The macOS Privacy Settings Deleted My Backups

The other day I logged in to my NAS to find that all of my backed up media files were gone. No errors, the drives were fine, the directory was there, but the files were gone. Thankfully it wasn’t a freak out moment as I had my originals and my other backups, but it was a mystery. The answer turned out to be the macOS privacy settings, and while I certainly support the spirit of what they are doing, in practice the way this worked was so confusing that if you told me they were trying to screw with me, I wouldn’t be shocked.

Let’s talk it through.

Here’s how the backup is suppose to run: I have a Mac Mini with a bunch of media files on an external drive, and I want to back those files up on the NAS. This happens via a simple bash script with rsync, and it used to run on a cron, but I moved it to a Keyboard Maestro macro because I’m moving all of my Mac cron jobs there for improved portability and discoverability [Editor’s Note: FORESHADOWING!]

Here’s the bash script. As I said, it’s very simple:

#!/bin/bash

rsync -av --progress --delete --ignore-errors --ignore-existing --dry-run --no-perms --no-owner --no-group  "/Volumes/Media Files/" nas:/volume1/media/

It runs within a macro that runs nightly after checking if the removable drive is mounted and if an arbitrary directory exists in the volume, just to make sure the drive is really mounted. Everything looks fine. The macro and script both run without any errors, but the files are not on my NAS.

So, I ran the script manually in the terminal and the rsync ran without issue and the files ended up on the NAS. Hmm.

Then I ran the script from within Keyboard Maestro and rsync runs fine…and deletes every single file on the NAS. WTF! But the drive is mounted at it sees a directory in the mounted directory? Why is the script saying that there aren’t any files?! In fact, when I update the bash script to just print out the contents of the Media Files directory, it returns:

> total 0

No error. Just an empty directory listing. Remember, this script is running after checks to make sure the drive is mounted and a folder on that mount has been found!

So, as you know, dear reader, it was macOS’ privacy settings. What I needed to do was give Keyboard Maestro full disk access and then the macro and script ran without issue. Ok, fine. I’m not mad about an extra layer of permission, especially one that I can resolve, if I choose to, quickly. What’s annoying is how the blocking worked. No error. No alert saying an app or script asked to do something and it was blocked. It didn’t even return an error code, it just said the directory was empty…so rsync deleted everything. That’s crazy! I still don’t really understand why Keyboard Maestro was able to see the existence of a child directory but not list files. It’s really odd and really frustrating. I mean really frustrating. Like working at Twitter and having an idiot man child ask you why his unfunny joke tweets don’t get the reach he expected, and then getting fired for no reason frustrating.

Ok, maybe not that frustrating, but I sure with Apple would do something to improve this.