10.8.5 Supplemental unhiding /mach_kernel

hkim
Contributor II

And that's annoying, and could provoke your users to do something bad since the file is now clear in view (i.e. try to delete / mess with it)

Here's a quick and dirty script to check, and then hide the flag. Also an EA to make a smart group to check for the issue.

#!/bin/sh
# Policy script: hide /mach_kernel when its flags field (15th field of stat -r) is 0
hiddenflagstatus=`stat -r /mach_kernel | awk '{print $15}'`
if [ "$hiddenflagstatus" = "0" ]
then
    chflags hidden /mach_kernel
else
    exit 1
fi
exit 0

#!/bin/sh
# Extension attribute: report whether the flags field equals 32768 (hidden)
hiddenflagstatus=`stat -r /mach_kernel | awk '{print $15}'`
if [ "$hiddenflagstatus" = "32768" ]
then
    echo "<result>Hidden</result>"
else
    echo "<result>Not Hidden</result>"
fi
exit 0
17 REPLIES

nessts
Valued Contributor II

Anybody else see the /-verbose file?

golbiga
Contributor III

I would hold off on making this available on your SUS if you have one. I know a bunch of people (including myself) have filed a Bug Report with Apple. I'm hoping they pull the supplemental update soon.

Also, the combo updater and regular 10.8.5 update (updated version) do not unhide mach_kernel.

mm2270
Legendary Contributor III

Just updated a test Mac here with the Supplemental and I'm seeing mach_kernel at the root of the drive, plain as the nose on my face. Nice one Apple!
Wasn't this the update that was first released internally to all Apple employees from a report I read? How did this not get caught?? Sloppy.

jhbush
Valued Contributor II

hkim, should have checked closer. $15 is correct.

#!/bin/sh
# Hide /mach_kernel when its flags field (15th field of stat -r) is 0
hiddenflagstatus=`stat -r /mach_kernel | awk '{print $15}'`
if [ "$hiddenflagstatus" = "0" ]
then
    chflags hidden /mach_kernel
else
    echo "mach_kernel is hidden"
fi
exit 0

hkim
Contributor II

$15 seems to point to the hidden flag from what I gather; doing a stat -s, the st_flags value is the one I was looking for.

mm2270
Legendary Contributor III

Another way is to check for the com.apple.FinderInfo Extended Attribute like this-

xattr -x /mach_kernel

In the script.

#!/bin/sh
# Hide /mach_kernel unless com.apple.FinderInfo is its only listed extended attribute
hiddenflagstatus=`xattr -x /mach_kernel`
if [ "$hiddenflagstatus" != "com.apple.FinderInfo" ]
then
    chflags hidden /mach_kernel
else
    echo "mach_kernel is hidden"
fi
exit 0

jhbush
Valued Contributor II

OK, I see what you are saying: it flips from 0 to 32768 at position 15.
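Added example, not part of any post in this thread: the scripts above compare the whole flags field to "0" or "32768", which misreports a file that carries another flag as well. This sketch tests only the hidden bit; the function names, the "Unknown" result and the use of `stat -f '%f'` to read the flags are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): test the hidden bit in st_flags
# instead of comparing the whole field to "0" or "32768".

UF_HIDDEN=32768   # 0x8000, the value the thread sees at position 15

# is_hidden FLAGS: status 0 if the hidden bit is set, 1 if not, 2 if FLAGS
# is not a decimal number. Other bits (e.g. 2 = user immutable) may be set too.
is_hidden() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ $(( $1 & UF_HIDDEN )) -ne 0 ]
}

# ea_result FLAGS: print the extension attribute string for a flags value.
# "Unknown" is an assumption of this example for unreadable flags.
ea_result() {
    rc=0
    is_hidden "$1" || rc=$?
    case $rc in
        0) echo "<result>Hidden</result>" ;;
        1) echo "<result>Not Hidden</result>" ;;
        *) echo "<result>Unknown</result>" ;;
    esac
}

# read_flags PATH: decimal st_flags of PATH (macOS/BSD stat syntax).
read_flags() {
    stat -f '%f' "$1" 2>/dev/null
}

# Report on the real file only where it exists.
if [ -e /mach_kernel ]; then
    ea_result "$(read_flags /mach_kernel)"
fi
```

A flags value of 32770 (hidden plus user immutable, a constructed case) reports Hidden here, while a string comparison against "32768" would report Not Hidden.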

gregneagle
Valued Contributor

"I would hold off on making this available on your SUS if you have one."

Since the Supplemental Update fixes actual bugs, and the visibility of mach_kernel is a cosmetic issue, I think orgs might want to consider deploying it anyway, especially if they've encountered any of the bugs the Supplemental Update fixes.

mm2270
Legendary Contributor III
"Since the Supplemental Update fixes actual bugs, and the visibility of mach_kernel is a cosmetic issue, I think orgs might want to consider deploying it anyway"

Generally speaking I would agree, but only after some careful testing. My concern here is that if something simple like making sure mach_kernel is invisible was overlooked, I have to wonder what else didn't get caught. My understanding on this update is that it wasn't really distributed to folks in Apple's developer program. I could have that wrong, but if that is the case, it may not have been tested thoroughly outside of Apple, therefore the need for some caution in deploying it.
It's also not impossible that Apple may pull it at any moment and re-issue it. It's happened before as we all know.

damienbarrett
Valued Contributor

Apple may have just pulled this supplemental update from their servers. I can't get my 10.8.5 12F37 build machines to see it in Software Update anymore.

mm2270
Legendary Contributor III

@damienbarrett, sure you don't just have it blocked on an internal SUS? The update is still on Apple's site, downloadable, so I assume it's still active:
http://support.apple.com/kb/DL1686?viewlocale=en_US&locale=en_US
Modification dates are the same, so it doesn't look like it was updated at all.

JPDyson
Valued Contributor

The update is still very much live for me.

damienbarrett
Valued Contributor

Weird. Some of my machines running 12F37 simply refuse to see the update.

I took another machine running 10.8.3 and ran all updates in Software Update (using Apple's, not a local SUS) and when done it came out running 12F45. Maybe Apple has bundled the 10.8.5 and 10.8.5 supplemental updates together on their SUS servers?

Also, this machine I just updated from 10.8.3 to 10.8.5 12F45 is *not* showing mach_kernel in the Finder. Yet several machines I updated over the weekend and earlier this morning are definitely showing mach_kernel in the Finder. I've already had an EA in place to detect OS build number, so I just had to use the script above to execute on machines running build 12F45.

But now I'm thinking that might produce some false positives. Perhaps my EA should look for the presence of:

/var/db/receipts/com.apple.pkg.update.os.10.8.5.supplemental

And then execute a script to hide mach_kernel based on a group scoped to this. Maybe I'm overthinking this...but my users are mostly all admins and I can certainly see some of them trying to delete this "mysterious" file from their systems, as they've been taught to leave the root of their HD with only /Applications, /Library, /System, and /Users.

So, I'm not sure what's going on.

mm2270
Legendary Contributor III

Why not use the EA that @hkim posted for detecting if the mach_kernel file is visible instead of detecting OS build number? Not that there would be any harm I can think of in running the chflags hidden command on an already hidden file.

JPDyson
Valued Contributor

@damienbarrett When Apple released the Supplemental, they also released updated 10.8.5 Delta/Combo updaters. If you had 10.8.5 12F37, and you ran the Supplemental, you received build 12F45 and a visible mach_kernel. If you had less-than-10.8.5, and ran the Delta/Combo, you got 12F45 and an invisible mach_kernel. So, it only affects computers updated with the Supplemental.

jwojda
Valued Contributor II

Whenever I run it, I get the following output; tried on the 10.8.5 Supplemental Update and 10.9.

Running script MachKernel.sh...
Script exit code: 2
Script result: /Library/Application Support/JAMF/tmp/MachKernel.sh: line 12: syntax error: unexpected end of file
Submitting log
Finished.

Using TextWrangler I don't see anything wrong. I tried changing the ` to ' and tried to " the whole thing (removing the `); nothing seemed to work...

hkim
Contributor II

What's wrong is I forgot to close the if with a fi statement.