Re: postgresql83-server - Further Woes

2019-11-04 Thread Bill Cole

On 4 Nov 2019, at 17:22, Michael Newman via macports-users wrote:

> The only solution offered by the developer of DetectX was to tell 
> DetectX to ignore changes to macports plist files.
> 
> That seems to defeat the purpose of DetectX.
> 
> DetectX is supposed to warn you of possible nefarious changes to your 
> system. Choosing to ignore a possible problem is no solution.


There is no rational explanation for the DetectX claim that the 
postgresql83-server launchd plist is changing repeatedly. That file is 
gone: you removed the port. Unless you are repeatedly installing and 
uninstalling the postgresql83-server port, that file IS NOT flashing in 
and out of existence.


I don't use DetectX so I can't say for sure, but it seems to me that 
this behavior is consistent with it having a saved state of some sort 
against which it is comparing the current state. In other words: DetectX 
remembers that the postgresql83-server plist was there before, and sees 
that it isn't there now.


If that is a correct guess about how DetectX works, then there should be 
some way to update the saved state to accommodate the disappearance of a 
file without permanently ignoring a whole class of similarly situated 
files.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
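
The saved-state guess in the message above, sketched as an added example (not DetectX's code and not written by anyone in this thread): a monitor that compares launch-item directories against a stored baseline keeps reporting a removed plist until that one entry is acknowledged, and acknowledging it leaves every other item monitored. The function names and the temporary directory standing in for /Library/LaunchDaemons are assumptions.

```python
import hashlib, os, tempfile

def snapshot(dirs):
    """Fingerprint every launch item; symlinks are recorded by target, not content."""
    state = {}
    for d in dirs:
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            path = os.path.join(d, name)
            if os.path.islink(path):
                kind = "link" if os.path.exists(path) else "dangling"
                state[path] = f"{kind}:{os.readlink(path)}"
            elif os.path.isfile(path):
                with open(path, "rb") as fh:
                    state[path] = "sha256:" + hashlib.sha256(fh.read()).hexdigest()
    return state

def compare(baseline, current):
    """Return (path, event) pairs for every difference from the saved baseline."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            events.append((path, "removed"))
        elif path not in baseline:
            events.append((path, "added"))
        elif baseline[path] != current[path]:
            events.append((path, "changed"))
    return events

def acknowledge(baseline, current, path):
    """Accept the reviewed state of ONE path; everything else stays monitored."""
    updated = dict(baseline)
    if path in current:
        updated[path] = current[path]
    else:
        updated.pop(path, None)
    return updated

def demo():
    """Constructed scenario: a temp directory stands in for /Library/LaunchDaemons."""
    with tempfile.TemporaryDirectory() as d:
        gone = os.path.join(d, "org.macports.postgresql83-server.plist")
        open(gone, "w").close()               # constructed empty placeholder file
        baseline = snapshot([d])
        os.remove(gone)                       # the port is uninstalled
        stale = [compare(baseline, snapshot([d])) for _ in range(2)]
        baseline = acknowledge(baseline, snapshot([d]), gone)
        quiet = compare(baseline, snapshot([d]))
        other = os.path.join(d, "com.example.agent.plist")  # hypothetical new item
        open(other, "w").close()
        later = compare(baseline, snapshot([d]))
    return gone, other, stale, quiet, later
```

With a stale baseline every scan repeats the same "removed" event; after the single-path acknowledgement the scan is quiet, yet an unrelated new item is still reported.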


Re: postgresql83-server - Further Woes

2019-11-04 Thread Michael Newman via macports-users
The only solution offered by the developer of DetectX was to tell DetectX to 
ignore changes to macports plist files. 

That seems to defeat the purpose of DetectX. 

DetectX is supposed to warn you of possible nefarious changes to your system. 
Choosing to ignore a possible problem is no solution.

> On Nov 4, 2019, at 21:29, Ryan Schmidt wrote:
> 
> Well MacPorts isn't the program that's complaining, DetectX is. So I'd ask 
> the developer of DetectX.



Re: postgresql83-server - Further Woes

2019-11-03 Thread Bill Cole

On 3 Nov 2019, at 5:46, Michael Newman via macports-users wrote:


> Perhaps this is a bug in DetectX,


It very much sounds like that. Stating that a file which no longer 
exists has "changed" might be technically correct, but it certainly is 
not clear. Perhaps the developer of DetectX can illuminate this for you?


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Re: postgresql83-server - Further Woes

2019-11-03 Thread Michael Newman via macports-users
I have uninstalled the port, but DetectX keeps telling me that the plist has 
been changed. If it only happened once when I still had the port installed I’d 
say, yeah, problem solved. But when the plist keeps getting changed after the 
port has been uninstalled I have to wonder what’s happening.

DetectX doesn’t tell me where the plist is located or what process changed it; 
just that it has been changed. Over and over again.

Perhaps this is a bug in DetectX, but I have no way of knowing that.

> On Nov 3, 2019, at 17:28, Al Varnell wrote:
> 
> 
> At this point, you have solved the mystery and should simply go back to work 
> and forget about it. DetectX did its job and so have you.
> 
> -Al-



Re: postgresql83-server - Further Woes

2019-11-03 Thread Al Varnell via macports-users
I'm not sure what solution you are seeking here. DetectX will record each and 
every time a key file is added or removed to/from selected locations, which 
includes all LaunchAgents, LaunchDaemons, Applications and a few other places 
where malware is often installed. When you see such a notice, if it's something 
you recall having allowed, then no further action is required. If it's a file 
that you cannot associate with an action on your part, then check the latest 
DetectX scan to see if that file or files are detected as malware. If not, then 
you should spend some time as you have here determining where it came from. 

At this point, you have solved the mystery and should simply go back to work 
and forget about it. DetectX did its job and so have you.

-Al-

On Nov 3, 2019, at 02:19, Michael Newman via macports-users 
<macports-users@lists.macports.org> wrote:
> 
> Thank you.
> 
> Locate did not find this plist on the boot volume. It did find it in a Carbon 
> Copy Cloner SafetyNet directory on a backup drive.
> 
> MrMuscle:home mnewman$ locate org.macports.postgresql83-server.plist
> /Volumes/Clorox2/_CCC SafetyNet/2019-10-30 (October 30) 
> 01-00-52/Library/LaunchDaemons/org.macports.postgresql83-server.plist
> /Volumes/Clorox2/_CCC SafetyNet/2019-10-30 (October 30) 
> 01-00-52/opt/local/etc/LaunchDaemons/org.macports.postgresql83-server/org.macports.postgresql83-server.plist
> 
> I think the first one is a symbolic link to the second.
> 
> So, I’m stuck. I can tell DetectX to ignore this, but that seems more like a 
> coverup than a solution.
> 
>> On Nov 3, 2019, at 16:51, Ryan Schmidt wrote:
>> 
>> MacPorts creates plists for ports that are meant to act as servers when you 
>> install those ports. The plists are removed, along with all of the port's 
>> other files, when the port is uninstalled.
>> 
>> You can use find or locate to try to determine whether a 
>> org.macports.postgresql83-server.plist file still exists even after you have 
>> uninstalled the port.
> 
> 
> 
> 




Re: postgresql83-server - Further Woes

2019-11-03 Thread Ryan Schmidt



On Nov 3, 2019, at 04:19, Michael Newman wrote:

> Locate did not find this plist on the boot volume. It did find it in a Carbon 
> Copy Cloner SafetyNet directory on a backup drive.
> 
> MrMuscle:home mnewman$ locate org.macports.postgresql83-server.plist
> /Volumes/Clorox2/_CCC SafetyNet/2019-10-30 (October 30) 
> 01-00-52/Library/LaunchDaemons/org.macports.postgresql83-server.plist
> /Volumes/Clorox2/_CCC SafetyNet/2019-10-30 (October 30) 
> 01-00-52/opt/local/etc/LaunchDaemons/org.macports.postgresql83-server/org.macports.postgresql83-server.plist
> 
> I think the first one is a symbolic link to the second.

Yes, that's how MacPorts sets those up. The real file is in /opt/local, but for 
the OS to see it, it has to be in /Library so we symlink it there.


> So, I’m stuck. I can tell DetectX to ignore this, but that seems more like a 
> coverup than a solution.

I am not familiar with DetectX. Are you saying it is repeatedly complaining 
about "org.macports.postgresql83-server.plist"? If so, does it give any more 
details about where it thinks that is?



Re: postgresql83-server - Further Woes

2019-11-03 Thread Michael Newman via macports-users
Thank you.

Locate did not find this plist on the boot volume. It did find it in a Carbon 
Copy Cloner SafetyNet directory on a backup drive.

MrMuscle:home mnewman$ locate org.macports.postgresql83-server.plist
/Volumes/Clorox2/_CCC SafetyNet/2019-10-30 (October 30) 
01-00-52/Library/LaunchDaemons/org.macports.postgresql83-server.plist
/Volumes/Clorox2/_CCC SafetyNet/2019-10-30 (October 30) 
01-00-52/opt/local/etc/LaunchDaemons/org.macports.postgresql83-server/org.macports.postgresql83-server.plist

I think the first one is a symbolic link to the second.

So, I’m stuck. I can tell DetectX to ignore this, but that seems more like a 
coverup than a solution.

> On Nov 3, 2019, at 16:51, Ryan Schmidt wrote:
> 
> MacPorts creates plists for ports that are meant to act as servers when you 
> install those ports. The plists are removed, along with all of the port's 
> other files, when the port is uninstalled.
> 
> You can use find or locate to try to determine whether a 
> org.macports.postgresql83-server.plist file still exists even after you have 
> uninstalled the port.



Re: postgresql83-server - Further Woes

2019-11-03 Thread Ryan Schmidt



On Nov 3, 2019, at 02:10, Michael Newman wrote:

> Periodically DetectX generates the following message:
> 
> =
> Items:  org.macports.postgresql83-server.plist
> Some background launch items have just been changed on your mac which can 
> affect its security
> =
> 
> I had previously uninstalled postgresql83-server and can’t find 
> org.macports.postgresql83-server.plist in any of the following directories:
> 
> ~/Library/LaunchAgents
> /Library/LaunchAgents
> /Library/LaunchDaemons
> 
> DetectX support suggested:
> 
> "... it's likely that macports is writing the file there as a temporary item 
> and then deleting it."
> 
> Is that a reasonable explanation? If so, how do I stop MacPorts from creating 
> this plist?
> 
> If it’s not a reasonable explanation, is there something I should do?

MacPorts creates plists for ports that are meant to act as servers when you 
install those ports. The plists are removed, along with all of the port's other 
files, when the port is uninstalled.

You can use find or locate to try to determine whether a 
org.macports.postgresql83-server.plist file still exists even after you have 
uninstalled the port.



postgresql83-server - Further Woes

2019-11-03 Thread Michael Newman via macports-users
Periodically DetectX generates the following message:

=
Items:  org.macports.postgresql83-server.plist
Some background launch items have just been changed on your mac which can 
affect its security
=

I had previously uninstalled postgresql83-server and can’t find 
org.macports.postgresql83-server.plist in any of the following directories:

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons

DetectX support suggested:

"... it's likely that macports is writing the file there as a temporary item 
and then deleting it."

Is that a reasonable explanation? If so, how do I stop MacPorts from creating 
this plist?

If it’s not a reasonable explanation, is there something I should do?

Mike Newman
Korat, Thailand