Closed ActualAl closed 8 months ago
What does ls -al /private/tmp/homebrew-unpack20240308-68173-uau877/ngrok say?
Hi @SMillerDev thanks for your reply. There is no such file or directory so I'm wondering if the issue is that the file can't be written.
I think this issue is actually caused by a corporate anti virus quarantining the ngrok exe.
Apologies for taking up your time 😞
Just had the exact same problem, been searching for a solution for hours until I found this. Thank you for pointing me in the right direction @ActualAl !
OMG, mentioning that this was a problem caused by antivirus was exactly what I needed, thank you! (It was Avira for me)
I've also faced this problem. Avast put it into quarantine due to the presence of malware. Now I'm afraid to install it)
Thanks for the information.
I couldn't find a good way to add ngrok to the antivirus software exception list, so I uninstalled ngrok from brew, then installed it manually (download the zip and unzip it into /usr/local/bin).
=> Well, even if the installation succeeded, executing the ngrok command still causes antivirus software detection, so adding it to the exception list is still necessary...
Yeah, it was ridiculous for me to get this working.
The only way I was able to get it whitelisted from my antivirus software (Avira) was updating the antivirus real-time protection to "let me decide each time" instead of immediately "quarantine threat"; then ran Ngrok again, excluded it, and verified Ngrok was now on the exclusion list. (but... I think I also had to temporarily disable Avira in order for Ngrok to be able to get installed since the install process creates a randomly named temp file that you can't approve in time for install to finish (if you see the prompt and approve it, the install has already failed; and if you try installing it again, same issue with the new randomly named temp file)... but once I got it installed I then re-enabled Avira and changed the real-time protection setting).
Same issue here, but this time Microsoft Defender, I had to add ngrok as Exclusion
@nachogon1 , how did you add ngrok as an Exclusion in Defender? I added an exclusion for Ngrok in Endpoint Security Policies, but it's still not allowing it to be installed. Seeing how you fixed yours up. We use the admin portal too btw, so if it's a fix on the device itself it won't work as users can't make these adjustments on their devices.
Is there something specific in the changes for 3.9.0 that triggered this?
With other recent supply chain attacks, I want to make sure that this is a legitimate false positive and not the antivirus catching an actual problem.
@CyrusDavis I was able to reproduce it again after uninstalling it and removing the exception. Just in case, try first brew cleanup ngrok/ngrok/ngrok. Add the exception as a process:
try to install it again brew install ngrok/ngrok/ngrok
@truthdoug I don't know. In my case it was the antivirus
I've submitted a support request to ngrok:
I installed ngrok using homebrew, per the instructions on the getting started guide.
With the upgrade from 3.8.0 to 3.9.0, my antivirus caught something that it didn't like. There are others who have reported the same problem – see this discussion https://github.com/Homebrew/homebrew-cask/issues/168593
Can you advise if there's something in this release which might've triggered this antivirus response? Can you verify that the hash associated with the homebrew formula is accurate?
I will respond when I hear anything back.
Good to see we're not the only one with the issue. Weird thing is that it's only happening to one of our users. Maybe the others haven't updated Ngrok yet and we'll run into it more when the updates hit. I'll give the above steps a go next time it pops up. I was able to get it working with an exception. Thanks again for helping with this.
-- Cyrus Davis, Security & IT Analyst, AstrumU®
A response from ngrok:
ngrok is beloved for our ease of use and powerful capability. Unfortunately, those same attributes also make us an attractive target for bad actors trying to phish credentials or create back doors into private networks. We proactively monitor and ban any accounts we identify that are involved with these attacks, and also work with 3rd parties that report malware and abuse via abuse@ngrok.com and our abuse APIs (https://ngrok.com/docs/api/resources/abuse-reports/). Because ngrok is sometimes used by bad actors for attacks, we are occasionally flagged by some antivirus companies as malware or a potentially unwanted application (PAU). We actively monitor and reach out to these companies and attempt to obtain the correct classification in their system and be added to the allow lists. If you receive a notice from your antivirus software when installing ngrok software, be sure to verify the following:
- Our official binaries can be downloaded from our ngrok Downloads page (https://ngrok.com/download), and the binaries themselves are hosted at bin.equinox.io. If you installed ngrok from another source, you should be careful.
- There are no open source versions of our ngrok Agent and the source code is not available. If you have downloaded anything claiming to be ngrok agent source code or built our agent from source, it is most likely malicious.
- All of our binaries are signed using ngrok certificates. You can verify the integrity of the application by checking that the binary is signed by an ngrok LLC authority. See these instructions from Microsoft (https://support.microsoft.com/en-us/office/view-digital-signature-and-certificate-details-76ba00cb-1e58-42aa-8717-0caee76bb3cf) for verifying the digital signatures in Windows binaries.
We can confirm the homebrew download is safe and it should be whitelisted and reported to your antivirus as a false positive.
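The two checks raised in this thread (does the download match the hash in the Homebrew formula, and is the binary signed by ngrok LLC) can be scripted before anything is allow-listed. This is an added example, not part of the thread or of ngrok's or Homebrew's tooling; the function names are illustrative, the sample `codesign` output is constructed with a placeholder team ID, and the "Developer ID Application: ngrok LLC (...)" certificate name is an assumption to confirm against a copy fetched from the official download page.

```sh
#!/bin/sh
# Added example: checks to run before allow-listing a flagged ngrok download.
# EXPECTED_SHA256 is the value pinned in the Homebrew formula you installed from.

# Constructed sample of `codesign -dvv` output (team ID is a placeholder).
SAMPLE_OUTPUT='Executable=/usr/local/bin/ngrok
Identifier=ngrok
Authority=Developer ID Application: ngrok LLC (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Print the lowercase SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" 2>/dev/null | awk '{print $1}'
  else
    shasum -a 256 "$1" 2>/dev/null | awk '{print $1}'
  fi
}

# Succeed only if ARCHIVE hashes to EXPECTED_SHA256 (case-insensitive hex).
hash_matches() {
  [ -n "$2" ] && [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Read codesign output on stdin and print the first Authority= entry, which is
# the leaf (signing) certificate. Prints nothing for unsigned or ad hoc binaries.
leaf_authority() {
  sed -n 's/^Authority=//p' | head -n 1
}

# Succeed only if the leaf certificate is a Developer ID Application
# certificate issued to exactly SIGNER (assumed naming, see lead-in).
signer_is() {
  case "$(leaf_authority)" in
    "Developer ID Application: $1 ("*")") return 0 ;;
    *) return 1 ;;
  esac
}

# macOS only. Usage: check_download ARCHIVE EXPECTED_SHA256 BINARY SIGNER
check_download() {
  hash_matches "$1" "$2" || { echo "FAIL: archive hash differs from formula"; return 1; }
  codesign --verify --strict "$3" 2>/dev/null || { echo "FAIL: signature invalid"; return 1; }
  codesign -dvv "$3" 2>&1 | signer_is "$4" || { echo "FAIL: unexpected signer"; return 1; }
  echo "OK: hash and signer match"
}
```

A hash match only shows the file is the one the formula pins; the signer check is what ties the binary to the publisher, so a mismatch on either is a reason to leave the file quarantined.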
Thank you for this detailed information. I appreciate the follow through.
Verification
--force
brew update-reset && brew update and retried my command.
brew doctor, fixed as many issues as possible and retried my command.
Description of issue
I'm getting an error installing ngrok on my silicon M2 mac book pro.
The error I'm getting is
Error: Operation not permitted @ rb_sysopen - /private/tmp/homebrew-unpack20240308-72463-jgoaoj/ngrok
The file permissions on /private/tmp are drwxrwxrwt which looking at my other mac seem correct.
Command that failed
brew install --force ngrok/ngrok/ngrok
Output of command with --verbose --debug
Output of brew doctor and brew config
brew config