[File] How to detect go mac executables with magic.h?

Guy Harris gharris at sonic.net
Tue May 25 22:47:54 UTC 2021


On May 25, 2021, at 2:52 PM, Matthew Czarnek <matthew.czarnek at verizonmedia.com> wrote:

> I've been using this Go library to detect file types to block our users from uploading exes:
> https://github.com/rakyll/magicmime
> 
> On a Mac it is capable of using the magic.h header to detect the file type of a Go program compiled for Mac as mime type "application/x-mach-binary",

I didn't know that macOS's cat was written in Go:

	$ /usr/bin/file --mime-type /bin/cat	# macOS file, based on file-5.39
	/bin/cat: application/x-mach-binary
	/bin/cat (for architecture x86_64):	application/x-mach-binary
	/bin/cat (for architecture arm64e):	application/x-mach-binary

	$ /usr/local/bin/file --mime-type /bin/cat	# file-5.39
	/bin/cat: application/x-mach-binary

(NARRATOR: It's not.)

I.e., this has nothing to do with Go, and everything to do with Darwin (the operating system, not Ian Darwin :-)).  The file format for Darwin (macOS, iOS, iPadOS, tvOS, watchOS) binaries is called Mach-O:

	https://en.wikipedia.org/wiki/Mach-O

and it's used regardless of what language the file was written in (the exec calls will only launch Mach-O binaries and #! scripts).

> on Linux however, it is not able to detect those executables, only executables compiled for Linux.

I suspect it could also detect executables compiled for *BSD and Solaris, as the current binary format for Linux is the ELF format:

	https://en.wikipedia.org/wiki/Executable_and_Linkable_Format

originally developed by AT&T for System V Release 4, and subsequently adopted by *BSD and Solaris (and possibly others).

> I'm guessing this is a matter of not having this file type registered in the magic database/file containing all the magic numbers?

It is in the magic database; unfortunately, for fat executables with code for multiple instruction sets, the magic number is big-endian 0xcafebabe, which is also the magic number for Java class files, so it's handled in a magic source file named cafebabe, where it tries to distinguish between Java class files and fat Mach-O files.

The non-fat Mach-O format has the magic number 0xfeedface, which is in the byte order of the host for which it's intended, and is handled in the file named mach.
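
The magic numbers discussed in the message above, as an added Go example that is not part of the original post and is not code from file or magicmime: it classifies a file header as ELF, thin Mach-O or fat Mach-O, and separates fat Mach-O from Java class files by reading the four bytes after 0xcafebabe. The function name, the cutoff of 45 and the sample headers are this example's assumptions; the cutoff is not claimed to be the rule the cafebabe magic file uses.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Classify names the executable container format from the first 8 bytes of
// a file. The format depends on the target OS, not the source language.
func Classify(h []byte) string {
	if len(h) < 8 {
		return "unknown"
	}
	be := binary.BigEndian.Uint32(h[:4])
	le := binary.LittleEndian.Uint32(h[:4])
	switch {
	case be == 0x7f454c46: // "\x7fELF": Linux, *BSD, Solaris
		return "elf"
	case be == 0xfeedface || le == 0xfeedface: // thin Mach-O, host byte order
		return "mach-o"
	case be == 0xfeedfacf || le == 0xfeedfacf: // 64-bit thin Mach-O (not in the post)
		return "mach-o"
	case be == 0xcafebabe: // shared by fat Mach-O and Java class files
		// Fat header: big-endian uint32 count of architectures follows.
		// Java class: u2 minor_version, u2 major_version follow; major >= 45.
		n := binary.BigEndian.Uint32(h[4:8])
		if n >= 45 { // assumed cutoff: no real fat binary has 45+ slices
			return "java-class"
		}
		if n >= 1 {
			return "mach-o-fat"
		}
	}
	return "unknown"
}

func main() {
	// Constructed 8-byte headers, not taken from real files.
	samples := map[string][]byte{
		"thin x86_64": {0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01},
		"fat, 2 arch": {0xca, 0xfe, 0xba, 0xbe, 0x00, 0x00, 0x00, 0x02},
		"java 8":      {0xca, 0xfe, 0xba, 0xbe, 0x00, 0x00, 0x00, 0x34},
		"linux elf":   {0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00},
	}
	for name, h := range samples {
		fmt.Printf("%-12s -> %s\n", name, Classify(h))
	}
}
```

A header-only check like this runs the same way on Linux and macOS, because it does not depend on which magic database is installed on the host.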

