Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

Corrupt system preference file problem?

iGreg
2008-12-13
2012-10-09
  • iGreg
    iGreg
    2008-12-13

    When I check preferences with applejack, I am seeing it say that 1 system file is corrupt. It is "./cov.apple.systemloginitems.plist" and Applejack tells me that it is moving it to "/Library/preferences (corrupt). However, I am then told that it is not allowed.

    When I reboot I see the folder called "/Library/preferences (corrupt)" is created, but the folder is empty.

    Please advise.

     
    • Ronald
      Ronald
      2009-01-02

      Correction (there does not seem to be a way to edit a posting?):

      Of course I meant a file /Library/Preferences/com.apple.SystemLoginItems.plist

      and it is the folder /Library/Preferences/ where admin and world have write access, to the folder /Library/ admin has write access.

       
    • Steve Anthony
      Steve Anthony
      2008-12-18

      Could you post the applejack log file, located at /var/log/applejack.log? It will let me see exactly what applejack said it did. Thanks.

      -Steve

       
    • iGreg
      iGreg
      2008-12-22

      Can you please delete my previous posting showing my complete AppleJack log. I am concerned about possible passwords possibly being listed in all that junk. Of course, can you check the part pertinent to my issue before you delete the whole log. Thanks.

       
      • I'm not sure your post can be completely deleted by the sourceforge.net forums. I clicked the "delete" button next to your post, and the message I got was that the message had been hidden. Hopefully that means it will be hidden from everybody.

        i didn't see anything in the log file that struck me as an issue regarding security.

        I have e-mailed the log to ultramathman, who was helping you with the issue.

         
    • Would you mind doing the following command in your terminal (if you know how).

      $ ls -al /Library/Preferences/com.apple.systemloginitems.plist

      We would need to see what your ownership is set to. You should see something like:
      $ ls -al /Library/Preferences/com.apple.SystemLoginItems.plist
      -rw-r--r-- 1 root admin 260 Sep 14 2006 /Library/Preferences/com.apple.SystemLoginItems.plist

       
      • iGreg
        iGreg
        2008-12-23

        i copy and pasted it in Terminal and hist Enter and I get "Command not found"

         
      • iGreg
        iGreg
        2008-12-28

        ok I did the Terminal thing again and got this:

        Last login: Sat Dec 27 20:20:37 on console
        gregory-martinezs-imac:~ gmartinez$ ls -al /Library/Preferences/com.apple.systemloginitems.plist
        -rw-r--r-- 1 root admin 0 Aug 6 00:41 /Library/Preferences/com.apple.systemloginitems.plist
        gregory-martinezs-imac:~ gmartinez$

         
        • Can you send me the com.apple.systemloginitems.plist file in an e-mail? I'll send you an e-mail directly that you can respond to. That way I can test it and see whether it actually is corrupt.

           
    • Ronald
      Ronald
      2008-12-27

      You probably copied and pasted the initlal "$ " with it. The command starts with "ls".

       
    • Er, I mean, you can send me an e-mail to the address listed on this page: https://sourceforge.net/users/kwidholm/

       
    • I tried opening and testing your .plist, and it's blank, so it would definitely be considered corrupt. It's an interesting case.

      I put the file you sent me in /Library/Preferences and AppleJack did mark it as corrupt, as expected. However, it also successfully moved it to /Library/Preferences (Corrupt).

      The only thing I can imagine at the moment is that something odd is going on with your hard disk.

       
      • iGreg
        iGreg
        2008-12-30

        Suggestions? What if I were to delete it?

         
    • iGreg
      iGreg
      2008-12-30

      BTW, file I sent you was not locked. It is locked on my system.

       
    • Steve Anthony
      Steve Anthony
      2008-12-30

      From what I've been able to find, it's not something you should be too worried about (mostly because there's not much you can do about it). The file should be safe to delete provided no application is using it, which seems to be the case since it's empty; it was formally used by programs such as Timbuktu.

      MacShadows has an interesting entry on that plist.
      http://www.macshadows.com/kb/index.php?title=Com.apple.SystemLoginItems.plist_Exploit

      -Steve

       
      • iGreg
        iGreg
        2009-01-01

        Well, I deleted it. However, upon rebooting the exact same file was created. It is just like the file I deleted. It is locked. Has no contents. AppleJack reports it as corrupted, just like the one I deleted.

         
    • Ronald
      Ronald
      2009-01-02

      I may have information that sheds some light on this issue.

      I had a file /Library/com.apple.SystemLoginItems.plist that had some content, that was not locked and that AppleJack did not consider corrupted.

      Owner: root r/w
      Group: admin r
      World: r

      The content:
      Key: Root, Type: Dictionary, Value: (1 item):
      Key: AutoLaunchedApplicationDictionary, Type: Array, Value: (0 items)

      I moved the file from the /Library/ folder to my Desktop (admin and world have write acces to the /Library/ folder) and I restarted my Mac.

      There is now a new file /Library/com.apple.SystemLoginItems.plist which is empty (0 bytes) and which is locked.

      Owner: root r/w
      Group: wheel r
      World: r

      (After this experiment I will now put the original file back in place.)

       
  • Let's hope Apple has plugged this vulnerability since this issue was reported.
    If Timbuktu is still using this mechanism to launch their tools, they should
    be rapped over the knuckles and use a legitimate launchd file instead :-)