What concerns me however, is this evening, when I told her the problem I was working with, she immediately showed me this great work around she learned from her Minecraft buddies: xattr -d com.apple.quarantine and then she drags the file she wants to blow away the quarantine on to the terminal window...
How can xattr possibly NOT be under super user restrictions? I mean, if I go into File Info on any file on my system, I have to enter my admin password to make changes to the file access.
[I'm going to skip some of the details. In reality, the Unix permissions and Access Control Lists (ACLs) allow for finer-grained controls than what I'm about to describe and can be configured to require more or less prompting to make various changes. For example, your daughter could be in a user group that has write permission for an application that she doesn't directly own.]
You don't normally have to enter your admin password to change file access if you own the file. The owner of a file can alter its access and other permission flags. The owner of a file can lock and unlock it, and decide what other users and groups are allowed to read or write it, without any prompting.
If you are prompted to change the permissions on a file in Finder, that usually means you don't own the file. Unix permissions just limit what one user can do to another user's files, they don't limit what a user can do with files they own.
When your daughter downloads a file she is the file's owner and can alter its permissions and extended attributes as she wishes.
If you download an application, only you can alter its Quarantine attribute or approve it for opening. Unless your daughter is an admin user or in a group that has write access to the application, she won't be able to use that software or remove the Quarantine attribute.
Parental Controls can be used to prevent your daughter from using specific applications like Safari or Terminal, and can prevent her from using downloaded software, even if she downloaded it. That's your best mechanism for limiting what she can do.
The Quarantine extended attribute isn't a mechanism for directly granting or denying privileges. Similar to the "locked" flag, it's merely advisory information used to ensure the user who owns the file doesn't accidentally shoot themselves in the foot by opening downloaded software without being asked first. Like the read/write/execute permissions, it can be used to limit what other users can do with the file, but none of these flags and attributes limit the file's owner from changing them. When you try to open a Quarantined application, Finder will warn you. If you own the file (or otherwise have write permission) and you confirm that you want to open the application, it sets a flag in the Quarantine info to indicate that it has been user-approved and it will never warn you again. (Since the attribute is still on the file, you can use Finder's inspector to view the origin of the file even after approving it.)
If the user who owns the file opens Terminal and strips the Quarantine extended attribute with the "xattr" command, they're explicitly indicating that they trust the downloaded file just as if they had used the graphical user interface to open it after having been warned.
I don't recall you mentioning Gatekeeper, but, although Gatekeeper uses the Quarantine info to decide whether an application was downloaded, again the owner of the file can still modify or remove the Quarantine attribute as they wish. Parental Controls is the means to prevent a managed user from opening downloaded software (or from downloading it in the first place)—which it can do even if you had downloaded and approved it for use generally.
--
Chris Page
The other, other AppleScript Chris
Terminal lead engineer
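A small audit helper that follows from the reply above: it reports, for each file in a folder, who owns it (the user who can strip the attribute) and what the com.apple.quarantine value records. This is an added example, not code from the thread or from Apple; it assumes the macOS `xattr` command is on PATH and that the attribute value is a ';'-separated string of the form `<flags hex>;<download time, hex epoch seconds>;<agent>;<uuid>`, with later fields optional. Flag bits are shown raw and not decoded.

```python
import os
import pwd
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

ATTR = "com.apple.quarantine"  # attribute name as used in the thread


@dataclass
class QuarantineInfo:
    flags: int                       # raw flag bits, meaning not decoded here
    downloaded_at: Optional[datetime]
    agent: str                       # app that wrote the attribute, e.g. a browser
    uuid: str


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split a raw attribute value into fields (assumed layout, see lead-in)."""
    parts = value.strip().split(";")
    flags = int(parts[0], 16) if parts and parts[0] else 0
    when = None
    if len(parts) > 1 and parts[1]:
        when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, when, agent, uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return parsed info for PATH, or None when the attribute is absent."""
    proc = subprocess.run(["xattr", "-p", ATTR, path], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


def audit(directory: str) -> List[Tuple[str, str, Optional[QuarantineInfo]]]:
    """(name, owner, quarantine info) for every entry in DIRECTORY."""
    rows = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        owner = pwd.getpwuid(os.lstat(path).st_uid).pw_name
        rows.append((name, owner, read_quarantine(path)))
    return rows


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for name, owner, info in audit(target):
        state = "no quarantine attribute" if info is None else (
            f"flags=0x{info.flags:04x} agent={info.agent!r} downloaded={info.downloaded_at}")
        print(f"{name}: owner={owner}; {state}")
```

Entries without the attribute are either not downloads or have had it removed; the owner column tells you which account could have done that without any prompt.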