
Shell Scripts (bash) might not run out of the box due to Quarantine flag or missing +x bit

Open luckman212 opened this issue 5 years ago • 5 comments

I decided to play around with a Bash script for Service Station today. So naturally I had a go with the Sample script. I copied it (dragged while holding the ⌥opt key) from: ~/Library/Group Containers/4G65N8LGGS.ServiceStationAppGroup/Library/Caches/Resources/Scripts/ to: ~/Library/Application Scripts/com.knurling.ServiceStation.Attendant/

When I tried to invoke the script, nothing happened. I checked Console.app for errors, and saw this:

18:13:50.197097-0400  kernel    exec of /Users/luke/Library/Application Scripts/
com.knurling.ServiceStation.Attendant/ShellScript.sh denied since it was quarantined
by Service Station and created without user consent, qtn-flags was 0x00000086

So I checked and lo and behold:

$ ls -l@ ShellScript.sh
-rwxr-xr-x@ 1 luke  staff  737 May 12 04:29 ShellScript.sh
  com.apple.quarantine   30

Once I removed the quarantine flag via

$ xattr -d com.apple.quarantine ShellScript.sh

everything was ok. But, I guess this could be a gotcha and confuse users who aren't expecting it or don't see any error message(s). Is there a way for ServiceStation to check for this "problem" and even better, auto-correct it?

luckman212 avatar Jun 13 '20 23:06 luckman212

Another scripting pitfall that just nailed me. Scripts will just silently fail if the executable bit isn't set. I was scratching my head for close to an hour wondering why my script wasn't working until it occurred to me that maybe I'd overlooked this.

It'd be nice if SS somehow checked for this when adding a script and auto-chmod u+x'd it.

luckman212 avatar Jun 14 '20 00:06 luckman212
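
Both conditions reported in the two comments above (the com.apple.quarantine attribute and a missing execute bit) can be checked from a shell. This is an added example, not part of the thread and not Service Station's code; the function names and the overridable XATTR variable are assumptions of the example, and it only reports, changing nothing.

```shell
#!/bin/sh
# Added example: report-only check for the two silent failure causes in this thread.
# XATTR is overridable (an assumption of this example) so the check can be
# exercised off macOS; if the tool is absent, files read as not quarantined.
XATTR="${XATTR:-xattr}"

# True if the file carries the com.apple.quarantine extended attribute.
# `xattr -p NAME FILE` exits non-zero when the attribute is absent.
is_quarantined() {
    "$XATTR" -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Print "ok", "missing", or a comma-separated list of problems for one script.
# Returns 0 only when neither problem is present.
check_script() {
    cs_file=$1
    cs_problems=""
    if [ ! -f "$cs_file" ]; then
        echo "missing"
        return 2
    fi
    if is_quarantined "$cs_file"; then
        cs_problems="quarantined"
    fi
    if [ ! -x "$cs_file" ]; then
        cs_problems="${cs_problems:+$cs_problems,}not-executable"
    fi
    echo "${cs_problems:-ok}"
    [ -z "$cs_problems" ]
}

# Check every regular file in a directory; returns 1 if any has a problem.
scan_dir() {
    sd_rc=0
    for sd_file in "$1"/*; do
        [ -f "$sd_file" ] || continue
        sd_status=$(check_script "$sd_file") || sd_rc=1
        printf '%-28s %s\n' "$sd_status" "$sd_file"
    done
    return "$sd_rc"
}

# Usage: sh check_scripts.sh "<scripts directory>"
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it against the Application Scripts folder named in the first post; a non-zero exit status means at least one script would fail silently.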

Discussion of this issue here, I believe:

https://mjtsai.com/blog/2019/04/16/sandboxing-makes-quarantine-flags-almost-meaningless/

This seems to be mainly/only a problem in Catalina. I have not seen this myself - will test in 10.15. Thanks for reporting.

pkamb avatar Jun 15 '20 08:06 pkamb

Just talked to some Apple engineers in a WWDC 2020 remote lab.

I wasn't calling for this bug, but mentioned it when the conversation went that way. They suggested:

Service Station's NSOpenPanel is opening the .sh script in a way that it is being flagged. Make sure system never believes you are opening a script file in a way that could write to it.

Use the system fs_usage tool to point at application. Logs filesystem calls that are coming from Service Station process - might show opening or write or when the quarantine bit is set.

Will look into this more soon.

pkamb avatar Jun 23 '20 17:06 pkamb

Oh, nice! WWDC sure dropped a lot of "bombs" this year. I hope the continued dumbing-down of macOS doesn't mean Extensions like Service Station are headed for deprecation.

luckman212 avatar Jun 23 '20 18:06 luckman212

Had this in 10.14.6 and removing the quarantine flag fixed it. It would be great if this could be added in an update.

weavermedia avatar Sep 14 '20 07:09 weavermedia