Running Launchd Services with Non Root User on macOS

Question

I am building a launchctl service which can run a java service. I am able to create launchctl service with root user and test start/stop/status/automatic start at reboot use cases.

I am struggling with running same launchctl service with non root user(ec2-user in my case)

My plist file looks like below

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>siem</string>
  <key>ProgramArguments</key>
  <array>
    <string>java</string>
    <string>-jar</string>
    <string>/Users/ec2-user/siem.jar</string>
  </array>
  <key>RunAtLoad</key>
  <true/> <!-- run the program at login -->
  <key>KeepAlive</key>
  <true/> <!-- run the program again if it terminates -->
  <key>WorkingDirectory</key>
  <string>/Users/ec2-user</string>
   <key>StandardErrorPath</key>
   <string>/tmp/mycommand.err</string>
   <key>StandardOutPath</key>
   <string>/tmp/mycommand.out</string>
</dict>
</plist>

I have tried various steps to run the above service with ec2-user. UID for ec2-user is 501.

ec2-user@ip-172-31-30-212 ~ % launchctl bootstrap gui/501 ~/Library/LaunchDaemons/siem.plist
Bootstrap failed: 125: Unknown error: 125

Verified the content of plist file

ec2-user@ip-172-31-30-212 ~ % plutil ~/Library/LaunchDaemons/siem.plist
/Users/ec2-user/Library/LaunchDaemons/siem.plist: OK

Tried bootstraping service with user

ec2-user@ip-172-31-30-212 ~ % launchctl bootstrap user/501 ~/Library/LaunchDaemons/siem.plist
Bootstrap failed: 5: Input/output error

All of the above errors are not verbose and doesn't seem to find any way.

My goal : I want to run launchctl service with non root user.

Environment Details:

OS : macOS on AWS EC2 Instance

macOS Version : BigSur and Monterey

Thanks in advance.

Answer 1

I just spent a significant time getting this to work, but it is complicated.

The gui domain is only available after a user has logged in with a graphical user session. Trying to add services to it when it is not available results in an error.

The user domain is available after a login (such as through SSH), but to add a service to this domain your .plist must contain the following key & value:

<key>LimitLoadToSessionType</key>
<string>Background</string>

If this key is not present, you get the dreaded "Input/output error", as the default value for this property is Aqua (ie. requires a GUI context). For more information about these session types see here.

The problem is any of these services in the user domain do not get automatically started on reboot. The best solution to have a process running after reboot is to add them as root to the system domain and then add the <UserName> key to your .plist to run it as a specific user.

Answer 2

Assuming you want to run your launchd agent as a user do the following:

Instead of calling java directly in your .plist file, pass the command to shell. This ensures all environment variables which are necessary for java (like JAVA_HOME) are set. Also, use absolute paths:

<key>ProgramArguments</key>
<array>
  <string>/bin/zsh</string>
  <string>-c</string>
  <string>java -jar /Users/ec2-user/siem.jar</string>
</array>

Next, I think your bootstrap command is wrong. I guess you have to use it like this:

launchctl bootstrap gui/"$(id -u)"/siem

To verify the agent starts successfully do

launchctl kickstart gui/"$(id -u)"/siem

Another good resource is https://launchd.info/