Conventional wisdom is that a ‘quarantine flag’ is attached to files which are downloaded from the Internet, using most but not all apps, and is used to determine whether an app or other executable code needs to undergo a full first run check by Gatekeeper.

Although there’s nothing inherently wrong with that, there’s a great deal more to quarantine and its extended attribute than that. For a start, the majority of items on your Mac which carry a quarantine flag aren’t apps at all, but non-executable documents. And in most cases, macOS doesn’t even know why they are there.

Quarantine and the extended attribute (xattr) originated in macOS 10.5 in 2007, although Gatekeeper didn’t appear until 10.7 in 2011-12, at around the same time that sandboxing was introduced. Apple’s original and updated accounts for users only refer to quarantine of apps for Gatekeeper’s checks. In this first of two articles, I look at how quarantine works for apps and other executables, including both code and scripts.

All files which are downloaded from the Internet, using HTTPS or HTTP, in email messages, and by other means, can have a quarantine flag attached to them by the app which performs the downloading. Commonly-used apps such as Safari, third party browsers, and most mail clients respect this, but apps giving access to torrents and the command tool curl don’t. If you download an archive or installer from a website using your browser, a flag will normally be attached. But custom app download-installers and most updaters either don’t set the flag at all, or, when one is set, remove it (for example, Sparkle-based updaters).

It’s essential to remember that the quarantine flag is an opt-in system, and not one imposed by macOS itself. Any developer, including malware authors, can download files from the Internet without setting the flag on them, and any app on your Mac can change or strip the quarantine flag on any item to which it has write permission. The use of these flags in security is very much a gentleman’s agreement, which is easily broken when software doesn’t behave like a gentleman.

The quarantine flag is among the stickiest of all xattrs. When you unZip an archive which has been flagged, the xattr is normally propagated to all items which are saved from that, a behaviour which ensures that compressed apps retain their flag when uncompressed, for example. This isn’t, though, imposed by macOS, and some tools and utilities which can decompress archives may not follow this behaviour; the bundled Archive Utility does, though.

In macOS Mojave, a typical quarantine xattr consists of a Unicode string of the form

0083 5991b778 Safari.app BC4DFC58-0D26-460D-9688-81D119298642

The fields of that string include:

- the time at which the xattr was attached, in hexadecimal,
- the app or agent responsible for creating the xattr (normally the downloading app too),
- a UUID referring to the entry for this quarantine flag in the QuarantineEvents database.

The QuarantineEvents database is an SQLite database in ~/Library/Preferences/. There appears to be no system-level equivalent, so each user is only able to access details of their own quarantine events, not those of other users. At no time does macOS appear to perform any maintenance or checks on that database. If a quarantine flag bearing a UUID reference is removed, that entry should also be removed from the database, but macOS doesn’t appear to check that it is, nor does it scan through database entries to check whether their quarantine flags still exist.

When an app or other executable is run, its quarantine xattr is checked before opening. If the executable code hasn’t been cleared previously by a full Gatekeeper check, that is deemed to be its first run, and a full check is performed. If that is successful, the quarantine value on all checked executable code is changed from (for example) one value to another. Subsequent attempts to run that code are then no longer blocked for the first run Gatekeeper check to be performed. Successful completion of that first run check doesn’t alter the quarantine xattrs attached to non-executable files within an app bundle, though.

Earlier versions of macOS have used other bits in the quarantine value too.
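To make the field layout concrete, here is an added Python example (not code from this article, nor from Apple) that parses a quarantine value into its fields, reads the value from a file with the xattr(1) tool on a Mac, and tallies flagged items by the agent that set them and by whether they are executable, which is the only kind of item Gatekeeper's first run check ever looks at. It assumes that the stored value separates its fields with semicolons (the rendering in the article shows them with spaces, and the parser accepts both) and that the second field is a Unix time in hexadecimal; the leading field is kept as a hex flag word without decoding individual bits. The function names, the directory-walking helper and every sample value other than the article's own Safari.app line are my own constructions.

```python
"""Added example: parse, read and tally com.apple.quarantine values."""
from __future__ import annotations

import os
import platform
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

XATTR_NAME = "com.apple.quarantine"


@dataclass
class QuarantineRecord:
    flags: int                 # leading hex word, e.g. 0x0083 (bits not decoded here)
    attached_at: datetime      # when the xattr was attached, decoded from the hex time
    agent: str                 # app or agent that attached it, e.g. Safari.app
    event_uuid: Optional[str]  # key into that user's QuarantineEvents database, if any


def parse_quarantine(value: str) -> QuarantineRecord:
    """Split a quarantine value into its fields.

    Assumption: the stored value separates fields with ';'; whitespace-separated
    input (the way the value is rendered in the article) is accepted as well.
    """
    sep = ";" if ";" in value else None
    parts = [p.strip() for p in value.strip().split(sep)]
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)
    attached_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineRecord(flags, attached_at, parts[2], uuid)


def read_quarantine(path: str) -> Optional[QuarantineRecord]:
    """Read and parse the flag on one file using xattr(1). macOS only.

    Returns None when the file carries no quarantine xattr (xattr exits
    non-zero in that case).
    """
    if platform.system() != "Darwin":
        raise RuntimeError(f"{XATTR_NAME} only exists on macOS")
    proc = subprocess.run(["xattr", "-p", XATTR_NAME, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


def scan_tree(root: str) -> dict[str, QuarantineRecord]:
    """Hypothetical helper: collect every flagged file under root (macOS only)."""
    flagged: dict[str, QuarantineRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rec = read_quarantine(path)
            if rec is not None:
                flagged[path] = rec
    return flagged


def summarise(flagged: dict[str, QuarantineRecord],
              is_executable: Callable[[str], bool] = lambda p: os.access(p, os.X_OK),
              ) -> dict:
    """Tally flagged items by agent and by executable vs. non-executable.

    Only executables ever reach Gatekeeper's first run check; the rest are the
    plain documents that, as the article says, make up most flagged items.
    """
    by_agent: dict[str, int] = {}
    executables = documents = 0
    for path, rec in flagged.items():
        by_agent[rec.agent] = by_agent.get(rec.agent, 0) + 1
        if is_executable(path):
            executables += 1
        else:
            documents += 1
    return {"by_agent": by_agent, "executables": executables, "documents": documents}


if __name__ == "__main__":
    # The article's own sample value, parsed on any platform:
    rec = parse_quarantine("0083;5991b778;Safari.app;BC4DFC58-0D26-460D-9688-81D119298642")
    print(rec)
    if platform.system() == "Darwin":
        for key, val in summarise(scan_tree(os.path.expanduser("~/Downloads"))).items():
            print(key, val)
```

Run on a Mac, the main block walks ~/Downloads and prints how many flagged items each agent left behind and how few of them are executables; elsewhere only the parsing runs. The time field in the article's sample decodes to 14 August 2017 UTC, which is the kind of detail a responder wants when reconciling a flag against the user's QuarantineEvents database.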