problem running isightcapture from the console or remotely (via ssh). I have a little script that takes a pic every few seconds. I have it start when the computer boots. It does sometimes stick and give the error you mention but it appears to stem from a problem with running isightcapture while isightcapture is still running from another task.


#!/bin/bash
# Michael McGlothlin <michaelm@plumbersstock.com>

rest () {
LOAD=`uptime | cut -d ":" -f4 | cut -d " " -f2 | tr -d "."`
if [[ $LOAD -gt "300" ]] ; then
sleep 30
elif [[ $LOAD -gt "150" ]] ; then
sleep 15
elif [[ $LOAD -gt "100" ]] ; then
sleep 10
elif [[ $LOAD -gt "50" ]] ; then
sleep 5
else
sleep 3
fi
}

do_capture () {
CAPTURE="isightcapture -t jpg"
cd $HOME/captures
while /usr/bin/true ; do
D1=`date +%y%m%d/%H`
D2=`date +%y%m%d.%H%M%S`
if [ ! -d $D1 ] ; then
mkdir -p $D1
fi
FN="$D1/$D2.jpg"
$CAPTURE $FN
if [ -h 'last.jpg' ] ; then
rm last.jpg
fi
ln -s $FN last.jpg
rest
done
}

if [[ $EUID == "0" ]] ; then
su - $1 -c "$0"
else
renice 19 $$
do_capture &
fi
 
sudo defaults write com.apple.loginwindow LoginHook /path/to/script

This is what I used to start my script above.
 
Hello,
tried the AppleScript hac but it doesn't work either:

do shell script "/Users/me/webcam/isightcapture test.jpg"

$ open /Users/me/webcam/script.app
LSOpenFromURLSpec() failed with error -10828 for the file /Users/me/webcam/script.app.
any ideas ?
 
Last edited:
How did you build your application?

LaunchServices/LSInfo.h has:

Error -10828
kLSNoClassicEnvironmentErr = The Classic emulation environment was required but is not available.

Looks like you are trying to run a Classic type application on 10.5.
 
How did you build your application?

LaunchServices/LSInfo.h has:

Error -10828
kLSNoClassicEnvironmentErr = The Classic emulation environment was required but is not available.

Looks like you are trying to run a Classic type application on 10.5.

There is nothing I built. The application is just the one line script posted on the beginning.

edit: ok I think Im a noob with Apple Script. In the how to is written "Open Script Editor and type in:". I just edited a new file using vim so I guess my error is here.

Do I have to build the application ? how can I do it via command line ?

EDIT2: I've tried this way:
script.txt said:
do shell script "/Users/me/webcam/isightcapture test.jpg"
then
osascript script.txt
but it says again

script.txt:0:76: execution error: FATAL: setting data channel failed - cam busy/not connected ? (1)

EDIT3: ouff :) Finally I set up a VNC server to my MacBook Pro and created the Application using the Script Editor. It works great ;)
 
Last edited:
So wait, you edited those with VIM and not ScriptEditor of AppleScript?

/Applications/AppleScript/ -> open Script Editor

and replace the /Users/me parts with your username in place of me
 
Over SSH

1. get process ID loginwindow "sudo killall -s loginwindow" return $PID
2. "sudo launchctl bsexec $PID isightcapture -t jpg /file.jpg"

-EXAMPLE----
sudo killall -s loginwindow
kill -TERM 35
sudo launchctl bsexec 35 isightcapture -t jpg /file.jpg
-------------------------------

WORK!!!

from screencapture
SECURITY CONSIDERATIONS
To capture screen content while logged in via ssh, you must launch screencapture in the same mach boot-strap bootstrap
strap hierarchy as loginwindow:

PID=pid of loginwindow
sudo launchctl bsexec $PID screencapture [options]


http://developer.apple.com/DOCUMENTATION/DARWIN/Reference/ManPages/man1/screencapture.1.html

Sorry for my english
 
there's no need for creating gui apps or scripts, here's a workaround:
connect to remote host via ssh, then type:
ps ax | grep [l]oginwindow
output will look something like
1381 ?? Ss 0:01.36 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console

The PID is the first number in the output; now type
sudo launchctl bsexec 1381 isightcapture -t png /somepic.png

and voila :)
 
@t0rus
tried it your way but all i get is the error message:
launchctl bsexec failed: No such file or directory

im sure im missing something really stupid.
in which directory does isightcapture file has to be? does that matter?

@all
i also tried it the other way via creating an app with applescript.
also doesnt work. here i get this error message
FATAL: graphics exporter set output failed
the line i wrote is:
do shell script "/path/isightcapture imagename"

thanks for your help guys
 
@t0rus
tried it your way but all i get is the error message:
launchctl bsexec failed: No such file or directory

im sure im missing something really stupid.
in which directory does isightcapture file has to be? does that matter?

to be able to run it without full path you'd have to put it in /sbin

@all
i also tried it the other way via creating an app with applescript.
also doesnt work. here i get this error message
FATAL: graphics exporter set output failed
the line i wrote is:
do shell script "/path/isightcapture imagename"

thanks for your help guys

haven't tried it myself but perhaps you can try imagesnap?
 
Back
Top