What is "sh" and why does it want access?

Hello,

Recently I got a message regarding “sh” wanting access to something in particular on my Mac. At the time I freaked out and in a hurry I clicked “don’t allow”. I know for a fact it wasn’t something related to Safari though, as I saw with another user’s post.

Here’s the context. I have a 2019 16 inch MacBook Pro which is on system 12.4 Monterey.

A little before I got the prompt for sh wanting access I had uninstalled my college’s out of school VPN software. I started editing a video via Final Cut Pro and used my MacBook for watching Youtube. A little later I used my Windows device. I then deleted an old Final Cut Pro library and its backup because I already had finished that particular video. When I deleted it and emptied my trash, a huge amount of files seemed to be deleted. I’m talking 3.3k+. Final Cut Pro library deletions are typically pretty big though, so I didn’t think much of it at the time even if it was a bit unusual.

When I returned to Final Cut Pro later, a library I was currently using had disappeared. The library was still on my Mac where I had saved it, however I could not open it via Final Cut Pro, or via clicking it in Finder because of the error “The library “the name I gave it” cannot be found in its original location. To open this library backup, click Save and choose a new location to save the library.”

However, I simply clicked save, made a new folder for the library, and I was able to open it again without much of a hitch.

Something else I noticed with my Final Cut Pro though, was that my presets were a bit messed up. My key binds worked fine, and when I imported new media into the project that was in the library, it saved when I closed and reopened Final Cut Pro. However, my screen arrangement as well as my clip sizing settings did not save.

Below are two screenshots with where I can find “sh” in my privacy section of system preferences. I ran a MalwareBytes scan and it didn’t detect anything.

I’m honestly not sure what action to take, or if I should simply ignore it.

https://preview.redd.it/iabrqedqinb91.png?width=636&format=png&auto=webp&s=1ae51f18669625c1b8177a9af4f6b2b955e31531

https://preview.redd.it/t62y6idqinb91.png?width=631&format=png&auto=webp&s=d62ef5a9b45184564facc5bea4f1376811f5a157

‘sh’ is short for shell. The shell is an interface to your computer’s exposed services. And based on the screenshots you have sent, it’s probably a shell script writing, viewing, or deleting files or directories to your computer’s disk; hence, it is under the ‘Automation’ and “Full Disk Access” panel. I could be wrong in that regard though, since you could do much with your shell. As to exactly what it is doing or what triggers it, I have no clue. I guess you start by opening up Activity Monitor and try to find it there. If you can’t, try opening apps that you suspect might trigger it.

Wouldn’t be surprised if the college VPN was harder to uninstall than dragging to the trash or that using an uninstaller didn’t catch a ‘helper’ app or shell script. It is, therefore, not particularly a big deal to have orphaned pieces of apps around, but snooping around regarding removing helper apps (called daemons in the old days and in Unix/Unix-like circles) might be an interesting and productive exercise.

I inherited a MacBook Pro from my old company. It had swollen batteries and they didn’t want to deal with it. So they gave it to me. It had all kinds of VPN, and invasive monitoring stuff on it. So I just wiped it and reinstalled Mac OS (Catalina I think). It’s much easier than trying to fix this stuff. The batteries were easy and cheap to replace BTW.

Their own tech support staff had trouble removing the older VPN system from laptops. Plus, the machine was encrypted.

So I just open various apps and see if “sh” is running?

Should I give “sh” access before I do this?

Also do you personally see what I see in these screenshots?

How should I go about fishing the remaining stuff out? I will admit the uninstall wasn’t smooth. There was a little thing at the top right on the bar at top near the battery percent icon which remained for a bit. It disappeared later though before this all occurred.

Also, how would that affect my FCP stuff?

Is a full wipe truly necessary?

Shell is part of the OS kernel. It’s equivalent to the term “GUI” but without anything visible. Finder and Final Cut Pro and other apps are running in “GUI mode” of macOS, and other background processes are running in “Shell mode” of macOS.

Not accurate but easier to understand.

So I just open various apps and see if “sh” is running?

Just the opposite, shell is running before you can see the login screen when you power on your computer.

You get this message because that “various app” needs shell to do something. But whether that “various app” is a legit app or malicious one, is another question, and that question can’t be answered.

Also do you personally see what I see in these screenshots?

Actually we can see more than what you can see.

We know what sh is. We know why it’s here. And we know what would cause sh to demand for access.

But the thing we don’t know is “who is behind this and what does it want to do?”

You get sh demanding access because the application had thrown requests to the system. These requests demand sh to do their deeds, which involves sending AppleEvents to another application.

For example, this line of code in C language will trigger the same effect as you’ve seen in your screenshot:

system("osascript -e \'tell application \"Safari\" to quit\'");

And this line of code, if permitted, will send a CMD+Q equivalent event to Safari, telling it to quit. Now you get the idea.

Should I give “sh” access before I do this?

If I were you, I wouldn’t do that.

As I’ve said, we don’t know “who is behind this and what does he want to do”. AppleEvents can be useful tools and a lot of helper tools would use that to do some automation tasks, such as adding new events to your calendar; but it can also be used by malicious attacks to inject something bad into your system.

You shall enable it only when you find that you can’t do something in legit apps.

Yes and for the second question, no. If you happen to have opened the app that triggers it, that app would ask for permission to enable the ‘sh’ access.

Really shouldn’t have impacted FCP, but something evidently happened. If FCP was opened up while not having enough room to work, that might have caused an issue unrelated to the VPN thing.

Manually removing things in LaunchAgents or LaunchDaemons requires knowing what you’re going after. If you know the name of the VPN that the college used, you should start by Googling the uninstall process for that app to see if there are steps or gotchas identified by others that you didn’t know to do. And Google macOS (or OS X) and LaunchAgents or LaunchDaemons. The more details that you can give or find out, the more of a chance that someone will be able to offer specific assistance.
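A small audit script, added here as an example and not from any commenter, that does the "knowing what you're going after" part of the advice above: it reads every launchd plist in the usual LaunchAgents/LaunchDaemons folders (user and system), reports what each job actually runs, flags jobs that go through `sh` or `osascript`, and flags jobs whose script or binary no longer exists, which is what a half-removed installer helper looks like. The vendor name `com.example.vpn.helper` and the script path under `ExampleVPN` are constructed placeholders for the demo, not names from the thread.

```python
import os
import plistlib
import sys
import tempfile

# Directories launchd consults for per-user and system-wide jobs.
LAUNCH_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
               "/Library/LaunchAgents", "/Library/LaunchDaemons"]
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "osascript"}

def describe_job(plist_path):
    """Summarize one launchd plist: what it runs, whether that goes through
    a shell interpreter, and whether the target still exists on disk."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    via_shell = bool(program) and os.path.basename(program) in SHELL_INTERPRETERS
    # For "sh <script>" jobs the path worth checking is the script, not /bin/sh.
    target = args[1] if via_shell and len(args) > 1 else program
    return {"file": plist_path,
            "label": job.get("Label", "<no Label>"),
            "target": target,
            "runs_via_shell": via_shell,
            "orphaned": bool(target) and not os.path.exists(target)}

def audit_launch_items(dirs=LAUNCH_DIRS):
    """Describe every .plist in the given launchd directories (missing dirs skipped)."""
    found = []
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".plist"):
                    found.append(describe_job(os.path.join(d, name)))
    return found

def demo():
    """Constructed sample in a temp dir: a leftover 'sh' helper (hypothetical
    vendor name and script path) next to a healthy job pointing at a real binary."""
    tmp = tempfile.mkdtemp()
    jobs = {
        "com.example.ok.plist": {"Label": "com.example.ok", "Program": sys.executable},
        "com.example.vpn.helper.plist": {
            "Label": "com.example.vpn.helper", "RunAtLoad": True,
            "ProgramArguments": ["/bin/sh", "/Library/Application Support/ExampleVPN/helper.sh"]},
    }
    for name, job in jobs.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            plistlib.dump(job, fh)
    return audit_launch_items([tmp])
```

Run `audit_launch_items()` with no arguments on the Mac itself to inventory the real folders; an entry that is both `runs_via_shell` and `orphaned` is the first thing to look up by its label before deleting anything.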

Shell is part of the OS kernel

NO! No, it is not part of the OS kernel. Sheesh.

A “shell” is a purely text-based interface to your computer. There are many shells out there, but “sh” (aka the Bourne shell) is the first and oldest. Shells can be run interactively, where they wait for a user to type in commands, then run the commands and display the results, or they can run commands from a pre-written file, called a script.

Shell scripts are a convenient way to move files around and make other adjustments to them. Scripts are, in essence, little programs written in a language that is convenient for manipulating files. A shell script might be used during the installation and/or de-installation of a software package, e.g. your VPN.

And that’s likely to be what happened here. Having denied sh access to your drive, it was prevented from completing a task that you probably initiated. As a result, there are probably some leftover files lying around. Hopefully, nothing too bad, but you might see some errors if a lingering file is still sitting in a place where it could ask the OS to do something for you, especially on startup.

Don’t sweat it. A UNIX nerd could probably locate that script and re-run it, at which point you could grant the access and let it complete, but it’s probably not going to hurt anything.

Thank you for such a detailed response.

So basically I should just wait until I discover some sort of legit application I have doesn’t have functionality. Leave it unchecked until then?

Is there truly no way to answer who is behind it and what does it want to do otherwise?

Okay so this morning I have navigated from Go → My Mac’s partition → Library → Launch Agents and Launch Daemons. There is nothing there. Should I be concerned?

Shells are “userland,” and absolutely not part of the kernel.

What about the 3rd question?

Okay so this morning I have navigated from Go → My Mac’s partition → Library → Launch Agents and Launch Daemons.

There is nothing there. Should I be concerned?

I know what it is. I’ve been working on this for 30 years. As I said, it’s easier for beginners to understand. It’s interfacing other userland processes and the OS kernel so I’m saying it’s part of the system. I don’t bother lecturing another computer structure course here.

Maybe I should use the word “core” instead.

Unfortunately no. Processes pass their demands to the shell and the shell passes them to the system, so the system only knows that the request is coming from the shell.

Basically it’s not something that an application will normally do, since there are other APIs for the same thing that are way more efficient than passing it through the shell.

Usually it’s the process that interprets user-defined scripts for extended functions. Such as Workflow in Alfred, or user-defined gestures in BetterTouchTools, or user-defined hot keys in Keyboard Maestro. Something like that.

IMO, the chance of malicious attacks is rather low. As I said, it’s not an effective approach for what it wants to do. But I won’t take the risk.

Not all malicious attacks will inject launch service scripts there. It can be a compromised legit application.

That said, this request can also be totally legit. We don’t know about that.