Corrupt system preference file problem?

iGreg
2008-12-13
2012-10-09
  • iGreg

    iGreg - 2008-12-13

    When I check preferences with applejack, I am seeing it say that 1 system file is corrupt. It is "./cov.apple.systemloginitems.plist" and Applejack tells me that it is moving it to "/Library/preferences (corrupt)". However, I am then told that it is not allowed.

    When I reboot I see the folder called "/Library/preferences (corrupt)" is created, but the folder is empty.

    Please advise.

     
    • Ronald

      Ronald - 2009-01-02

      Correction (there does not seem to be a way to edit a posting?):

      Of course I meant a file /Library/Preferences/com.apple.SystemLoginItems.plist

      and it is the folder /Library/Preferences/ where admin and world have write access, to the folder /Library/ admin has write access.

       
    • Steve Anthony

      Steve Anthony - 2008-12-18

      Could you post the applejack log file, located at /var/log/applejack.log? It will let me see exactly what applejack said it did. Thanks.

      -Steve

       
    • iGreg

      iGreg - 2008-12-22

      Can you please delete my previous posting showing my complete AppleJack log? I am concerned about possible passwords possibly being listed in all that junk. Of course, can you check the part pertinent to my issue before you delete the whole log? Thanks.

       
      • Kristofer Widholm

        I'm not sure your post can be completely deleted by the sourceforge.net forums. I clicked the "delete" button next to your post, and the message I got was that the message had been hidden. Hopefully that means it will be hidden from everybody.

        I didn't see anything in the log file that struck me as an issue regarding security.

        I have e-mailed the log to ultramathman, who was helping you with the issue.

         
    • Kristofer Widholm

      Would you mind doing the following command in your terminal (if you know how)?

      $ ls -al /Library/Preferences/com.apple.systemloginitems.plist

      We would need to see what your ownership is set to. You should see something like:
      $ ls -al /Library/Preferences/com.apple.SystemLoginItems.plist
      -rw-r--r-- 1 root admin 260 Sep 14 2006 /Library/Preferences/com.apple.SystemLoginItems.plist

       
      • iGreg

        iGreg - 2008-12-23

        I copied and pasted it in Terminal and hit Enter and I get "Command not found"

         
      • iGreg

        iGreg - 2008-12-28

        OK, I did the Terminal thing again and got this:

        Last login: Sat Dec 27 20:20:37 on console
        gregory-martinezs-imac:~ gmartinez$ ls -al /Library/Preferences/com.apple.systemloginitems.plist
        -rw-r--r-- 1 root admin 0 Aug 6 00:41 /Library/Preferences/com.apple.systemloginitems.plist
        gregory-martinezs-imac:~ gmartinez$

         
        • Kristofer Widholm

          Can you send me the com.apple.systemloginitems.plist file in an e-mail? I'll send you an e-mail directly that you can respond to. That way I can test it and see whether it actually is corrupt.

           
    • Ronald

      Ronald - 2008-12-27

      You probably copied and pasted the initial "$ " with it. The command starts with "ls".

       
    • Kristofer Widholm

      Er, I mean, you can send me an e-mail to the address listed on this page: https://sourceforge.net/users/kwidholm/

       
    • Kristofer Widholm

      I tried opening and testing your .plist, and it's blank, so it would definitely be considered corrupt. It's an interesting case.

      I put the file you sent me in /Library/Preferences and AppleJack did mark it as corrupt, as expected. However, it also successfully moved it to /Library/Preferences (Corrupt).

      The only thing I can imagine at the moment is that something odd is going on with your hard disk.

       
      • iGreg

        iGreg - 2008-12-30

        Suggestions? What if I were to delete it?

         
    • iGreg

      iGreg - 2008-12-30

      BTW, file I sent you was not locked. It is locked on my system.

       
    • Steve Anthony

      Steve Anthony - 2008-12-30

      From what I've been able to find, it's not something you should be too worried about (mostly because there's not much you can do about it). The file should be safe to delete provided no application is using it, which seems to be the case since it's empty; it was formerly used by programs such as Timbuktu.

      MacShadows has an interesting entry on that plist.
      http://www.macshadows.com/kb/index.php?title=Com.apple.SystemLoginItems.plist_Exploit

      -Steve

       
      • iGreg

        iGreg - 2009-01-01

        Well, I deleted it. However, upon rebooting the exact same file was created. It is just like the file I deleted. It is locked. Has no contents. AppleJack reports it as corrupted, just like the one I deleted.

         
    • Ronald

      Ronald - 2009-01-02

      I may have information that sheds some light on this issue.

      I had a file /Library/com.apple.SystemLoginItems.plist that had some content, that was not locked and that AppleJack did not consider corrupted.

      Owner: root r/w
      Group: admin r
      World: r

      The content:
      Key: Root, Type: Dictionary, Value: (1 item):
      Key: AutoLaunchedApplicationDictionary, Type: Array, Value: (0 items)

      I moved the file from the /Library/ folder to my Desktop (admin and world have write access to the /Library/ folder) and I restarted my Mac.

      There is now a new file /Library/com.apple.SystemLoginItems.plist which is empty (0 bytes) and which is locked.

      Owner: root r/w
      Group: wheel r
      World: r

      (After this experiment I will now put the original file back in place.)

       
  • Kristofer Widholm

    Let's hope Apple has plugged this vulnerability since this issue was reported.
    If Timbuktu is still using this mechanism to launch their tools, they should
    be rapped over the knuckles and use a legitimate launchd file instead :-)
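
The checks made by hand in this thread (file size, whether the plist parses, ownership, the Finder lock, write access on the containing folder) collected into one script. This is an added example, not part of the original posts and not AppleJack's code; the function names, finding labels and sample files are constructed for illustration.

```python
import os
import plistlib
import stat
import tempfile

def audit_plist(path, expect_uid=None):
    """Return a list of findings for one preference file (empty list = nothing flagged)."""
    findings = []
    st = os.stat(path)
    if st.st_size == 0:
        findings.append("empty")  # 0-byte file, like the one reported in the thread
    else:
        try:
            with open(path, "rb") as fh:
                plistlib.load(fh)  # accepts XML and binary plists
        except Exception:
            findings.append("unparsable")
    if expect_uid is not None and st.st_uid != expect_uid:
        findings.append("unexpected-owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file-writable-by-group-or-world")
    # Finder's "Locked" is the BSD user-immutable flag; st_flags is absent on Linux.
    if getattr(st, "st_flags", 0) & stat.UF_IMMUTABLE:
        findings.append("locked")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        findings.append("parent-world-writable")  # others can replace the file
    return findings

def demo():
    """Constructed samples: a one-key plist like Ronald's and a 0-byte file like iGreg's."""
    d = tempfile.mkdtemp()  # created with mode 0700
    good = os.path.join(d, "com.apple.SystemLoginItems.plist")
    with open(good, "wb") as fh:
        plistlib.dump({"AutoLaunchedApplicationDictionary": []}, fh)
    os.chmod(good, 0o644)
    empty = os.path.join(d, "empty.plist")
    open(empty, "wb").close()
    os.chmod(empty, 0o644)
    before = (audit_plist(good), audit_plist(empty))
    os.chmod(d, 0o777)  # simulate a world-writable preferences folder
    after = audit_plist(good)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a Mac, running `audit_plist("/Library/Preferences/com.apple.SystemLoginItems.plist", expect_uid=0)` reports the same properties the posters compared by eye.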

     
