Motorola phones only from AT&T
mac.column.ted: Leopard still holds some small surprises
Ted Landau
May 2008
Leopard is a surprising cat. Here it is, more than half year after Mac OS X 10.5's release, and I'm still discovering new features. I'm not talking about the big time features that are well publicized on Apple's Web site. Rather, I am referring to those much smaller, tucked-away features ? ones that tend to appeal more to "techies" than the mass market. These are features that Apple barely mentions in its PR, if it takes note of them at all. Of course, that's probably not unrelated to why it took me so long to discover some of them.
I now have a list of about a half-dozen of these quite recent discoveries (at least they were recent for me). For example, just last week, I came across a new "Reset Permissions and ACLs" feature in Reset Password, a utility accessed by booting from the Leopard Install DVD. Here are two other items from my list that I found particularly intriguing:
xattr and extended attributes
Briefly, extended attributes are a UNIX feature ? first introduced to Mac OS X in Tiger. In Tiger, extended attributes were largely limited to Mac OS X Server. So don't be surprised if you never heard about them back then. With Leopard, extended attributes have come into full bloom for both the server and client OS. [Giving credit where it is due, the basics of Leopard's extended attribute capabilities were documented as far back as October 2007, such as in this ars technica review.]
Loosely defined, attributes are metadata that are linked to individual files and folders. For example, the creation date of a file is an attribute of the file. Extended attributes are metadata that go beyond the standard set associated with items of a particular kind.
In Leopard, one such extended attribute assists in protecting your Mac from malicious software. You're probably more than familiar with the following warning message: "{name of program} is an application which was downloaded from the Internet. Are you sure you want to open it?" This message appears the first time you launch a program after having downloaded it. This is a security precaution, designed to have you confirm that the program is indeed one that you recognize and intended to launch. If you select to open it, the warning message should no longer appear on subsequent launches.
How, you may wonder, does Mac OS X know that a given application has never been launched before? It knows because Mac OS X (Safari specifically, which is why the message does not appear if you instead download from Firefox, for instance) assigns an extended attribute quarantine flag to the downloaded item. When the flag is detected on launch, the message appears. The flag is cleared after you first open the application, which is why the message doesn't appear again.
More generally, suppose you want to know if a given file has any extended attributes. You can do this easily enough, using Terminal. Here's how:
- Use the
cdcommand to go to the directory that contains the file or folder of interest
(such ascd ~/Downloadsto go to your Downloads folder). - Type:
ls -l
Assuming you have an assortment of stuff in your Downloads folder, you will get output that looks something like this:
Take a look at the leftmost column of data. This shows the read-write-execute (rwx) permissions for each item. In particular, notice that there is an @ character at the end of the permissions listings for some items. This character means that the item contains at least one extended attribute. Given that we are in the Downloads folder, it is a good bet that the quarantine flag is an extended attribute here.
To find out for certain if the quarantine attribute is present, you can list all the extended attributes for a given file. To do so, use the xattr command. This command is not well documented, but it's pretty simple to use. For example, if I wanted to see the extended attributes for the Mac_DLS78.dmg file (which is for Dymo Label Software), I would enter the following command:
xattr -l Mac_DLS78.dmg
Here are the results:
For our purposes, we can ignore all the output except the item at the very bottom, the one that starts with com.apple.quarantine. This confirms that the item does indeed contain a quarantine attribute.
By the way, if I were to double-click and open the disk image (.dmg) file, the warning message would not appear. This is because the .dmg file is not itself an application. However, any application contained within the image "inherits" the image's quarantine attribute. Thus, if I mount the image and launch its Dymo Label Software application, the warning message does appear.
Now, suppose I want to eliminate the flag from the image file, so as to avoid getting any warnings. Once again, we use the xattr command to do this. Type:
xattr -d com.apple.quarantine Mac_DLS78.dmg
If I were to now re-enter the xattr -l command, the quarantine item would no longer appear in the output. And, if I were to mount the image and launch the Dymo Label application, the warning message would no longer pop-up.
At this point, you may be asking, why bother? Why not just wait for the warning message to appear, click OK, and clear the flag? Isn't that a lot simpler than hassling with the xattr command? Yes, it is. However, there are a few situations where the xattr command can come in handy.
I had one such situation crop up recently, after I installed some services into the /Library/Services folder. For some reason, each and every time I later selected one of these items from a Services menu, I would get the quarantine warning message. In other words, the flag refused to clear. I have a theory as to how this could have been avoided (but I won't bore you with it). At this point, the simplest solution was to use the xattr command to get rid of the attribute. I did so ? and the messages never appeared again!
I tripped over another such situation after following the links from a TidBITs article to the CHDK (Canon Hackers Developers Kit) wiki. From here, you can download software that you copy onto a memory card for your Canon point-and-shoot camera. This, in turn, adds new features to the camera (such as the ability to save photos in RAW format). However, this wiki page notes that the hack may not succeed if you are using a Mac ? because the downloaded files contain a quarantine attribute which prevents the Canon camera from loading the software.
The solution is to delete the attribute using xattr. The wiki page also offers an alternative solution. The relevant software downloads as a zip file. Normally, you would just double-click the file to have Mac OS X expand it. However, this causes the quarantine flag to be attached to the expanded items. If you instead use a third-party utility, such as Unarchiver, the zip file expands without attaching the quarantine flag to the expanded items. Problem solved. Although the wiki did not say this, I assume that using a browser other than
Safari would also avoid the problem.
Sparse Bundle images
Sparse bundle images are another new feature in Leopard ? one you may be using even without realizing it.
Image files are often used for software downloaded from the Internet (as in the Dymo Label image cited in the previous section). When you double-click an image, it mounts almost as if you were mounting an external drive. You can then access the contents of the image file. If it is a writable image, you can even add content to it. While all images function in a similar fashion, there are actually several different types, each with its own pros and cons. Different types may also use different name extensions ? the most common one being .dmg. You can see a partial list of the different image types by setting up to create an image file yourself. To do so:
- Launch Disk Utility.
- Choose New > Blank Disk Image... from the File menu.
- From the dialog that appears, select the Image Format popup menu.
- From here, we are interested only in the bottom two options: sparse disk image and sparse bundle disk image. Choose the latter option to create a new image file in the sparse bundle format. The file name will have a .sparsebundle extension by default.
[To see a much longer list of image types, select File > New > Disk Image from Folder..., choose a folder and select the Image Format popup menu.]
Sparse disk images were available in Tiger; it is only the sparse bundle format that is new to Leopard. Both types share a similar and very useful attribute: The disk image can expand beyond its initial size, as you add more content to it. This allows you to create a functional disk image even if you don't know ultimately how much data you will be putting on it.
So why was the bundle image format added in Leopard? Because there was a significant problem with plain sparse images. A sparse image is essentially a single file. When backing up your drive, a backup utility thus sees the image as a single file, regardless of how many files are stored within the image. Further, any addition or subtraction you make to the image (such as adding even a measly 5K text document) registers the image as a modified file. This means that, if an image file were 1GB in size, the entire 1GB would need to be recopied to a backup each time the image was modified, even if the only change to the image was a 5K file addition. Not very efficient. And unnecessarily time consuming.
The sparse bundle format avoids this dilemma. Essentially, the bundle format divides the content of the image file into smaller separable bands. The image still appears as a single file in the Finder. However, it is actually a package. If you select Show Package Contents from the image's contextual menu in the Finder, you will find a bands folder containing the individual band segments (as shown in the figure below). Each band, at least in my testing, was 8MB or less. Assuming your backup software recognizes and works correctly with the bundle format, only the modified bands are copied over when backing up the image. This means that backing up the aforementioned 1GB image, with a 5K file addition, would require copying only 8MB or less!
[You can learn more about the workings of the sparse and sparse bundle formats, by accessing the manual page for the hdiutil command.]
Apple, in Disk Utility's Help pages, recommends using the sparse bundle format whenever you want to create "a blank disk image for storage." Indeed, Apple takes its own advice and uses the new format for FileVault (rather than the sparse image format used by FileVault in Tiger).
Similarly, and of particular interest here, Time Machine may also use the new sparse bundle format. It turns out that, if you back up your hard drive over a network (such as to a Time Capsule or to a USB hard drive attached to an AirPort Extreme Base Station), the backup is created and saved as a sparse bundle image. Using this image format is apparently necessary to avoid problems that Time Machine would otherwise have when trying to make incremental backups over a network.
In contrast, Time Machine does not use any image format when backing up to a drive connected directly to a Mac, via a USB or FireWire port. In this case, the individual files are copied directly and can be viewed as such in the Finder (inside a Backups.backupdb folder).
What if you've been using Time Machine to back up to a network drive and later decide to connect the drive directly to your Mac? Will Time Machine continue to work with it? As far as I can tell, no. For starters, Time Machine will not automatically recognize that this is your backup drive. You will need to reselect it first, using the Change Disk... option in the Time Machine System Preferences pane. Even after you do, Time Machine will not work properly with the sparse bundle image and you won't see any backup data listed when you open the Time Machine application. The best solution at this point is to reformat the backup drive and start over.
Note: I have seen some discussions on the Web, querying whether it is possible to avoid the need to start over by instead extracting the data from the image file and replacing the image file with the extracted data. However, I have not read of any success in these attempts. Similarly, it appears doubtful that you can take a Time Machine drive connected directly to your Mac and have it recognize your existing backup data if you move it to an AirPort Extreme. Again, your best bet when making these sorts of changes is to start over.
To send comments regarding this column directly to Ted, click here. To get Ted's latest book, Take Control of Your iPhone, click the link.
Resources
Untrue. I download using Firefox all the time and get that message in first launch every time.
Interesting...
I checked several times with Firefox before posting this article...and never got the warning message. I just tried again. While I did get the message this time after downloading a .dmg file, it still did not show up with any other files I downloaded.
- Ted
I also get the message constantly while using Camino for downloading. But then almost all my software gets downloaded in dmg form.
And out of curiosity, for those using Firefox: what is your reason to use Firefox over Camino beyond extensions and incumbency?
Ok, I downloaded a DMG file and opened that file without a warning, but when I open the application contained on the disk image, I get the warning about it being an internet download. This is with FireFox 3.0.
Mark
<b>ls -le</b>
@Rick Auricchio:<i>
> Another way to view extended attributes is by using
> ls -le
</i><br>
Well... sort of.
Operating systems such as <a href ="http://www.suse.de/~agruen/acl/linux-acls/online/">Linux</a> (and their associated filesystems) will often refer to ACLs as "extended attributes" -- and indeed, they may be implemented as such. But ls -le on Apple's OS (and others) only show<i> access control list </i>info... which makes more sense (to me anyway). So yes, we could argue that ACLs are extended attributes inasmuch as we could similarly dispute whether *everything* except the content of a file (including its name) is merely "metadata." <br>
In the end though, using the "-e" option with ls -l only adds ACL info to the long listing.
We still need to use "-@" to view all the <b>other</b> extended attributes in Ted's discussion. <br>
-HI-
<br>
Well, first off, disk images ARE finder accessible. Secondly, I would assume that the restore procedure over a network would be the same as on a local disk: boot from your 10.5 DVD and choose "restore from time-machine backup" (or whatever the exact wording is) from the menu.
However... perhaps I am misinterpreting what you said.
You stated... <i>"The disk image can expand beyond its initial size, as you add more content to it. This allows you to create a functional disk image even if you don't know ultimately how much data you will be putting on it."</i>
So I created a small 100 MB Sparse Bundle image and tried to add content beyond the original volume size of 100 MB and was immediately presented with a message stating I was attempting to add more than it would hold.
It appears that it still holds true that the maximum content size must be entered as the Volume Size.
Have I misunderstood what you have written or am I doing something wrong?
Thanks for all of the great info!
Ron
As I understand it...yes...the size you select represents the maximum size to which the image can grow. That's why you get the error message. I believe there are ways to adjust the size after the fact...using the hdiutil command in Terminal...but not from Disk Utility. (I confess I am pushing the envelope of my technical knowledge a bit here.)
As an example, I created a 20 GB sparse bundle disk image. It started empty and took up approximately only 50 MB of space. As I copied items to the mounted image, the size of the image file increased.
Are these images compressed, or just able to dynamically grow?
---
-Ernest
It appears that it alots (blocks-out) the Volume Size that the user enters but doesn't reflect the maximum size in Get Info.
I'm wondering whether this would preclude the user from using that 'blocked-out' area of the disc if the empty space is needed? If so... it would seem Apple would perhaps best indicate the maximum volume space the user had originally indicated so he doesn't think he has more space available than he does.
<i>Assuming your backup software recognizes and works correctly with the bundle format, only the modified bands are copied over when backing up the image.</i>
Can I assume SuperDuper! will support this. (I've stopped using Retrospect since it did not do anyways near as faithful of a backup as SuperDuper! does... for less money!)
My understanding is: Yes. As stated on the SuperDuper Web page: "SuperDuper v2.5...is fully Leopard compatible."
For a backup utility to work perfectly in Leopard, it should not only know how to work with sparse bundle images, but should know how to deal with hard links (as also used by Time Machine). This is noted in regard to SuperDuper on the site's blog: http://www.shirt-pocket.com/blog/.
I had a similar frustrating experience with 4 apps downloaded under the first installed account (set as Admin) which would not clear the attribute after they were installed by the second account (main user - not admin). All apps ran perfectly after acknowledgement. I could not figure out why after giving the second account Admin rights it would still not clear the flag. However logging into the user account that downloaded the apps (first account) and running them once cleared the flag. Hurrah! Next time though I'll remember the shortcut! :o) Thanks!
I experience this quarantine message all the time. My reason is simple: I have an unadorned admin account I use for all software installs, and my daily-use account (still an admin, thanks to SOHO Notes :p ) has all my goodies loaded up. When I install an app like Speed Download (even though I downloaded it with my daily account), I always see the "downloaded from the internet" warning message. If I run the app once from my plain admin account, all is well.
Thanks for the explanation, and the workaround. I hope this is addressed in 10.5.4; I hate answering that question every darn time.
- by V.K. June 3, 2008 3:08 PM PDT
- most likely, the reason you got the quarantine warning every time you launched that service is that you were doing it from a standard account. the file that had that extended attribute was installed from an admin account and standard accounts don't have the rights to change extended attributes of such files (unless you add an ACL letting them do so). to avoid that, launch that service once from an admin account. the extended attribute will clear and the warning will not show up again. the same also applies to all applications downloaded from the web and installed in /Applications. To clear the quarantine warning one has to run them once from an admin account. Otherwise they'll bug you every time you run them.
- Like this Reply to this comment
-
Showing 1 of 2 pages (23 Comments)