The Quarantine Room Mac OS
I recently drew attention to the fact that, without a quarantine flag set on a download, it’s all too easy for malware to gain entry to a Mac, particularly if it’s running Mojave or earlier. This article looks in more detail at how setting the quarantine flag is controlled by apps and macOS, and explains how Apple mitigates this issue.
Apr 15, 2020

The quarantine attribute can be copied from one file to another with xattr: read it from the downloaded disk image into a file, then write that same value onto the second file:

```sh
xattr -p com.apple.quarantine /Users/user/dnscrypt-osxclient-1.0.12.dmg > quarantine.attr
xattr -w com.apple.quarantine "$(cat quarantine.attr)" test.command
```

This applies the data gathered from the .dmg to the .command file, including the download date and the downloading app of the original dmg file.
Although apps and other software can set and remove quarantine flags using explicit code, this is most usually left to a setting in the Info.plist property list which every app is required to contain. The entry there which controls flag behaviour is named LSFileQuarantineEnabled, and you can inspect this in each app to check what should happen when that app creates a new file, for example when downloading something from the Internet. When this is set to true, every new file created by that app should have the quarantine flag set; when false, they won’t unless macOS overrides that behaviour. If an unsandboxed app’s Info.plist doesn’t set LSFileQuarantineEnabled explicitly, then the default is not to set the quarantine flag.
You can of course edit an app’s Info.plist, but in doing so will break its signature. You may be able to get away with this for the time being, particularly on older versions of macOS, but it generally isn’t a wise choice.
macOS also provides a set of overrides to what appears in the Info.plist of many apps. These are listed in the Additions item in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist.
The Exceptions.plist property list contains five dictionaries:
- Additions, which assigns a lot of app categories, sets Java version requirements, and determines default settings for quarantine on documents created by apps.
- AppNapOverrides, which sets App Nap behaviours.
- HighResolutionOverrides, which overrides High Res options for apps.
- LaunchOverrides, which can disable specific version ranges of apps from being launched; these prevent many older apps from being run.
- MergeDocumentTypes, which merges some document types such as doc and docx for specific apps.
- Overrides, which can override other settings.
For example, the entry in the Additions dictionary for the popular BitTorrent client Transmission reads:

```xml
<key>org.m0k.transmission</key>
<dict>
<key>LSApplicationCategoryType</key>
<string>public-category.internet</string>
<key>LSFileQuarantineEnabled</key>
<true/>
</dict>
```

Referring to the app by its ID of org.m0k.transmission, that first assigns the app to an app category of public-category.internet, and then sets the app to set the quarantine flag on all documents that it creates, including everything that it downloads.
Among the existing overrides in Catalina, for example, are org.pythonmac.unspecified.BitTorrent and org.xlife.Xtorrent, which ensures that Transmission, Xtorrent and PythonMac BitTorrent clients should write quarantine flags to all their downloaded files. Although this Exceptions property list doesn’t cover every client, it should ensure that most do protect their downloads with quarantine flags.
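The precedence described above (an Additions entry in Exceptions.plist overrides the app's own Info.plist, and an unsandboxed app that says nothing defaults to not setting the flag) can be checked mechanically. The following is an added example, not code from the original article or from Apple; the function names and the two sample property lists are constructed here, and only the path to Exceptions.plist and the Transmission entry come from the text.

```python
"""Resolve the effective LSFileQuarantineEnabled policy for an app.

Added example. Rules modelled, as described in the article:
  1. an entry for the bundle ID in the Additions dictionary of
     Exceptions.plist wins over the app's own Info.plist;
  2. otherwise the app's own LSFileQuarantineEnabled key applies;
  3. otherwise (unsandboxed app, no key) the flag is NOT set.
"""
import plistlib
from typing import Optional, Tuple

# Path quoted in the article (macOS only; read by check_installed_app).
EXCEPTIONS_PLIST = ("/System/Library/CoreServices/CoreTypes.bundle/"
                    "Contents/Resources/Exceptions.plist")

# Constructed sample of the Additions dictionary, mirroring the
# Transmission entry quoted in the article.
SAMPLE_EXCEPTIONS = plistlib.dumps({
    "Additions": {
        "org.m0k.transmission": {
            "LSApplicationCategoryType": "public-category.internet",
            "LSFileQuarantineEnabled": True,
        },
    },
})

# Constructed Info.plist for a hypothetical downloader with no key at all.
SAMPLE_INFO_NO_KEY = plistlib.dumps({
    "CFBundleIdentifier": "com.example.downloader",
    "CFBundleName": "Downloader",
})

# Constructed Info.plist that opts out; the Additions entry should override it.
SAMPLE_INFO_FALSE = plistlib.dumps({
    "CFBundleIdentifier": "org.m0k.transmission",
    "LSFileQuarantineEnabled": False,
})


def override_for(bundle_id: str, exceptions_plist: bytes) -> Optional[bool]:
    """Return the LSFileQuarantineEnabled value from Additions, or None."""
    additions = plistlib.loads(exceptions_plist).get("Additions", {})
    value = additions.get(bundle_id, {}).get("LSFileQuarantineEnabled")
    return None if value is None else bool(value)


def effective_quarantine(info_plist: bytes,
                         exceptions_plist: bytes) -> Tuple[bool, str]:
    """Return (flag_will_be_set, reason) for the app described by info_plist."""
    info = plistlib.loads(info_plist)
    bundle_id = info.get("CFBundleIdentifier", "")
    override = override_for(bundle_id, exceptions_plist)
    if override is not None:
        return override, f"Exceptions.plist Additions entry for {bundle_id}"
    own = info.get("LSFileQuarantineEnabled")
    if own is not None:
        return bool(own), "app's own Info.plist"
    return False, "no LSFileQuarantineEnabled key; default is not to set the flag"


def check_installed_app(app_path: str,
                        exceptions_path: str = EXCEPTIONS_PLIST) -> Tuple[bool, str]:
    """Read the real files from disk (macOS only) and resolve the policy."""
    with open(f"{app_path}/Contents/Info.plist", "rb") as f:
        info = f.read()
    with open(exceptions_path, "rb") as f:
        exceptions = f.read()
    return effective_quarantine(info, exceptions)


if __name__ == "__main__":
    samples = (("Downloader", SAMPLE_INFO_NO_KEY),
               ("Transmission", SAMPLE_INFO_FALSE))
    for name, info in samples:
        flag, why = effective_quarantine(info, SAMPLE_EXCEPTIONS)
        print(f"{name}: quarantine flag {'set' if flag else 'NOT set'} ({why})")
```

Running the sample shows the downloader with no key resolving to "NOT set" and Transmission resolving to "set" despite its own Info.plist, because the Additions entry takes precedence. On a Mac, `check_installed_app("/Applications/Transmission.app")` performs the same resolution against the real files.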
There are two snags to this otherwise protective system: first, the file containing these overrides is protected, in Catalina being on the System volume, so the user is effectively prevented from changing it. Unlike app preferences, which can be managed by the user at the command line, there’s no way for the user to add their own overrides. If you download items using an app which doesn’t itself require the quarantine flag to be set, and Apple doesn’t provide an override for it to do so, there doesn’t appear to be any good way to add that yourself.
It’s also unclear whether this system works with command tools, which are single-file executables. They can have their Info.plist embedded in the executable, but this is rare unless they need to be notarized. For many users, it might be helpful, for example, if the standard tool curl were to set quarantine flags, as it’s often used to bypass quarantine and thus presents a significant vulnerability.
Finally, for some users at least, an app setting the quarantine flag isn’t of much use, as that user routinely strips the flag from downloads. If you do that, you’re steering into as much danger as you would by using an app which never sets them in the first place.
I’m enormously grateful to @rosyna who pointed me in the right direction, again.
Display and manipulate extended attributes

```
xattr [-lrsvx] file …
xattr -p [-lrsvx] name file …
xattr -w [-rsx] name value file …
xattr -d [-rsv] name file …
xattr -c [-rsv] file …
```

Display, modify or remove the extended attributes of files, directories or symbolic links. These are indicated by ls with an @.

Extended attributes are arbitrary metadata stored separately from the basic filesystem attributes (such as modification time or file size).
| Operation | Meaning |
|---|---|
| (none) | without an operation, displays names only |
| -l | long format: both names and values are displayed. Default: only names or values. For hexadecimal display, output is preceded with the hexadecimal offset and followed by an ASCII display, similar to hexdump -C. |
| -p [-lrsvx] name file … | print the value for name. Displayed as a string, unless nulls are in the data or -x is given, in which case it is displayed in hexadecimal. |
| -w [-rsx] name value file … | write name and value. value is a string or, with -x, hexadecimal (whitespace ignored). The xxd utility can be used to create hexadecimal representations from binary data. |
| -d [-rsv] name file … | delete name (and value) |
| -c [-rsv] file … | clear all extended attributes |

Options:

| Option | Meaning |
|---|---|
| -r | recursively process directories |
| -s | act on the symbolic link itself, if file is a symbolic link |
| -v | verbosely display the file name (with only one file the name is otherwise suppressed) |
| -x | display in hexadecimal |

value is often a null-terminated UTF-8 string, but can be arbitrary binary data.
Exit status

On error, non-zero is returned and an error message is output to standard error. HOWEVER, no message is displayed and the return code is 0 if the file does not exist!

For system call errors, both the error code and error string are output. "No such file: file" with a return status of 1 is reported for symbolic links if -s is not supplied! "[Errno 32] Broken pipe" might be reported if xattr is piped to head.
| Error | Meaning |
|---|---|
| ENOATTR | No extended attribute |
| EEXIST | named attribute exists with XATTR_CREATE |
| ENOATTR | no attribute with XATTR_REPLACE |
| EACCES | Access denied for search for a component of path, or permission is denied to read attributes from path. |
| EROFS | Read Only File System |
| EINVAL | invalid name, or options has an unsupported bit set. |
| EISDIR | Is a Directory, but the attribute in question is only applicable to files. Similar to EPERM. |
| ELOOP | Looping symbolic links |
| EFAULT | path points to an invalid address. |
| ENOTSUP | NOT Supported by the file system, or xattr is disabled. |
| ENOTDIR | NOT a DIRectory |
| ENAMETOOLONG | name exceeds XATTR_MAXNAMELEN UTF-8 bytes, or a component of path exceeds NAME_MAX characters, or the entire path exceeds PATH_MAX characters. |
| ERANGE | namebuf (as indicated by size) is too small to hold the list of names. |
| EPERM | path or fd refer to a file system object that does not support extended attributes. For example, resource forks don't support extended attributes. |
| EIO | I/O error occurred. |
| EINVAL | INVALid options |
| E2BIG | size of the extended attribute is too large. |
| ENOSPC | Not enough SPaCe left on the file system. |
Some attribute data may have a fixed length that is enforced by the system. For example, the com.apple.FinderInfo attribute must be 32 bytes in length.

Warning:
- Some extended attribute values can be VERY large (like 3,649,818 bytes, producing a hex and char display of several megabytes).
- Displaying this to a terminal may not be a good idea.
EXAMPLES

A quarantined file that fails Gatekeeper's check produces a dialog such as:

'file.jar' can't be opened because it is from an unidentified developer. Your security preferences allow installation of only apps from the App Store and identified developers.

browser downloaded this file xxx at hh:mm from domain

com.apple.FinderInfo attribute to the MyDir

from the /usr directory list, then clear xattributes: additional bytes totaling 17,793,106!

As of OS X El Capitan 10.11, some examples (sizes are observed lengths in bytes):

| Attribute | Size (bytes) | Description |
|---|---|---|
| com.apple.lastuseddate#PS | 16 | NSMetadataItemLastUsedDateKey, e.g. 3D 6A 45 60 00 00 00 00 53 20 D4 38 00 00 00 00 |
| com.apple.quarantine | 22, 25, 26, 30, 31, 34, 38, 42, 46, 49, 54, 57, 60, 61, 70, 74, 78, 85, 89 | a quarantine status, the time when a file was quarantined, and the application that downloaded the file. |
| com.apple.metadata:kMDItemWhereFroms | 78, 119, 100-566 | the URL where a file was downloaded from, sometimes also including the chain of URLs that were redirected to that URL. |
| com.apple.metadata:kMDItemDownloadedDate | 53 | time when a file was downloaded. |
| com.apple.metadata:kMDItemFinderComment | | Spotlight comment, which is usually also stored in a .DS_Store file. |
| com.apple.metadata:_kMDItemUserTags | | tags. |
| com.apple.metadata:kMDLabel_jmugefj4ksjcrhaoknys6lqqay | 89 | |
| com.apple.metadata:com_apple_backup_excludeItem | 61 | |
| com.apple.decmpfs | | implements HFS+ compression. It is not shown by xattr. |
| com.apple.diskimages.fsck | 20 | verification status for DMG files. |
| com.apple.diskimages.recentcksum | 79, 80, 81 | |
| com.apple.FinderInfo | 32 | file flags, which are not actually stored as an extended attribute. |
| com.apple.progress.fractionCompleted | 1, 4 | for a .download bundle. |
| com.apple.ResourceFork | 286 | which is not actually stored as an extended attribute. |
| com.apple.system.Security | | implements ACLs. It is not shown by xattr. |
| com.apple.TextEncoding | 11, 15 | for a file saved with an application like TextEdit. |
| com.apple.ubd.prsid | ? | Library/Mobile Documents 95670203 |
| com.apple.Preview.UIstate.v1 | 244, 252, 255, 258, 262 | |
| NSImageMetadata | | |

Sample values:

```
com.apple.diskimages.fsck:
000 CD B4 BF D6 65 3E 83 91 82 4E 6B D3 00 1E 6B 60  ....e>...Nk...k`
010 B4 26 CE 16                                      .&..
014
com.apple.diskimages.recentcksum: i:6200308 on B1CA7351-D631-3AA7-8D0F-B2BC3D7CA2E4 @ 1449099544 - CRC32:$7BA8C2E1
com.apple.quarantine: 0002;5786571b;Safari.app;A7173968-A74A-4CF6-A618-781494E1E0FE
```
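The com.apple.quarantine value shown above is a small semicolon-separated record: flags in hex, the download time as hex seconds since the Unix epoch, the downloading agent, and a UUID. The following is an added example, not code from the original page: it parses that record so a defender can tell at a glance whether a download still carries the flag and who wrote it. The function names are this example's own, the sample value is the one from the table above, and because the page does not document individual flag bits only the raw flags value is reported. The optional `read_quarantine` helper shells out to the real xattr tool, so it is macOS only, and it treats the exit-status quirk noted above (status 0 with no output when the file or attribute is absent) as "no attribute".

```python
"""Parse and report a com.apple.quarantine extended attribute value.

Added example. Record layout (from the sample on the page):
    <flags hex>;<epoch seconds hex>;<agent>;<uuid>
"""
import subprocess
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Sample value copied from the page's table of examples.
SAMPLE = "0002;5786571b;Safari.app;A7173968-A74A-4CF6-A618-781494E1E0FE"


class Quarantine(NamedTuple):
    flags: int              # raw flag bits; meaning not documented on the page
    downloaded_at: datetime  # UTC time the file was quarantined
    agent: str              # application that wrote the flag
    uuid: Optional[str]     # per-download identifier, absent on some records


def parse_quarantine(value: str) -> Quarantine:
    """Split a com.apple.quarantine string into its four fields.

    Raises ValueError if the record has fewer than three fields or if the
    hex fields do not parse, rather than silently returning garbage.
    """
    parts = value.strip("\x00\n").split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected com.apple.quarantine format: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, downloaded_at, agent, uuid)


def describe(value: str) -> str:
    """One-line human-readable summary of a quarantine record."""
    q = parse_quarantine(value)
    when = q.downloaded_at.strftime("%Y-%m-%d %H:%M:%S UTC")
    uuid = q.uuid or "(no uuid)"
    return f"flags=0x{q.flags:04x} downloaded={when} by={q.agent} uuid={uuid}"


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read and parse the attribute from a real file (macOS only).

    Returns None when the file has no com.apple.quarantine attribute. Note
    that xattr also exits 0 with empty output when the file itself does not
    exist, so an absent file is reported the same way as an unflagged one.
    """
    result = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return parse_quarantine(result.stdout)


if __name__ == "__main__":
    print(describe(SAMPLE))
    # Expected: flags=0x0002 downloaded=2016-07-13 ... by=Safari.app uuid=A7173968-...
```

The timestamp field is the detail most often overlooked: 0x5786571b is plain Unix time written in hex, so it converts with `int(field, 16)` and no further transformation. A record that parses but carries an unexpected agent name, or none of the expected fields, is worth a closer look during incident triage.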