back to article macOS? More like mac-woe-ess: Google Chrome slip-up trips up SIP-less Apple Macs

On Tuesday, Google halted deployment of a Chrome update that damaged the file system on some macOS computers and rendered them unable to boot up as normal. The issue affected enough Mac Pro workstations to warrant attention from Avid, a maker of professional audio and video applications. The company on Tuesday reassured …

  1. tip pc Silver badge

    Not good

    Probably of no use to hackers but demonstrates the faith we place in vendors of free software to not do any harm.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not good

      Probably of no use to hackers but demonstrates the faith we place in vendors of software to not do any harm.

      FTFY

    2. FuzzyWuzzys
      Stop

      Re: Not good

      Oh come on, since when has Google software ever been free? We all know the price, or should I say "the toll", Google exacts when you use any of their software.

  2. Anonymous Coward
    Anonymous Coward

    How can a user-level program affect the system files like this?

    1. DesktopGuy

      Bad software affects some users

      If Google Chrome has automatic updates enabled (not on by default and need admin elevation), it does this through a LaunchAgent in Library.

      This has elevated privileges so can mess with everything IF someone actively disables SIP.

      To disable SIP, you have to reboot into recovery mode first, then issue the command - csrutil disable

      It's only going to mess with people who have actively subverted the OS X security for whatever reason.

      Adobe did a similar thing a while ago where an updater/installer started deleting things it shouldn't as part of it's cleanup process.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bad software affects some users

        Or someone that is using a machine that doesn't support the feature. Like, say, someone with a Mac that Apple has declared "too old" to support with new OS releases.

        1. Chris 3

          Re: Bad software affects some users

          To be clear, if it doesn't run El Capitan (which introduced SIP and is a free upgrade) we are talking about a machine older than 2007.

          1. jtaylor

            Re: Bad software affects some users

            My 2008 MacBook has an Intel graphics chipset. 10.7 was the last version of MacOS supported on that. Newer releases check the hardware and refuse to install.

        2. Anonymous Coward
          Anonymous Coward

          Re: Bad software affects some users

          Go on, install the latest Chrome on OS X that old and see if it works. Hint it doesn't.

          1. Anonymous Coward
            Anonymous Coward

            Re: Bad software affects some users

            paaaah, your hint should have had spoiler tags!

      2. Chris 3

        Re: Bad software affects some users

        > It's only going to mess with people who have actively subverted the OS X security for whatever reason.

        Or those with older versions of MacOS, without SIP. I guess Avid users were disproportionately getting caught because they were adding 3rd Party GPUs and were disabling SIP to install various kernal extensions.

        1. Anonymous Coward
          Anonymous Coward

          Re: Bad software affects some users

          To use Chrome Browser on Mac, you'll need:

          OS X Yosemite 10.10 or later

        2. SamX

          Re: Bad software affects some users

          Shouldn't this be a one off thing? Disabling SIP for installing kernel extensions and enabling it again? un less, of course they change the GPU every day....

      3. Anonymous Coward
        Anonymous Coward

        Re: Bad software affects some users

        "It's only going to mess with people who have actively subverted the OS X security for whatever reason"

        One "whatever reason" being able to trace and debug programs with raised priviliedges to find out how they work and exactly what they're doing. Otherwise with SIP enabled dtruss and lldb just tell you to go do one.

      4. Stevie

        Re: Bad software affects some users

        Waitwaitwaitwaitwait;

        A broswer update needs to mess with the system filesystem settings? Since when? The browser update should be sandboxed in a "unix-like" O/S, surely? How is it even possible it starts deleting softlinks?

        BAD DOG! NO BISCUIT!

    2. revenant

      I'm more interested in why a program would delete such an apparently obviously critical file.

      1. Anonymous Coward
        Anonymous Coward

        Why?

        ever heard of /var/log ????

        All sorts of useful information get put in there. Could Google be slurping it and then deleting it to hide any tracks that might expose their crimes.

        IMHO, because of this, Chrome should be banned from the appStore until they behave properly. But this is Google (who is evil through and through) we are talking about.

        I've just added another 100+ google slurping and ad slinging domains to my firewall.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why?

          I've just added another 100+ google slurping and ad slinging domains to my firewall.

          That reminds me, I need to do that to the MacOS hosts file. Which list have you used?

        2. ratfox
          Gimp

          Re: Why?

          This may be Google, but Apple don't care. They ban whoever they want.

        3. mr-slappy

          Re: Why?

          "IMHO, because of this, Chrome should be banned from the appStore until they behave properly"

          I'm not at my Mac at the moment, but IIRC Chrome is installed on Mac by downloading a .dmg, not through the MacOS App Store. So the only control Apple has is to somehow remove it from their list of signed software (which is easily circumvented).

        4. elgarak1

          Re: Why?

          "IMHO, because of this, Chrome should be banned from the appStore until they behave properly."

          Chrome is not on the Mac AppStore. One has to download it from the web.

        5. Scroticus Canis
          Devil

          Re: Why?

          To bring the Windows 10 Update experience to Mac users?

    3. Ilgaz

      They have auto update running as root

      Keystone runs as root as far as I remember.

  3. sbt
    Thumb Down

    Not surprised

    Keystone is one of the most persistent auto-installers and hard to stay rid of. I ended up just black-holing the phone home domain, like apple's gsp servers.

    1. Pascal Monett Silver badge

      Re: Not surprised

      Google is nothing if not persistent. I have Chrome on my work laptop and I installed Google Earth as well. Thinking it would be useful on my home computer, I installed Google Earth there as well. To my surprise, at next boot I found out my home computer had Chrome installed as well.

      I didn't want Chrome, so I removed it. The following boot I found it there again. I'll spare you the details (rummaging around the Registry, checking startup options, controlling services, etc) but suffice it to say that after four days of these shenanigans, I gave up and removed anything Google from my home computers and Google is blacklisted on my personal hardware.

      1. Muscleguy Silver badge

        Re: Not surprised

        I updated Earth a couple of years ago (mid 2010 Macbook Pro) and it was unusable. So I tried to use Time Machine to go back to the old one and it kept getting reinstalled, like a virus or a worm.

        I forget how I killed the process but it was not a consumer level fix. My version of Earth is now no longer updated on startup with new data, it just runs. Things like bus stop data are out of date. If I need more up to date stuff I have to use Maps on my Android phone instead.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not surprised

          AFAIK it uses an old virus technique, a persistent mount. You can see it if you execute "df" from the command line, but I can't recall how I got rid of it in the end. I think I did an fgrep through the entire file system to find where it was mounted from, and only after that mount was gone was it possible to nuke the damn thing permanently.

  4. Blockchain commentard

    Why was Chrome randomly deleting directories it didn't own? So what have Windows/Chromebook owners to worry about in the future?

    1. IGotOut Silver badge

      As far as I'm aware, been a while, you can no longer delete critical Windows files...and if somehow you magically do, they reinstall on reboot.

      Now deleting other files, thats a different ball game.

  5. Korev Silver badge
    Pint

    /var-sectomy

    ^^^ love it.

    More Linux, Unix /etc puns please

  6. Dedobot

    Why Chrome on a production workstations , that's I can't understand?

    Shotgun, Core and other collaborative soft works fine with firefox and safari . Chrome is not just "browser" long time ago.

    1. DougMac

      Oh, I wish I could be 100% chrome free.

      It has turned into the IE6 of today. Many websites I need to use are coded only so they work in Chrome. :-(

      Thankfully that is a very small percentage, but its enough that I need to run Chrome for some of those damn work SaaS offerings they insist on using.

    2. elgarak1

      This.

      If it's a developer machine ... well, that's always a risk if you test software.

      But video/audio work? Why would you even hook this up to the web if it's your livelihood depending on this machine running? Now, maybe you need a web connection to get source material in. Fair enough. But even so, the software on there should be secure and not auto-update. Never change a running system. It may be better to do the web thing on another machine, and use physical means to carry over the video and audio files with checks. In the lab I was working the PC running our main science machine was islanded, and we (I as the de-facto lab manager) vetted the USB sticks used to get the data out. The students weren't allowed to use their own...

      1. Anonymous Coward
        Anonymous Coward

        That nice and all but doesn't really help when you have cloud based DRM on your production software and plugins.

  7. Muscleguy Silver badge

    Help please.

    I inherited this machine from my very techie daughter who might have disabled SIP if it got in her way. How do I tell if it is active? I can't see anything that looks like it on Activity Monitor. Any quick and easy Terminal ways to find out?

    Belay that, the SIP link in the article tells you how. Enabled. Ta very much El Reg!

    1. Sgt_Oddball Silver badge

      Re: Help please.

      Run csrutil status in terminal - if its enabled, all's well. If not... Well follow google's fix I suppose before you restart it.

  8. Dedobot

    By the way week ago i had similar issue with freebsd, serving as router. Reboot , can't boot due unable to mount missing folders . Single user log on and I discovered the /var is empty . Workarounded it creating manually the folders. There was nothing critical. Still investigate it but its suspiciosly close to this macos issue.

    1. Anonymous Coward
      Anonymous Coward

      Suspic

      > Single user log on and I discovered the /var is empty.

      Sounds more like your /var is a filesystem mount point, and the mounting didn't work. Maybe check in /var/log/messages or similar?

  9. phuzz Silver badge
    Pint

    SIPping

    SIP of course, should not be confused with SIP, or indeed with SIP or SIP, and definitely not with SIP.

    Hope I've cleared up any confusion there.

    Now sip this >>>>

    1. mark l 2 Silver badge

      Re: SIPping

      The IT industry sure loves its acronyms, can't see why everything needs an acronym though. Especially if it then makes one that is the same as commonly used IT term already as it just causes extra confusion.

      1. Pirate Dave Silver badge
        Pirate

        Re: SIPping

        "can't see why everything needs an acronym though."

        SENACA - Surely Everything Needs A Clever Acronym.

        1. Charlie van Becelaere
          Pint

          Re: SIPping

          ""can't see why everything needs an acronym though."

          SENACA - Surely Everything Needs A Clever Acronym."

          Right you are, Dave. They all need some TLA - Three Letter Acronyms.

          1. phuzz Silver badge

            Re: SIPping

            There's TFM TLAs

          2. Arthur the cat Silver badge

            Re: SIPping

            SENACA - Surely Everything Needs A Clever Acronym."

            Right you are, Dave. They all need some TLA - Three Letter Acronyms.

            Please note, SENECA is an XTLA(*).

            (*) eXtended TLA.

            1. Steve Aubrey
              Joke

              Re: SIPping

              Rule 3(A) from http://mri.beckman.illinois.edu/resources/writing_tips.pdf

              ASBMAETP: Acronyms Should Be Memorable And Easy To Pronounce

              (3B is "SATAN: Select Acronyms That Are Non-offensive")

              1. Dave559 Silver badge

                Re: SIPping

                See also: PCMCIA - People Can't Memorise Computer Industry Acronyms

    2. David Shaw

      Re: SIPping

      there are more ICT SIP's out there, here's one that I remember, but then I worked for STET

  10. thondwe

    Audio and Video Software Users...

    "users of audio and video software like Avid's tools, are among those most likely disable SIP."

    So users of an Application for editing Video and Audio files are mostly likely to need to disable "System Integrity Protection"? What!?

    1. Anonymous Coward
      Anonymous Coward

      Re: Audio and Video Software Users...

      Perhaps they need to install software into one or more of the protected directories and don't want to use the default installer.

    2. FuzzyWuzzys
      Facepalm

      Re: Audio and Video Software Users...

      Sounds like a case of "Vendor can't be arsed to fix sloppy code, work around issue by raising privs. Tell user to run as root/admin.", in this case disable a crucial piece of the O/S protection to get their app working properly.

    3. Ozzard
      Boffin

      Re: Audio and Video Software Users...

      I do a fair chunk of AV work (on PC, luckily, so I don't run into this problem). Audio and video processing are both notoriously power-hungry - video more than audio, but try running lots of effects on lots of audio channels and you'll eat a lot of cycles very easily. So essentially all the pro-level audio and video suites use GPU acceleration, and the higher-end ones can use multiple GPUs. Take a look at BlackMagic's Da Vinci Resolve (https://www.blackmagicdesign.com/uk/products/davinciresolve) for one such video suite.

      The GPUs built into most Macs aren't great. Luckily, there's long been good external connectivity on Macs to add an external GPU (eGPU) or two. Apple even support this and sell their own eGPUs. See https://support.apple.com/en-gb/HT208544 for the currently supported list... I'll wait...

      ... it's a bit crap, isn't it? ATI/AMD cards only, for example. Nothing nVidia is even supported. So you end up having to add custom device drivers into your OS kernel to support any sane eGPU at any sane price. Which means modifying the kernel. Which means disabling SIP.

      So that's why the AV community are some of the most likely to disable SIP.

      1. Anonymous Coward
        Anonymous Coward

        Re: Audio and Video Software Users...

        How do they modify the kernel? Sure you can download the darwin code from github and compile but there's no way the MacOS boot loader will boot it without it being signed and good lluck getting the keys from Apple.

        1. Crazy Operations Guy

          Re: Audio and Video Software Users...

          Kernel modules.

    4. elgarak1

      Re: Audio and Video Software Users...

      It's not the video and audio editors per se. It's mostly drivers to allow special hardware to work, like graphic cards and I/O devices (the latter needed to get the video/audio into the production stream.)

      1. thondwe

        Re: Audio and Video Software Users...

        (I'm a Windows Guy and have UAC maxed out) - But surely you temp disable SIP to add drivers, then put it back on to keep yourself safe?

        1. Colin Wilson 2

          Re: Audio and Video Software Users...

          "But surely you temp disable SIP to add drivers, then put it back on to keep yourself safe?"

          Yes - that's exactly what you'd normally do - disable SIP, install your strange kexts then re-enable SIP.

          I'm not sure why anyone would want/need to leave it permanetly disabled?

          1. elgarak1

            Re: Audio and Video Software Users...

            I've never use such specialised hard- or software... but I can imagine crappily written software to run some special hardware that trigger SIP every time it is run. Mostly because there's lazy developers who cannot adjust to a stricter security regimen. There's quite a bit of such software for Macs.

    5. Dedobot

      Re: Audio and Video Software Users...

      Yes, its really sounds stupid for someone outside video processing field .

      Working professional in apple's environment is perfect description of PITA. Just simple example - Sonet 10gbe NIC, placed in Sonet TB expansion box dissconects/connects randomly until I disabled the ....postfix daemon . I can think of plenty of cases where SiP needs to be neglected.

  11. Anonymous Coward
    Anonymous Coward

    One line in your script, like I do

    I like this part of your script:

    rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle

    1. Anonymous Coward
      Anonymous Coward

      Re: One line in your script, like I do

      rm -rf / Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle

      would have a greater effect.

      1. Androgynous Cupboard Silver badge

        Re: One line in your script, like I do

        ... where "greater" is used in the sense of "larger". Not "better". Definitely not better.

    2. Borg.King

      Re: One line in your script, like I do

      I do not like that the box that's displaying these commands in the article has

      rm -rf

      on a single line, and the bundle specifier on the next.

      Someone is going to find these instructions and think they need to hit enter after each line.

  12. Captain Scarlet Silver badge
    Trollface

    Oh look its like the Chromebook advert

    So it was an Apple machine in several parts of that advert!*

    *Edit and yes more than likely a Windows machine for 80% of the advert

  13. IGnatius T Foobar !
    Pint

    system management...

    All of these woes could be avoided if MacOS would simply use systemd like everyone else.

    <ducks>

  14. Kevin McMurtrie Silver badge
    Big Brother

    Remember random Mac sleeping?

    GoogleSoftwareUpdate used to interfere with MacOS power management so its daemon stalled. When the daemon finally aborted talking to GoogleSoftwareUpdate, it would become confused by the time jump and instantly put the system to sleep.

    I'm sure it's not talking to the power management for data slurping. Google would never do that.

  15. chivo243 Silver badge
    Facepalm

    I play devil's advocate here

    Why in the hell would any professional use their "production" rig to do any web surfing regardless of OS...

    1. Kevin McMurtrie Silver badge

      Re: I play devil's advocate here

      My last few jobs have been creating professional web applications. JavaScript is quite powerful so it's possible to create some kinds of web applications with the same performance as desktop applications. JavaScript + WebSockets + a lean Java/Jetty backend (no Spring) makes a real-time application. As fussy as browsers are, supporting them is a breeze compared to thousands of old beater Mac and Windows systems with sketchy anti-virus and data leak protection software.

    2. Ozzard

      Re: I play devil's advocate here

      Getting material in and out of said production rig.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022