UPDATE: 10/03/19
Google has posted an update that they found the issue in the Keystone Update and fixed it. They are are pushing the updated version now. The push started last night and the new version should be 1.2.13.79 or 1.2.13.80.
Google has been able to reproduce the bug. Chromium bug – bugs.chromium.org/p/chromium/issues/detail?id=1007358
Google now is recommending that you reinstall macOS to fix the issue. support.google.com/chrome/thread/15235262
Statement From AVID 9/25- avid.com/92419issue
See Index #7 for the Updated Fix from Google Support
#Varsectomy FAQ- Index
- 1. What is going on here? – #Varsectomy
- 2. Which macOS Versions are affected ?
- 3. Specific Mac Hardware ?
- 4. SIP – System Integrity Protection
- 5. AVID or Google Chrome Keystone Update causing this issue ?
- 6. How can I check my /var symlink?
- 7. How can I fix the issue = 2 ways to fix.
- 8. What about Hackintosh users? A fix for you!
- 9. Should I disable Chrome Auto Updates
- 10. Jamf Pro Extension Atribute
- 11. Links
- 12. Credit – Investigation by #MacAdmins & Apple
1. What is going on here ? – #Varsectomy
The purpose of this article is to gather all known information and data around the current issues some AVID and NON SIP protected Macs are experiencing. The issue first started on Monday 9/23/19.
Late Yesterday some #MacAdmins started to report that a few of their systems would not boot properly. They would have the following issues.
- 1. After rebooting the affected system it would Kernel Panic. The system will reboot only to KP again
- 2. User Logs out and the system shows the Setup Assistant.
- 3. The System Kernel Panics into a boot Loop.
AVID users were some of the first to report the issue. AVID.com says
Sometimes AVID Media Creators use 3rd Party Graphics cards connected to their Mac Pro. When the issue hit yesterday, it was thought that AVID was the main cause of the problems since all the users experiencing the issue had AVID software.
Only later after a MacAdmins deep dive investigation was it found that AVID was NOT the cause of the problem. It was Google Chrome Keystone Updater!
Join the #Varsectomy channel in MacAdmins Chat for the latest info!
2. Which macOS Versions are affected ?
MacOS 10.9 – 10.14 Mojave
NOTE: macOS 10.9 & 10.10 so not have SIP. System Integrity Protection was introduced in macOS 10.11 El Capitan.
3. Specific Mac Hardware ?
At first it was first reported that the 2013 Mac Pro was affected, this is not true.
Now it seems the issue affects all Macs that have SIP (System Integrity Protection) Disabled or turned OFF
Check if SIP is enabled by running csrutil status
System Integrity Protection status: enabled.System Integrity Protection status: disabled
4. SIP – System Integrity Protection
All Reports so far look to be from Macs that have SIP Disabled!
Please do not disable SIP, it was created to protect macOS from this very issue.
5. AVID or Google Chrome Keystone Update causing this issue ?
At first the issue seemed to be caused by Avid Media Composer. After further investigation it was found that AVID was not the problem! Some AVID users may need to DISABLE SIP for 3rd party Video Card support.
After investigation from some of the top minds in the MacAmins Slack Chat #varsectomy channel it was found that the Google Keystone Updater was at the heart of the issue.
The Google Chrome Keystone updater lives here (if set to only update for the user who installed Chrome) – ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/
If set to install for ALL users. (This also prompts for admin access for install) Thanks Jeff Johnson /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/
You can run the Google Chrome Keystone Updater Manually to kick off an update check. (NOTE: Google has disabled the updater for now!) see bugs.chromium.org/p/chromium/issues/detail?id=1007358
~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runmode oneshot
Thank you eholtam for the VM investigation and Screenshots!
After kicking off the update you can see the problem below.
Found and deleted symlink at path /var
6. How do I check my /var symlink?
Check to see if your /var symlink was modified by running the following command.
ls -ldO /var
You should get one of the following outputs. The first one below means that your /var volder is SIP protected (notice the restricted flag) and the proper sym link /var -> private/var
lrwxr-xr-x@ 1 root wheel restricted,hidden 11 Apr 1 2018 /var -> private/var
The next one means that your symlink is broken and the folder is NOT SIP Protected.
drwxr-xr-x 5 503 wheel - 170 Sep 24 14:37 /var
If you find /var in this condition you are affected! If you LOGOUT, SHUTDOWN OR RESTART your Mac will NOT Boot! You will need to boot into recovery, repair the /var symlink and reset the restricted flags. Fix below.
7. How can I fix the issue? 2 ways to fix.
UPDATE: 9/25 – Rich Trouton posted a great article showing you step by step how to fix both 10.9-10.10 & 10.11-10.14 systems – derflounder.wordpress.com/2019/09/25/google-keystone-update-breaks-macs-ability-to-boot-if-system-integrity-protection-is-disabled/
1st Fix from MacAdmins User Juest
First you have to fix the /var symlink so it shows /var -> private/var
Then you can remove the affected LaunchAgents
Boot to macOS Recovery by holding down Command R
Steps for 10.11 -10.14 SIP Supported Systems
1. Boot into Recovery
2. Launch Terminal
(only if you're on 10.11+ with SIP)
# chroot /Volumes/[affected install]
# mv var vv
# ln -s private/var var
# chflags -h restricted /var
# chflags -h hidden /var
# xattr -sw com.apple.rootless "" /var
Steps for 10.9-10.10 NON SIP Systems
10.10 or older:
only do symblink and the hidden chflag and
remove launch agents from
/Users/[affected user]/Library/LaunchAgents/
OR
/Library/LaunchAgents/
- com.google.keystone.agent.plist
- com.google.keystone.xpcservice.plist
# exit
(recommended) # csrutil enable (10.11+)
8. Reboot
UPDATE: 9/28 – 2nd Fix is from Google Support
Google is now recommending that you reinstall macOS if you had this issue.
https://support.google.com/chrome/thread/15235262
NOTE: The information below is from Google. Link Below.
chroot /Volumes/Macintosh\ HD #(Macintosh HD is the default) rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle mv var var_back #(Var may not exist, but this is fine) ln -sh private/var /var chflags -h restricted /var chflags -h hidden /var xattr -sw com.apple.rootless "" /var
NOTE: Commenter stockmind has noted that the GoogleSoftwareUpdate.Bundle could reside in the USERS folder. In that case you need to run this string instead. Change USERNAME to your Username. Thanks for the tip!
rm -rf /Users/USERNAME/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
Official Fix from Google support.google.com/chrome/thread/15235262
news.ycombinator.com/item?id=21066472 & 9to5google.com/2019/09/24/avid-mac-crashing-google/
8. What about Hackintosh users? A fix for you!
I had a few Hackintosh users reach out for a fix. Good News! u/Fargo_Newb on Reddit has a fix for you. – reddit.com/r/hackintosh/comments/d8tm8z/psa_google_chrome_updaterkeystone_rendering/
9. Should I disable Chrome Auto Updates ?
You shouldn’t need to disable Chrome Auto updates at this time. From the Chromium bug report – bugs.chromium.org/p/chromium/issues/detail?id=1007358 Google has disabled Keystone updates for now until the issue is found and resolved.
If you would like to disable Google Chrome Keystone automatic updates, the article below will show you. applehelpwriter.com/2014/07/13/how-to-remove-googles-secret-update-software-from-your-mac/
10. Jamf Pro Extension Attribute
This will help you find machines that are in a state where the /var sys link is broken. Thanks @neilmartin83 & @rmanly
#!/bin/bash
if [[ -h /var ]]; then
echo "<result>symlink</result>"
elif [[ -d /var ]]; then
echo "<result>directory</result>"
fi
exit 0
symlink = System OK!
11. Links
Below are a few of of the reports. It first started out as “AVID Hollywood Mac Pro boot problem“.
Chromium Bug Report 9/25 – https://bugs.chromium.org/p/chromium/issues/detail?id=1007358
Google Official Response 9/25 & 9/27 – support.google.com/chrome/thread/15235262
Official AVID Statement 9/25 – avid.com/92419issue
Rich Trouton step by step fix guide 9/25 –derflounder.wordpress.com/2019/09/25/google-keystone-update-breaks-macs-ability-to-boot-if-system-integrity-protection-is-disabled/
Scott Simmons 9/24 – provideocoalition.com/avid-editors-editors-in-general-be-on-alert-about-this-potential-rebooting-issue/
SlashDot Report 9/26 – https://it.slashdot.org/story/19/09/25/2152236/mysterious-mac-pro-shutdowns-likely-caused-by-chrome-update
Ars Technica Report 9/26 – arstechnica.com/information-technology/2019/09/no-it-wasnt-a-virus-it-was-chrome-that-stopped-macs-from-booting/
Daring FireBall by John Gruber 9/26 – daringfireball.net/linked/2019/09/25/mr-macintosh-chrome-updater
Forbes Report 9/26 – forbes.com/sites/kateoflahertyuk/2019/09/26/google-confirms-buggy-chrome-update-is-breaking-apple-macs/#5aad7747391c
Hacker News Discussion Thread 9/25- news.ycombinator.com/item?id=21064663
Gizmodo.com Report 9/25 – gizmodo.com/whoops-google-says-mysterious-wave-of-unbootable-macs-1838430057
Hackintosh Fix 9/25 – reddit.com/r/hackintosh/comments/d8tm8z/psa_google_chrome_updaterkeystone_rendering/
Updated Report from 9to5google.com 9/25 – 9to5google.com/2019/09/24/avid-mac-crashing-google/
Variety Updated Report 9/25 – variety.com/2019/digital/news/mac-pro-avid-shutdowns-chrome-update-keystone-1203348549/
Variety Report 9/24- variety.com/2019/digital/news/avid-mac-pro-corrupted-hollywood-1203347033/
MacRumors Report 9/24 – macrumors.com/2019/09/24/hollywood-mac-pros-hit-by-avid-issue/
Bleeping Computer Report 9/24 –bleepingcomputer.com/news/software/avid-users-are-suddenly-finding-that-their-macs-won-t-boot/
Some of the first reports on the AVID FaceBook Group 9/24 – https://www.facebook.com/photo.php?fbid=10156759822188022&set=p.10156759822188022&type=3&theater
Disable Google Chrome Keystone Automatic Updates – applehelpwriter.com/2014/07/13/how-to-remove-googles-secret-update-software-from-your-mac/
12. Credit! – Further investigation by #MacAdmins & Apple
It needs to be stated that many MacAdmins and Apple Engineers worked together and after investigating with users who had the issue. Great work guys!!!
- @rtrouton for the cool /var Logo!
- @bradtchapman for #Varsectomy
- @eholtam for investigation and screen shots.
- @Juest for investigation and fix commands
- All active users in MacAdmins Chat #varsectomy
Just an update, I really didn’t have too much to sweat as I did have a very recent bootable backup, so I just restored that without having to reinstall. Another reminder that we should all religiously maintain bootable backups of our internal drive with life-saving utilities such as CarbonCopyCloner.
I can’t even imagine how long it would have taken me to get two machines back by reinstalling the OS.
Hi guys,
I have a MacBook 12″ that died during my vacation …it gave me a Google Chrome crash after Chrome update this Tuesday, then I had few moments unstable system and then MacOS crash, the one with press any key to restart. After the restart I saw apple logo then the forbidden logo …it barely boot twice, one boot Tuesday and one boot Wednesday but the MacBook crashed after few minutes of usage …now no sign of boot or startup at all. The MacBook has the latest MacOS update.
Any ideas? Thanks!
Hello Valif,
It is recommended that you reinstall macOS over the top of your old OS. This will preserve the data yet repair the /var symlink that is causing problems.
Thanks
Hello,
I did the step by step instruction on a 10.10.5 machine. But here what happen.
-It rebooted fine but if you restart the Mac the issue comes back.
-All the admin account is gone from the Users and Group. But the standard user account are still there.
-The Mac cannot access the internet or any network resource. Looking at the network the IP, gateway and DNS is correct, but it needed an admin username and password to make some changes. The problem is there are no admin account listed.
Any further help would be greatly appreciated.
https://derflounder.wordpress.com/2019/09/25/google-keystone-update-breaks-macs-ability-to-boot-if-system-integrity-protection-is-disabled/#more-10541
Hello all,
10.10 or older:
only do symblink and the hidden chflag and
remove launch agents from
/Users/[affected user]/Library/LaunchAgents/
OR
/Library/LaunchAgents/
– com.google.keystone.agent.plist
– com.google.keystone.xpcservice.plist
# exit
(recommended) # csrutil enable (10.11+)
8. Reboot
Could someone please help translate this into what command are need. Like the fix for 10.11 and later
Thank you in advance!!!
Two of my Macs were affected by this, a 5,1 Mac Pro running High Sierra and a Mac Mini running El Capitan and Server.app. Strangely enough, while the Mac Pro had that issue, it wasn’t even showing all my boot disks. Thank God, I had plenty of different date backups, the one from September 21 saved my posterior.
This didn’t work on my infected machines.
`/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle` doesn’t exists because is in `~/Library/Google/` (under the home/user directory, not disk root)
so `/Users//Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle`
Because of that, what worked instead was:
“`
chroot /Volumes/Macintosh\ HD # “Macintosh HD” is the default
rm -rf /Users//Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
mv var var_back # var may not exist, but this is fine
ln -sh private/var var
chflags -h restricted /var
chflags -h hidden /var
xattr -sw com.apple.rootless “” /var
“`
Where username is the user with the Google services installed
/Users/USERNAME/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
“`
chroot /Volumes/Macintosh\ HD # “Macintosh HD” is the default
rm -rf /Users/USERNAME/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
mv var var_back # var may not exist, but this is fine
ln -sh private/var var
chflags -h restricted /var
chflags -h hidden /var
xattr -sw com.apple.rootless “” /var
“`
The text validator has stripped “USERNAME” tags from the pathss
Stockmind, thanks for the tip! I added it to the fix section.
@admin —
I suggest that anywhere `/Users/USERNAME/` is in the path, it be changed to `/Users/*/` because this really should be done for all users on all affected Macs.
I also add my voice to the wish that the instructions for 10.9 and 10.10 were an explicit action sequence with explicit commands, just like the instructions for 10.11+.
TallTed,
Take a peek at Rich Trouton’s Post. He has step by step instructions for 10.9 and 10.10! https://derflounder.wordpress.com/2019/09/25/google-keystone-update-breaks-macs-ability-to-boot-if-system-integrity-protection-is-disabled/#more-10541
Hi guys can you please help me to fix this problem in my mac os 10.10.5
I’ve already try this one but nothing work for me
1. Boot into Recovery
2. Launch Terminal
(only if you’re on 10.11+ with SIP)
# chroot /Volumes/[affected install]
# mv var vv
# ln -s private/var var
# chflags -h restricted /var
# chflags -h hidden /var
# xattr -sw com.apple.rootless “” /var
Hello Sam,
You are on 10.10 The instructions you tried are for 10.11 and above Macs. I have a section at the bottom of #7 For 10.9 and 10.10 systems. Thanks!
Hi admin
Did you talk about this one in 10.10.5
10.10 or older:
only do symblink and the hidden chflag and
remove launch agents from
/Users/[affected user]/Library/LaunchAgents/
OR
/Library/LaunchAgents/
– com.google.keystone.agent.plist
– com.google.keystone.xpcservice.plist
# exit
(recommended) # csrutil enable (10.11+)
8. Reboot
Can you please give me the commands that should I use because i didn’t know what i write in terminal
Reinstalled 10.10.5 yesterday from recovery mode after crashing during reboot and haven’t turned off my MacBook Pro since. I am completely lost with issues like this, will just upgrading to a newer OSX from where I am now fix it?
Hello Johan,
If you upgrade to at least 10.11 El Capitan you should be protected because it includes SIP. MacOS (SIP) System Integrity Protection would have prevented Google Chrome Keystone Updater from modifying the /var Directory.
So is there a fix to networking and DNS being disabled, or is it implied that we have to do a complete OS re-install in order to remedy this?
Zuki: networking and DNS are not affected, unless your Mac is managed by an IT department eg using Jamf. Contact them if so.
Hey! I ran the commands in the Hot To Fix section, was able to access all my data, but not connect to the internet. I tried to open Safari (avoiding Chrome), and the internet wouldn’t connect. I thought hmm, might just to a restart. After the restart, the same crash happened.
Ran the recovery mode once more thinking it would fix again. Input the cmds, and the following:
Input: chroot /Volumes/Macintosh\ HD
O: #nothing
I: -rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
O: #nothing
I: mv var var_back
O: mv: rename var to va_back/var: Directory not empty
I: ln -sh private/var var
O: #nothing
I: chflags -h restricted /var
O: #nothing
I: chflags -h hidden /var
O: #nothing
I: xattr -sw com.apple.rootless “” /var
I: reboot
Upon rebooting, crash at roughly ~25% of the loading bar.
Rebooting (again) with SHIFT; CMD + V, I see the following (final few lines):
BootCacheControl: Unable to open /var/db/BootCache.playlist: 2 No such file or directory
BootCacheControl: Unable to open /var/db/BootCaches/PreheatedUser/Merged.playlist: 2 No such file or directory
BootCache Control: Unable to open /var/db/BootCaches/PreheatedUser/Login.playlist: 2 No such file or directory
BootCacheControl: Added 32-bit shared cache to the low priority batch
bash: /etc/rc.server : No such file or directory
OSX FIPS Integrity Test: The /var/db/FIPS/fips_data file does not exist (2)
FIPS USER Space POST: Integrity test failed!
FIPS_POST failed!
And then the shutting down jargon. For reference, I’m on 10.10.5, Macbook Pro 2011. Any insight?
Martt,
I updated the article to more clearly separate the 10.9-10.10 and the 10.11-10.14 fix.
If you are still having problems you can reinstall 10.10 over your current installation. All data will be preserved and that should get you up and running.
Thanks. Will try to run the cmds once more. If no avail, will re-install.
On a side note, I imagine this must affecting thousands (hundreds of thousands?) of users. Why is there not more mainstream traction of the issue? I can’t imagine the number of calls the genius bar is getting.
Martt, after it was found that the issue was directly related to non or disabled SIP (System Integrity Protection) systems the answer became clear. Most Macs used today have SIP enabled so they were not affected by this issue. The /var file was protected and could not be modified. So it ended up that 10.9 and 10.10 systems were affected and anyone who had a newer mac but disabled SIP. The number of users in this situation was not a big % of the total Mac population, but ended up being thousands of users! I am glad Apple implemented SIP as it protects critical system files from being modified.
Thanks for the info! There’s a typo in the commands listed as the Google provided fix: “choot” should be “chroot”.
Kimmo, Great catch! Fixed.
Thanks
Ran the fix posted by Google on several machines running 10.10.5 that were all disabled, managed to get them to boot again – also reporting that the ‘users’ and ‘sharing’ preferences all seem to have been disabled in the System Preferences/Sharing panel. No DNS or browsing Internet, however ssh does work through the command line.
Hoping that fixes will be posted soon to acknowledge this fairly major screw-up.
Oh man !
My Hackintosh crashed yesterday morning with all this symptômes : some apps could not reach DNS, I restarted and was in infinite boot loop.
I recovered from a version from last Saturday and I will remove Chrome completely to be sure…hoping he has not already updated to the faulty version again.
Good to have all the infos on your page… I was about to buy a new motherboard thinking it may had a hardware problem…
thanks a lot !
We have had this happen to two of our Mac Pro’s in the last hour, one a laptop that we had fixed just hours previously – the article says the update had been disabled, so how was it still able to do this? We do not have SIP on either computer, the only real fix we know for now is to not use Chrome.
I’ve had the issue under 10.10.5 yesterday, had to reinstall “manually” Yosemite (using another Mac in Target mode) ’cause recovery mode gives “service unavailable” message….
I’ve just the “ls -ldO /var” command in terminal and I get this (the Mac is on since the reinstallation, thus the login date):
Last login: Tue Sep 24 17:48:03 on console
mac-pro-de-user:~ user$ ls -ldO /var
lrwxr-xr-x@ 1 root wheel hidden 11 24 sep 17:30 /var -> private/var
mac-pro-de-user:~ user$
Is it normal?
I’ve deleted both Launch Agent which, indeed, showed the exact date and hour of the crash…
Thanks a lot for all your work!
Mathieu
I don’t see the “retsricted” thing as described in the article.
Mathieu, I added an extra note in the fix part to mention 10.10 does not support SIP. You have to run a different set of commands.
Thanks!
FYI – from Hacker News
https://news.ycombinator.com/item?id=21065504
—–
Hey. Google Keystone tech lead here. We are aware of the issue, and we’ve stopped the release. We’re building a replacement that fixes the problem. In the meantime, to fix affected machines:
sudo rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
sudo ln -F /private/var /var
This deletes the affected version of Keystone and reinstates the damaged /var symlink.
The version of Keystone packaged with Chrome is not affected by this bug, so allowing it to reinstall Keystone will not recreate the issue.
After using this fix, the computer booted normally, but nothing has network access except chrome.
Also the administrator account doesn’t work, after rebooting, once again the computer fails to boot.
What could I have done wrong, what else would I need to do after booting into the OS normally?
I’m having the same problem. Mac os 10.10.5. I followed google terminal commands for fix and afterwards noticed this article and the difference fixes based on OS version. Did we screw up the filesystem by entering the 10.11+ commands into terminal instead of 10.10 or below?
Bizz_gg,
What happened after you ran those commands? Did you get an error? Is the system ok now?
I have no problem with calling Google’s software a Virus ;-P.
Trying to run the fix code that starts with xattr -sw com.apple.rootless and thereafter doesn’t work.
Derek,
What error are you getting? Are you booted to recovery? What OS version are you trying this on?
how can you fix this if you can’t boot into recovery or single user mode? Using a Hackintosh.
Tim,
I updated the post and added #8 for you! Let me know if it works.
may want to note that if you are on OS 10.9 or 10.10 then the output would be
lrwxr-xr-x@ 1 root wheel hidden 11 Apr 1 2018 /var -> private/var
Thanks Steve! I will add that in.
How to disable Google Chrome auto updates, preventatively:
launchctl unload ~/Library/LaunchAgents/com.google.keystone.agent.plist
launchctl unload ~/Library/LaunchAgents/com.google.keystone.xpcservice.plist
launchctl remove com.google.keystone.xpcservice.plist
launchctl remove com.google.keystone.agent.plist
Are all affected Macs managed by Jamf? We went through a similar nightmare a year ago that affected Macs across our organization. We tracked it down to a faulty Mac OS install policy.
Concerned Mac, this issue happened to some machines that were not managed by Jamf.
just to verify. the fix can also be done booting into single user mode?
Bbunn,
Yes, you should be able use the fix in single user mode. The fix was only tested in recovery mode though. If you try it and it works can you report back ?
Thanks!
yes it works. you only need to “mount -uw /” to make the file system writable.
Thank you for the good work!
There is a lot of technical jargon in the crucial part of this post that tells people how to check and/or fix the issue. Could you translate for the layman?
Alex,
Agreed. I will make a section that explains the issue better so more people can understand it now!
Thank you.
So I’ve checked my systems by following Step 6 of the article. All appears to be well despite having SIP disabled on one of the machines. I’m still afraid to reboot the computers! Is there anything we should be doing in order to actually prevent the issue from occurring at all? Without taking action I feel like a sitting duck!
Should I follow step 7 as a preventative measure? Should I disable auto-updates to Chrome?
Would you mind if I linked to your explanation and solution on my Avid-based blog?
Approved!!!
Thanks
Thanks. Here’s the blog if you’re at all interested:
https://avidhatesyou.blogspot.com/2019/09/avid-behaving-exceptionally-badly-macs.html
Man, your article crucified Avid. I get that the site is meant to do that, but Avid really isn’t at fault here.
Michael, are you talking about my article or someone else’s? Mine was one of the first to say it was NOT AVID.
No, Judd’s. Yours is spot on.
(And I cant seem to reply directly to your comment)
Got you Michael! I agree the Reply system is not the best.
I ran the script, and get “symlink” as the output. Does that mean I’m safe?
Stevens,
You can run ls -ldO /var to see. It should say “restricted” and point to private/var like below
lrwxr-xr-x@ 1 root wheel restricted,hidden 11 Apr 1 2018 /var -> private/var
If the link is broken it will show something like this
drwxr-xr-x 5 503 wheel – 170 Sep 24 14:37 /var
I confirmed that “symlink” means you’re ok.
The Jamf extension attribute won’t work if you are using a FQDN to connect your macs to your JAMF Pro server. /var/resolv.conf is needed for DNS to work properly and since the system is creating a bogus /var folder, and the file in /private/var is inaccessible, DNS breaks. Macs with this problem can’t check in, get policy, or update inventory with extension attribute data. We are reverting to Apple Remote Desktop to send UNIX commands to determine which machines have broken symlinks.
Strange thing is… We are affected by this and all our Mac’s have SIP enabled…. Which is even more strange…
Yes, me too – 2018 MacBook Pro 13″ macOS 10.14.6 up to date, SIP enabled. Got stuck in a Boot screen asking to choose a language, looked a lot like the Recovery Boot screen… Force rebooting with Command-Option-P-R a few times worked for me (so maybe a different issue?)
me too (Mac Pro late 2013, latest OSX)
Me too. 10.13.6 with SIP enabled. Multiple MacBook Pro models. Frustrating as hell since none of the crash reports were helpful.
Forgot to mention that all was fixed with Google’s instructions (as posted in the article above).
chroot /Volumes/Macintosh HD
rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
mv var var_back
ln -sh private/var
chflags -h restricted /var
chflags -h hidden /var
xattr -sw com.apple.rootless “” /var
Looks like Google has found a reproducible case of this when SIP is enabled. It’s mentioned on the following page:
https://bugs.chromium.org/p/chromium/issues/detail?id=1007358