removing/editing read only file system

Even after disabling SIP, I still can't remove ARDAgent.app.

Is there a way to remove this?

rm: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support: Read-only file system

rm: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist: Read-only file system

rm: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/PkgInfo: Read-only file system

rm: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/version.plist: Read-only file system

rm: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents: Read-only file system

MacBook Air 13″, macOS 12.6

Posted on Jun 8, 2023 11:32 PM

Question marked as Best answer

A good thing for Apple. OK, here is a lesson for you: only answer questions in maybe a more respectful way, or if you don't know, then maybe learn:


These RemoteManagement services are used by Apple and by whoever can escalate permissions ("privileges") either locally or remotely. I have been noticing that the ARD agent and SSMenu Agent are running while I'm not running them or even using them, and when I kill and stop them.


Later, in a few days, start working, then discovered that there's an SSH connection ("hacked") masked in a DNS tunnel running on UDP, which makes traffic not only hidden from the firewall but also very hard to trace.


This is why I want to delete the following from CoreServices, so even if someone has an SSH connection into my OS X, they can't use these services to view and manage it remotely:

ARDAgent.app       

AppleVNCServer.bundle   

SSMenuAgent.app      

ScreensharingAgent.bundle

screensharingd.bundle


So if anyone is facing the same issue:

  1. Recovery mode
  2. Turn off SIP (csrutil) and restart
  3. Turn off SIP root-auth (csrutil Auth-root) and restart (FileVault must be off)
  4. Check your OS volumes using diskutil
  5. Remount the OS and OS data APFS volumes as writable
  6. Check the mount is writable (mount)
  7. Delete files, turn on SIP and root auth, and restart into your OS

Posted on Jun 9, 2023 1:51 AM
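
The checks in steps 6 and 7 above, as an added example that is not part of the original post: a shell script that reads `mount` and `csrutil` output and lists anything still left unprotected once the procedure is finished. The sample outputs and function names are constructed for illustration; `csrutil authenticated-root status` is the subcommand for the setting the post calls root auth.

```shell
#!/bin/sh
# Added example: report whether the system volume protections are back on.
# Sample outputs below are constructed; function names are illustrative.
SAMPLE_MOUNT='/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)'
SAMPLE_RW='/dev/disk3s1 on / (apfs, local, journaled)'
SIP_ON='System Integrity Protection status: enabled.'
SIP_OFF='System Integrity Protection status: disabled.'
AR_ON='Authenticated Root status: enabled'
AR_OFF='Authenticated Root status: disabled'

# mount_flags MOUNT_OUTPUT MOUNTPOINT: print the option list for that mount point
mount_flags() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        { key = " on " mp " ("; i = index($0, key) }
        i > 0 { s = substr($0, i + length(key)); sub(/\)[^)]*$/, "", s); print s; exit }'
}

# has_flag "apfs, sealed, ..." FLAG: succeed if FLAG is one of the options
has_flag() {
    case ", $1, " in *", $2, "*) return 0 ;; esac
    return 1
}

# status_enabled CSRUTIL_OUTPUT: succeed only on an explicit "status: enabled"
status_enabled() {
    printf '%s\n' "$1" | grep -Eq 'status: enabled\.?[[:space:]]*$'
}

# posture MOUNT_OUT SIP_OUT AUTHROOT_OUT: one line per finding, nothing if clean
posture() {
    flags=$(mount_flags "$1" /)
    has_flag "$flags" read-only || echo "FINDING: / is not mounted read-only ($flags)"
    has_flag "$flags" sealed || echo "FINDING: / is not a sealed volume ($flags)"
    status_enabled "$2" || echo "FINDING: SIP is not enabled"
    status_enabled "$3" || echo "FINDING: authenticated root is not enabled"
    return 0
}

# On a Mac, check the live system; elsewhere this is skipped.
if command -v csrutil >/dev/null 2>&1; then
    posture "$(mount)" "$(csrutil status)" "$(csrutil authenticated-root status)"
fi
```

Empty output means the root volume is sealed and read-only and both protections report enabled.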


19 replies

Aug 13, 2023 5:46 PM in response to laith188

Well, here is a knotty problem. Python3.9 is installed in /usr/bin/. It is no longer the current version - it is now 3.11.

If I run python3 --version it says Python 3.11.4

If I run python it says Python 3.9.6.


To my mind, for consistency's sake, both commands should give the same result. Windows and Linux can easily be configured to symlink python3 to python but that doesn't work on Mac because even if you create a symlink to the up-to-date python 3 in /Library/Frameworks/Python.framework/Versions/3.11/bin (which is the first entry in my path), that symlink is ignored. If you enter python you still get 3.9 from /usr/bin.


And since there is no way to delete that, it remains a permanent irritant.


Perhaps it was a mistake to hard-code a version of python into the OS, because it is updated so frequently.

Some will say, MacOS "depends" on python so it must be this way. Apple support will say "Why are you trying to work with python on your computer? We don't support that"


You would think that after all the years that Apple has been working on the OS and the billions they have in the bank, they could figure out some way to keep python current so that it wouldn't be necessary to get updates directly from python.org.


Anyway, IMHO, restrictions like this always have undesirable consequences, as would not having the restrictions. I'd rather be able to clone my drives frequently and be free to do whatever I think necessary. Of course, with APFS it's no longer really possible to clone your disk either.


I'm never comfortable or happy when I run into this kind of paternalism. Every time I encounter it I seriously consider just dumping mac completely, it's that frustrating.


Unfortunately, the only solution is for Apple to change its ways.

Sep 22, 2023 10:52 AM in response to laith188

FINALLY!!! I have had the same issue. I have been using macs for over 30 years and the last few months have been **** dealing with something or someone getting into my machine. The processes you listed are the exact same ones that I have noticed being the common denominator. It's not a bug or a corrupted plist file. The damage is too deliberate and targeted to a specific project I am working on.


I am going to try what you suggested

Sep 22, 2023 11:34 AM in response to AlexGreggs2

AlexGreggs2 wrote:

FINALLY!!! I have had the same issue. I have been using macs for over 30 years and the last few months have been **** dealing with something or someone getting into my machine. The processes you listed are the exact same ones that I have noticed being the common denominator. It's not a bug or a corrupted plist file. The damage is too deliberate and targeted to a specific project I am working on.

I am going to try what you suggested


Do whatever you like, it is your mac, but if you start messing around with files that Apple includes as part of the OS you may risk making your mac unbootable. There are thousands of processes running at any time in macOS (or any other OS, for that matter). Most users have no idea what they are. Deleting files left and right is unlikely to fix the issues you are facing, and could have devastating effects. At the very least, make a full backup of your data before embarking on this adventure. Just saying.
