
Service Station

Shell Scripts (bash) might not run out of the box due to Quarantine flag or missing +x bit #43

Open luckman212 opened 4 years ago

luckman212 commented 4 years ago

I decided to play around with a Bash script for Service Station today. So naturally I had a go with the Sample script. I copied it (dragged while holding the ⌥opt key) from: ~/Library/Group Containers/4G65N8LGGS.ServiceStationAppGroup/Library/Caches/Resources/Scripts/ to: ~/Library/Application Scripts/com.knurling.ServiceStation.Attendant/

When I tried to invoke the script, nothing happened. I checked Console.app for errors, and saw this:

18:13:50.197097-0400  kernel    exec of /Users/luke/Library/Application Scripts/
com.knurling.ServiceStation.Attendant/ShellScript.sh denied since it was quarantined
by Service Station and created without user consent, qtn-flags was 0x00000086

So I checked and lo and behold:

$ ls -l@ ShellScript.sh
-rwxr-xr-x@ 1 luke  staff  737 May 12 04:29 ShellScript.sh
  com.apple.quarantine   30

Once I removed the quarantine flag via

$ xattr -d com.apple.quarantine ShellScript.sh

everything was ok. But, I guess this could be a gotcha and confuse users who aren't expecting it or don't see any error message(s). Is there a way for ServiceStation to check for this "problem" and even better, auto-correct it?

luckman212 commented 4 years ago

Another scripting pitfall that just nailed me. Scripts will just silently fail if the executable bit isn't set. I was scratching my head for close to an hour wondering why my script wasn't working until it occurred to me that maybe I'd overlooked this.

It'd be nice if SS somehow checked for this when adding a script and auto-chmod u+x'd it.
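The two pitfalls described in the comments above (the com.apple.quarantine extended attribute, which makes the kernel deny exec, and a missing executable bit, which makes the script fail silently) can be checked for, and corrected, from the command line before the script is dropped into the Attendant folder. The following script is an added example and is not part of Service Station or of the original comments; the file name ss_check_script.sh and the function names are assumptions. It relies only on the same xattr -d and chmod commands mentioned in the thread, plus xattr -p to read the attribute, and on a host without xattr(1) (i.e. not macOS) it treats the file as unquarantined.

```shell
#!/bin/bash
# ss_check_script.sh (hypothetical name, added example): check whether a shell
# script would hit either pitfall reported in this issue before handing it to
# Service Station, and optionally fix both.
#   1. com.apple.quarantine xattr present  -> kernel denies exec
#   2. executable bit missing              -> script fails silently
# Usage: ss_check_script.sh [--fix] path/to/script.sh

# Returns 0 when the file carries the com.apple.quarantine attribute.
# Without xattr(1) (non-macOS host) the attribute cannot be set, so return 1.
has_quarantine() {
  command -v xattr >/dev/null 2>&1 || return 1
  xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Returns 0 when the file is executable by the current user.
is_executable() {
  [ -x "$1" ]
}

# Prints one line per problem found and returns the number of problems
# (0 means the script should run as-is).
check_script() {
  local f="$1" problems=0
  if [ ! -f "$f" ]; then
    echo "$f: not a regular file"
    return 1
  fi
  if has_quarantine "$f"; then
    echo "$f: has com.apple.quarantine ($(xattr -p com.apple.quarantine "$f")); exec would be denied"
    problems=$((problems + 1))
  fi
  if ! is_executable "$f"; then
    echo "$f: executable bit not set; Service Station would fail silently"
    problems=$((problems + 1))
  fi
  return $problems
}

# Applies the two fixes from the thread (xattr -d, chmod u+x) and re-checks.
fix_script() {
  local f="$1"
  if has_quarantine "$f"; then
    xattr -d com.apple.quarantine "$f"
  fi
  if ! is_executable "$f"; then
    chmod u+x "$f"
  fi
  check_script "$f"
}

# Command-line entry point; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
  if [ "$1" = "--fix" ]; then
    shift
    fix_script "$1"
  else
    check_script "$1"
  fi
fi
```

Run it as ss_check_script.sh ~/Library/Application\ Scripts/com.knurling.ServiceStation.Attendant/ShellScript.sh to see which of the two conditions applies, or with --fix to clear both; the exit status is the number of problems remaining, so it can also be used from another script.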

pkamb commented 4 years ago

Discussion of this issue here, I believe:

https://mjtsai.com/blog/2019/04/16/sandboxing-makes-quarantine-flags-almost-meaningless/

This seems to be mainly/only a problem in Catalina. I have not seen this myself - will test in 10.15. Thanks for reporting.

pkamb commented 4 years ago

Just talked to some Apple engineers in a WWDC 2020 remote lab.

I wasn't calling for this bug, but mentioned it when the conversation went that way. They suggested:

Service Station's NSOpenPanel is opening the .sh script in a way that it is being flagged. Make sure system never believes you are opening a script file in a way that could write to it.

Use the system fs_usage tool to point at application. Logs filesystem calls that are coming from Service Station process - might show opening or write or when the quarantine bit is set.

Will look into this more soon.

luckman212 commented 4 years ago

Oh, nice! WWDC sure dropped a lot of "bombs" this year. I hope the continued dumbing-down of macOS doesn't mean Extensions like Service Station are headed for deprecation.

weavermedia commented 4 years ago

Had this in 10.14.6 and removing the quarantine flag fixed it. It would be great if this could be added in an update.