Macbook Pro File Structure

Hello. Recently I've been worried about the integrity of my version of MacOS and whether my laptop's file structure is set up correctly. There seem to be extra volumes and I don't know how they got there. I just would like some feedback to know if this is the correct configuration. If it's correct, great. If not, I'd like to know how to fix it.


MacBook Pro 16″

Posted on May 27, 2023 7:20 PM

Question marked as Top-ranking reply

Posted on May 28, 2023 8:53 PM

Your screenshots look normal. My MacBook Pro on Ventura also has a small unmounted partition (mine is 1.35 GB).


I suggest that you not continue to delve into your usr/bin folder and other protected folders. Users who try to modify these things usually end up posting here, reporting that their Macs no longer boot!


As for sshd-keygen-wrapperx, that's part of the MacOS. See this article for more details:


https://macreports.com/what-is-sshd-keygen-wrapper-on-mac/#:~:text=You%20can%20access%20the%20%E2%80%9Csshd,can%20find%20Full%20Disk%20Access.


Ventura is extremely secure, especially if you keep it up to date. With the secure, sealed, read-only OS volume (actually a snapshot), only an Apple certified installer accessed from Apple's servers can make OS changes.


The main security threat would be someone finding out your passwords so they can connect to your machine. There are multiple ways you can make this very unlikely. First, use good passwords. Another is to disable remote access. Others are to use FileVault and even a firmware lock on your machine. My employer makes us utilize PIV badges with PINs, which introduces a type of two-factor security.


Use your own router and make it secure (good passwords). Make sure your Firewall and also the router security is active.

9 replies
Jun 7, 2023 2:33 PM in response to arprestidge

arprestidge wrote:

Bob, thanks for that info. That was all stuff I did not know. So, let me ask you, how is a snapshot implemented in the first place? And what are its practical uses?

APFS implementation details are something I have not studied. Again in the very high level, a file system snapshot saves some file system metadata (metadata being information used to keep track of files on the storage). And a file system snapshot will set flags in the file system kernel code such that when files are created, modified, deleted, the kernel code knows that original storage should be given exclusively to the snapshot and new storage should be allocated for the new file or modification. Again actual APFS implementation details are not something I have any first-hand information about.


The most common use for a file system snapshot is to perform a backup. Take a file system snapshot, point the backup utility at the snapshot, backup utility copies the snapshot to external storage, backup deletes the snapshot after backup is complete.


In my industry, I've seen snapshots used when a customer is experimenting with their application, and does not want to risk the experiment corrupting their data. After the experiment, the customer may ask the file system to roll back all the changes to the snapshot (details of how this is done are a bit complex).


I've also worked on file systems that allow read/write snapshots, and in that case, a read/write snapshot is taken for the experiment, and when the experiment is finished, they just deleted the snapshot.


Do you have any idea what the 1.45 GB of unmounted partition might be?

If I had to guess, I would say that is the recovery partition. When you boot holding the Command-R keys, it boots from the recovery partition, which should be approx the size you are reporting.

May 28, 2023 6:53 AM in response to arprestidge

arprestidge wrote:

Can you suggest a good resource if I wanted to delve into those complexities?

You don't.

What is a System Snapshot and what does it do/how does it get there? Do you know why there would be space taken up by a VM on the container level?

That's the way Apple designed it. Apple doesn't explain system design at this level. It is considered an internal implementation detail. Sometimes Apple may inadvertently describe some information as part of an effort to fight internet disinformation. Here is one example: Role of Apple File System - Apple Support


But to be honest, that's really superficial. The idea is merely to give people some simple, but correct, answers in hopes that they won't go off and follow some anti-Apple social media influencer on the internet.

May 28, 2023 7:21 PM in response to arprestidge

10,000 foot view of a snapshot.


A snapshot gives the appearance of a frozen copy of the file system. The snapshot is ideal for making a backup, because no files are added, deleted, renamed, nor modified in the snapshot. So the backup will be an accurate copy of what the file system looked like at the time of the snapshot.


I said the “appearance of a frozen copy”. In reality the snapshot and the live file system are sharing all the files. But if the live file system creates a new file, it does not appear in the snapshot. If the live file system modifies a file, the snapshot keeps the original unmodified storage, and the live system allocates new storage for the modifications. If the live file system deletes a file, the snapshot keeps the file and all of its original storage and data.


But if a file is unchanged, the snapshot and the live file system are sharing the same file and storage.


So when a snapshot is first created, the snapshot uses very little storage. As time goes on, and the live file system creates, modifies, deletes files, the storage used exclusively by the snapshot grows. If the snapshot lives long enough, it may use considerable amounts of storage, maintaining the appearance of the file system at the time the snapshot was created.


Again, this is a very high level snapshot description. Actual details may differ from my description. And multiple snapshots over time implementation details is even more fun.


NOTE: I do NOT work on Apple’s APFS. But I have been working on several different Unix based file systems since the mid-90’s. Some of them implemented snapshots. My explanation is based on my work experience.
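A toy model of the copy-on-write sharing described in the post above, added here as an illustration; it is not part of the original thread and not APFS's actual design. The `Volume` class, its method names and the sample files are made up for the example, which tracks how much storage a snapshot holds exclusively as the live file system creates, modifies and deletes files.

```python
# Toy copy-on-write volume. Illustrative model only, not APFS's actual design.
class Volume:
    def __init__(self):
        self.blocks = {}     # block id -> bytes (physical storage)
        self.live = {}       # file name -> block id (live file system)
        self.snapshots = {}  # label -> frozen copy of the name -> block id map
        self._next_id = 0

    def _referenced(self, skip=None):
        """Block ids used by the live view and every snapshot except `skip`."""
        used = set(self.live.values())
        for label, frozen in self.snapshots.items():
            if label != skip:
                used |= set(frozen.values())
        return used

    def _collect(self):  # free blocks that no view references any more
        used = self._referenced()
        self.blocks = {b: d for b, d in self.blocks.items() if b in used}

    def write(self, name, data):
        """Create or modify: new data always goes to newly allocated storage."""
        self.blocks[self._next_id] = data
        self.live[name] = self._next_id
        self._next_id += 1
        self._collect()

    def delete(self, name):
        del self.live[name]
        self._collect()

    def snapshot(self, label):
        self.snapshots[label] = dict(self.live)  # metadata only, data is shared

    def exclusive_bytes(self, label):
        """Storage kept alive only by this snapshot."""
        mine = set(self.snapshots[label].values()) - self._referenced(skip=label)
        return sum(len(self.blocks[b]) for b in mine)

def demo():
    v = Volume()
    v.write("a.txt", b"AAAA")      # constructed sample files
    v.write("b.txt", b"BBBBBB")
    v.snapshot("backup")
    growth = [v.exclusive_bytes("backup")]
    for op, args in [(v.write, ("c.txt", b"CC")),        # new file
                     (v.write, ("a.txt", b"changed")),   # modified file
                     (v.delete, ("b.txt",))]:            # deleted file
        op(*args)
        growth.append(v.exclusive_bytes("backup"))
    return v, growth
```

`demo()` returns the volume and the snapshot's exclusive storage after each step; removing the snapshot entry and calling `_collect()` releases the blocks it was holding.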

May 28, 2023 7:43 PM in response to BobHarris

Bob, thanks for that info. That was all stuff I did not know. So, let me ask you, how is a snapshot implemented in the first place? And what are its practical uses? Living in an apartment building, I've been worried about someone possibly tampering with my filesystem remotely - I've actually had sshd-keygen-wrapperx in my login items when I've never remotely connected to this machine and never set that up before. Does that come on a fresh install of MacOS? The screenshots I attached are just after a fresh reinstall of MacOS. Do you have any idea what the 1.45 GB of unmounted partition might be?

May 29, 2023 4:35 AM in response to arprestidge

arprestidge wrote:

Living in an apartment building, I've been worried about someone possibly tampering with my filesystem remotely

That's why I make those comments about social media influencers.


Most people couldn't care less how the disk structure or APFS is organized. The only people who come to this forum asking about such things are people who've been told on the internet that they are at risk for hacking and that they need to either:

1) Dive into the internals of Apple's implementation and correct blatant errors that Apple has made,

2) Install 3rd party "security" tools to add "extra protection", or

3) Install 3rd party apps to monitor when Apple sneakily installs updates, tracks your information and activity, fails to perform some low-level operation. After all, how would you know that Apple's incompetence has denied you the latest critical firmware patch unless you monitor Apple's activity 24/7?


I don't know which is worse. People who believe that junk or me for thinking I can stop it.
