Sandbox
Sandboxing is a protective technology introduced with Mac OS X 10.7 Lion. It limits the actions that applications can perform to reduce risks to application users. Only files explicitly opened by the user are accessible by applications. The sandbox is not available on OS X 10.6 Snow Leopard, so applications there run with full access, including to all files available to the user.
SciTE is built with a fixed set of entitlements and, on OS X 10.7 or later, is unable to perform unsafe actions not specified in the entitlements, including access to files except where they are opened through the system file open dialog.
Software development tools, such as compilers and revision control systems, often work with associations between files. For example, a C program may reference a header through a #include statement. In the sandbox environment, that header file may not be readable unless it has been opened by the user, and so compilation will fail.
To enable tools to access files that have not been opened, SciTE provides an Allow Access command in the File Menu which displays the following dialog:
Access to files and directories may be granted by pressing the Add Path… button to show a system dialog and then selecting the desired files or directories. Since the dialog is a trusted component, it is allowed to navigate the system and set permissions for SciTE.
Access to paths is remembered between runs of SciTE. To remove access to a path for future runs, use the Remove button.
There are different ways to use this feature: when files and directories are shared with other uses it may be easiest to set paths to existing files. Another possibility is to gather the files and directories needed into a single location and allow SciTE to only access that location.
When using a revision control system like Mercurial or git, the project root directory should be made accessible so these systems can work. Other directories that may need to be made accessible are the location of the executables and security keys used in their operation. In the above screenshot, the "/usr/local/bin" directory was made accessible, as that is where the "hg" executable was stored, as was the "~/.ssh" directory, which contains the key files used when synchronizing changes with a shared repository.
SciTE runs command line tools using the system shell, bash. If SciTE can read the ~/.bashrc file then it is executed before running commands. Since this file is initially hidden by the sandbox, if you want it to be executed by SciTE then access to it should be allowed through the Allow Access command.
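A preflight check for the Allow Access list described above, as an added example that is not part of SciTE: it models a granted directory as covering everything beneath it and reports which paths a tool run would still be denied. The home directory, project paths and file names are constructed, and symbolic links are not resolved.

```python
# Added example (not SciTE code): model which paths a sandboxed tool run
# could reach, given the paths granted through Allow Access.
import os
from pathlib import PurePosixPath


def normalise(path, home):
    """Expand a leading ~ against `home` and collapse '.' and '..' segments."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return PurePosixPath(os.path.normpath(path))


def covering_grant(needed, granted, home):
    """Return the granted path that covers `needed`, or None if none does."""
    target = normalise(needed, home)
    for grant in granted:
        root = normalise(grant, home)
        # Compare whole path components, so a grant for /usr/local/bin
        # does not cover /usr/local/binaries.
        if target == root or root in target.parents:
            return grant
    return None


def missing_access(needed, granted, home="/Users/example"):
    """List the needed paths that no grant covers, in input order."""
    return [p for p in needed if covering_grant(p, granted, home) is None]


# Constructed sample: grants like those in the text, plus paths a
# Mercurial-based C project might touch when run from SciTE.
GRANTED = ["~/projects/demo", "/usr/local/bin", "~/.ssh"]
NEEDED = [
    "~/projects/demo/src/main.c",
    "/usr/local/bin/hg",
    "~/.ssh/id_rsa",
    "~/.bashrc",                        # hidden until explicitly allowed
    "/usr/local/binaries/tool",         # sibling of a grant, not inside it
    "~/projects/demo/../other/util.h",  # header outside the project root
]

if __name__ == "__main__":
    for path in missing_access(NEEDED, GRANTED):
        print("add through Allow Access:", path)
```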
File quarantine in OS X was originally introduced to warn users of potential problems with downloaded files. It works by adding an extended attribute "com.apple.quarantine" to files. Earlier versions of SciTE could not create files without the quarantine attribute set which meant that programs compiled within SciTE could not be run easily. This was fixed in version 3.3.2 by adding the entitlement com.apple.security.files.user-selected.executable.
On OS X 10.9 Mavericks, system tools such as the Clang C++ compiler will not run within the sandbox. These tools are wrapped by 'xcrun' in order to allow choosing between different tool chains. The xcrun program will not run in the sandbox, instead showing a message like "xcrun: error: cannot be used within an App Sandbox". While different compilers can be downloaded and built locally, the compilers run other system tools such as the linker and assembler, causing further failures.
There is currently no known workaround for this issue, so compilations should be performed in a Terminal session.
For common installations of TeX on OS X, you should allow access to ~/.bashrc, /usr/local/texlive, and the directory containing your TeX files. The /usr/texbin directory should be added to the PATH in ~/.bashrc which can be defined like:
export PATH=$PATH:/usr/texbin
SciTE is built with entitlements to print, to be a network client, to access serial and USB ports, to read and write files selected by the user, to create executables without the quarantine attribute, and to retain access to files selected by the user between sessions.
If other entitlements are required for your projects then contact me at scite-support @ scintilla.org and I'll investigate adding these to a future release of SciTE.
Versions of SciTE that have not been sandboxed are available as SciTEUnboxed. These will only work when the corresponding sandboxed release has already been installed from the Mac App Store.