Explaining Leopard's Quarantine issues for Windows

[frizbot]

I need to post this somewhere on the internet so that I'll be able to find it again, and other people will be able to find it.

 

10.5 institutes a new feature called File Quarantine. It sets a HFS+ attribute to files that were "downloaded from the internet", effectively locking them from certain file operations until cleared in the GUI. When double-clicked, these files will give some warning about executing them. Fine.

 

When files are transferred to an OS X Samba share from Windows 2008 (and probably Windows 2003 (Win2008 & Win2003) and probably any other system), the Quarantine attribute is set. You can see this by in a terminal entering "ls -all" in the folder, and noting the "@" at symbol in the permissions for the new files. These files are "Quarantined". Fine.

 

When trying to copy these files from the share to another machine, Windows 2003 will give the error "Cannot copy <filename>: Cannot read from source file or disk". Windows 2008 will give the error "Invalid File Handle". The file is not corrupted in any way despite these errors being associated with disk corruption and corrupted data (specifically a WHS drive corruption issue). The file is simply "Quarantined", which Samba is respecting (or is affected by), and Windows is simply freaking out. This is not a Windows issue despite looking like one, and the Apple Quarantine feature explains a few Windows people freaking out lately.

 

I've been searching, but there appears to be no way to disable Apple File Quarantine directly. One option is to set more "safe" file extensions or MIME types, another is to run an apple/shell script that unsets the quarantine attributes recursively over every drive. The apple UNIX application in question is xattr, which has no man page. The command would be "xattr -d com.apple.quarantine thefilenamehere", but here that gives the error "No such xattr: com.apple.quarantine", and there appears to be no fix for this.

 

If this post in the wrong place, please move it instead of deleting it, since I want people searching for the information to be able to find it. I'd also like to thank Apple for emulating Microsoft's quagmire of various and unhelpful security "features".

[frizbot]

I've made some progress on this.

 

It turns out that this isn't Apple's quarantine. Quarantine might have similar issues, but this is a Windows issue that 10.5 is supporting erroneously.

 

Using xattr -l [filename], you'll get this data-

:ZONE.IDENTIFIER:$DATA: [ZoneTransfer]

ZoneId=3

 

The attribute (@) in ls -all is showing this attribute, not Quarantine, though Quarantine would also show the file has an attribute. ZoneId is a Windows feature that tells what "zone" or security level a file is. Zone 3 is Microsoft's untrusted online download zone, which is why it can add attributes to any file type. The quirky bit is that this stupidness is being supported in OS X.

 

Windows uses NTFS streams to store this data. Samba on OS X advanced enough to support these alternate data streams as file attributes. The problem is that Windows will write a file on a network share with this stream, which turns into an attribute, but it can't read it back fully. It will read the file, but it can't copy it back. Under Windows, you can clear this attribute by getting properties and clicking "unlock".

 

To get Samba to stop working in this half broken way, in the /etc/smb.conf , change "vfs objects = darwinacl, darwin_streams" to "vfs objects = darwinacl", and change each "yes" in "stream support = yes" and "ea support = yes" to "no". That prevents writing the attribute, and disables all alternative stream saving (which might cause problems, but likely is just more secure anyway). This should work, unless it ignores the configuration.

 

The files that still have the attribute are harder to clear. There's a program pack called ACP that purports to do it by searching out all Xattr attributes on OS X, but it is neither opensource nor free. There's also Windows programs that can clear Alternative Data Streams, like Sysinternals' Streams, or other annoying {censored} (like ADSSpy (integrated into Hijack This), which only works on NTFS local drives). The best I've found is ZoneIDTrimmer, which is freeware but annoying as a contextual menu explorer addon, at http://www.gasanov.net/ZoneIDTrimmer.asp . I ran that and found a thousand ZoneID settings on my network share. That tool won't remove all attributes, but it should fix the problem on any given file.

 

This somewhat solves the issue. Changing Samba's configuration stops the files from being written in an unsupported way. ZoneIDTrimmer removes the offending attribute.