[HN Gopher] macOS gatekeeper and file quarantine bypass
___________________________________________________________________
macOS gatekeeper and file quarantine bypass
Author : robertkrahn01
Score : 213 points
Date : 2021-04-26 17:58 UTC (5 hours ago)
(HTM) web link (objective-see.com)
(TXT) w3m dump (objective-see.com)
| jdlshore wrote:
| Fascinating article. Short version: there was a bug in the part of Apple's Gatekeeper code that checked whether a file was an application bundle. Bundles that only contained a script, and not a plist file, were considered "not a bundle," and this bypasses the Gatekeeper checks.
|
| The issue is fixed in the latest version of Big Sur. Be sure to upgrade. It's being exploited in the wild.
| LeoPanthera wrote:
| Is this how early versions of the Zoom installer bypassed gatekeeper for a zero-click install?
| Xeago wrote:
| That worked by using the preinstall check that Installer.app invokes to do the installation. It would finish by force quitting Installer.
| benatkin wrote:
| > Be sure to upgrade.
|
| This is a technical crowd, so some of us don't need to rush to download things like this. I'll upgrade when it's convenient, thank you very much.
| puszczyk wrote:
| Why is the technical crowd less in need of an upgrade? My proverbial "grandmother" only accesses her gmail and one news page. Arguably she's at less risk than someone testing new software.
| sildur wrote:
| Funny that when you started with "this is a technical crowd" I thought you would continue with "we don't need to be reminded to upgrade".
| submeta wrote:
| What about macOS Catalina users? Any updates / fixes for them? Do you happen to know?
| phnofive wrote:
| It appears this behavior was introduced in Catalina, so I'd assume a complementary fix to 11.3 will be available for 10.x - no word on timing AFAIK.
| ilikepi wrote:
| Security Update bundles were released for Catalina and Mojave as well.
|
| The list of security fixes for the Big Sur update 11.3 has three entries mentioning Gatekeeper: https://support.apple.com/en-us/HT212325
|
| ...whereas the list for Catalina has only one: https://support.apple.com/kb/HT212326
| pier25 wrote:
| Did Apple finally fix the bug where every Big Sur update nukes Xcode tools like Git?
| ezfe wrote:
| No problems here - I'm on the beta cycle so I get new Big Sur updates fairly often (every few weeks) and haven't had any git issues.
| zanethomas wrote:
| nice!!!
| lovelyviking wrote:
| >But first, go update your macOS systems to 11.3
|
| Unfortunately the risk is too high. Last time I was trying to update to 11.2 my MacBook M1 showed a black screen with instructions to find another Mac. During the Covid situation I had to endanger myself by going to look for this 'another' Mac. No thank you very much. Not possible for now, who knows whether it will get stuck this time or not. I do not wish to lose my ability to work again.
|
| Looks like to update safely you need to have another Mac. I mean if you _for sure_ wish to get the guaranteed result.
|
| BTW, I was reporting about this situation over here and about my surprise at the amount of bugs I have stumbled on. For those who were fast to suggest that there is some hardware issue with this specific machine - you were too fast to suggest something that you wanted very much to be the case. I leave it to your karma why you wanted it but _No hardware issues_ have been found so far till this very day. It passes all tests including speed tests. All of the problems were software bugs and issues. All of them were perfectly known when you search the info about them.
|
| For instance ScreenShot was slow when Mic was selected as sound input source for Screen Video Recording.
| ScreenShot has nothing to do with Mic as far as I know because no sound is recorded in ScreenShot last time I've checked :) and yet it was slow because of that (I guess it was trying to initialize the Mic for each screenshot). Once you select _None_ as sound input source for Screen Video Recording the ScreenShot works quickly again like it's supposed to.
|
| If this is not funny then what is? And it's a very well-known problem if you google it, yet some people were downvoting even that! Some people do not like facts it seems.
|
| So I state again what I was stating back then. It's so far the buggiest Mac I ever had.
| pehtis wrote:
| I will never understand why "Show all filename extensions" is unchecked by default in Finder.
| Closi wrote:
| It's also unchecked in Windows by default - I suspect that in reality the concept of extensions probably confuses some users, who end up changing the extension and then struggle to work out how to open their saved files.
|
| ( I always prefer to see the extensions too though :) )
| setr wrote:
| Windows gives you a big warning when you change the extension, which seems to me both sufficient and better than hiding the extension altogether (which, like URL hiding, is a fairly dangerous and largely unnecessary convenience)
| davemp wrote:
| Like browsers, file navigation UIs could also just grey out the file extension.
| dataflow wrote:
| The warning is a massive inconvenience. It reverts the file name if you cancel, so if you spent any effort on the new name, it will be wasted. Moreover, people often expect to change the file _type_ by changing the _name_, and they get confused when it doesn't work (or it works for them in some case and they expect it will work here too). Lastly, users often don't read error messages, let alone understand them ("file extension" is hardly an easy concept...), so it's not necessarily helpful to them.
| Really, the number of cases where you'd need to change a file extension is so small compared to when you don't that I completely understand why they made this choice. It's imperfect, but I don't know of a better solution.
| judge2020 wrote:
| I've learned to never underestimate users' ability to shoot themselves in the foot. People will click through any popup dialogue which might suggest that their decision to perform an action was wrong.
| FridayoLeary wrote:
| because most of them are clearly fearmongering by ms, apple et al, scaring you into staying subscribed to their particular product. If they abuse their own warning systems, why should we respect them?
| vbezhenar wrote:
| Users are well-trained to ignore warnings.
| djxfade wrote:
| It works exactly the same way in macOS Finder as in Windows Explorer. Extensions are hidden by default. You can enable showing extensions (either by individual file, or globally). If a file has its extension shown, you will get a confirmation prompt warning you of the consequences of changing the file extension.
| elliekelly wrote:
| Is there any way to turn this off _only_ for applications? Or even just in the applications directory? I find it irrationally annoying that everything in the applications folder shows the ".app" extension.
| floatingatoll wrote:
| If you use the dashboard app switcher (iirc the F3 or F4 key), it hides .app in that list, it has a search field and I believe it accepts drag-and-drops.
|
| That's not exactly an answer to your question, but there's a chance it's an acceptable solution, so duly noted.
| lostgame wrote:
| It's F4 on my MacBook Pro 2018 Catalina. :)
| boomboomsubban wrote:
| Genuine question, does MacOS actually care about file extensions? I would guess not, though there are probably some compatibility features that will do things if they are there.
| bobbylarrybobby wrote:
| I was under the impression that unless a file contains some other metadata (most don't), the extension is _the_ way the OS chooses which app to use to open it.
| boomboomsubban wrote:
| Unix-based has almost always used internal metadata, and the "dot" is just another character. I thought Windows was unique in relying on the suffixes, but Wikipedia suggests MacOS inherited some form from NeXTSTEP.
| spijdar wrote:
| "Unix" OSes in my experience simply don't (universally) have a way to "open this file in the correct application". It's a foreign concept. Files are just sequences of bytes, and file paths are just addresses to those bytes. The file extensions are, then, purely for the sake of the user, as there is no (standard) way to store file metadata. There are specific filesystems with these metadata extensions, but otherwise, you need to resort to commands like file and libmagic for _heuristics_ on determining file-type.
|
| Or just use the file suffix, which is AFAIK what all the mainstream Linux desktop environments do, through Freedesktop's MIME implementation. I don't know if it supports using metadata or file magics instead, but a quick glance shows almost every MIME definition uses file globbing.
|
| You can check this in the files located at "/usr/share/mime/application" and "/usr/share/mime/packages" on most distros. Most (all?) definitions use a "glob pattern" to match files.
| pehtis wrote:
| Yes it cares. If you rename a folder to folder.app then it will change to look and "behave" like an app. Or if you change the extension of a video file to mp3 you'll lose the icon preview.
|
| Finder does try to help with renaming and when you try to rename a file only the filename is selected and not the extension.
| Spivak wrote:
| What you're describing is just Finder caring. Linux doesn't care at all about your file extensions but Nautilus sure does.
|
| In GNOME for example gio handles opening files in the "correct" application by way of the MIME database in /usr/share/application/mimeapps.list and ~/.local/share/applications/mimeapps.list.
| jpeter wrote:
| Same on windows
| [deleted]
| kossTKR wrote:
| Does anyone know how trustworthy this objective-see project is?
|
| I remember once installing several of his apps, but then coming to the conclusion that I don't know enough - even though he consistently seems to find and fix flaws in OSX.
|
| Why isn't Apple hiring this man?
|
| EDIT: Why are people downvoting this question? If I'm implying something then I'm unaware of it.
| ghughes wrote:
| The tools are legit, and the bugs are real, but he has a distasteful habit of feeding sensationalist quotes to outlets like Forbes and Vice.
|
| This time, he told Forbes that "the hacks effectively take Mac security back a decade" [1], and Vice quotes him as saying "this is likely the worst or potentially the most impactful bug to everyday macOS users in recent memory". [2]
|
| Forbes ran the story with the headline "The 'Worst Hack In Years' Hits Apple Computers". Giving them cover to write such bullshit is a quick way to dispose of any credibility among industry peers.
|
| 1. https://www.forbes.com/sites/thomasbrewster/2021/04/26/updat...
|
| 2. https://www.vice.com/en/article/wx5855/massive-mac-apple-sec...
| savoytruffle wrote:
| Some people don't want to be coerced into working remotely near Cupertino ...
| kossTKR wrote:
| And that's fair, I wouldn't either, what I mean is they should seriously consider giving him some consultancy fees, bounties / whatever since he's consistently doing good work.
| jrochkind1 wrote:
| i don't get it
| aledalgrande wrote:
| Is it me or Apple isn't even listing the patch in the 11.3 changelog? https://developer.apple.com/documentation/macos-release-note...
| infinita740 wrote:
| Security patches are in a separate article: https://support.apple.com/en-us/HT212325
| aledalgrande wrote:
| Oh cool thanks!
| smoldesu wrote:
| Gatekeeper is one of the most frustrating things I have to fight whenever I try using MacOS. It feels like DRM for my applications, which in turn makes everything feel clunkier, and less integrated. I would genuinely pay Apple extra for a version of MacOS that just trusts me and lets me install what I want without some esoteric mechanism stopping me at every step of the way...
| cloogshicer wrote:
| Agreed. It's ridiculous that we can't even fully disable it in the latest macOS releases (the commands others posted below don't work in Big Sur to completely disable quarantine).
|
| Thankfully there is a simple workaround: https://hiringengineersbook.com/post/disable-quarantine/
| Wowfunhappy wrote:
| Note, the single command _does_ turn off Gatekeeper. File quarantine is separate and needs a separate command. That is as it should be IMO, they're completely different things.
| cloogshicer wrote:
| Right, but do you know if there is a command to actually turn off quarantine? I mean really turning it off, not just removing it from already existing files. To my knowledge, that doesn't exist.
| minhazm wrote:
| You can disable Gatekeeper.
|
| https://disable-gatekeeper.github.io/
| kstrauser wrote:
| What frustrates you about it? I rarely bump into Gatekeeper and I'm doing the normal dev things.
| lovelyviking wrote:
| Sometimes I compile my program and when I move it to the Applications folder and try to run it, MacOS says you do not have permission to do it. Maybe it's not Gatekeeper, who knows.
|
| The keyword here is _sometimes_. This is what I _Love_ about the current state of MacOS.
|
| To fix it nothing works until you delete it completely and only then if you're lucky etc ... It just reminds me of those good old days with Microsoft many years ago.
| Turn it off then turn it on a few times .. it may work ...
| mlindner wrote:
| I've always found it to be extremely consistent and it never does anything strange like you're describing. Works for me.
| [deleted]
| Klonoar wrote:
| Is this an Xcode project, or something outside of it?
|
| I regularly build both and have run them in the same way you're talking about here, without issue... the latter might be a bit more nuanced, but when set up properly does work fine, so I'm inclined to think this is more a problem with how you're doing things.
| Isthatablackgsd wrote:
| I'm assuming you don't use a package manager like Homebrew or MacPorts? This is where the gatekeeper will annoy the hell out of me. Apps installed via Homebrew often will encounter Gatekeeper alerts. Half of them will give the option to open it and for the other half, the gatekeeper --demands-- gently asks me to put it in the Trash without the option to open it.
| mlindner wrote:
| A simple right click on the app and selecting the open dialogue and it works fine.
| breakfastduck wrote:
| You need to disable gatekeeper like shown in another of the comments. It'll permanently create a new option in your settings to allow installations from "anywhere" too.
| Wowfunhappy wrote:
| Nitpick, I don't actually think the option in System Preferences is permanent? Is it still there if you change it back and restart System Preferences?
| breakfastduck wrote:
| Not sure, I leave it on permanently on 'anywhere'. It still gives a prompt to confirm execution but it becomes a click through rather than anything actually trying to stop you doing stuff.
| na85 wrote:
| Homebrew apps only ask for permissions when they get updated because gatekeeper treats it like a fresh install, I guess.
| herrkanin wrote:
| I'm using homebrew all day long, and I don't remember ever having this issue.
| xrisk wrote:
| Homebrew cask.
| ezfe wrote:
| I use Homebrew Cask and don't run into any unusual problems with Gatekeeper. The flow is always the same as if I manually downloaded it (meaning I sometimes get a prompt on first run, but that's expected).
| kstrauser wrote:
| I use Homebrew daily. In System Preferences, I have Security & Privacy > General > Allow apps downloaded from: App Store and identified developers, and I don't remember the last time I got a Gatekeeper alert.
| Isthatablackgsd wrote:
| I have had that option enabled since the first boot of my Macbook Air M1 and the gatekeeper alert is still showing. And I am sure we are not using the same apps that ran into those alerts. I have had Vivaldi, Alfred, AppCleaner, EasyFind, iTerm2, KeepassXC, MacPass, Keka, MediaInfo, NoMachine, Numi, OBS, odrive, Signal, Slack, TexStudio and VLC run into those alerts.
|
| I am genuinely curious why people are singing that "I don't have such problems on my computer!" slogan repeatedly? Some of us have that problem and just because we have the same OS and possibly the same hardware doesn't mean it is impossible. I wish people would change that particular mindset and be aware that those problems do exist.
| kstrauser wrote:
| You're hugely misreading my intentions. I'm an engineer: I see something unexpected, I want to figure out what's happening. You and I are both using the same software and you're seeing problems that I didn't even know affected some people. I'm not saying "this works for me so I don't know what you're complaining about". I'm saying "huh, this works for me. I wonder what's different between our systems? Is this something that's going to spontaneously start affecting me if I click the wrong toggle somewhere?"
|
| Obviously the problem is possible. It's happening to you. I'd like to find out why so that I can troubleshoot and fix the problem if it starts happening to me or my friends or coworkers.
| And really, I'd like to help you fix it, too, if I could figure out what's causing it.
| Isthatablackgsd wrote:
| Apologies for misreading you, I'm just frustrated and have accepted the fact that it is by design.
|
| I've been reading other comments and as someone (xrisk) pointed out, it is Homebrew Casks, which made sense since all of the gatekeeper alerts are coming from 'Cask-ed' apps. I could disable Gatekeeper but I'd rather not because MacOS is not my daily driver. I'd rather keep Gatekeeper active to protect itself from moronic me.
| setr wrote:
| Probably the simplest thing then would be to alias brew install to something like spctl --master-disable; brew install $1; spctl --master-enable
| Wowfunhappy wrote:
| `spctl --master-disable` requires root permissions (sudo).
|
| You could edit sudoers so the command doesn't require a password. But really, at that point I'd just leave Gatekeeper off.
| btilly wrote:
| Given how ubiquitous your problem is, I would be suspicious that security alerts are going off because you have a real security problem. I've seen similar problems when a piece of malware keeps trying to inject itself into various things, and Gatekeeper is catching it. The variety of places where you're getting alerts is a testament to the persistence of the malware, and not the fact that everything is actually broken.
| kstrauser wrote:
| That's OK. If I were in your boat, I'd probably be pretty frustrated.
|
| Does the method of right-clicking on an app, then "Open", in Finder work to tell Gatekeeper to quit complaining?
| nomel wrote:
| The last time I had a Homebrew package fail to install, due to security restrictions that work just fine for the other thousands of packages there, it was the package trying to do something it shouldn't have, and it was promptly fixed. You may have run into a similar scenario.
| setr wrote:
| Because if they can't reproduce, then much more likely than not, the problem is not inherent to the platform. In this case, there's probably a deviation in config settings.
|
| Additionally if they can't reproduce, they can't offer any advice or help.
|
| It's highly unlikely that MacOS behaves specially for your existence.
| xrisk wrote:
| He's talking about Homebrew Cask.
| fryktelig wrote:
| I've been having issues with non-cask Homebrew packages getting blocked by some Gatekeeper/SIP related watchdog on my new M1 system. Stuff would just get insta-killed at load. Anyway, it seems to have been sorted now, and through identifying which packages were having the issue in Console and reinstalling them, I've resolved the issues.
| Someone wrote:
| Slightly educated guess: did you install the x64 emulator between when you had the problems and when they went away?
|
| I can see brew trying to run x64 code while the emulator isn't there blocking code from running in weird ways.
|
| Alternatively, it might be that package updates fixed the packages that behaved incorrectly. Again, just a slightly educated guess.
| fryktelig wrote:
| I had Rosetta well before I ran into these issues, I think Homebrew still required it when I got the computer.
|
| Before I figured out the way to identify the offending dependencies I sorted the issue through signing the executable with codesign, in a way that required me to disable part of SIP. So the code was working, it was just not being allowed to run.
| oivey wrote:
| Even more specifically, the only time I've run into Gatekeeper is with apps that install into /Applications and have a GUI. I've never had this issue with stuff I only access via CLI.
| xrisk wrote:
| You have to Ctrl+right click the app, then click Open.
| mschuster91 wrote:
| Macports doesn't give you any headaches, it follows Unix principles.
|
| Homebrew is a keg of worms, if you excuse the bad pun.
|
| Sadly (because it seems to be easier to get started?) many developers prefer it over Macports...
| Isthatablackgsd wrote:
| As an end-user, I prefer Homebrew over MacPorts because Homebrew is simpler to get installed and use in the terminal. MacPorts on the other hand takes some tinkering to get it working. It has problems detecting installed XCode because it was looking for a specific outdated version (this happened last month when I decided to give MacPorts a try and I uninstalled Homebrew before trying it out since both of them cannot co-exist together.)
|
| It is likely that it is not that the devs prefer it over MacPorts, it is likely that end-users prefer it and the devs are following what the end-users desire. Homebrew has a much bigger catalog of software and libraries than MacPorts.
| saagarjha wrote:
| This is because Homebrew Cask explicitly adds the quarantine attribute to things it downloads. Perhaps there is some easy way to disable it or patch out this functionality?
| xrisk wrote:
| Ctrl+right click to get the option to open it.
| crazygringo wrote:
| That's... unusual.
|
| I use Homebrew constantly and have never seen such a thing in my life, in any version of macOS/OSX over the past several years. Not in building from source, not in casks.
|
| Like another commenter the only security change I have is "Allow apps downloaded from" set to "App store and identified developers" -- which I'd assume virtually every Mac user on HN has also set.
|
| Perhaps you have some kind of unusual configuration? Or there's some very specific subcategory of Homebrew packages that encounter this problem?
| fiddlerwoaroof wrote:
| Apple has been moving toward a capability-based security model for a while now, I think: it's a bit annoying because their implementation also acts like DRM, but I think the model itself is a better security model than standard POSIX file permissions and ACLs
| Wowfunhappy wrote:
| Then turn it off.
| Open the Terminal and run:
|
|     sudo spctl --master-disable
|
| That's it, it will never bother you again, unless you turn it back on or reinstall the OS from scratch. If macOS is still too limiting, you can also turn off System Integrity Protection, at which point you can do just about whatever the heck you want.
|
| I personally kept both Gatekeeper and SIP turned off, back when I used modern macOS. But if they _are_ turned on, they ought to work.
| joshspankit wrote:
| Does turning those off still leave the logs redacted?
|
| Or do you _also_ have to install the profile after you tell it to get out of your way?
| azinman2 wrote:
| That has nothing to do with log redaction. That's to prevent private data escaping apps and either being sent to Apple or readable by others. You want that on.
| Wowfunhappy wrote:
| I don't use Big Sur but I don't think it has any effect on logs. Without SIP, you could patch the kernel or something and change whatever you want, but that would of course be nuts.
|
| I share your curiosity. If your computer isn't already managed, installing an MDM profile in order to view logs is ridiculous. I don't even think there's a way to do it without paying money.
| [deleted]
| jcelerier wrote:
| No, this still keeps some gatekeeper checks, popups when downloading files, weird arguments being passed to apps on first launch, etc. Even if doing it in the root recovery mode.
| unicornporn wrote:
| What would I need to get it down to a Mojave level of inconvenience?
| Wowfunhappy wrote:
| _That_ I can't answer. The most recent version of macOS I've used for any length of time was High Sierra, because even Mojave broke something essential for me--Apple Events need to be authorized once for every combination of (1) the app being controlled and (2) the app sending the event.
| Combined with the fact that my authorizations were often reset when I edited a script, this made most of my Applescripts effectively useless.
|
| But it's a very different problem from Gatekeeper. And from iOS, where the user legitimately has no control. If SIP is turned off, you _could_ write an app that strips out every macOS behavior you dislike, because without SIP apps can patch whatever they want.
___________________________________________________________________
(page generated 2021-04-26 23:00 UTC)
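Returning to the bug jdlshore summarizes at the top of the thread (a bundle holding only a script and no plist being treated as "not a bundle"), here is an added defender-side audit in Python; it is not code from the article or from any commenter. It walks a directory for *.app bundles and flags the ones with no Contents/Info.plist (plus plists whose CFBundleExecutable names a file that is not in Contents/MacOS); the sample bundle tree it builds in a temp directory is constructed for the demo.

```python
# Added example (not from the article or the thread): audit *.app bundles and flag
# the shape jdlshore describes, a bundle with no Contents/Info.plist, plus plists
# that name an executable that is not actually there.
import os
import plistlib
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

@dataclass
class BundleReport:
    path: str
    has_info_plist: bool
    executable: Optional[str] = None        # CFBundleExecutable, if the plist had one
    problems: List[str] = field(default_factory=list)

def audit_bundle(bundle_path: str) -> BundleReport:
    """Inspect one .app directory and record anything a reviewer should look at."""
    contents = os.path.join(bundle_path, "Contents")
    plist_path = os.path.join(contents, "Info.plist")
    macos_dir = os.path.join(contents, "MacOS")
    report = BundleReport(bundle_path, os.path.isfile(plist_path))
    if not report.has_info_plist:
        report.problems.append("missing Contents/Info.plist")
        # With no plist, any executable under Contents/MacOS is a script-only bundle.
        if os.path.isdir(macos_dir):
            for name in sorted(os.listdir(macos_dir)):
                path = os.path.join(macos_dir, name)
                if os.path.isfile(path) and os.access(path, os.X_OK):
                    report.problems.append(f"executable without plist: MacOS/{name}")
        return report
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except Exception as exc:                # plistlib raises several exception types
        report.problems.append(f"unparseable Info.plist: {exc}")
        return report
    report.executable = info.get("CFBundleExecutable")
    if not report.executable:
        report.problems.append("Info.plist has no CFBundleExecutable")
    elif not os.path.isfile(os.path.join(macos_dir, report.executable)):
        report.problems.append(
            f"CFBundleExecutable {report.executable!r} not found in Contents/MacOS")
    return report

def find_bundles(root: str) -> Iterator[str]:
    """Yield every directory named *.app under root without descending into it."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                yield os.path.join(dirpath, name)
                dirnames.remove(name)       # the bundle's internals are audited separately

def audit_tree(root: str) -> List[BundleReport]:
    return [audit_bundle(b) for b in find_bundles(root)]

def _write_script(path: str) -> None:
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho hello\n")
    os.chmod(path, 0o755)

def make_sample_tree(root: str) -> None:
    """Constructed sample data: one well-formed bundle and one plist-less bundle."""
    good = os.path.join(root, "Good.app", "Contents")
    os.makedirs(os.path.join(good, "MacOS"))
    with open(os.path.join(good, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Good",
                       "CFBundleIdentifier": "example.good"}, fh)
    _write_script(os.path.join(good, "MacOS", "Good"))
    bad = os.path.join(root, "Bad.app", "Contents", "MacOS")
    os.makedirs(bad)
    _write_script(os.path.join(bad, "Bad"))

def demo() -> Dict[str, List[str]]:
    """Audit the constructed tree and return {bundle name: problems}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return {os.path.basename(r.path): r.problems for r in audit_tree(tmp)}
```

Point `audit_tree` at /Applications or a downloads folder to list bundles worth a closer look; an empty `problems` list means only that the bundle has the expected layout, not that it is trustworthy.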