What else prevents file deletion on OS X beside permissions, ACL, flags or being in use?

Question

As root (OS X 10.9.5), I cannot delete a file with no flags or ACL entry (at least seemingly), despite having the correct permissions:

/Library/LaunchAgents$ whoami
root
/Library/LaunchAgents$ ls -alOe
total 32
drwxr-xr-x   6 root  admin  -  204 Jan 12 22:56 .
drwxr-xr-x+ 66 root  admin  - 2244 May  9 15:26 ..
 0: group:everyone deny delete
-rw-r--r--   1 root  wheel  -  690 May  4  2016 com.bitdefender.antivirusformac.plist
/Library/LaunchAgents$ chmod -N com.bitdefender.antivirusformac.plist
/Library/LaunchAgents$ chflags 0 com.bitdefender.antivirusformac.plist
/Library/LaunchAgents$ rm com.bitdefender.antivirusformac.plist
rm: com.bitdefender.antivirusformac.plist: Permission denied
/Library/LaunchAgents$

The ACL entry above pertains to the /Library folder and shouldn't affect /Library/LaunchAgents. I have successfully moved other items in LaunchAgents while the bitdefender item fails. Have tried doing the above in single user mode as well with the same result.

What am I missing?

The purpose was to remove all traces of BitDefender. Having deleted its main folder where the files referenced in the plist resided, no daemons are running. I am however puzzled as to how this is possible.

The file is owned by root - how about just a simple `sudo rm`? — Joe McMahon, May 09 '17 at 23:19
Permission denied. The commands I posted were run as root (see whoami) — Andrei P, May 09 '17 at 23:38
Despite the runnable files not being there, if `launchctl` thought it should start the BitDefender daemon, it may not let you `rm` the file. Try `launchctl list`; if BitDefender shows up, `launchctl unload com.bitdefender.antivirusformac.plist` and then an `rm` should probably get it. — Joe McMahon, May 10 '17 at 00:24
I have tried unloading from launchctl before deleting to no avail. Subsequently did `launchctl list` and there was nothing there that I recognized. Also I believe in single user mode the daemons are not launched. — Andrei P, May 10 '17 at 00:39
Strangely enough a `.plist~` file that got created when I opened the file with `emacs` cannot be deleted either, which points toward it having inherited something that prevents deletion. — Andrei P, May 10 '17 at 00:51
Maybe try `chmod -I ...` (capital i), which removes inherited ACL's, and/or `chmod -i ...`, which would also remove the inherited bit. — l'L'l, May 10 '17 at 05:23
Did not work: `/Library/LaunchAgents$ chmod -I com.bitdefender.antivirusformac.plist chmod: No ACL currently associated with file 'com.bitdefender.antivirusformac.plist' chmod: Failed to set ACL on file 'com.bitdefender.antivirusformac.plist': Operation not permitted` Same answer for `-i`. — Andrei P, May 10 '17 at 17:09

score 1 · Answer 1 · answered Oct 05 '18 at 11:17

There might be a kext that protects the file (the antivirus trying to "defend" itself), but sudo kextunload <name> (see the kexts with kextstat | grep -v apple) should work... Or, even better, first eliminate the daemon (vs agent) that controls it with sudo launchctl remove <name> (see the daemons with sudo launchctl list | grep -v apple).

score 0 · Answer 2 · answered Jun 13 '17 at 18:28

0

I think it's taking advantage of OSX's System Integrity Protection model, but you don't need to worry about that.

They ship an uninstaller, it's just not very well documented. Here's how you get to it:

Open finder -> Utilities -> BitDefender Uninstaller.

answered Jun 13 '17 at 18:28

loginx

1,112
9
9

I did try to run the uninstaller first, but it failed. The problem above occurred when I subsequently removed the files manually. I am running OS X Mavericks which it seems does not have system integrity protection. Checking the FreeBSD _securelevel_ with `sysctl -n kern.securelevel` returns 0. – Andrei P Jun 15 '17 at 00:01

What else prevents file deletion on OS X beside permissions, ACL, flags or being in use?

2 Answers2