MacOS – What causes OS X to mark a folder as Quarantined

Tags: macos, webserver, wordpress

I had a folder under ~/Sites, let's call it Foo, from which I was sharing a WordPress site-in-development via Apache. This was working fine, I'd mapped foo.local to 127.0.0.1 in my hosts file and was accessing the site from there on my laptop.

Then, I tried to access the site from my iPhone. I was able to see the root index of ~/Sites from the phone by surfing to my-computers-hostname.local, but couldn't access the WordPress site, as it had been set up to believe its address was foo.local, and therefore had hardcoded references to that URL in its database. When I attempted to change its URL setting to my-computers-hostname.local, something very strange happened: I received an authorization error when attempting to save the change. From that point forward, the entire folder containing the WordPress site disappeared from the index page at foo.local / my-computers-hostname.local, and any attempts to access it by URL were met with a 403 – Authorization Refused error from the webserver.

Listing the folder in question in the Terminal showed me that the com.apple.quarantine extended attribute had been applied to it and to all files contained within. What would cause the operating system to quarantine the folder? Was it the attempted access from another machine, or something to do with WordPress's configuration?

Best Answer

The com.apple.quarantine extended attributes probably have nothing to do with the issues you are having with Apache. They are part of the file quarantine feature that was added in 10.5:

File Quarantine is a new feature in Leopard designed to protect users from trojan horse attacks. It allows applications which download file content from the Internet to place files in “quarantine” to indicate that the file could be from an untrustworthy source. An application quarantines a file simply by assigning values to one or more quarantine properties which preserve information about when and where the file came from.

When the Launch Services API is used to open a quarantined file and the file appears to be an application, script, or other executable file type, Launch Services will display an alert to confirm the user understands the file is some kind of application.

The com.apple.quarantine extended attributes can be added when:

  • You download a file with a quarantine-aware application, like Safari, Chrome, or Transmission. For a few applications like Firefox, quarantine is forced to be enabled in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist.
  • You extract an archive with an application like Archive Utility or OS X's tar or zip.
  • You create a file with an application that has LSFileQuarantineEnabled set to true in the Info.plist.

The extended attributes have fields for quarantine status, a timestamp, the agent that originated the quarantine event, and sometimes a UUID:

$ xattr -p com.apple.quarantine Worksheet_v10.4.pdf
0042;51ea420b;Safari.app;5E2F48EA-1356-4D57-BFEA-571EE8ADC08C
$ date -r 0x51ea420b
Sat Jul 20 10:53:47 EEST 2013
$ sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 .dump|grep 5E2F48EA-1356-4D57-BFEA-571EE8ADC08C
INSERT INTO "LSQuarantineEvent" VALUES('5E2F48EA-1356-4D57-BFEA-571EE8ADC08C',395999627.472166,'com.apple.Safari','Safari','http://images.apple.com/server/docs/Worksheet_v10.4.pdf',NULL,NULL,0,NULL,'http://images.apple.com/',NULL);

The first field is a hexadecimal bitfield, where for example the seventh bit (2^6 or 0x40) usually gets set after you open a file for the first time.

You can delete the extended attributes with xattr -dr com.apple.quarantine ~/Sites, but it probably won't have any effect on Apache. It will, however, disable the "is a file downloaded from the Internet" dialogs.
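
The field layout and database lookup described in the answer above, as an added Python example that is not part of the original answer: it parses the attribute value, treats the UUID as optional, and matches the attribute against an LSQuarantineEvent row by converting the database timestamp from seconds since 2001-01-01 UTC to Unix time. The names parse_quarantine, event_time, same_event and FLAG_OPENED are made up for this illustration; the sample values are the ones shown in the answer's terminal session.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Seconds between the Unix epoch (1970) and the Mac absolute-time epoch (2001-01-01 UTC).
COCOA_EPOCH_OFFSET = 978307200
# Bit the answer describes as usually set once the file has been opened (constant name is ours).
FLAG_OPENED = 0x40

class Quarantine(NamedTuple):
    flags: int
    timestamp: Optional[datetime]
    agent: str
    event_uuid: Optional[str]

    @property
    def opened(self) -> bool:
        return bool(self.flags & FLAG_OPENED)

def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;hex_time;agent;uuid' as printed by xattr -p com.apple.quarantine."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"expected at least 3 ';'-separated fields, got {len(parts)}")
    flags = int(parts[0], 16)
    ts = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc) if parts[1] else None
    # The UUID field is only sometimes present, so it may be missing or empty.
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, ts, parts[2], uuid)

def event_time(cocoa_seconds: float) -> datetime:
    """Convert an LSQuarantineEvent timestamp (seconds since 2001-01-01 UTC) to UTC."""
    return datetime.fromtimestamp(cocoa_seconds + COCOA_EPOCH_OFFSET, tz=timezone.utc)

def same_event(q: Quarantine, db_uuid: str, db_cocoa_seconds: float) -> bool:
    """True when a database row matches the attribute by UUID and to-the-second time."""
    if q.event_uuid is None or q.timestamp is None:
        return False
    db_ts = event_time(db_cocoa_seconds).replace(microsecond=0)
    return q.event_uuid.upper() == db_uuid.upper() and q.timestamp == db_ts

if __name__ == "__main__":
    # Values copied from the terminal session in the answer above.
    q = parse_quarantine("0042;51ea420b;Safari.app;5E2F48EA-1356-4D57-BFEA-571EE8ADC08C")
    print(q.timestamp.isoformat(), "opened" if q.opened else "not opened", q.agent)
    print(same_event(q, "5E2F48EA-1356-4D57-BFEA-571EE8ADC08C", 395999627.472166))
```

The attribute timestamp is printed in UTC, so it reads three hours earlier than the EEST time shown by date -r in the answer.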