

I'm technically still on holiday, so this is a slightly more lightweight edition than normal. Back to the usual babblings Tuesday!
fswatch
This isn't exactly "new", but I am regularly surprised at how few folks know about fswatch, a tool and library that monitors filesystem locations for changes.
It's likely easier to just show you how it works (I'll explain what this does below the terrible, terrible Substack code block):
$ fswatch --batch-marker -xr ${HOME}/Downloads
/Users/hrbrmstr/Downloads/.com.vivaldi.Vivaldi.xDrvc8 Created IsFile Updated Renamed AttributeModified
/Users/hrbrmstr/Downloads/Unconfirmed 920116.crdownload Created IsFile Renamed AttributeModified
/Users/hrbrmstr/Downloads/Unconfirmed 920116.crdownload OwnerModified IsFile Renamed
/Users/hrbrmstr/Downloads/2206.14539.pdf Created IsFile Renamed AttributeModified
/Users/hrbrmstr/Downloads/2206.14539.pdf OwnerModified IsFile Renamed AttributeModified
/Users/hrbrmstr/Downloads/2206.14539.pdf IsFile AttributeModified
NoOp
/Users/hrbrmstr/Downloads/2206.14539.pdf IsFile Renamed
NoOp
/Users/hrbrmstr/Downloads/.DS_Store AttributeModified IsFile Updated
NoOp
I asked fswatch to monitor my Downloads folder, to place a NoOp tag between "batch" filesystem operations (batching is based on event timing, which is configurable), and to add some details to each record (line) about what changed.
In the example, I downloaded a PDF from arXiv using Vivaldi, then deleted it using the Finder.
On proper operating systems, you can pipe the output to xargs to run commands for each batch of operations. On macOS, I could use some built-in operating system functionality to do something similar, but then I'd be locked in to Apple's idioms. I'd rather use fswatch on both macOS and Linux with the same structure and commands, vs. having to code-switch between the two.
It has solid docs and has worked well for ages.
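As an added example (not code from the original post or from the fswatch project), the POSIX shell functions below consume the `--batch-marker -x` output shown above, group it by the NoOp marker, and hash each newly arrived file so every download leaves a SHA-256 record. The function names are hypothetical, the sample records are copied from the output above, and `shasum` is assumed to be installed.

```shell
# Flag names fswatch can print with -x (--event-flags).
FLAGS="NoOp PlatformSpecific Created Updated Removed Renamed OwnerModified AttributeModified MovedFrom MovedTo IsFile IsDir IsSymLink Link Overflow"
TAB=$(printf '\t')

# Paths can contain spaces, so peel known flag names off the right-hand end.
split_event() {
  EV_PATH=$1 EV_FLAGS=" "
  while :; do
    last=${EV_PATH##* }
    [ "$last" != "$EV_PATH" ] || break   # no space left: the rest is path
    case " $FLAGS " in *" $last "*) ;; *) break ;; esac
    EV_FLAGS=" $last$EV_FLAGS"
    EV_PATH=${EV_PATH% *}
  done
}

# Print "batch<TAB>path" once per batch for each file flagged Created or Renamed.
new_files_by_batch() {
  n=1 seen=$TAB
  while IFS= read -r rec; do
    if [ "$rec" = "NoOp" ]; then n=$((n + 1)); seen=$TAB; continue; fi
    split_event "$rec"
    case "$EV_FLAGS" in *" IsFile "*) ;; *) continue ;; esac
    case "$EV_FLAGS" in *" Created "*|*" Renamed "*) ;; *) continue ;; esac
    case "$seen" in *"$TAB$EV_PATH$TAB"*) continue ;; esac
    seen="$seen$EV_PATH$TAB"
    printf '%s\t%s\n' "$n" "$EV_PATH"
  done
}

# The Finder delete in the post also shows up as Renamed: hash only what exists.
hash_existing() {
  while IFS=$TAB read -r batch path; do
    if [ -f "$path" ]; then shasum -a 256 "$path"; fi
  done
}

# Records copied from the post's sample output (abridged).
sample_events() {
  cat <<'EOF'
/Users/hrbrmstr/Downloads/Unconfirmed 920116.crdownload Created IsFile Renamed AttributeModified
/Users/hrbrmstr/Downloads/Unconfirmed 920116.crdownload OwnerModified IsFile Renamed
/Users/hrbrmstr/Downloads/2206.14539.pdf Created IsFile Renamed AttributeModified
/Users/hrbrmstr/Downloads/2206.14539.pdf IsFile AttributeModified
NoOp
/Users/hrbrmstr/Downloads/2206.14539.pdf IsFile Renamed
NoOp
EOF
}
```

Against a live directory the pipeline is `fswatch --batch-marker -xr "$HOME/Downloads" | new_files_by_batch | hash_existing`; a path whose final word happens to be a flag name would be split incorrectly, and paths containing tabs are not handled.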
sandbox-exec
The sandbox-exec macOS utility is one more question in the ever-growing "WTHeck, Apple?!" question set (and also one more addition to the "folks don't seem to know about this utility" category).
I ask you to download a ton of binaries in these newsletter editions. I try them all ahead of time (or have used them for ages), but none of us should trust anything we get from the internets. Apple's sandbox-exec utility lets you fence-in applications, and only allow them to access resources in constrained ways, using rules created in a Scheme-like language (b/c we totally needed one more configuration language).
Why "WTHeck, Apple?!"? Well, Apple doesn't want you to use this utility, even though they installed it for you, and it comes with zero official documentation, though you can browse rulesets that come with macOS in /System/Library/Sandbox/Profiles.
Karl Tarvas did a decent job collecting some resources on sandbox-exec a while back, which hold up pretty well today, and "7402" has some extended examples.
More recently, Kevin Lynagh made sandboxitron, a shell script and a set of boilerplate rulesets that makes it super easy to sandbox CLI tools:
sb opens a shell in an offline sandbox that can only read/write the current directory and its children.
sb online opens a shell in an online sandbox.
sb online -- ping www.google.com runs ping www.google.com in an online sandbox and returns.
aws-nuke
This needs no real exposition, since the sole purpose of aws-nuke is to delete every AWS resource from an account. It's kind of like Iron Man's Clean Slate Protocol, only lamer b/c it doesn't involve fancy battle suits.
Use it with caution, though you have to use the option --no-dry-run for it to destroy anything.
FIN
Celebrate your remaining freedoms (in the U.S.) while you can, today. Me? I'd rather pretend we're commemorating the defeat of an alien horde who tried to take over the Earth. ☮