“Disabling” Launch Services File Quarantine
Dan Benjamin of The Talk Show fame posted a general inquiry to the Twitterverse on how to disable the Leopard open confirmation dialog that comes up when you attempt to access a recently downloaded file.
This dialog is one of Leopard’s new security features called “File Quarantine” and is primarily designed to protect users from trojan horse attacks. Any application that may download file content from the Internet can tag the files as being “quarantined” to indicate that they may be from an untrustworthy source. This is done simply by assigning values to one or more quarantine properties which preserve information about when and where the file came from.
In OS X, the majority of user-space files are opened via Launch Services. When an open event is triggered (i.e. by double-clicking on the file) the operating system checks to see if the file appears to be an application, script, or other executable file type. If that is the case, Launch Services will display an alert asking the user to confirm whether the file is some kind of application. If/once the file is opened, the quarantine properties are automatically cleared by Launch Services if the user has write access to the file.
The Gory Details
You can see this in action if you’re willing to brave the Terminal. Go ahead and download some application from the internet, say Bean 1.0 (the minimalist document editor which released version 1.0 yesterday). Open up a Terminal prompt and type:
xattr -l Downloads/Bean-Install.dmg
xattr is a command that can perform operations on extended file attributes that are normally hidden from the GUI side of OS X.
After running that command – which lists these attributes – you’ll see some very unfriendly output that looks like this (the main items we care about have been highlighted):
com.apple.diskimages.recentcksum: i:4803338 on 26E026C0-FD2C-3745-8A89-3F2157D5B176 @ 1206470700 - CRC32:$E2826548
com.apple.metadata:kMDItemWhereFroms:
0000 62 70 6C 69 73 74 30 30 A2 01 02 5F 10 31 68 74 bplist00..._.1ht
0010 74 70 3A 2F 2F 77 77 77 2E 62 65 61 6E 2D 6F 73 tp://www.bean-os
0020 78 2E 63 6F 6D 2F 72 65 6C 65 61 73 65 73 2F 42 x.com/releases/B
0030 65 61 6E 2D 49 6E 73 74 61 6C 6C 2E 64 6D 67 5F ean-Install.dmg_
0040 10 2B 68 74 74 70 3A 2F 2F 6D 61 63 75 70 64 61 .+http://macupda
0050 74 65 2E 63 6F 6D 2F 69 6E 66 6F 2E 70 68 70 2F te.com/info.php/
0060 69 64 2F 32 34 38 38 31 2F 62 65 61 6E 08 0B 3F id/24881/bean..?
0070 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 03 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D ...............m
com.apple.quarantine: 0000;47ea606e;Safari;569BD03D-469D-4546-92FF-83C0F3669A07|com.apple.Safari
- “com.apple.diskimages.recentcksum” has the checksum of the disk image which is used in verifying the integrity of the file.
- “com.apple.metadata:kMDItemWhereFroms” stores the URL where the file was downloaded from.
- “com.apple.quarantine” – however – is the entry that causes Launch Services to generate the confirmation dialog.
The only way to prevent this dialog from appearing is to remove this attribute, which can easily be done by doing the following from the Terminal:
xattr -d com.apple.quarantine Downloads/Bean-Install.dmg
This is not a practical solution as it would be much easier to just click “OK” and be done with the dialog rather than go through this series of command line gyrations.
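To check which downloads still carry the flag and which have lost it, the com.apple.quarantine value from the listing above can be parsed and each file classified. This is an added example, not code from the original post; the field layout (flags; hex Unix time; agent name; UUID|bundle ID) is an assumption, as are the two sample paths other than Bean-Install.dmg.

```python
from datetime import datetime, timezone

QUARANTINE = "com.apple.quarantine"
WHERE_FROMS = "com.apple.metadata:kMDItemWhereFroms"

def parse_quarantine(value):
    """Split a com.apple.quarantine value into named fields.

    Assumed layout: flags;hex Unix time;agent name;UUID[|bundle id]
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError("not a quarantine value: %r" % value)
    uuid, _, bundle_id = (parts[3] if len(parts) > 3 else "").partition("|")
    return {
        "flags": int(parts[0], 16),
        "tagged_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
        "uuid": uuid,
        "bundle_id": bundle_id,
    }

def audit(files):
    """Classify {path: {attribute name: value}} by quarantine state."""
    report = {}
    for path, attrs in files.items():
        if QUARANTINE in attrs:
            try:
                report[path] = ("quarantined", parse_quarantine(attrs[QUARANTINE]))
            except ValueError:
                report[path] = ("malformed", None)
        elif WHERE_FROMS in attrs:
            # Downloaded, but the flag is gone: either the user confirmed the
            # dialog or something ran "xattr -d com.apple.quarantine" on it.
            report[path] = ("cleared", None)
        else:
            report[path] = ("never tagged", None)
    return report

# Constructed sample: the first entry uses the value shown in the post, the
# other two paths and their attributes are made up for illustration.
SAMPLE = {
    "Downloads/Bean-Install.dmg": {
        WHERE_FROMS: "<binary plist>",
        QUARANTINE: "0000;47ea606e;Safari;569BD03D-469D-4546-92FF-83C0F3669A07|com.apple.Safari",
    },
    "Downloads/example-tool.dmg": {WHERE_FROMS: "<binary plist>"},
    "Documents/notes.txt": {},
}

if __name__ == "__main__":
    for path, (state, info) in audit(SAMPLE).items():
        print(path, state, info["tagged_at"].isoformat() if info else "")
```

A “cleared” result cannot by itself distinguish a file the user approved through the dialog from one whose attribute was deleted, so treat it as a prompt to check how the file arrived.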
A More Elegant Solution
If you are determined to bypass this built-in security feature (which I highly caution against) then you may be interested in a solution developed by Henrik and available over at The Pug Automatic. It involves an AppleScript that performs recursive “xattr -d’s” and is then attached to key folders – like “Downloads” – as a Folder Action. Any time files are added to the folder, the script will ensure that all quarantine values are unset, freeing you from having to expend precious energy and human compute cycles to evaluate a small dialog and click “OK”.
The script/action combination works well (I tried it and then removed it), but if you know of another means to accomplish this task (a hidden “defaults” setting, perhaps) or have more questions on File Quarantine (or other Leopard security features), please drop a note in the comments.
Dan on March 26th, 2008 at 12:57 pm
What about a way to do it within the downloads folder by file type, so only downloaded .DMG files would be un-quarantined?
Justin on March 26th, 2008 at 1:01 pm
It’s probably worth noting that at least for Cocoa apps, if the developer code signs the application, this prompt is avoided, as is the one about giving access to keychain entries.
Staff Comment Bob Rudis, TheAppleBlog on March 26th, 2008 at 1:22 pm
@Dan: the script should be pretty easy to tweak. If you really want that option, let me know mailto: first @ last . net
@Justin: Very cool. Really good info. As I’ve said when working with Microsoft devs w/r/t code-signing: I just hope development teams have a good way to handle this so that keys don’t make it out of their control w/o knowing. Code-signing apps is not as simple as it sounds when you factor in employees leaving and how you integrate it into your build processes.
John on March 26th, 2008 at 1:39 pm
Apple provides the mechanism to exclude files from being quarantined by file type. Read this article about it:
http://mymacinations.com/2008/02/06/changing-the-systems-default-settings-for-html-files-safe/
Staff Comment Bob Rudis, TheAppleBlog on March 26th, 2008 at 2:37 pm
@John: I’ve created the “com.apple.DownloadAssessment.plist” file and added:
public.disk-image
public.archive
public.item
public.content
public.data
public.executable
com.apple.bundle
com.apple.application-file
to it and re-started Safari and download dmgs and still receive the “are you sure” dialog from Launch Services. This can definitely be me missing something, tho. Anything else I need to do?
Michel Fortin on March 26th, 2008 at 8:58 pm
There is a list of applications whose files are automatically quarantined by the system. Take a look at: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Resources/Exceptions.plist
Obviously, this does not prevent applications from quarantining themselves (as Safari does).
John on March 26th, 2008 at 10:27 pm
Make sure that the file is valid xml and then you need to log out and log back in.
Although, honestly, .executable, .bundle and .application-file make for a very unwise set up.
Nectar on March 27th, 2008 at 9:58 am
Note for those disabling quarantine:
The purpose of this functionality is one last line of defense against trojans such as OSX.Leap.A. If you disable quarantine, you will get no warning if you download an item that appears to be an image or PDF but is actually a malicious application.
Sean on March 28th, 2008 at 12:05 am
Apple’s answer to Oompa is a nag prompt? Hilarious.
Anyway, when you get tired of the nagging:
find . -print0 | xargs -0 ~/Applications/etc/xabatch ~/Applications/etc/com.apple.xabatch {}
Sean on March 28th, 2008 at 12:12 am
Whoops, that’s using the ACP.
find . -print0 | xargs -0 xattr -d com.apple.quarantine
Staff Comment Bob Rudis, TheAppleBlog on March 28th, 2008 at 7:56 am
@John: I never said (I actually contraindicated using any of this in the post) this was a good idea :-)
James on October 15th, 2008 at 3:04 am
I’m having the same problem as Bob. I added:
public.html
public.executable
com.apple.application
com.apple.applicaiton-bundle
com.apple.aplication-file
and I don’t get warnings for html documents anymore, but I still get warnings for applications. Maybe it’s impossible to override the settings for applications?
This warning is extremely annoying (and insulting) and I don’t even understand the security benefit. If it’s trying to protect me from executables that appear to be something else, why does it bother me about executables that appear to be executables? Seriously… at the very least it should be disabled for files whose only extension is .app
Nectar on October 15th, 2008 at 8:21 am
James wrote, “I don’t even understand the security benefit. If it’s trying to protect me from executables that appear to be something else, why does it bother me about executables that appear to be executables?”
Remember that by default, file extensions are not displayed. So for example, an application with a PDF icon will look like a PDF and not an application unless one examines it carefully (e.g. with Get Info). Even when file extensions are displayed, the “.app” at the end is a very subtle hint and easily missed.
Not a bad suggestion you make though: Perhaps when file extensions *are* displayed, the warning could be done away with. This could not be the default behavior, of course… but Apple is known for minimizing options, which may be why this is not configurable.
James on October 15th, 2008 at 6:31 pm
How about this: forcing the .app extension to be visible until an application has been opened for the first time.
I suppose you’re right though, it shouldn’t be default and Apple doesn’t like options. Although I have to say, a nag screen this annoying isn’t very “Apple”
James on October 16th, 2008 at 3:05 am
I FINALLY got it.
I can’t believe I didn’t try that. You just have to declare “public.item” as Neutral.
I also added a folder action script that puts a red label on applications that are moved into the download folder, and removes it when they are moved out of the folder. I preserved almost all of the security and removed most of the inconvenience.
Peter da Silva on November 11th, 2008 at 8:30 am
I STRONGLY recommend disabling this kind of stupid dialog. Speaking as someone who has been a Windows network admin for 20 years, the biggest effect of these kinds of “you’re about to do something that might occasionally be stupid, but is almost always normal” dialogs is to train people to answer warning dialogs in the affirmative.
And it’s really hard to un-train them.
I’ve had several people come to me and ask “Peter, it asked me ‘do you want to install a virus on your computer’ (or something equally scary) and I clicked ‘install’ before I noticed what it was saying, and now my computer’s acting funny”. The same people. Multiple times. Yes, really.
THIS IS NOT A SECURITY FEATURE. IT IS A SECURITY FLAW.
When Apple added “open safe files” to Safari I groaned. I knew some stupid thing like this was coming up.
The most fun I’ve had with this was when a screen saver tried to run a program, and LaunchServices came up with the stupid warning, AND I COULDN’T DO ANYTHING ABOUT IT BECAUSE IT WAS UNDER THE SCREEN SAVER, AND THE SCREEN SAVER WAS WAITING FOR IT. I mean, Whisky Tango Foxtrot, Apple…
Dorian on December 15th, 2008 at 4:52 am
This script doesn’t seem to work for me. I add php files and subfolder containing CSS files and other php files, but I still get the warning for some of the php files, saying it’s a “script” downloaded from the internet.
Anyone found a way to work around that? It’s driving me crazy…
Thomas Tempelmann on April 4th, 2009 at 4:58 am
@James, can you be a bit more explicit about what you did when you declared “public.item” as Neutral? How does this “neutral” word come into play here?
Clint on July 14th, 2009 at 11:46 am
Yes, it would be much easier to just click OK when the dialog box comes up; however, I encountered a situation where clicking OK didn’t make it stop. Each and every program that was downloaded from the internet on a group of computers came up with the same message each and every time it was launched. I had downloaded all the apps as the Admin user, I repaired permissions, tried under a different admin user account, I re-downloaded the apps, I tried all kinds of things… nothing would clear that message on subsequent launches of those apps. There was some kind of glitch somewhere that prevented that attribute from clearing. I used that command to clear the attributes and now my users are happy again.