> Can I just give the same permission to iTerm? Nope. We are not worthy of that power, and must r...

tpmoney • today at 1:12 AM • 1 reply • view on HN

> Can I just give the same permission to iTerm? Nope. We are not worthy of that power, and must re-affirm permissions every 30 days for all non-Apple software.

Not sure what permission you're referring to or what your curl script is trying to do but `/opt/homebrew/opt/curl/bin/curl http://www.google.com` works just fine on Tahoe from both iTerm2 and ghostty. Looking through the various permission grants, the only one they both have in common is "App Management". They share some file permission grants, but where as iTerm has full disk access, ghostty only has Downloads and removable media. In the past I've found I've needed to add terminals like iTerm to the Developer Tools permission, but ghostty isn't in there currently and curl is still working just fine. And in none of these cases have I ever needed to re-affirm the permission every 30 days.

Any chance you have "disclaim ownership of children" setting enabled in iTerm? Maybe if iTerm is not allowing child processes to use its own permissions, you're having to re-authorize curl specifically (and it's getting updated about once every 30 days?)

> And if you don't accept them, they are silently denied.

This is IMO the correct behavior. If something asks for permission and it's not explicitly granted, then the default should always be denied.

Replies

cyberax • today at 1:42 AM

> Not sure what permission you're referring to or what your curl script is trying to do but `/opt/homebrew/opt/curl/bin/curl http://www.google.com` works just fine on Tahoe from both iTerm2 and ghostty.

Mwwahahaha. Yep. Curling something neutral like google.com worked fine for me as well. That's how I was verifying that everything was OK.

Now try to do "curl https://192.168.0.1" (or whatever is your local router's IP). It will trigger this request: https://imgur.com/a/tMAApfB

The permission in question is called "Local Network", you can find it in the "Security" section in the control panel. Yeah, their names don't match.

Oh, and negative entries are NOT listed in that panel. So if you deny the request, there is NO indication of that. Anywhere. Logs will also be empty.

> This is IMO the correct behavior. If something asks for permission and it's not explicitly granted, then the default should always be denied.

The keyword is SILENTLY. The permission requests should be logged and made available in a central location, where they can be reviewed.

It's literal recursive WTF. When you start looking at it, it gets worse and worse.

➕ show 1 reply

alt Hacker News

Replies