Old 02-09-2005, 12:50 PM   #1
scottw
Prospect
 
Join Date: Feb 2005
Posts: 5
Bit rot on MacOS 10.3.7

I wondered if anyone else is seeing these symptoms, or can advise me what is causing them. I have a Dual MDD G4, running 10.3.7 with a stripe RAID pair of disks. The OS seems to be slowly failing. The clearest example of this is that I've found two system utilities (Preview and TextEdit) where the executable files were present, but were of zero length. There seems evidence that other executables have been affected (I can only be certain of zero-length files in MacOS 9 at the moment, but I have never used them so am not sure they installed correctly).
The "drive open" key no longer works for my two optical drives - this is a software fault, since booting from an existing installation on a different disk removes the problem. I suspect that this is something to do with losing the key binding - using a script to open the drive still works.
One of the optical drives has stopped mounting disks - haven't yet checked if this occurs with the other boot disk.
I have the usual issue that "repair privileges" always finds some work to do (why?)
SMARTReporter shows no problems with the disk.

In summary, I seem to have an unexplained case of bit rot. I'm concerned because my data (particularly iPhoto) may become corrupted. Is anyone else seeing anything like this, or has anyone any idea what's doing it?
Old 02-09-2005, 03:22 PM   #2
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,459
1) Disk Utility's "Repair Disk Permissions" may always find a few things to repair simply due to bugs in its underlying program and the data files (in /Library/Receipts) it uses. Don't worry about it unless there are lots of things needing repair.

2) Much more important is "Repair Disk" - this fixes filesystem corruption which it sounds like you have. See this Apple doc for details on using this:
http://docs.info.apple.com/article.html?artnum=106214
Note that SMART reports on hardware problems with the disk. Filesystem corruption can happen without any hardware problem on the disk.

3) Launch the "Console" application (under /Applications/Utilities) and look for relevant error messages. Note that messages are labeled with the date & time so you can use that to locate the part of the log to look at. Copy & paste the relevant messages back here so we can see them.
Old 02-10-2005, 02:57 PM   #3
scottw
Prospect
 
Join Date: Feb 2005
Posts: 5
Thanks for the response. I should have noted that I'd run Repair Disk, and found nothing amiss. BTW, I use journalling. There's nothing related to this problem showing in the Console log at the moment, but actually I couldn't run Console from the Applications folder, and had to use the command line - then found this in the log:

dyld: /Applications/Utilities/Console.app/Contents/Macos/Console load_shared_file() failed for "System/Library/Frameworks/Foundation/.framework/Versions/C/Foundation (Cannot allocate memory, errno = 12)"

Now just to make things interesting, I had to type that in by hand. Copy and Paste has just stopped working.

I'm now installing the 10.3.8 combo installer which in theory should overwrite all the system files installed since 10.3.0. I'm getting a little worried: if this were a Windows machine, I'd have concluded that this was malware some time ago.
Old 02-10-2005, 03:15 PM   #4
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,459
Quote:
Originally Posted by scottw
Thanks for the response. I should have noted that I'd run Repair Disk, and found nothing amiss. BTW, I use journalling.

Disk Repair is still useful even with journalled filesystems. At least I assume it is. The underlying program used by Disk Utility is 'fsck'. I always use this (fsck) from single-user mode instead of using Disk Utility for filesystem repair. With 'fsck' you need to use the "-f" option to force repairs on a journalled file system. It sometimes finds something to repair.

Quote:
dyld: /Applications/Utilities/Console.app/Contents/Macos/Console load_shared_file() failed for "System/Library/Frameworks/Foundation/.framework/Versions/C/Foundation (Cannot allocate memory, errno = 12)"

That sounds indicative of a more serious problem. Could it be that your RAM is failing? (Check it with 'memtest': http://www.memtestosx.org/)

Quote:
Copy and Paste has just stopped working.

That probably means that the pasteboard server process 'pbs' has crashed. There should be a log entry about this in /var/log/system.log
I recall a few old threads about 'pbs' crashing - maybe something in them would help you.
Old 02-10-2005, 05:46 PM   #5
scottw
Prospect
 
Join Date: Feb 2005
Posts: 5
Thanks again for the advice. I've tried running "fsck_hfs -f", which came up clean. I'm running memtest at the moment, but no errors in the first hour or so of operation. Unfortunately I didn't think of copy and paste being implemented by a separate executable, so I didn't check if that file had softly and silently vanished away before I put the 10.3.8 combo update on the system, but I suspect that was the problem. There's nothing in the system log about it.

Since the update c&p has started working again, and the key bindings for opening the optical drives work again.

As an aside: I've tried using "find" (i.e. the command line utility) to find further zero-length files: thought I'd found thousands but when I checked with File | Get Info in the Finder some (possibly all) of them showed non-zero and it was possible to open or run them. I think this is some HFS+ weirdness to do with the resource fork (do Macs still have them?) or with storing small files in the directory entry in the way that NTFS does. Anyway, this wasn't why I thought I had a problem originally - the files I was interested in were very definitely zeroed out and had a non-zero length when I restored them with Pacifist.

My thinking is that a memory error or anything that low level would tend to cause errors (crashes perhaps) in running applications, but not have the very specific and repeated effect of making files zero-length. For a while I thought malware would not be possible because of the privileges required to act on a system file, but this turns out not to be the case. The TextEdit executable has privileges -rwxrwxr-x and is of group admin. My user id is in group admin, so it turns out that I can do stuff like erasing the executable without using sudo. Scary! I knew that the Finder could do this, but I rather assumed it was running suid to give it root privileges. This discovery means that any of the third-party sw I installed could have mangled the files. This is deeply disappointing - it means that apparently MacOS doesn't offer the security of Windows with respect to the integrity of its own system files.

Basically I'm now fairly sure that this is either an OS problem (but nothing's showing up on Google) or malware, probably a Trojan. An argument against it being a Trojan is that I have no unexpected zero-length files in my Document, Music or Pictures directories - i.e. no evidence of an attack on my data.
Old 02-10-2005, 09:52 PM   #6
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,459
Quote:
Originally Posted by scottw
I think this is some HFS+ weirdness to do with the resource fork (do Macs still have them?)

Yes, many apps and document files have resource forks. These tend to be the older apps or ones programmed with "Carbon".
You can check for a resource fork on a file named "foo" with the command:
ls -l foo/..namedfork/rsrc
(Yes, I know it's more like a magic incantation)

Quote:
My thinking is that a memory error or anything that low level would tend to cause errors (crashes perhaps) in running applications, but not have the very specific and repeated effect of making files zero-length.

Yes, I agree that RAM problems tend to lead to random crashes rather than file corruption.

Quote:
For a while I thought malware would not be possible because of the privileges required to act on a system file, but this turns out not to be the case. The TextEdit executable has privileges -rwxrwxr-x and is of group admin. My user id is in group admin, so it turns out that I can do stuff like erasing the executable without using sudo. Scary! I knew that the Finder could do this, but I rather assumed it was running suid to give it root privileges. This discovery means that any of the third-party sw I installed could have mangled the files. This is deeply disappointing - it means that apparently MacOS doesn't offer the security of Windows with respect to the integrity of its own system files.

Umm, TextEdit is merely an application, not what I would call a system file.
And by the way, if an application like Finder was setuid, then malware could just use that app to do whatever it wanted - e.g. by scripting Finder with AppleScript. I note that although the default setup is for your user account to be an admin, most people who are concerned about security don't use their admin account for everyday work - they create a non-admin account for everyday work and only use the admin account as needed.

Quote:
Basically I'm now fairly sure that this is either an OS problem (but nothing's showing up on Google) or malware, probably a Trojan. An argument against it being a Trojan is that I have no unexpected zero-length files in my Document, Music or Pictures directories - i.e. no evidence of an attack on my data.

If you suspect malware, you probably want not only to turn on the builtin firewall, but perhaps also to install something like "Little Snitch" to look for outgoing transmissions. But I don't think it is likely to be malware - most malware tries to keep quiet and not be noticed, and deleting important apps is usually rather noticeable.

Last edited by hayne; 02-10-2005 at 09:58 PM.
Old 02-11-2005, 01:54 AM   #7
scottw
Prospect
 
Join Date: Feb 2005
Posts: 5
Quote:
Originally Posted by hayne
If you suspect malware, you probably want not only to turn on the builtin firewall, but perhaps also to install something like "Little Snitch" to look for outgoing transmissions. But I don't think it is likely to be malware - most malware tries to keep quiet and not be noticed, and deleting important apps is usually rather noticeable.

Done both, and I've got a Cisco firewall as well. I wasn't thinking of spyware though - some PC viruses do slowly corrupt files, the idea being that you don't notice until too late.

Quote:
Originally Posted by hayne
Umm, TextEdit is merely an application, not what I would call a system file.

Sorry, I forgot that this had a specific meaning on the Mac. I just meant part of the OS rather than of a third party application.


Quote:
Originally Posted by hayne
And by the way, if an application like Finder was setuid, then malware could just use that app to do whatever it wanted - e.g. by scripting Finder with AppleScript. I note that although the default setup is for your user account to be an admin, most people who are concerned about security don't use their admin account for everyday work - they create a non-admin account for everyday work and only use the admin account as needed.

You're right, of course, and if I'd looked into this in detail I'd have done that. I'm afraid I was misled by running a non-root user id and having to provide a password or sudo to do many maintenance activities. Actually I can't see why this is necessary given the way groups are used.

Anyway, thanks for your help on this one. I'm going to try to set up a script to check for changes in the list of zero-length files to see if it recurs under 10.3.8 - if nothing else, it would show me what to repair.
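An added example, not written by either poster: one way to build the baseline-and-compare check for zero-length files mentioned in post #7. It uses the `..namedfork/rsrc` path from post #6 so that files holding data only in their resource fork are not reported as empty. The function names and the baseline file location are hypothetical.

```shell
#!/bin/sh
# Added example: report files that have become empty since a saved baseline.
# Function names and the baseline path are hypothetical, not from the thread.
# Assumes file names contain no newline characters.

# List regular files under $1 whose data fork is empty and whose resource
# fork (where the filesystem exposes one) is empty as well.
list_empty() {
    find "$1" -type f -size 0 -print 2>/dev/null |
    while IFS= read -r f; do
        # Off HFS+ the namedfork path does not exist; treat that as size 0.
        rsrc=$({ wc -c < "$f/..namedfork/rsrc"; } 2>/dev/null | tr -d ' ')
        if [ "${rsrc:-0}" -eq 0 ]; then
            printf '%s\n' "$f"
        fi
    done | LC_ALL=C sort
}

# Record the current list of empty files under $1 in baseline file $2.
save_baseline() {
    list_empty "$1" > "$2"
}

# Print files under $1 that are empty now but are not listed in baseline $2.
newly_empty() {
    list_empty "$1" | LC_ALL=C comm -13 "$2" -
}

# Usage: script ROOT BASELINE
# The first run records the baseline; later runs print newly emptied files.
if [ "$#" -eq 2 ]; then
    if [ -f "$2" ]; then
        newly_empty "$1" "$2"
    else
        save_baseline "$1" "$2"
    fi
fi
```

Keeping the baseline file somewhere an everyday account cannot write to means a change to the applications cannot also rewrite the record it is compared against.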
Old 02-11-2005, 08:16 AM   #8
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,459
1) You might find a useful clue by searching for other threads here where people have reported zero-length files.

2) I suspect the problem might be related to your RAID (not only because this is somewhat unusual but also because the problem is about disk files disappearing).