Hacker News new | past | comments | ask | show | jobs | submit login
Google Chrome Keystone is modifying /var symlink on non SIP Macs causing k-panic (mrmacintosh.com)
462 points by frandroid 29 days ago | hide | past | web | favorite | 300 comments

I've always hated that "service" (more like malware given this news) like everything else that installs itself into the autolaunch sequence without permission, and remove* it whenever I notice/remember it, but it keeps coming back whenever I touch Google Chrome, which I prefer not to use in favor of Safari/FireFox because of reasons like this.

Things like these (including secretly signing you into Search when you sign into YouTube† or refusing to support PiP on iPadOS/macOS) just solidify Google's image in my mind as a forever scummy, intrusive company that I wish I could leave behind like I did Microsoft, but sadly Google Search and YouTube still don't have good enough alternatives yet.

* (startup items usually reside in the LaunchAgents/ and LaunchDaemons/ folders in your user ~/Library/, the root /Library/ and /System/Library/)

† (you can fix this by deleting all Google cookies after signing into YouTube, on any OS)

The trends that Google has spearheaded have had a real effect on me over the years.

I feel alienated from my computer. Subtle things will just change. If I really dig I might be able to find out why, but I don't have the time, so I just accept it.

Usually very small things that are barely noticeable. My Chromecast extension disappeared and was integrated into the browser. My brain could not help but notice this benign change, which caused a hard to place sense of unease.

Or when Google decided to remove rotation from the home screen on Android 2.3 -- it wasn't a huge problem, but I could have sworn that something changed. Users were conflicted, many convincing themselves that the homescreen never rotated at all.

It has made me not trust my computer. I second guess myself much more. If some option no longer exists, I wonder if it was just my imagination or if it was quietly deprecated while I wasn't looking. Does it even matter?

I think that we are being trained to see devices as ephemeral, and not to get too attached to them.

You feel alienated from your computer because there has been a conscious decision to take away options and user control in modern software. And I get why that decision has been made, even if I hate it as much as you and every other computer enthusiast.

For 90% of people, they have always "felt alienated" from their computers. They didn't understand what was happening or why things changed either, and it was easy to get yourself into trouble if you didn't know what you were doing and were trying to figure out how to fix something.

So companies decided to make their software have fewer options, and do more things automatically, without asking the user to have to make a choice. They don't give the users an option to customize, so they don't have to worry about those customizations causing breakage.

For advanced users this is crippling, but there are a lot more of them than there are of us, so they are going to be catered to.

> For 90% of people, they have always "felt alienated" from their computers. They didn't understand what was happening or why things changed either, and it was easy to get yourself into trouble if you didn't know what you were doing and were trying to figure out how to fix something.

I have stubbornly resisted it, but I think I will go the way of all of my friends and just accept it soon.

I now spend more time doing personal system administration than at any time in my life as a computer user. If you want to have control of your computing devices, you need to spend more time than in the age of five in floppy disks.

Most updates are a one way trip now, and they aren't keep on publishing exactly what features they have removed, so a lot of time is spent disabling updates, firewalling, researching, jailbreaking, imaging, and backing up.

My biggest liability now is not malware, but updates! I have to put all of my development toolchains in virtual machines, because they will break and I can not rely on being able to re-create them. Re-creating my modest workflow is a bi-annual affair, when it really shouldn't be.

And there has been a cultural change in software development as well. Software like Firefox will clobber your data during an update, and when you file a bug report, it will be WONTFIX, and they will say that it is your fault for not using Time Machine and rolling back their changes. They did this awhile back with bookmarks, and they certainly do it with extensions. I had to spend an entire afternoon recovering annotations and citations that were destroyed by a Firefox update, and I was told it was essentially my fault for trusting Firefox and not having hourly backups.

I hate to sound like a broken record, but there was a time when you could reasonably assume that if an update was making major changes, that it would give you the option to go back, or at least export your data if it didn't support it. I really wish the open source community would step up and be different, instead of embracing this.

Ironically despite there being less choices in an effort to make it easier for that "90%", the amount of tech support friends and family request from me has only increased in the past years.

Personally I don't buy the whole "removing choices to stop users from hurting themselves" excuse. To me it seems like over zealous designers trimming far more than necessary to make things look nicer at the cost of usability. But what do I know?

People are using tech to do a lot more. 20 years ago tech was a thing you sat down at, turned on, and used to check your email, update a spreadsheet, or type up a document.

Now we're using computers and software every waking hour and using software with millions of distributed users that we expect to always show us the latest updates.

We're using phones for banking and payments, to turn our lights on and off, to keep a lifetime of family photos backed up and synced across multiple devices.

It has made things more complex, but I don't think a world of 1997 style configure-it-yourself software would necessarily help with that.

Regarding the increase, I would argue that is less about increased device complexity but more about the increase in the amount of people who are using these devices on a daily basis. More they use, the more problems they encounter; I think the intersection between complexity and usage is determined moreso by the latter.

I doubt the number of people using smartphones and computers has increased significantly in developed/first-world countries, especially when it comes to one’s family and friends.

As anecdotal as it may be, my friends and family have used computers and smartphones for years, but I’ve experienced the same increase in requests for tech support as the parent comment.

Further, no one said there’s increased complexity. The argument is that the oversimplification, the removal of features, and overzealous design assumptions have made UX go in the wrong direction. It’s also an argument I agree with.

A lot of UX design today fails to recognize the spectrum of “tech literacy” and it should, ideally, accommodate all within that spectrum, rather than pander to the least “tech literate” end. It’s not always possible, but it should be strived towards. Instead, we have UX trending towards attempting to be so “intuitive” that it becomes counterproductive.

I had an interesting incident recently, where I was with some relatives and we were trying to plan the next leg of our trip; what restaurants to go to and what directions to take, etc.

Anyway, we had to start using a paper notepad and pens to keep track of the information! Even for people who just want to paste an address from a text message to look up in maps, and especially if you want to do anything with the calendar.

I just remember 15 years ago on my Treo 650 never needing to do that, and having no problem copying text between different apps seamlessly, between calendar, email, text, maps, and other apps. Same with Blackberry. Using modern Android is as awkward as driving a car with a mouse.

But I think there was an intentional push to minimize options for users, to make fewer pathways for things to go wrong. Forcing people to use pen and paper when they have a smartphone next to them is a UX success for them, because they don't have to improve handling text.

I'm afraid that's Agile development for you; teams contemplating the emptiness of their backlog and rushing to invent an endless stream of small t-shirts to fill it and keep the velocity within the desired KPIs.


I think these "lower the ceiling rather than raise the floor" rationales are cop-outs.

Yes, I get it, this reasoning does technically provide a justification for the design decisions made that will shut some people up. But that doesn't make the product or design decisions anything to be proud of.

And, to take it a step further, I don't think UX is putting in honest effort to improve things for unskilled users. All the low barrier to entry stuff is superficially pleasant, but the number of common UI paradigms end users have to learn how to intuit their way around has exploded, while affordances and discoverability have plummeted. People who've spent their dayjobs in front of computers for years - if not decades - are assumed to categorically have bad, less-than-worthless, ideas about what might make interacting with those devices easier. All because "shut up, nerds. Nobody would ever like the things you like" was easier than listening and figuring out the how to separate the wheat from the chaff.

> You feel alienated from your computer because there has been a conscious decision to take away options and user control in modern software. And I get why that decision has been made, even if I hate it as much as you and every other computer enthusiast.

This is a weird claim here because this issue only appears if you made a conscious decision to disable a critical security of the operating system, something only possible because you have "options and user control in modern software".

That this conversation arose within this context is somewhat ironic, but not particularly weird.

It’s great that Apple lets you disable SIP in macOS. It’s not great that Google frequently takes away user control. Different companies making different decisions in different situations is not contradictory, and outliers do not discount an overall trend.

My wife stopped using Android for that very reason. She’s not much into tech and complained that every time Android updates to a new major version, she needs to learn it from scratch, while iOS changes are noticeable but rarely touch user interaction fundamentals.

My mother had that exact same experience with her Nexus 5x. Things kept on shuffling every 6 months. Ever since I’ve got her on iOS, she’s been happy and I’ve been happy. I don’t even have to ask her to update to the latest iOS. She does it automatically and generally is able to find her way through. Never so on Android.

Apple wins in that regard - stability, consistency and reliability in daily use. It’s boring in a way for tech enthusiasts but wins in the eyes of people for whom their phone is just another tool which needs to work when they need it. They’ve no inclination to fiddle around with things nor a desire for a changing UI.

I am into tech and I stopped using Android for the same reason. UX is what keeps or alienates users.

History observers will know that Google started the forced auto-update and permanent beta culture. "We know better than users".

When all is said and done, Google can die off or fail as a business, but this and persistent data collection as a norm will remain its most lasting "contributions".

I absolutely hate auto-updates on anything. Of course this is always met with "but security issues..." YOU BROUGHT SECURITY ISSUES BY MAKING EVERYTHING NETWORKED AND IN A PERPETUALLY UNFINISHED STATE!!!

And of course since everything is in a constantly broken state, it is also in a need of constant auto-updates that both break and unnecessarily change stuff without my knowledge or permission.

> Or when Google decided to remove rotation from the home screen on Android 2.3 -- it wasn't a huge problem, but I could have sworn that something changed. Users were conflicted, many convincing themselves that the homescreen never rotated at all.

For this specific feature, on LineageOS, you can restore home screen rotation. I don't really understand why it's off by default though, it's confusing to have apps rotate but not the home screen.

I've always assumed they know what they are doing (Android UX seems quite good, despite what my three years younger self would think), but I don't get this. Is it because you can mess up your home screen by adding or moving icons when rotated?

> For this specific feature, on LineageOS, you can restore home screen rotation. I don't really understand why it's off by default though, it's confusing to have apps rotate but not the home screen.

I think it is either because iOS doesn't rotate the home screen on phones, or because they introduced this simplified car interface that did rotate, and they wanted to differentiate. But like so many design choices, it was not due to technical reasons, but marketing or political reasons.

It's funny, when I used Windows 10 for the first time recently, Ubuntu's unintuitive lock screen finally made sense, since they copied it. Whenever open source software starts doing something strange with their interface, I only have to look at proprietary software to see what interface they cargo-culted, going back to Pidgin copying iChat. I would love to see the discussions where they make these decisions. I imagine someone bursting into a meeting "You guys, Microsoft did a thing with their interface, we have to put everything else on hold to copy them!"

When I used versions of android with home screen roatation, I remember it would completely jack up most of my widgets. They were designed to be displayed at some aspect ratio and that aspect ratio would change after rotation. Maybe they got rid of the feature because it wasn't worth it to herd developers of widgets into fixing this issue.

I feel the same. That's why I appreciate a lot Free Software and I try to never have essential parts of my workflow depend on proprietary software; because it doesn't change condtantly, it doesn't run away from me, it is always available. It really takes a lot of stress away. If only I could replace every tool with a free alternative...

I share your pain.

Some time last week Youtube removed the publication date from videos. Apparently they restored it today.

For a while it was super strange and I had to rely on comments to guess when the video was posted.

This was way more than a week ago, I remember installing an extension for exactly this months ago. Then it came back, then it disappeared again [...] - this might be betatesting though.

I can’t speak authoritatively about this specific instance, but I use multiple unlinked google products across multiple devices and they absolutely split test UI changes. It can be fairly nefarious on the advertiser/publisher side of things if you actually understand what their attempting to do.

It’s really too bad, because Google traded their pristine reputation for possibly a slight boost in their near term earnings.

You have to make the window larger (than "mobile-sized") to see it.

> I feel alienated from my computer. Subtle things will just change.

I sometimes feel like companies have used the guise of "protecting novice users" as a means to take away our freedoms and increase their power (e.g. Google forcing updates on Chrome; Microsoft forcing updates and telemetry on Windows; Apple prohibiting non-app store applications and iOS downgrades). Of course, Linux and BSD exist, but many people don't want to deal with them.

The whole situation is just depressing to me.

That is one thing I really appreciate about running lineageOS on Android. You can see every single code change that makes it into a given update [0].

[0] for example https://download.lineageos.org/beryllium/changes/

> It has made me not trust my computer. I second guess myself much more. If some option no longer exists, I wonder if it was just my imagination or if it was quietly deprecated while I wasn't looking. Does it even matter?

Reminds me of 1984.

It's fascinating, because whatever thing was silently deprecated, there will be hoards of defenders in comments insisting that the thing never existed, and it was just your imagination. Even on sites like Stackoverflow!

Part of this is because release notes no longer most things removed (they are just covered under "other interface enhancements").

I did track down the home screen rotation change but it was very obscure. In one thread a user had to post actual video of two different Nexus One devices and prove that the update removed landscape homescreen mode. This is the world we live in, where this is a massive cloud of uncertainty over what our devices are even capable of doing!

A software changing some minor feature reminds you of a world-wide plunge into fascist dystopia?

Re: chromecast extension: https://support.google.com/chromecast/answer/7249696

This actually bugged me a lot (I cast into meetings quite a bit) and your comment made me go find a solution... Turns out it's super easy!

Yeah, I removed Chrome precisely because it kept re-adding its crap to the login sequence. It really drove home the notion that Google will not respect any boundary or privacy - your machine is their machine, your data is their data, and screw you if you don't agree.

Now I live in Firefox and it's just as good as Chrome, at least for my needs. I've dropped pretty much all Google stuff except for GMail, mostly out of laziness (I would have to update hundreds of accounts).

>> I've dropped pretty much all Google stuff except for GMail, mostly out of laziness (I would have to update hundreds of accounts).

I held off for two years moving away from GMail for this reason. A year ago I decided to pull the plug anyway, and it turned out to be much less annoying than expected. My strategy was as follows: first enable a forward from GMail to your new mail address, then directly migrate the ~10 vital/daily accounts, then just leave the rest pointing to the GMail account. After that, change each remaining account immediately (no exceptions) the moment I either log in to it, or receive an e-mail from it that refers to the GMail address.

It took me about two months migrating away from GMail, and as a bonus I was able to identify quite a few old login I didn't really have a use for anymore, so I closed them.

For regular mail I put an auto-reply in GMail that says I don't use it anymore and the address will be closed at some point in the future. But honestly, I don't think anyone ever saw it as nobody sends regular email anymore these days. All in all the process was pretty painless, and I feel very happy about ditching the last Google service I was still using (except the rare Google query of DDG fails to return useful results)

> ... nobody sends regular email anymore these days.

That seems strange to me, as email is my main form of communication.

What are the people you know using instead?

Not OP, but for personal email I've noticed the utility of email has gone down and down for me the past few years. I've got more spam/junk, 90% of my other traffic is automated bills and newsletters I get, etc, and an ever dwindling amount of friends keeping in touch via email. There seemed to be a progression from email->fb->whatsapp,snap,IG,etc-> .....?/i'm too old to keep up with the lastest communication these days. Most of my social convos have regressed 15 yrs and are again mostly just texting, even for photo sharing....

Now email in professional life is a different story, and is 100% mandatory, but that's all in the enterprisy outlook world...

WhatsApp or Facebook Messenger. The only personal emails I receive nowadays are from my parents, and people travelling abroad without reliable internet connections.

Work is mostly slack, personal life is mostly text messages

I've been thinking about migrating away from GMail for a while now. Are you self hosting your email now, or are you using a provider like ProtonMail? Just curious

not GP either, but I did the same and migrated to Fastmail. The transition was extremely smooth, and at least for now gmail allows you to set up integration (either forwarding rule or remote retrieval through IMAP) to forward you old e-mail to fastmail. I have it set up to auto tag all incoming gmail mail and move it into a folder that I check occasionally to see if anything interesting came through.

One amazing advantage to using fastmail (or really any real e-mail provider) is that it is trivial to set it up to use your own domain for e-mail, and to do catchall addresses for your domain. I use this feature heavily, using the general strategy of giving every service a different e-mail address. In this way I can sort by incoming to field, and block out anyone who sends spam using rules acting on the to field. This does an amazing job of sorting out things like mailing lists that keep re-adding you or that are worth monitoring but aren't worthy of showing up in my inbox.

Not GP but I did my migration with the same steps from Google Apps to Fastmail. They even have a nice importer that works well.

>> Are you self hosting your email now, or are you using a provider like ProtonMail?

I switched to FastMail, and and added an MX record for the domain I already had to alias the mail adres to that domain. So now I could easily switch to some other e-mail provider at any time in the future. But I’ve been totally happy with FastMail so far.

I did consider self-hosting but decided it’s just too much of a hassle to get decent spam filtering and security set up.

My 2 cents. Use your own domain. It’s really cheap and now you own your email address and can move it to another provider whenever you like.

Setting it up in Fastmail is super easy if your halfway computer literate. It literally says what DNS records you need to creat.

Importing your Gmail emails is even easier: log into Gmail from within the Fastmail options. Grant access. Now it’ll import all your mail in the background.

> Yeah, I removed Chrome precisely because it kept re-adding its crap to the login sequence.

This, and forced auto-updates were exactly what finally led me to entirely removing Chrome from all my systems.

> (I would have to update hundreds of accounts).

I actually have been doing this for the past couple months. It wasn't too bad, just time consuming. I took the opportunity to request account closures for every account that I don't expect to use in the future.

> Yeah, I removed Chrome precisely because it kept re-adding its crap to the login sequence. It really drove home the notion that Google will not respect any boundary or privacy - your machine is their machine, your data is their data, and screw you if you don't agree.

Exactly this. Chrome was never my main browser, but though it's useful for testing web dev I just nuked it from the system once I realised it kept trying to find new ways around my deactivation and / or removal of keystone. That was several years back.

First step for moving email from any provider is getting your own domain name. All decent providers allow it and it’s not hard to set up.

You will never have to update any accounts with new email addresses ever again.

iCloud mail + the default Apple Mail app has worked fine enough for me for a decade.

What does Gmail offer that you can't get on other services? (honest question)

Gmail's mandatory phone number requirement upon registration and inability to get unique aliases (iCloud allows 3, so you can have 4 addresses per account at a time, and without the "baseaddress+" prefix which self-defeats the point of an alias) turns me off right at the start.

> Gmail's mandatory phone number requirement upon registration

It's not always mandatory. I don't know what the heuristics are, but I've managed to create a couple new Google accounts (non-gmail, for dev purposes) during the past couple weeks without them being tied to a phone number.

What I can't seem to get elsewhere: tags.

Folders don't cut it.

Gmail doesn’t give me tags.

They are named "labels".

Thanks. Sorry, I was wrong. I got gmail and gdrive mixed up.

> What does Gmail offer that you can't get on other services?

whitespace. precious, precious whitespace

This is the one thing I wish Apple would solve in a new version of macOS. There are so many ways to automatically start software, and I would love a more built-in way to manage what can start with the system. They have login items, but that's an incomplete list. I recently _gave up_ trying to remove Dropbox because its auto-updater kept coming back after removing seemingly all possible places where it was stored.

Apple is willing to inundate users with permission prompts for microphone, location, and disk access. Why not the ability to start with the system?

Yes, it's one of the first things that befuddled/frustrated me on macOS after coming from Windows (not that that was much better).

Dropbox apparently also used to show you a fake system password dialog which saved your administrator password, and more:


It looks like Dropbox still tries [1] to abuse [2] Accessibility services in order to gain increased access to things on your computer that applications typically shouldn't need access to. Accessibility services are for helping blind people use your software, not for your software to run roughshod all over my system. Jeez!

1: https://help.dropbox.com/installs-integrations/desktop/mac-p...

2: https://applehelpwriter.com/2016/07/28/revealing-dropboxs-di...

This isn't entirely accurate. The hack that they used (writing creds directly into the TCC db instead of using the official dialog) was closed by Apple in High Sierra I believe (might've been Mojave? I can't remember atm). Regardless, now they use the official prompt. Of course, while Apple went to the trouble of SIP protecting the TCC db, they didn't actually fix the API for getting Ax permissions, and it's still a massive pain to get it even remotely right.

As for what they're using accessibility for, I believe the official primary use case is tighter integration with the Office suite (e.g. showing users if anyone else has the doc open). So nothing exactly malicious.

This isn't anything new. Keep in mind that Dropbox was offering sync status icons for years before Apple finally created an official API for doing so. IIRC that was using an even dirtier hack, involving monkey patching Finder at runtime. I'd definitely count that as a useful feature as well, and one that Apple had no interest in supporting until it became a user expectation.

I've got no affiliation with Dropbox, and I can definitely see the concern over the TCC hack. But once you try to do any meaningful integration with macOS, you do begin to sympathize. The official APIs are limited, flaky, and prone to deprecation at a moment's notice (see Quicklook plugins in Catalina for a fresh example). And Apple, despite making it impossible for third parties to innovate in their ecosystem, gets to paint themselves as saints.

Security is paramount, of course, but needlessly restricting how users and developers can use the OS will either lead to even dirtier hacks, or only Apple apps being allowed to do new, interesting things. And I don't particularly like either option.

A number of respectable apps uses Accessibilty features, for instance Alfred.

> not that that was much better

At least on Windows, I could with confidence say that Sysinternals Autoruns + Process Hacker would get you 99.9% of the way. I too went from Windows to macOS, and I tried countless tools (Lingon X, CleanMyMac, App Cleaner, App Cleaner & Uninstaller Pro, etc.) to no avail in my quest to kill Dropbox.

Agreed! The Macs are still a crazy mess. Not that much different from the old days with chains of Inits.

At least with Dropbox, they needed that access to modify menus and make changes to benefit the user. And they also made it clear that this is what they needed it for.

When Google does it, they are just elbowing their way into your computer.

I really wish there was a way I could revoke an App's ability to request access.

Which I don’t want or need. They gave no respect for your system.

Back then it turned out the password dialog wasn't fake but was the standard OS dialog apps can request sudo access with. The text in the dialog is app-customizable.

A lot of these things are hacks to streamline user experience.

I remember a few months ago when Google Cloud was offline and people made a room on Zoom to discuss it. Just clicking on a link opened the Zoom app, because it had installed a daemon behind my back. Considering it's an app with microphone access, I was VERY concerned when it happened.

I might be saying that to the wrong audience, but I think Apple is being overly cautious not to bother developers and power users at the expense of security on the desktop. Not as if other OSs are better – just this week my flash drive came back with a Windows virus after I sent it to a print shop –, but still.

In this specific case it shouldn't be possible to run without SIP outside of safe mode IMO, but it's still possible because some people need to run unsigned kexts and other hacks.

It's the same thing with the sandbox. I've seen a lot of developers making excuses not to publish on the App Store because they need things like unlimited access to home directory for whatever reason and the sandbox restricts them. Last excuse I saw was "we need to scan for subtitles". Yeah, right.

> Last excuse I saw was "we need to scan for subtitles". Yeah, right.

Yeah, that's not even a valid excuse! Once a user manually selects a file, the macOS sandbox also gives an app access to any "associated" files like subtitles, automatically:


(search for "subtitle" on that page)

Note that the file name has to match exactly for this to kick in.

That was discovered a short time after I noticed the rogue daemon myself!

Let me try to explain better: There was a thread here in HN about a Google Cloud outage and someone posted a link to a Zoom conference. I noticed that their app was still installed after clicking the given link. This happened to other people too:


I wonder if it's a coincidence!

In a limited way, Windows is better about this sort of thing. System integrity checks (checksums of critical files) can't be disabled, only defeated. All drivers must be signed or you have to enable test signing mode, which requires a reboot and puts annoying text permanently in the corner of the screen.

...but you can still delete whatever you want out of System32 (though it may grow back), and you can add your own things, and dll hijacking is an issue etc. Just when it comes to kernel code are the protections better.

I vaguely remember Microsoft pissing off a lot of device makers and users with Vista because it started requiring signed drivers.

I might be remembering it wrong, but I thought it was definitely a good thing and definitely a step forward.

I wish that would happen more often. With so many things moving to the web there's not that many excuses left to sacrifice security and stability for backwards compatibility.

Are you referring to the same Apple that pushed a silent update to REMOVE the hidden Zoom server?


Well, I'd expect the "Malware Removal Tool" to remove malware/backdoors in the first place.

But my point is that Zoom shouldn't even have been able to install that server on my system in the first place. It's my computer, so I should have been asked before. Same for Google Keystone Updater.

Dropbox is my next war on this front. The difference with Dropbox is it pretty much has to be running all the time to be useful, which means it has much more power than Chrome to be an unkillable auto-updater.

Considering that Dropbox appears to be a CIA tool to enable snooping on people’s computers masquerading as a file sharing service, I would be surprised if there is anyway to completely safely remove it at all.

Citation? Please/thanks

I'm not even quite sure why Google does it. Can't they just check and fetch updates while Chrome is open? What's it matter if Chrome is out of date if it isn't running? Are they trying to push off updates to the middle of the night or something? That doesn't really make sense, since people probably mostly leave their browser open anyways.

I had Chrome installed "just in case" (mainly for the dev tools for the rare occasion I do web dev) and I just uninstalled it and the updater. It's not worth the surface area...

Now to get around to nuke all this junk that Citrix Receiver installs. Ugh.

It's a better way to mitigate against zero days in the browser, where you might get exploited even before you find out the browser is out of date.

While that is true, I do not believe that is why they are doing it that way. There's nothing stopping them from giving some minimal feedback that an update happened. It would actually be better that they did.

It is also suspicious how set they are so against users using an older version of their browser. Security is not a good enough justification. It is actually easier to use an older Operating System than an older version of Chrome.

This is clearly just to protect the integrity of their platform.

What kind of zero-day does this protect against that wouldn't be blocked by an at-launch-time update check like most regular software uses? If anything, at-launch-time is better because Keystone's last update check might have been 2 hours before the 0day patch came out, but at-launch-time would check immediately and notice.

at-launch check would obviously delay launch. Users do not want chrome to start slower I thought this would be obvious.

Agreed with you 100% - I also hate the nonstandard window GUI interface elements (tabs in the title bar, fuck outta here!) and the really horrific preferences pane. Chrome is a dumpster fire.

I like Chrome for Javascript development/debugging, but I don't use it for anything else.

Use Vivaldi instead.

Why not Firefox?

or Brave (for debugging only)

I use iridium.

my #1 UI hate is single click in omnibar selects all. WTF

I hate how they have this "Hold Command-Q to quit.' FUCK that.

>but sadly Google Search and YouTube still don't have good enough alternatives yet.

I thought that, too, but then I held my breath and just switched to DuckDuckGo as my main search engine and... there's no difference, really. Maybe some niche cases where google spits out more specific results and handles exact quotes better. But for 99% of "type a word, get results" kind of uses, it works great. I did not expect that, maybe still burnt from when Google was so far ahead of the competition in search it wasn't even a question.

Youtube is a different story but I don't really miss anything not logging in, so there's that.

If duckduckgo doesn't do a good search you can always type "g! <search>" and it will search using google. I usually search duckduckgo first and then fall back to Google. The thing that made me quit google was the "controversial twiddler"[1] and their delisting of non corporate health sites[2].


[2] https://news.ycombinator.com/item?id=20676755

I've been using DDG for literal years now, and whenever (rarely) I use Google for a search, I'm completely befuddled by Google Search's user experience. There's stuff everywhere: vertical lists, horizontal lists, thumbnails, chevrons, cards, blocks, drop shadows. DDG is just no-nonsense: a list of web results, like Google was then. For that alone, it wins my heart. Though, privacy is the main reason I use DDG.

Yeah, the Google autoupdater’s insistence on reinstalling itself to maintain RCE on my machine even after being explicitly removed is really irksome.

interesting that apple brought the hammer out for zoom but doesn’t do that for chrome

You should check out BlockBlock[1] by the cool dudes at Objective-See..

"Malware installs itself persistently, to ensure it's automatically re-executed at reboot. BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS."

[1] https://www.objective-see.com/products/blockblock.html

Google's update service was the cause of my Mac not waking up from sleep. :(

Any details? My Mac sometimes won't wake (eventually k-panics). Curious if I'm falling prey to the same thing...

Do your logs mention it (open the Mac console app)?

In fairness, having a less-than-up-to-date web browser or OS is quite dangerous from a security perspective. I'm extremely glad that today's browsers patch themselves in the background.

You hate software with a big more than malware?

Hey. Google Keystone tech lead here. We are aware of the issue, and we've stopped the release. We're building a replacement that fixes the problem. In the meantime, to fix affected machines:

  sudo rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
  sudo ln -F /private/var /var
This deletes the affected version of Keystone and reinstates the damaged /var symlink.

The version of Keystone packaged with Chrome is not affected by this bug, so allowing it to reinstall Keystone will not recreate the issue.

@norberg or any other Google Chrome/Keystone engineers:

WHY can you not make Chrome update like every other sane, well-behaved app?

Update notification -> User confirmation (or an OPTION for auto-updating) -> Download status.

Why do you insist on installing things into our startup sequence without our permission? If your intent is to "protect" users, increase the nagging. I'd be fine with Chrome refusing to load any website until Chrome is updated to the latest version.

Even Apple, who is notorious for making users' decisions for them, lets us choose when to update apps and operating systems.

Obviously they could have a consensual and transparent updating mechanism. This was not some sort of oversight.

Google's software is a cascade of lies and deceptions.

Think about this: when you start to tamper with Keystone agent, it never says anything to you, it just silently reinstalls itself somewhere else like spyware.

It will keep asking over and over for root access, without explaining why. They make it seem like your installation is incomplete without root access, but that is a lie. It will function fine running out of ~/Library/ as /Library. But there is no way to make it stop asking.

Google Earth, Google Drive, or many other Google products will re-install Keystone agent.

If I try deleting it, then that means I probably want it gone. They should prompt me to repair it or leave it alone.

You would think that Google would want to show off their updater. Even just a growl notification that an update has occurred.

But it makes sense why they don't want users thinking about it. If they were more transparent, they would say: We've installed this software that will monitor your filesystem and make irreversible changes whenever we feel like it. Sometimes we will break things, but most of the time we won't and if we do break something, we will fix it. It is possible to disable, but you will have to search for it, because you will never discover it yourself. Oh, we could just have a checkbox in Preferences, but we want to make you work for it. And all you are doing is requesting that we stop updating, but we'll still be running.

Most accurate summation of Google I've seen. It boggles the mind how many users on HN defend google out of some sort of Stockholm Syndrome.

I guess because many of them deep down would like to be a Googler.

They also used to shit on IE and WP, now everyone gets to enjoy Google's hegemony.

it's telling that you're still willing to put up with all of this despite what appears to be several really, really angry posts about it.

you have tons of complaints in this thread about google's "bad behavior" but you continue to put up with it to by patronizing the company and their tools, without even apparently asking the question, "do i really need chrome?" or whatever. have you asked yourself why you keep their software on your computer if it's such a headache?

i'm sure i'll get the typical "but there's nothing better!!" response and there may not be, but it's telling of you personally that you are willing to get so upset with all of this and then... keep on keeping on.

Are the issues I've brought up not worth being frustrated about? Do you think I'm a hypocrite for complaining about the thing that I use?

What would you suggest I do?

I use Chrome sometimes. Firefox is bad in its own way, often emulating the worst of Chrome. Like, at least the Keystone agent is unobtrusive and you don't even know it is there. Last time I checked, Firefox's Updater.app is just as disrespectful to the user, but it is horribly inefficient and clumsy.

> WHY can you not make Chrome update like every other sane, well-behaved app?

Because someone at the Chrome team has setup an OKR of newest version rollout rate. His/Her salary and promotion are at stake.

> WHY can you not make Chrome update like every other sane, well-behaved app?

Because that's how you end up with software that isn't updated, running old insecure versions.

As a user, I like it when my apps automatically update without me having to worry about it. The frustrating part about the Mac App Store is how it still makes you worry about updating apps.

Most Mac apps use Sparkle [1] or the App Store to auto update, neither of which requires admin access or modifies the OS.

[1]: https://sparkle-project.org/

While Sparkle is nice to have a standard way of updating apps, it makes the user worry about updating apps because it pops up dialogs and prompts you to download and install. I would much prefer it just update things for me automatically. If at all necessary, the Chrome approach of "hey, Chrome's been updated. next time you open the app you'll get the new version".

You can do this with sparkle! Our app that uses sparkle runs silent automatic background updates. No prompt for install needed! We could pop a changelog after update, to let the user know there has been one, but most often we don't.

The Mac App Store updates automatically.

You see a download bar on app icons in the Dock and Finder while they are updating, then a badge (blue dot prefix before the name) on recently updated apps.

Rarely (i.e. on new user accounts) it may ask you for the iCloud account (if it was a purchased app, I think) or administrator password (after some major OS installations).

How is that frustrating and "making you worry" about updating?

It seems like you haven't used the Mac App Store or have changed the default to manual updates.

MAS will download updates automatically, but it whinges and demands you tend to it if the app is open. Contrast to App Store on iOS, or Chrome, which just does everything in the background.

Obviously the model here is different, but its still a minor frustration to me.

> The frustrating part about the Mac App Store is how it still makes you worry about updating apps.

Wait, what? The Mac App Store updates your apps automatically in background (I know bc sometimes it tells me it can’t update a particular app until I exit it)

> I know bc sometimes it tells me it can’t update a particular app until I exit it

that's the part I find annoying. Contrast to iOS which doesn't have this problem. Obviously the model on iOS is a lot different (more restrictive backgrounding, apps are build to handle shutdown at any time), but its still a minor frustration I have with MAS.

This honestly. I've considered getting my parents a Chromebook because they're not technically literate (by their choice) enough to manage a Windows install. Non-automated updates is part of how we got into supporting IE7 forever. If updates were optional, they'd be on the same version I originally installed for them. This non-technically literate demographic is much larger than any of the vocal minority on HackerNews.

Those of us who are fine with running slightly outdated software are probably safe from whatever minor vulnerabilities we might be exposing ourselves to. Regardless, the choice should always be left up to the user. It doesn't have to be one way or the other to make you and me both happy—there can be an "auto-update" setting and a "never check for updates" setting.

100% agree. I shouldn't have to go to war with Google to use their product on my update terms. It's my machine, not Google's. They can ask that I update but they cannot demand.

I deal with this problem by using Firefox.

Unfortunately there is no Fireearth.

There is the web version of Earth, but surprise surprise, it’s Chrome-only.

The WASM beta[1] works fine on Debian/Firefox 60.9.0esr

[1] https://earth.google.com/web?beta=1

> Hey. Google Keystone tech lead here. We are aware of the issue, and we've stopped the release.

There is no legitimate reason for any install other than an OS upgrade to modify /var or any other system-related directory.


> We're building a replacement that fixes the problem.

The fact that your team would allow any code which modifies a machine at the OS-level only reifies the concerns regarding Google's products.

We have a revised set of commands that fix the symlink more correctly. These can only be run from macOS Recovery Console:

  rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
  ln -shf /private/var /var
  chflags -h restricted /var
  chflags -h hidden /var
  xattr -sw com.apple.rootless "" /var

> We have a revised set of commands that fix the symlink more correctly.

Tell your team and your supervisors this:

My computer is not your playground.

I’m sure most engineers on the team feel awful. They’re clearly trying, and maybe in a day or so we should figure out the nags ember breakdown. But for the time being, let’s let engineers do their job?

> I’m sure most engineers on the team feel awful.

There is no legitimate reason for a user-space install to manipulate system directories. So for an install to do so, there must have been an conscious decision made and code written to make real.

Therefore, for this system manipulation to have both been introduced and released, "most engineers on the team" either raised no problems with it or did not consider the implications of this decision.

> But for the time being, let’s let engineers do their job?

They did their job, which resulted in the release of this system destabilizing product.

Perhaps the job they should have done was to consider their work product be one which did not assume complete control of the machine onto which it runs?

Ok, but with newer macOS releases, SIP is enabled. I'm assuming the Google developers working on this are doing their developer work on newer SIP enabled releases....

No. They bear some responsibility for their abusive updating mechanism. They did bad and they should feel bad.

Users have no choice but to take whatever updates they throw at us, and have no recourse but to sit around and wait for another update to be pushed.

There is no way to roll updates back, and disabling updates is obfuscated and hidden away behind an obscure terminal command that nobody would discover on their own.

Google invited themselves into the guts of our computer on the pretense of updating their browser, and then they made a mess.

If Google explicitly laid out what they were doing and asked permission, many users would not grant it, which is why they are so covert about it. It isn't that it is being unobtrusive, it is that it is hiding.

I swear, only Google can get away with this. Nobody was this defensive when Microsoft pushed Windows 10 on people.

Is there a cohort of malware developers in Mountain View who hate their jobs but have no other opportunity for employment? I kinda doubt it.

These devs know what they are doing and in the current economic environment are clearly happy to be doing it.

2 days ago keystone and the updater was pumping 100% cpu

Killing it resulted in a relaunch and 100% cpu. There is no way to stop this except for unloading the launch agent, AND launchdaemon. Removing the application and killing the instance.

The os platform providers updates.. use that instead of crafting your own malware.

How would you like it if your car suddenly has a top speed of 15mph, and no power steering, because someone wanted to update the number of radio presets.

Huh. My wife uses Chrome (won't switch to Safari, even as she constantly complains about her battery life—go figure) and the last couple days she'd been saying that her battery life on her Macbook Air had suddenly dropped to like 25% of what it had been, leaving her seeking wall power every hour or so. Wonder if it was that.

Of course then it stopped booting at all yesterday so if it was that then it must have pushed the 4.5yr old battery over the edge and killed it. Or overheated something until it died. I don't think those fans have ever been cleaned.

Why did your team deem it appropriate to mess with core system components like /var?

Especially since the OS will prevent the attempt from succeeding on most Mac installations. Presumably it is a sloppy mistake, but one in an attempt to do … something … that is probably nefarious.

I suppose that's how it happened; some code to tamper with `/var` was accidentally (most likely - I doubt this was intentional/malicious) added into the update script. When this was tested and run through QA, everything looked OK because everyone is running Mac OS with SIP enabled

Makes me wonder if other software might be attempting to damage the system (totally by mistake) but SIP is preventing it, making it quite deadly to use said good software if you happen to turn off SIP for stuff like debugging

What's the bet Google disclaim any and all liability for this? eg the time taken to fix this, loss of income, etc.

Seems an awful lot of work related computers (eg Avid systems, and more) have been rendered inoperatable until someone manually boots and fixes each one.

After that, you can also do what I do to prevent Google from reinstalling Keystone ever again:

  touch ~/Library/Google/GoogleSoftwareUpdate
  touch /Library/Google/GoogleSoftwareUpdate
  chmod 000 ~/Library/Google/GoogleSoftwareUpdate
  chmod 000 /Library/Google/GoogleSoftwareUpdate

Honestly, if you're going to go this far, why not switch to Firefox or another Chromium/Blink-based browser, like Brave?

It seems kind of counter productive to kill off the auto update system when you can just as easily switch to a browser that just doesn't do what Keystone does.

Yes indeed but FF bogs down quicker than Chrome with lots of tabs, so I use both.

More important, I like Google Earth and it tries to install Keystone too.

The next release of FF looks to be a game changer in that regard.

Unfortunately I think we've heard this so many separate times that it's beginning to be the boy who cried wolf.

I've heard "Firefox is better than it was" only for me to reinstall the latest and find it's still way cludgier than chrome.

Sure. I hear that, but there have been some specific MacOS issues that have lead to it performing worse on MacOS than on other platforms, and they seem to be getting addressed in the Nightly builds.

In general, I've found it to be much better than Chrome, but as always YMMV.

I stopped using firefox years ago when chrome got good, and was happy. I wasn't happy with chrome recently (especially memory and CPU usage), and tried switching back to firefox shortly after the quantum release. I've been happily using it since, and have found comparable or lower resource usage. It actually does fine for me, even with tons of tabs (or as fine as any web browser does).

I've had the same feeling many times with both Firefox and Chrome in the past.

I think in the end that's something that you have to test out for yourself periodically, as it seems to be great differences of which is the best performer across OSs and devices. As a rule of thumb I try to do a short evaluation of each of them every ~5 releases.

It is much better (using v70 beta 8), but still has areas where performance lags behind Chrome. On a large board in https://miro.com/, for example, Firefox is laggy and jittery, whereas Chrome is buttery smooth.

You can report a performance problem -- I have had good luck with fixes: https://developer.mozilla.org/en-US/docs/Mozilla/Performance...

We shall see. So far using some "tab discard" plugin is essential to reasonable performance. Somehow having many tabs/windows open slows down firefox a lot, event though they aren't wasting CPU (I have most javascript disabled).

Weird... the tab discard stuff no longer helps with Firefox for me. It seems to handle background tabs on its own.

Its a bit like throwing the baby out with the bathwater isn't it? Chrome is a fine browser, botnet "features" aside.

It’s so easy to switch browsers so why even bother trying to fix some big ad company’s browser that is not acting in your interest?

I usually do chflags schg instead of chmod 000. I know it might seem like overkill, but Google is very sneaky, and I would not put it past Keystone to just change the permissions for itself.

> I would not put it past Keystone to just change the permissions for itself.

From experience, they absolutely do it.

They would call it "repairing permissions". OK, so I didn't break into someone's house, I just "repaired" their door that had locked me out.

> I usually do chflags schg instead of chmod 000.

Thank you. This was the best tip to come out of this whole discussion.

I'll identify every location Google apps write to, and lock them out with this.

That's very hardcore, but I agree with your logic.

Thank you! Because of Keystone, I have decided to treat Google Chrome as malware. I won't install it unless I really have to. One reason is that I have to test websites on Chrome. I can either run it on a virtual machine or disable the updater as you suggest.

I certainly understand the desire to rage kill google software update because they messed up, but people shouldn't actually do this because they'll be vulnerable to all future malware that targets chrome. And this varsectomany bug will never happen again.

This is not rage-killing. I've been doing this for several years because Keystone is a ridiculous resource hog and I fundamentally disagree with the notion that any software should be allowed to run (much less change the configuration of) my machine without my explicit permission. I'm willing to stay on top of the malware situation and update Chrome manually. I wish I didn't have to, but Google leaves me no other option.

I think the probability of Google freaking out and pushing ads to my system is higher than the probability of me a chrome zero day that I give a shit.

They are both very low, but I’d rather programs not change my stuff against my will, even if they are trying to protect me.

Only if you continue using Chrome.

Apple needs to provide the user with the ability to ban software from google and other malign companies.

Problem partly solved.

I would change that to just /Library/Google/ to prevent Google from putting ANYthing outside its .app bundle or the normal user preferences folders.

TIL that Google puts a "brand" code in that folder to identify how you downloaded Chrome.

Why does Keystone exist? Everyone else can do updates without having a launch agent, so why does Google insist on doing it this way? Given it deleted such a vital link, security looks to be compromised with this method.

Can we get a straight answer why these files are being changed in the first place?

Why did this happen in the first place? Why are you modifying system directories to the point where you can make an oopsie and brick entire machines? In what world is this okay?

My mom says she does not use sudo, please advise.

“allowing it”. lol

You're missing the word "sorry" from your response.

My wife's a primary school headteacher (or K-12 as you say in the States). Her MacBook was disabled by this. Yes, she takes weekly backups, but schools don't have free money to spend on spare laptops for a few days' work, nor on unnecessary technician time to fix it. Fortunately I spotted this posting (thanks, HN poster!) on blearily checking HN this morning and instantly recognised this was what's happening.

Have some decency for the people whose lives you've just affected and apologise to them.

I understand the frustration, but please don't attack someone like this when they come to HN to supply information. It creates a hostile environment and disincentivizes people who have inside knowledge about a situation from showing up here. That makes HN a strictly worse place. It also breaks the site guidelines, which ask us all to Be kind, regardless of how strong and justified one's feelings are.


Not intended personally to @norberg, but corporately to Google.

OK, but norberg is the person you blasted, and intent unfortunately doesn't express itself on the internet.

Understood. Difficult to get the tone right when a poster is clearly posting as a corporate spokesperson (esp. a first-time poster as here), but I'll consider that next time... though I'm rather hoping not for an omg-my-mac-won't-boot next time!

A truth stated passionately doesn't become false. A falsehood stated calmly doesn't become true. This is at the heart of why appeals to emotion are almost always logical fallacies.

I don't think dang is saying that the commenter was making false claims or anything. Just that it's very unlikely an upset comment will cause an overhaul in the google auto-update system. But it is very likely an upset comment will scare developers away from commenting on future situations like these. It just affects the health of HN negatively while not affecting Google. There's probably a reason norberg chose to register and comment on HN and not somewhere else like Reddit.

Content is wrong or it isn't. Tone is a logical fallacy.

Your true statement that tone will often matter is an interesting discusson on society and education. That it is also relevent on a site otherwise dedicated to intelligent discourse was the nugget I was hoping people would think about.

> You're missing the word "sorry" from your response.

Couldn't help but notice most of the posts from the Chrome team lacked any sort of apology. Including this support post https://support.google.com/chrome/thread/15235262

Bit disappointing when this bug has bricked multiple machines.

It's not even right:

> If you have not taken steps to disable System Integrity Protection and your computer is on OS X 10.9 or later, this issue cannot affect you.

SIP came in with 10.11. Any machine on 10.9 or 10.10 is vulnerable.

You're getting immediate tech support about a very specific issue in one for the first places you'd look. Don't be a dickhead.

Do you want only PR people on HN trying to talk to you? Because this is how that happens.

I'm addressing Google corporately. I presume @norberg is posting on behalf of his employers given that he states his job title immediately.

One of the first places "I'd" look? It's not my Mac. I'm not sure how many primary headteachers read Hacker News or have a spouse who does. I'm guessing <1%.

When the world's biggest software company actually bricks people's Macs with a software update, then "sorry" is the least I expect, frankly. But if you want to dismiss this with "dickhead", you do you.

> I presume @norberg is posting on behalf of his employers given that he states his job title immediately.

I'm torn on that one. I want direct communication to be possible without running it though PR or people with PR training, to improve response times especially in such "busy" situation. This requires us on the receiving end to be somewhat lenient. But on the other hand, I also don't find something better elsewhere, including the more official announcement[0] linked to. Thus this style seems like company policy and certainly deserves criticism.

[0] https://support.google.com/chrome/thread/15235262

I'm curious, why did she disable SIP?

In the comments section of the linked article people are reporting that even on their SIP enabled machines they are still being bricked.

You're missing the word "thanks" from yours.

Thanks for making my computer KP?

To be fair why does she have SIP disabled?

Pre-SIP OS (10.10).

Ok, why hasn't she updated to a supported macOS version then? Support ended for 10.10 in August 2017....

eh? this is a mac bug. any software could trigger it. just happens that keystone is maybe the only one to be so dumb as to modify a system dir. that doesn’t excuse the root cause which lies in mac os.

How is this a Mac bug? /var has been a symlink on OS X for nearly 20 years now. What business does a web browser have modifying /var?

The keystone team accepted this as a p0 bug.

yeah i see the details now. i thought it was a permissions change from earlier description but now i see it is removal.

/ also shouldn’t be writable so it’s understandable how this wouldn’t have been caught. writable / is not sane and it’s unlikely you’d test that case.

why is this a keystone bug? (besides that you shouldn’t be touching /var. WTF dude)

i’m having a hard time understanding why this isn’t a mac bug. trivial kernel panic.

Reminds me of the Steam bug back in 2015 [1] where on Linux, if you tried to move where Steam stored downloaded games, it would wipe your hard drive by running "rm -rf "$STEAMROOT/"*" with $STEAMROOT being null.

[1] https://github.com/valvesoftware/steam-for-linux/issues/3671...

I start bash scripts, by setting the holy trinity: set -eou

That prevents end-of-the-world scenario like the one above, if the script derails.

Maybe also add "pipefail" to the end of that?

Haha right, I feel like these should always be popularized as `set -eu` and `set -o pipefail` rather than making it look like you an `set pipefail`. I wonder if that chap has been uselessly printing options at the beginning of scripts for a while now.

alias rm='rm --no-preserve-root'

There was a similar issue with EVE Online deleting boot.ini


Did they remove this from the git history? I cannot find the original code or the commit that fixed it.

Of course, Linux could do what Solaris did decades ago and define the directory order in which `rm -rf /` works to start with `pwd` - and thus fail immediately. That would fix that problem completely.

How did they fix that, in the rm binary?

In the example above, the command would be `rm -rf /` without the variable present, and the shell would expand / to all the folders in /. So it's not a direct call to `rm -rf /`, you would need to handle the shell expansion of /* as well?

I missed the * on the end.

you can rmdir $PWD no problem. as long as there are no files in it. i guess it catches almost all cases though.

come to think of it, when would you ever want to rm -rf/? even in a chroot it doesn’t seem like a thing you’d want to do.

When working in chroot jails on embedded distributions, I have needed to run `rm -rf /`. It's admittedly really edge-casey, but it's happened.

I've been wary of Gatekeeper and SIP as moving Macs towards an iOS-style walled garden, but this is a perfect case of SIP protecting the user from bad software.

On the contrary, I think that sort of protection just hides problems --- like this one. As a general rule, bugs with the highest impact are also the ones which are most likely to be fixed quickly. If you tested with SIP on, it'd try to remove /var but wouldn't succeed, and you'd think everything is OK when the application's logic is actually faulty.

That's a great philosophy if your job is QA for the system or application in question.

As a consumer? No. I'm not interested in QAing buggy software. I want it to not break my machine.

I find that logic faulty. SIP is justified by these incidents. It is not the user’s job to isolate application faults. That is on the part of the app developer’s.

Shouldn’t Google also be able to run their tests against a machine with SIP disabled before deploying?

Yeah. Pre-SIP OSes were affected too, so they literally just did not test this on any non-SIP version of OS X... or if they did they didn't notice that it was nuking /var. Fresh mac VM wiped after every test run and no 'did we just destroy the OS' smoke test?

To be fair, none of the Pre-SIP macOS releases are supported by Apple anymore...

No, it's not fair. SIP can be disabled by the user in modern macOS releases.

If SIP blocks program from accessing system files, shouldn't it alert or something?

"If the kernel emits a message but no one is around to read it, did it warn?"

More seriously, SIP messages do show up in the system logs, which next to no one ever reads unless it's to find out that SIP is preventing something that the user really intended to occur.

There’s plenty of bad code that fails to check for errors so the OS may well have flagged something here and the program just didn’t know/care.

It seems even more likely that the result of unlink() would be ignored (right up there with ignoring printf()), not because it’s the right thing to do but because lazy programmers will assume that failures are incredibly unlikely or unimportant. For example, if the code is a cleanup phase that just wants to remove a list of files, what are the odds that the program dutifully checks that the files actually went away?

For example, if the code is a cleanup phase that just wants to remove a list of files, what are the odds that the program dutifully checks that the files actually went away?

Or, as the reason for the omission of such checks is more likely to be, what to do if something that shouldn't fail, fails? And if whatever you decide to do to handle the error itself also fails? Repeat ad infinitum. To even try to go down that rabbithole is simply a waste of effort and does nothing but introduce unnecessary complexity, to put it bluntly.

I'm happy with Gatekeeper and SIP so far. I don't believe Apple will ever totally wall off macOS like iOS. If I ever truly want to mess around with the OS I'll install Linux. My computing platforms present far more risk to me these days than they did years ago. I need the system integrity protected, I don't want untrusted code running on my Mac.

These aren't like the days back when I could self install Linux and expose it to the internet while I configured it.

Catalina requires all apps to be notorized, for the time being it is still possible to explicitly allow it on case by cases base, as root.

Which is a very good thing on my book.

Today it is Google's Keystone, tomorrow it is some scummy app downloaded by a grandpa thinking it was a link actually sent by one of his grandsons about their birthday party.

If anything, iOS is moving in the direction of being less walled off.

It’s not. It’s just providing some hooks.

I’m looking forward to iPadOS. All the heaven from iOS in terms of sandboxing and no background tasks (except very well defined).

Also Catalina afaik will make an os partition which cannot be tampered with.

So this caused me to have to reinstall the OS yesterday. Glad to know what the issue was.

And if anyone wants to know, I have to disable SIP because Apple won't let me use an eGPU on my Macbook with TB2.

Have you tried going into System Preferences, Security, Advanced (I think it's "advanced", it's at the bottom right of the screen.) There you'll find a list of drivers, or something, that you can enable. I can't be more specific than that since my mac here is under IT control, and the feature is disabled.

I believe those are the instructions for kernel extensions that are "approved" but distributed by third-parties.

Someone here suggested that you could do `csrutil enable --without kext` to load untrusted kernel extension without disabling SIP entirely.

I was in the same boat. I just happened to come across a years-old forum post mentioning the `/var` symlink right before I reinstalled the OS.

Historically I've kept SIP disabled to be able to use Dtrace, which was neutered by it. Sure won't be installing any Google software though...

As rgovostes already pointed out, you could use `csrutil enable --without dtrace` instead.

Interesting, why can't you do that with SIP? (not a Mac user)

From what I understand, Apple removed the ability for TB2. In order to use an eGPU, some system files need to be patched [0].

0. https://github.com/mayankk2308/purge-wrangler

Can't they be patched once, and then re-patched when system updates change make changes to system files?

Could, it's just a hassle.

I'm in a similar boat with a kext that enables unsupported Thunderbolt 3 docks.

Yep. I make some changes that SIP would catch, but I'm mostly comfortable with the boot into Recovery -> run a script -> boot back again. It's not kext stuff, though.

I might have to use PurgeWrangler for an older iMac. Apparently, can keep it mostly enabled, but you need to mind updates and be ready to recover if your modifications are invalidated https://github.com/mayankk2308/purge-wrangler/issues/2#issue...

Presumably the driver is not signed with a kext developer certificate, which means SIP must be disabled for macOS to load it.

This is also affecting Hackintosh users. A fix for them is listed here:


I wonder what role Apple’s aversion to working with Nvidia played in all those Avid users having SIP turned off.

Hackintosh or not isn't relevant because it's a macOS + Google update service issue.

PS: Written on a Hackintosh

Google, please tell me how to update Chrome without keystone.

Found non-functional system update engine. Please reinstall Google Software Update from https://dl.google.com/mac/install/googlesoftwareupdate.dmg KSUpdateEngine no ticket to update for the specified product ID.

I don't want a "System update engine"... This is baked into Apple's AppStore. It works very well. Use that. You don't need access to my system.

> Google, please tell me how to update Chrome without keystone.

That's easy, just regularly download a new Chrome. The difficulty is managing to stop keystone from reinstalling and re-enabling itself.

> This is baked into Apple's AppStore. It works very well. Use that.

I hate keystone with a passion, but TBF getting a modern browser into the appstore is not possible, even ignoring all the limitations the store puts upon its software, there's no way you can actually get a browser (as opposed to a shell UI around the platform webkit) in the appstore by its rules.

Can somebody explain in simple terms what Keystone is, what was it trying to do, which caused /var unlinking, and why does it cause MacOS to panic?

Keystone is Google's auto-updater program. It updates not only Chrome but also Earth and other Google programs. It's a notorious resource hog and it tries very hard not to let you ever turn it off. If you manage to uninstall it, it will try even harder to reinstall itself the next time you run a Google app.

Keystone is malware made by Google. The incident this week was the first time it contained an actual destructive payload, but it's been malware for years.

Where can I find a manual on how to uninstall Keystone, Chrome etc. on Mac properly? Has anyone done it?

Super short version: Keystone appears to be the Google auto updater service. It has a bug that causes it to unlink /var, and since that's sort of an important piece of the OS, its absence breaks stuff.

There are a few legitimate reasons to disable SIP, but too often I see people turning it entirely off, rather than just disabling the parts that are in the way:

    csrutil enable --without kext
    csrutil enable --without fs
    csrutil enable --without debug
    csrutil enable --without dtrace
    csrutil enable --without nvram
If you want to load some untrusted kernel extension, the first one will let you do so, but still keep all the other SIP protections on. If you want to use DTrace, use the corresponding flag. Etc. You can mix and match flags.

Thanks for sharing.

Is it documented anywhere? man page didn't help.

I do not think that they are documented officially. The only "supported" configurations are all on/all off.

Why do userland installers need root again?

In the case of Chrome it's because some of the sandboxing can't be done by a regular user.

Same with both Linux and windows.

Bit of a design flaw with the OS - in all cases a process should be allowed to restrict itself to have fewer permissions and access to fewer API's without being root, but sadly that isn't universally the case.

> In the case of Chrome it's because some of the sandboxing can't be done by a regular user.

> Same with both Linux and windows.

This isn't true anymore on Linux. Chrome switched to using an unprivileged user namespace sandbox instead of the old SUID sandbox is Chrome 43 in 2015. It depends on a Linux 3.8+ kernel for the user namespaces support.

You can't apply a sandbox profile against yourself if you're not root?

> Same with both Linux and windows.

Could you clarify how this is the case on Windows? I thought Google Chrome installs and runs just fine without admin privileges. I'm not aware of any security downsides for doing so.

Maybe it's possible but the current installer has windows pop up a UAC prompt before it continues.

That's just because it wants to install machine-wide if possible. You can just tell it to continue without admin permissions and it tells you explicitly that it can be installed without that.

Note that Windows doesn't work like Linux with setuid bits and whatnot. The permissions a file is installed with don't dictate what permissions the program that executes it has. That's entirely a function of the program's security context. Hence, for a machine-wide installation to actually make a difference security-wise, Google would actually have to install e.g. a high-privilege service that would run when you try to start Chrome. I don't think it does such a thing.

So I think Windows is already designed correctly in this regard and hence I don't think this is an issue on Windows as claimed.

> Same with both Linux and windows.

That doesn't seem right, unless you mean some specific version of sandboxing? Changing selinux/apparmor hats, setting up seccomp, creating namespaces, and others can be done just fine by regular users. They're all sandboxes.

On windows and linux most installers are intended for system-wide instead of per-user installation. You can get most of the sandboxing functionality without admin/root.

Didn’t BSD implement something like that? The program says: these are the features I need, disable all the others?

OpenBSD and the Chrome port has both unveil and pledge enabled.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact