[HN Gopher] macOS gatekeeper and file quarantine bypass
___________________________________________________________________
macOS gatekeeper and file quarantine bypass
Author : robertkrahn01
Score : 213 points
Date : 2021-04-26 17:58 UTC (5 hours ago)
(HTM) web link (objective-see.com)
(TXT) w3m dump (objective-see.com)
| jdlshore wrote:
| Fascinating article. Short version: there was a bug in the part
| of Apple's Gatekeeper code that checked whether a file was an
| application bundle. Bundles that only contained a script, and not
| a plist file, were considered "not a bundle," and this bypasses
| the Gatekeeper checks.
|
| The issue is fixed in the latest version of Big Sur. Be sure to
| upgrade. It's being exploited in the wild.
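The bug class summarised above (a bundle that has a runnable script but no Info.plist) can be hunted for on disk. The scanner below is an added example, not code from the article or from Apple; the bundle layout it builds in a temp dir is constructed for the demo, and the heuristic is the editor's, not Gatekeeper's own logic.

```python
"""Scan a directory tree for .app bundles that carry an executable in
Contents/MacOS but no Contents/Info.plist (the shape described in the thread).
Added detection heuristic for defenders; this is not Apple's Gatekeeper logic."""
import os
import plistlib
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterator, List

@dataclass
class BundleFinding:
    path: str
    has_info_plist: bool
    executables: List[str] = field(default_factory=list)
    note: str = ""

def iter_app_bundles(root: Path) -> Iterator[Path]:
    """Yield every *.app directory under root without descending into it."""
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                yield Path(dirpath) / name
                dirnames.remove(name)  # do not walk into the bundle's internals

def inspect_bundle(bundle: Path) -> BundleFinding:
    """Record whether the bundle has Info.plist and what in it is executable."""
    contents = bundle / "Contents"
    info = contents / "Info.plist"
    macos_dir = contents / "MacOS"
    executables = []
    if macos_dir.is_dir():
        for entry in sorted(macos_dir.iterdir()):
            # any execute bit set counts; mode bits are checked, not os.access
            if entry.is_file() and entry.stat().st_mode & 0o111:
                executables.append(entry.name)
    if not info.is_file():
        note = ("executable(s) present but no Info.plist" if executables
                else "no Info.plist and nothing executable")
        return BundleFinding(str(bundle), False, executables, note)
    try:
        with info.open("rb") as fh:
            keys = plistlib.load(fh)
        note = "" if "CFBundleExecutable" in keys else "Info.plist lacks CFBundleExecutable"
    except Exception as exc:  # any parse failure is itself worth reporting
        note = f"Info.plist unreadable: {exc}"
    return BundleFinding(str(bundle), True, executables, note)

def suspicious_bundles(root) -> List[BundleFinding]:
    """Bundles that look runnable yet have no Info.plist at all."""
    return [f for f in (inspect_bundle(b) for b in iter_app_bundles(Path(root)))
            if not f.has_info_plist and f.executables]

def build_demo_tree(root: Path) -> None:
    """Constructed sample layout: one ordinary bundle, one plist-less bundle."""
    good = root / "Apps" / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    with (good / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Good", "CFBundleIdentifier": "example.good"}, fh)
    (good / "MacOS" / "Good").write_text("#!/bin/sh\necho good\n")
    (good / "MacOS" / "Good").chmod(0o755)
    weird = root / "Downloads" / "Weird.app" / "Contents" / "MacOS"
    weird.mkdir(parents=True)
    (weird / "Weird").write_text("#!/bin/sh\necho hello\n")  # bare script, no plist
    (weird / "Weird").chmod(0o755)

def demo() -> List[BundleFinding]:
    """Build the sample tree in a temp dir, scan it, and clean up afterwards."""
    tmp = Path(tempfile.mkdtemp())
    try:
        build_demo_tree(tmp)
        return suspicious_bundles(tmp)
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding.path, "->", finding.note)
```

Point `suspicious_bundles()` at ~/Downloads or /Applications to get the same report for real bundles; a hit is a reason to look closer, not proof of malice.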
| LeoPanthera wrote:
| Is this how early versions of the Zoom installer bypassed
| gatekeeper for a zero-click install?
| Xeago wrote:
| That worked by using the preinstall check that Installer.app
| invokes to do the installation. It would finish by force
| quitting Installer.
| benatkin wrote:
| > Be sure to upgrade.
|
| This is a technical crowd, so some of us don't need to rush to
| download things like this. I'll upgrade when it's convenient,
| thank you very much.
| puszczyk wrote:
| Why is the technical crowd less in need of an upgrade? My
| proverbial "grandmother" only accesses her gmail and one news
| page. Arguably she's at less risk than someone testing new
| software.
| sildur wrote:
| Funny that when you started with "this is a technical crowd"
| I thought you will continue with "we don't need to be
| reminded to upgrade".
| submeta wrote:
| What about macOS Catalina users? Any updates / fixes for them?
| Do you happen to know?
| phnofive wrote:
| It appears this behavior was introduced in Catalina, so I'd
| assume a complementary fix to 11.3 will be available for 10.x
| - no word on timing AFAIK.
| ilikepi wrote:
| Security Update bundles were released for Catalina and
| Mojave as well.
|
| The list of security fixes for the Big Sur update 11.3 has
| three entries mentioning Gatekeeper:
| https://support.apple.com/en-us/HT212325
|
| ...whereas the list for Catalina has only one:
| https://support.apple.com/kb/HT212326
| pier25 wrote:
| Did Apple finally fix the bug where every Big Sur update nukes
| Xcode tools like Git?
| ezfe wrote:
| No problems here - I'm on beta cycle so I get new Big Sur
| updates fairly often (every few weeks) and haven't had any git
| issues.
| zanethomas wrote:
| nice!!!
| lovelyviking wrote:
| >But first, go update your macOS systems to 11.3
|
| Unfortunately the risk is too high. Last time I was trying to
| update to 11.2 my MacBook M1 showed a black screen with an instruction
| to find another Mac. During the Covid situation I had to endanger
| myself by going to look for this 'another' Mac. No thank you
| very much. Not possible for now, who knows whether it will get stuck
| this time or not. I do not wish to lose my ability to work again.
|
| Looks like to update safely you need to have another Mac. I mean
| if you _for sure_ wish to get the guaranteed result.
|
| BTW, I was reporting about this situation over here and about my
| surprise at the amount of bugs I have stumbled on. For those who
| were fast to suggest that there is some hardware issue with this
| specific machine - you were too fast to suggest something that
| you wanted very much to be the case. I leave it to your karma why
| you wanted it but _No hardware issues_ have been found so far
| till this very day. It passes all tests including speed tests.
| All of the problems were software bugs and issues. All of them
| were perfectly known when you search the info about them.
|
| For instance ScreenShot was slow when Mic was selected as sound
| input source for Screen Video Recording. ScreenShot has nothing
| to do with Mic as far as I know because no sound is recorded in
| ScreenShot last time I've checked :) and yet it was slow because
| of that (I guess it was trying to initialize the Mic for each
| screenshot). Once you select _None_ as sound input source for
| Screen Video Recording the ScreenShot works quickly again like it
| is supposed to.
|
| If this is not funny then what is? And it's a very well-known problem
| if you google it, yet some people were downvoting even that! Some
| people do not like facts it seems.
|
| So I state again what I was stating back then. It's so far the
| buggiest Mac I ever had.
| pehtis wrote:
| I will never understand why "Show all filename extensions" is
| unchecked by default in Finder.
| Closi wrote:
| It's also unchecked in Windows by default - I suspect that in
| reality the concept of extensions probably confuses some users,
| who end up changing the extension and then struggle to work out
| how to open their saved files.
|
| (I always prefer to see the extensions too though :) )
| setr wrote:
| Windows gives you a big warning when you change the
| extension, which seems to me both sufficient and better than
| hiding the extension altogether (which, like URL hiding, is a
| fairly dangerous and largely unnecessary convenience)
| davemp wrote:
| Like browsers, file navigation UIs could also just grey out
| the file extension.
| dataflow wrote:
| The warning is a massive inconvenience. It reverts the file
| name if you cancel, so if you spent any effort on the new
| name, it will be wasted. Moreover, people often expect to
| change the file _type_ by changing the _name_ , and they
| get confused when it doesn't work (or it works for them in
| some case and they expect it will work here too). Lastly,
| users often don't read error messages, let alone understand
| them ("file extension" is hardly an easy concept...), so
| it's not necessarily helpful to them. Really, the number of
| cases where you'd need to change a file extension are so
| small compared to when you don't that I completely
| understand why they made this choice. It's imperfect, but I
| don't know of a better solution.
| judge2020 wrote:
| I've learned to never underestimate users' ability to shoot
| themselves in the foot. People will click through any popup
| dialogue which might suggest that their decision to perform
| an action was wrong.
| FridayoLeary wrote:
| Because most of them are clearly fearmongering by MS,
| Apple et al, scaring you into staying subscribed to their
| particular product. If they abuse their own warning
| systems, why should we respect them?
| vbezhenar wrote:
| Users are well-trained to ignore warnings.
| djxfade wrote:
| It works exactly the same way in macOS Finder as in Windows
| Explorer. Extensions are hidden by default. You can enable
| to show extensions (either by individual file, or
| globally). If a file has its extension shown, you will get
| a confirmation prompt warning you of the consequences of
| changing the file extension.
| elliekelly wrote:
| Is there any way to turn this off _only_ for applications? Or
| even just in the applications directory? I find it irrationally
| annoying that everything in the applications folder shows the
| ".app" extension.
| floatingatoll wrote:
| If you use the dashboard app switcher (iirc the F3 or F4
| key), it hides .app in that list, it has a search field and I
| believe it accepts drag-and-drops.
|
| That's not exactly an answer to your question, but there's a
| chance it's an acceptable solution, so duly noted.
| lostgame wrote:
| It's F4 on my MacBook Pro 2018 Catalina. :)
| boomboomsubban wrote:
| Genuine question, does MacOS actually care about file
| extensions? I would guess not, though there are probably some
| compatibility features that will do things if they are there.
| bobbylarrybobby wrote:
| I was under the impression that unless a file contains some
| other metadata (most don't), that the extension is _the_ way
| the OS chooses which app to use to open it.
| boomboomsubban wrote:
| Unix-based systems have almost always used internal metadata, and
| the "dot" is just another character. I thought Windows was
| unique in relying on the suffixes, but Wikipedia suggests
| MacOS inherited some form from NeXTSTEP.
| spijdar wrote:
| "Unix" OSes in my experience simply don't (universally)
| have a way to "open this file in the correct
| application". It's a foreign concept. Files are just
| sequences of bytes, and file paths are just addresses to
| those bytes. The file extensions are, then, purely for
| the sake of the user, as there is no (standard) way to
| store file metadata. There are specific filesystems with
| these metadata extensions, but otherwise, you need to
| resort to commands like file and libmagic for
| _heuristics_ on determining file-type.
|
| Or just use the file suffix, which is AFAIK what all the
| mainstream Linux desktop environments do, through
| Freedesktop's MIME implementation. I don't know if it
| supports using metadata or file magics instead, but a
| quick glance shows almost every MIME definition uses file
| globbing.
|
| You can check this in the files located at
| "/usr/share/mime/application" and
| "/usr/share/mime/packages" on most distros. Most (all?)
| definitions use a "glob pattern" to match files.
| pehtis wrote:
| Yes it cares. If you rename a folder to folder.app then it
| will change to look and "behave" like an app. Or if you
| change the extension of a video file to mp3 you'll lose the
| icon preview.
|
| Finder does try to help with renaming and when you try to
| rename a file only the filename is selected and not the
| extension.
| Spivak wrote:
| What you're describing is just Finder caring. Linux doesn't
| care at all about your file extensions but Nautilus sure
| does.
|
| In GNOME for example gio handles opening files in the
| "correct" application by way of the MIME database in
| /usr/share/application/mimeapps.list and
| ~/.local/share/applications/mimeapps.list.
| jpeter wrote:
| Same on windows
| [deleted]
| kossTKR wrote:
| Does anyone know how trustworthy this objective-see project is?
|
| I remember once installing several of his apps, but then coming
| to the conclusion that I don't know enough - even though he
| consistently seems to find and fix flaws in OSX.
|
| Why isn't Apple hiring this man?
|
| EDIT: Why are people downvoting this question? If I'm implying
| something then I'm unaware of it.
| ghughes wrote:
| The tools are legit, and the bugs are real, but he has a
| distasteful habit of feeding sensationalist quotes to outlets
| like Forbes and Vice.
|
| This time, he told Forbes that "the hacks effectively take Mac
| security back a decade" [1], and Vice quotes him as saying
| "this is likely the worst or potentially the most impactful bug
| to everyday macOS users in recent memory". [2]
|
| Forbes ran the story with the headline "The 'Worst Hack In
| Years' Hits Apple Computers". Giving them cover to write such
| bullshit is a quick way to dispose of any credibility among
| industry peers.
|
| 1. https://www.forbes.com/sites/thomasbrewster/2021/04/26/updat...
|
| 2. https://www.vice.com/en/article/wx5855/massive-mac-apple-sec...
| savoytruffle wrote:
| Some people don't want to be coerced into working remotely near
| Cupertino ...
| kossTKR wrote:
| And that's fair, I wouldn't either, what I mean is they
| should seriously consider giving him some consultancy fees,
| bounties / whatever since he's consistently doing good work.
| jrochkind1 wrote:
| i don't get it
| aledalgrande wrote:
| Is it me or is Apple not even listing the patch in the 11.3
| changelog? https://developer.apple.com/documentation/macos-release-note...
| infinita740 wrote:
| Security patches are in a separate article:
| https://support.apple.com/en-us/HT212325
| aledalgrande wrote:
| Oh cool thanks!
| smoldesu wrote:
| Gatekeeper is one of the most frustrating things I have to fight
| whenever I try using MacOS. It feels like DRM for my
| applications, which in turn makes everything feel clunkier, and
| less integrated. I would genuinely pay Apple extra for a version
| of MacOS that just trusts me and lets me install what I want
| without some esoteric mechanism stopping me at every step of
| the way...
| cloogshicer wrote:
| Agreed. It's ridiculous that we can't even fully disable it in
| the latest macOS releases (the commands others posted below
| don't work in Big Sur to completely disable quarantine).
|
| Thankfully there is a simple workaround:
| https://hiringengineersbook.com/post/disable-quarantine/
| Wowfunhappy wrote:
| Note, the single command _does_ turn off Gatekeeper. File
| quarantine is separate and needs a separate command. That is
| as it should be IMO, they're completely different things.
| cloogshicer wrote:
| Right, but do you know if there is a command to actually
| turn off quarantine? I mean really turning it off, not just
| removing it from already existing files. To my knowledge,
| that doesn't exist.
| minhazm wrote:
| You can disable Gatekeeper.
|
| https://disable-gatekeeper.github.io/
| kstrauser wrote:
| What frustrates you about it? I rarely bump into Gatekeeper and
| I'm doing the normal dev things.
| lovelyviking wrote:
| Sometimes I compile my program and when I move it to the
| Applications folder and try to run it, MacOS says you do not
| have permission to do it. Maybe it's not Gatekeeper, who
| knows.
|
| The keyword here is _sometimes_. This is what I _Love_ about
| the current state of MacOS.
|
| To fix it nothing works until you delete it completely and
| only then if you're lucky etc ... It just reminds me of those
| good old days with Microsoft many years ago. Turn it off then
| turn it on a few times .. it may work ...
| mlindner wrote:
| I've always found it to be extremely consistent and never
| does anything strange like you're describing. Works for me.
| [deleted]
| Klonoar wrote:
| Is this an Xcode project, or something outside of it?
|
| I regularly build both and have run them in the same way
| you're talking about here, without issue... the latter
| might be a bit more nuanced, but when set up properly does
| work fine, so I'm inclined to think this is more a problem
| with how you're doing things.
| Isthatablackgsd wrote:
| I'm assuming you don't use a package manager like Homebrew
| or MacPorts? This is where Gatekeeper will annoy the hell
| out of me. Apps installed via Homebrew often will encounter
| Gatekeeper alerts. Half of them will give the option to open
| it and the other half, Gatekeeper --demands-- gently asks
| me to put it in the Trash without the option to open it.
| mlindner wrote:
| A simple right click on the app and selecting the open
| dialogue and it works fine.
| breakfastduck wrote:
| You need to disable gatekeeper like shown in another of the
| comments. It'll permanently create a new option in your
| settings to allow installations from "anywhere" too.
| Wowfunhappy wrote:
| Nitpick, I don't actually think the option in System
| Preferences is permanent? Is it still there if you change
| it back and restart System Preferences?
| breakfastduck wrote:
| Not sure, I leave it on permanently on 'anywhere'. It
| still gives a prompt to confirm execution but it becomes
| a click through rather than anything actually trying to
| stop you doing stuff.
| na85 wrote:
| Homebrew apps only ask for permissions when they get
| updated because gatekeeper treats it like a fresh install,
| I guess.
| herrkanin wrote:
| I'm using homebrew all day long, and I don't remember ever
| having this issue.
| xrisk wrote:
| Homebrew cask.
| ezfe wrote:
| I use Homebrew Cask and don't run into any unusual
| problems with Gatekeeper. The flow is always the same as
| if I manually downloaded it (meaning I sometimes get a
| prompt on first run, but that's expected).
| kstrauser wrote:
| I use Homebrew daily. In System Preferences, I have
| Security & Privacy > General > Allow apps downloaded from:
| App Store and identified developers, and I don't remember
| the last time I got a Gatekeeper alert.
| Isthatablackgsd wrote:
| I have had that option enabled since the first boot of my
| Macbook Air M1 and the gatekeeper alert is still showing. And
| I am sure we are not using the same apps that ran into
| those alerts. I have had Vivaldi, Alfred, AppCleaner,
| EasyFind, iTerm2, KeepassXC, MacPass, Keka, MediaInfo,
| NoMachine, Numi, OBS, odrive, Signal, Slack, TexStudio
| and VLC run into those alerts.
|
| I am genuinely curious why people are singing that "I
| don't have such problems on my computer!" slogan
| repeatedly? Some of us have that problem and just because
| we have the same OS and possibly the same hardware doesn't
| mean it is impossible. I wish people would change that
| particular mindset and be aware that those problems do
| exist.
| kstrauser wrote:
| You're hugely misreading my intentions. I'm an engineer:
| I see something unexpected, I want to figure out what's
| happening. You and I are both using the same software and
| you're seeing problems that I didn't even know affected
| some people. I'm not saying "this works for me so I don't
| know what you're complaining about". I'm saying "huh,
| this works for me. I wonder what's different between our
| systems? Is this something that's going to spontaneously
| start affecting me if I click the wrong toggle
| somewhere?"
|
| Obviously the problem is possible. It's happening to you.
| I'd like to find out why so that I can troubleshoot and
| fix the problem if it starts happening to me or my
| friends or coworkers. And really, I'd like to help you
| fix it, too, if I could figure out what's causing it.
| Isthatablackgsd wrote:
| Apologies for misreading you, I'm just frustrated and have
| accepted the fact that it is by design.
|
| I've been reading other comments and, as someone (xrisk)
| pointed out, it is Homebrew Casks, which made sense
| since all of the gatekeeper alerts are coming from 'Cask-
| ed' apps. I could disable Gatekeeper but I'd rather not
| because MacOS is not my daily driver. I'd rather keep
| Gatekeeper active to protect itself from moronic me.
| setr wrote:
| Probably the simplest thing then would be to alias brew
| install to something like `spctl --master-disable; brew
| install $1; spctl --master-enable`
| Wowfunhappy wrote:
| `spctl --master-disable` requires root permissions
| (sudo).
|
| You could edit sudoers so the command doesn't require a
| password. But really, at that point I'd just leave
| Gatekeeper off.
| btilly wrote:
| Given how ubiquitous your problem is, I would be
| suspicious that security alerts are going off because you
| have a real security problem. I've seen similar problems
| when a piece of malware keeps trying to inject itself
| into various things, and Gatekeeper is catching it. The
| variety of places where you're getting alerts is a
| testament to the persistence of the malware, and not the
| fact that everything is actually broken.
| kstrauser wrote:
| That's OK. If I were in your boat, I'd probably be pretty
| frustrated.
|
| Does the method of right-clicking on an app, then "Open",
| in Finder work to tell Gatekeeper to quit complaining?
| nomel wrote:
| The latest time I had a Homebrew package fail to install,
| due to security restrictions that work just fine for the
| other thousands of packages there, it was the package
| trying to do something it shouldn't have, and was
| promptly fixed. You may have run into a similar scenario.
| setr wrote:
| Because if they can't reproduce, then much more likely
| than not, the problem is not inherent to the platform. In
| this case, there's probably a deviation in config
| settings.
|
| Additionally if they can't reproduce, they can't offer
| any advice or help.
|
| It's highly unlikely that MacOS behaves specially for
| your existence.
| xrisk wrote:
| He's talking about Homebrew Cask.
| fryktelig wrote:
| I've been having issues with non-cask Homebrew packages
| getting blocked by some Gatekeeper/SIP related watchdog
| on my new M1 system. Stuff would just get insta-killed at
| load. Anyway, it seems to have been sorted now, and
| through identifying which packages were having the issue
| in Console and reinstalling them, I've resolved the
| issues.
| Someone wrote:
| Slightly educated guess: did you install the x64 emulator
| between when you had the problems and when they went
| away?
|
| I can see brew trying to run x64 code while the emulator
| isn't there blocking code from running in weird ways.
|
| Alternatively, it might be that package updates fixed the
| packages that behaved incorrectly. Again, just a slightly
| educated guess.
| fryktelig wrote:
| I had Rosetta well before I ran into these issues, I
| think Homebrew still required it when I got the computer.
|
| Before I figured out the way to identify the offending
| dependencies I sorted the issue through signing the
| executable with codesign, in a way that required me to
| disable part of SIP. So the code was working, it was just
| not being allowed to run.
| oivey wrote:
| Even more specifically, the only time I've run into
| Gatekeeper is with apps that install into /Applications
| and have a GUI. I've never had this issue with stuff I
| only access via CLI.
| xrisk wrote:
| You have to Ctrl+right click the app, then click Open.
| mschuster91 wrote:
| Macports doesn't give you any headaches, it follows Unix
| principles.
|
| Homebrew is a keg of worms, if you excuse the bad pun.
| Sadly (because it seems to be easier to get started?) many
| developers prefer it over Macports...
| Isthatablackgsd wrote:
| As an end-user, I prefer Homebrew over MacPorts because
| Homebrew is simpler to get installed and use in the
| terminal. MacPorts, on the other hand, takes some tinkering to
| get it working. It has problems detecting the installed Xcode
| because it was looking for a specific outdated version
| (this happened last month when I decided to give MacPorts
| a try and I uninstalled Homebrew before trying it out
| since both of them cannot co-exist together.)
|
| It is likely that it is not that the devs prefer it over
| MacPorts, it is likely that end-users prefer it and the
| devs are following what the end-users desire. Homebrew
| has a larger catalog of software and libraries than
| MacPorts.
| saagarjha wrote:
| This is because Homebrew Cask explicitly adds the
| quarantine attribute to things it downloads. Perhaps there
| is some easy way to disable it or patch out this
| functionality?
| xrisk wrote:
| Ctrl+right click to get the option to open it.
| crazygringo wrote:
| That's... unusual.
|
| I use Homebrew constantly and have never seen such a thing
| in my life, in any version of macOS/OSX over the past
| several years. Not in building from source, not in casks.
|
| Like another commenter the only security change I have is
| "Allow apps downloaded from" set to "App store and
| identified developers" -- which I'd assume virtually every
| Mac user on HN has also set.
|
| Perhaps you have some kind of unusual configuration? Or
| there's some very specific subcategory of Homebrew packages
| that encounter this problem?
| fiddlerwoaroof wrote:
| Apple has been moving toward a capability-based security model
| for a while now, I think: it's a bit annoying because their
| implementation also acts like DRM, but I think the model itself
| is a better security model than standard POSIX file permissions
| and ACLs
| Wowfunhappy wrote:
| Then turn it off. Open the Terminal and run:
| `sudo spctl --master-disable`
|
| That's it, it will never bother you again, unless you turn it
| back on or reinstall the OS from scratch. If macOS is still too
| limiting, you can also turn off System Integrity Protection, at
| which point you can do just about whatever the heck you want.
|
| I personally kept both Gatekeeper and SIP turned off, back when
| I used modern macOS. But if they _are_ turned on, they ought to
| work.
| joshspankit wrote:
| Does turning those off still leave the logs redacted?
|
| Or do you _also_ have to install the profile after you tell
| it to get out of your way?
| azinman2 wrote:
| That has nothing to do with log redaction. That's to
| prevent private data escaping apps and either being sent to
| Apple or readable by others. You want that on.
| Wowfunhappy wrote:
| I don't use Big Sur but I don't think it has any effect on
| logs. Without SIP, you could patch the kernel or something
| and change whatever you want, but that would of course be
| nuts.
|
| I share your curiosity. If your computer isn't already
| managed, installing an MDM profile in order to view logs is
| ridiculous. I don't even think there's a way to do it
| without paying money.
| [deleted]
| jcelerier wrote:
| No, this still keeps some gatekeeper checks, popups when
| downloading files, weird arguments being passed to apps on
| first launch, etc. Even if doing it in the root recovery
| mode.
| unicornporn wrote:
| What would I need to get it down to a Mojave level of
| inconvenience?
| Wowfunhappy wrote:
| _That_ I can't answer. The most recent version of macOS
| I've used for any length of time was High Sierra, because
| even Mojave broke something essential for me--Apple Events
| need to be authorized once for every combination of (1) the
| app being controlled and (2) the app sending the event.
| Combined with the fact that my authorizations were often
| reset when I edited a script, this made most of my
| Applescripts effectively useless.
|
| But it's a very different problem from Gatekeeper. And from
| iOS, where the user legitimately has no control. If SIP is
| turned off, you _could_ write an app that strips out every
| macOS behavior you dislike, because without SIP apps can
| patch whatever they want.
___________________________________________________________________
(page generated 2021-04-26 23:00 UTC)