“Disabling” Launch Services File Quarantine


Dan Benjamin of The Talk Show fame posted a general inquiry to the Twitterverse on how to disable the Leopard open confirmation dialog that comes up when you attempt to access a recently downloaded file.

This dialog is one of Leopard’s new security features, called “File Quarantine”, and is primarily designed to protect users from trojan horse attacks. Any application that may download file content from the Internet can tag the files as “quarantined” to indicate that they may be from an untrustworthy source. This is done simply by assigning values to one or more quarantine properties, which preserve information about when and where the file came from.

In OS X, the majority of user-space files are opened via Launch Services. When an open event is triggered (e.g. by double-clicking on the file), the operating system checks to see if the quarantined file appears to be an application, script, or other executable file type. If that is the case, Launch Services will display an alert asking the user to confirm that they want to open it. If/once the file is opened, the quarantine properties are automatically cleared by Launch Services if the user has write access to the file.

The Gory Details

You can see this in action if you’re willing to brave the Terminal. Go ahead and download some application from the internet, say Bean 1.0 (the minimalist document editor which released version 1.0 yesterday). Open up a Terminal prompt and type:

xattr -l Downloads/Bean-Install.dmg

xattr is a command that can perform operations on extended file attributes that are normally hidden from the GUI side of OS X.

After running that command – which lists these attributes – you’ll see some very unfriendly output that looks like this (the main items we care about are described below):

com.apple.diskimages.recentcksum: i:4803338 on 26E026C0-FD2C-3745-8A89-3F2157D5B176 @ 1206470700 - CRC32:$E2826548
com.apple.metadata:kMDItemWhereFroms:
0000   62 70 6C 69 73 74 30 30 A2 01 02 5F 10 31 68 74    bplist00..._.1ht
0010   74 70 3A 2F 2F 77 77 77 2E 62 65 61 6E 2D 6F 73    tp://www.bean-os
0020   78 2E 63 6F 6D 2F 72 65 6C 65 61 73 65 73 2F 42    x.com/releases/B
0030   65 61 6E 2D 49 6E 73 74 61 6C 6C 2E 64 6D 67 5F    ean-Install.dmg_
0040   10 2B 68 74 74 70 3A 2F 2F 6D 61 63 75 70 64 61    .+http://macupda
0050   74 65 2E 63 6F 6D 2F 69 6E 66 6F 2E 70 68 70 2F    te.com/info.php/
0060   69 64 2F 32 34 38 38 31 2F 62 65 61 6E 08 0B 3F    id/24881/bean..?
0070   00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 03    ................
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D    ...............m

com.apple.quarantine: 0000;47ea606e;Safari;569BD03D-469D-4546-92FF-83C0F3669A07|com.apple.Safari

  • “com.apple.diskimages.recentcksum” has the checksum of the disk image, which is used in verifying the integrity of the file.
  • “com.apple.metadata:kMDItemWhereFroms” stores the URL where the file was downloaded from.
  • “com.apple.quarantine” – however – is the entry that causes Launch Services to generate the confirmation dialog.
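For anyone auditing downloaded files rather than silencing the dialog, the following added example (not part of the original post) pulls the “com.apple.quarantine” entry out of an xattr -l listing and splits it into its parts. The field meanings are an assumption read off the sample value above: a hex flag word, a hex Unix timestamp, the downloading agent, then an event UUID and bundle identifier separated by “|”.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Two lines copied from the xattr -l listing above.
LISTING = """\
com.apple.diskimages.recentcksum: i:4803338 on 26E026C0-FD2C-3745-8A89-3F2157D5B176 @ 1206470700 - CRC32:$E2826548
com.apple.quarantine: 0000;47ea606e;Safari;569BD03D-469D-4546-92FF-83C0F3669A07|com.apple.Safari
"""

@dataclass
class Quarantine:
    flags: int           # first field, parsed as hex (assumed flag word)
    tagged_at: datetime  # second field, assumed hex Unix time, shown as UTC
    agent: str           # application that tagged the file
    event_id: str        # UUID before the "|"
    bundle_id: str       # text after the "|" (empty if absent)

def parse_quarantine(value: str) -> Quarantine:
    """Split a com.apple.quarantine value into its semicolon-separated fields."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    tail = fields[3] if len(fields) > 3 else ""
    event_id, _, bundle_id = tail.partition("|")
    return Quarantine(
        flags=int(fields[0], 16),
        tagged_at=datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        agent=fields[2],
        event_id=event_id,
        bundle_id=bundle_id,
    )

def find_quarantine(listing: str) -> Optional[Quarantine]:
    """Return the parsed quarantine entry, or None if the attribute is gone."""
    prefix = "com.apple.quarantine:"
    for line in listing.splitlines():
        if line.startswith(prefix):
            return parse_quarantine(line[len(prefix):])
    return None

if __name__ == "__main__":
    q = find_quarantine(LISTING)
    print(q.agent, q.bundle_id, q.tagged_at.isoformat(), hex(q.flags))
    # A listing without the attribute (cleared or removed) yields None.
    print(find_quarantine(LISTING.splitlines()[0]))
```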

The only way to prevent this dialog from appearing is to remove this attribute, which can easily be done by doing the following from the Terminal:

xattr -d com.apple.quarantine Downloads/Bean-Install.dmg

This is not a practical solution as it would be much easier to just click “OK” and be done with the dialog rather than go through this series of command line gyrations.

A More Elegant Solution

If you are determined to bypass this built-in security feature (which I highly caution against), then you may be interested in the solution developed by Henrik and available over at The Pug Automatic. It involves an AppleScript that performs recursive “xattr -d” calls and is then attached to key folders – like “Downloads” – as a Folder Action. Any time files are added to the folder, the script will ensure that all quarantine values are unset, freeing you from having to expend precious energy and human compute cycles to evaluate a small dialog and click “OK”.

The script/action combination works well (I tried it and then removed it), but if you know of another means to accomplish this task (a hidden “defaults” setting, perhaps) or have more questions on File Quarantine (or other Leopard security features), please drop a note in the comments.

23 Comments

PA5CAL

In order to prevent the warning dialog from appearing, you can add an item named ‘LSQuarantine’ with type ‘boolean’ in the LaunchServices preferences file (e.g. ~/Library/Preferences/com.apple.LaunchServices.plist) and set it to ‘false’. For instance, you can do it by typing the following command in Terminal:

defaults write com.apple.LaunchServices LSQuarantine -bool NO

Then the Mac has to be restarted. The same command with ‘YES’ at the end enables the quarantine warning dialog again (you will have to restart your Mac too).

This works fine in Mac OS 10.6.

Note that this only prevents the appearance of the dialog. Quarantine data will still be attached to your downloaded files anyway.

Questor

As I’m interested in quarantine-ing NZB files, I added that as a file type via the script at MyMacinations but it doesn’t work, even as I ADD NZB as a file type to NOT be flagged with an alert.

Several people at various websites have reported that it doesn’t work for them. The 2nd method, the Folder Action Scripts, doesn’t work for me either and I’m on Mac OS X 10.5.8. It would be nice if this was isolated. It’s really annoying! And will Apple ever release Mac OS X 10.5.9? I hope so!

Clint

Yes, it would be much easier to just click OK when the dialog box comes up; however, I encountered a situation where clicking OK didn’t make it stop. Each and every program that was downloaded from the internet on a group of computers came up with the same message each and every time it was launched. I had downloaded all the apps as the Admin user, I repaired permissions, tried under a different admin user account, I re-downloaded the apps, I tried all kinds of things… nothing would clear that message on subsequent launches of those apps. There was some kind of glitch somewhere that prevented that attribute from clearing. I used that command to clear the attributes and now my users are happy again.

Thomas Tempelmann

@James, can you be a bit more explicit about what you did when you declared “public.item” as Neutral? How does this “neutral” word come into play here?

Dorian

This script doesn’t seem to work for me. I add php files and subfolders containing CSS files and other php files, but I still get the warning for some of the php files, saying it’s a “script” downloaded from the internet.

Anyone found a way to work around that? It’s driving me crazy…

Peter da Silva

I STRONGLY recommend disabling this kind of stupid dialog. Speaking as someone who has been a Windows network admin for 20 years, the biggest effect of these kinds of “you’re about to do something that might occasionally be stupid, but is almost always normal” dialogs is to train people to answer warning dialogs in the affirmative.

And it’s really hard to un-train them.

I’ve had several people come to me and ask “Peter, it asked me ‘do you want to install a virus on your computer’ (or something equally scary) and I clicked ‘install’ before I noticed what it was saying, and now my computer’s acting funny”. The same people. Multiple times. Yes, really.

THIS IS NOT A SECURITY FEATURE. IT IS A SECURITY FLAW.

When Apple added “open safe files” to Safari I groaned. I knew some stupid thing like this was coming up.

The most fun I’ve had with this was when a screen saver tried to run a program, and LaunchServices came up with the stupid warning, AND I COULDN’T DO ANYTHING ABOUT IT BECAUSE IT WAS UNDER THE SCREEN SAVER, AND THE SCREEN SAVER WAS WAITING FOR IT. I mean, Whisky Tango Foxtrot, Apple…

James

I FINALLY got it.

I can’t believe I didn’t try that. You just have to declare “public.item” as Neutral.

I also added a folder action script that puts a red label on applications that are moved into the download folder, and removes it when they are moved out of the folder. I preserved almost all of the security and removed most of the inconvenience.

James

How about this: forcing the .app extension to be visible until an application has been opened for the first time.

I suppose you’re right though, it shouldn’t be default and Apple doesn’t like options. Although I have to say, a nag screen this annoying isn’t very “Apple”.

Nectar

James wrote, “I don’t even understand the security benefit. If it’s trying to protect me from executables that appear to be something else, why does it bother me about executables that appear to be executables?”

Remember that by default, file extensions are not displayed. So for example, an application with a PDF icon will look like a PDF and not an application unless one examines it carefully (e.g. with Get Info). Even when file extensions are displayed, the “.app” at the end is a very subtle hint and easily missed.

Not a bad suggestion you make though: Perhaps when file extensions *are* displayed, the warning could be done away with. This could not be the default behavior, of course… but Apple is known for minimizing options, which may be why this is not configurable.

James

I’m having the same problem as Bob. I added:

public.html
public.executable
com.apple.application
com.apple.applicaiton-bundle
com.apple.aplication-file

and I don’t get warnings for html documents anymore, but I still get warnings for applications. Maybe it’s impossible to override the settings for applications?

This warning is extremely annoying (and insulting) and I don’t even understand the security benefit. If it’s trying to protect me from executables that appear to be something else, why does it bother me about executables that appear to be executables? Seriously… at the very least it should be disabled for files whose only extension is .app

Bob Rudis

@John: I never said (I actually contraindicated using any of this in the post) this was a good idea :-)

Sean

Apple’s answer to Oompa is a nag prompt? Hilarious.

Anyway, when you get tired of the nagging:

find . -print0 | xargs -0 ~/Applications/etc/xabatch ~/Applications/etc/com.apple.xabatch {}

Nectar

Note for those disabling quarantine:
The purpose of this functionality is one last line of defense against trojans such as OSX.Leap.A. If you disable quarantine, you will get no warning if you download an item that appears to be an image or PDF but is actually a malicious application.

John

Make sure that the file is valid XML and then you need to log out and log back in.

Although, honestly, .executable, .bundle and .application-file make for a very unwise set up.

Michel Fortin

There is a list of applications whose files are automatically quarantined by the system. Take a look at: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Resources/Exceptions.plist

Obviously, this does not prevent applications from quarantining themselves (as Safari does).

Bob Rudis

@John: I’ve created the “com.apple.DownloadAssessment.plist” file and added:

public.disk-image
public.archive
public.item
public.content
public.data
public.executable
com.apple.bundle
com.apple.application-file

to it and re-started Safari and download dmgs and still receive the “are you sure” dialog from Launch Services. This can definitely be me missing something, tho. Anything else I need to do?

Bob Rudis

@Dan: the script should be pretty easy to tweak. If you really want that option, let me know mailto: first @ last . net

@Justin: Very cool. Really good info. As I’ve said when working with Microsoft devs w/r/t code-signing: I just hope development teams have a good way to handle this so that keys don’t make it out of their control w/o knowing. Code-signing apps is not as simple as it sounds when you factor in employees leaving and how you integrate it into your build processes.

Justin

It’s probably worth noting that at least for Cocoa apps, if the developer code signs the application, this prompt is avoided, as is the one about giving access to keychain entries.

Dan

What about a way to do it within the downloads folder by file type, so only downloaded .DMG files would be un-quarantined?
