How to bypass Mac OS X’s Gatekepeer and run arbitrary programs as a non-admin user

Gatekeeper is Apple’s name for a feature in Mac OS X that prevents a user from opening certain programs based on a few different security preferences. (Under the hood, it’s actually part of Mac OS X’s security assessment policy subsystem, which you can manipulate from the command line with the spctl command if you have admin privileges.) If you’ve ever downloaded an app from the Internet rather than the Mac App Store, you might have seen a dialogue box appear when you tried to open the app preventing you from doing so, like this:

Screenshot of Mac OS X Gatekeeper preventing TorBrowser.app from running "because it is from an unidentified developer."

Ordinarily, this is (mostly) a good thing. It’s a warning from your Mac alerting you to the fact that the author of the program you’re trying to run hasn’t registered themselves with Apple. It’s not a warning that the program is actually a virus or some kind of malware—those warnings are more explicit and actually say that the program “will damage your computer”—but the fact that the developer isn’t recognized could be a legitimate concern. Of course, it might also be completely innocent, as it is in the case of TorBrowser.

If have administrator privileges on the Mac, you tell Gatekeeper to permit the program to run by right-clicking on it and selecting “Open” from the contextual menu that appears, as Apple describes in “How to open an app from an unidentified developer and exempt it from Gatekeeper.” But what if you’re not an admin user? It turns out there are a number of ways you can work around Gatekeeper to open the app anyway.

This may sound like a security risk and thus a bad idea, but there are times when you might need to do this for innocent reasons.

For example, last night, my Mac’s hard drive crashed. :( I’ve been keeping regular backups, but I’ve also been working on a programming project that’s changing rapidly. The crash happened at the worst possible time: immediately after I’d just completed another chunk of work, but before the next backup was scheduled to run. It’s only about an hour’s worth of coding, but that’s still a chunk of effort I’d like not to have lost. Naturally, I’m now running SpinRite, a hard drive maintenance and data recovery tool, on the disk, and hopefully I’ll be able to get my work back. Meanwhile, however, I’m borrowing a Mac from someone else. The account I’m using doesn’t have admin privileges, but I still need to install some programs that Gatekeeper won’t allow, such as the Tor Browser, and my favorite text editor, MacVim.

So I went about trying to find ways to work around Gatekeeper, and I found two really simple workarounds that worked for me on a fully-patched Mac OS X 10.9.5 Mavericks system with Gatekeeper enabled, of course. They may work in earlier or later versions of Mac OS X, too.

Use the command line, not the Finder

Possibly the most obvious workaround to Gatekeeper is simply to bypass it entirely by not using the Finder to open the applications that you want to run. If the program is designed as a command line application in the first place, then Gatekeeper won’t have anything to say about it. But even if it’s designed as a fully-featured graphical app, you can still launch it from the command line, thus avoiding Gatekeeper’s restrictions altogether.

For example, although Gatekeeper gets in my way after double-clicking on the TorBrowser, opening it from the command line by calling its executable directly works like a charm:

TorBrowser.app/Contents/MacOS/firefox

The reason this works is because on Mac OS X, an “app” is really just a folder with its own files inside of it. One of those files is the app’s information property list (typically the bundle’s Contents/Info.plist) file, which is an XML file that lets app developers communicate a bunch of stuff to the Mac OS X Finder about how their app works. One of the most important of these properties is, of course, which file to actually run when the user double-clicks on the app icon. That’s saved in the CFBundleExecutable key, so let’s grep it out:

$ grep -r -A 1 CFBundleExecutable TorBrowser.app/Contents/Info.plist
TorBrowser.app/Contents/Info.plist:	<key>CFBundleExecutable</key>
TorBrowser.app/Contents/Info.plist-	<string>firefox</string>

By running the app’s main executable directly, you avoid Gatekeeper in the same way as other command line applications do. Note that the open command doesn’t avoid Gatekeeper because it actually calls to the Finder.

Remove the com.apple.quarantine extended attributes

Another way to make sure that Gatekeeper doesn’t get called when you’re opening an app is to strip the app itself of the attribute that tells the Finder to call Gatekeeper. In this case, that’s the com.apple.quarantine extended file attribute. Most modern operating systems, including Mac, Linux, and Windows, have filesystems that can attach arbitrary metadata to files, and this metadata is generically known as extended file attributes. On a Mac, you can use the xattr command to inspect the extended attributes associated with any file or folder.

Indeed, inspecting the extended attributes on the TorBrowser I just downloaded revealed the relevant attribute:

$ xattr TorBrowser.app/
com.apple.quarantine

The -l@ switches to the more common ls command works, too, but produces different output:

$ ls -l@ TorBrowser.app/
total 272
drwxr-x---@ 6 maymay  staff     204 Dec 31  1999 Contents
	com.apple.quarantine	    26 
drwxr-x---@ 5 maymay  staff     170 Dec 31  1999 TorBrowser
	com.apple.quarantine	    26 
-rw-r-----@ 1 maymay  staff  137761 Dec 31  1999 precomplete
	com.apple.quarantine	    26 

Since we own the downloaded file, we can modify its extended attributes, no admin privileges needed. Removing com.apple.quarantine recursively is enough to disable Gatekeeper. We again use xattr, along with its -d switch, to accomplish that:

xattr -r -d com.apple.quarantine TorBrowser.app/

With the quarantine extended attribute removed, the Mac OS X Finder never calls to Gatekeeper so double-clicking on the app will work as if Gatekeeper was disabled.

So there you have it. Two simple ways to bypass Gatekeeper and open arbitrary programs even without administrator approval. None of this helps fix my broken hard drive, of course. I’ll still need to buy a replacement for my Mac (and since I work and live on a donations-only basis, if you can part with a few bucks by sending a donation to help me out here, I’d really appreciate it) but at least I can still install the tools I need to get stuff done while borrowing other laptops. And so can you!