
What are the extra 13 partitions? Root user security concerns?

I was running Yosemite 10.10.3 on a Late 2014 iMac with a Fusion Drive (SSD and HDD).

This might be a bit confusing, and I need assistance from someone who really knows what they're talking about here.


When messing around trying to secure my system, I enabled the root user to view certain files, and accidentally did not disable it when I was finished. After this, I unknowingly ran my computer for probably a month as the administrator with the root user enabled, and made a number of downloads in the process (which used the same password as root). After recently realizing this, I noticed in Activity Monitor that some of my downloaded applications were running as the root user, not as administrator as I thought they should be, and I also found malware after running ClamXav.


Because of all this and my compromised root, I wanted to ensure that no third-party code was deeply embedded in my drive, so I backed up my important data and actually proceeded to (very carefully) separate my Fusion Drive using 'diskutil' commands, wiping and reformatting everything but the base system. Then I booted into safe mode to check "diskutil cs list" and "diskutil list" through the Terminal, and was surprised to still find 17 partitions in total, including those in my Logical Volume Group. The command "diskutil cs list" reveals /dev/disk0 as my SSD, /dev/disk1 as my HDD with EFI and Recovery, /dev/disk2 as the Apple base system, and ALSO /dev/disk3 as my HDD again (which is an unusual addition to what I have seen as typical LVG "diskutil cs list" outputs, though I assume it is just related to booting from Recovery mode with no OS on my disk any longer).


The command "diskutil list" reveals these disks (/dev/disk0-3), along with small partitions, /dev/disk4, /dev/disk5 ... all the way up to /dev/disk16. All these unknown disks 4-16 range from 0-4 MB in size. One of my main questions is simply what all of these extra partitions are. Are they just required hidden partitions only visible through the Recovery mode boot?


Even if so, is there a possibility that my actions explained in the first paragraph have compromised the integrity of ANY of the disks on my drive(s)? I do not want any installs to have access to my root, or to have embedded anything into my core system, regardless of whether they are malicious or not. I did not do a full zero-pass secure wipe, as I figured that would be overkill and wear on my drives, but I am also curious whether it is even possible that the base system or other core components could have been injected with any 3rd-party code. I know I may seem overly paranoid, but I want to ensure that my system does not have any security holes from the start, before I go about re-installing all my software again, some of which opens up security holes, but which I am required to have for my work.


I want to note that I have already downloaded a new OS through Internet Recovery mode onto my reconfigured Fusion Drive, and do not see these extra partitions when I am logged in as a user; however, they still appear in Recovery mode, re-affirming my assumption that they are simply hidden partitions only seen through the Recovery boot menu. I still have not loaded any of my data, however, and regardless of whether or not the extra /dev/disk partitions I noticed are simply hidden Apple boot partitions, any advice on whether I should zero-pass wipe any drives and reinstall the OS again to absolutely ensure there are no security holes after having my root user compromised would be greatly appreciated. I could even resort to a full DBAN wipe and use a Snow Leopard install disc I still have, but do not want to put extra wear on my drive if there is no chance these core drives were compromised. Sorry for not posting a picture of my Terminal output as well; I was unable to set up an SSH connection to take a screenshot from the Recovery partition. And thank you ahead of time to anyone who takes the time to read this and give me any advice.

Posted on Apr 30, 2015 9:39 PM

24 replies

May 1, 2015 11:26 PM in response to MadMacs0

OK. Now this makes NO SENSE WHATSOEVER. Every time I tried ejecting particular partitions from the Recovery mode boot, they would cause the Disk Utility app to freeze, specifically the partitions /dev/disk4 and /dev/disk9. Very strange if these are not core components of the boot menu.


OK, here is where it gets WAY weirder. I just decided to check the boot menu on my laptop, where I am running OS X 10.10.3 also (although I have never messed with the root user or anything on this computer), and it doesn't EVEN HAVE a Fusion Drive or Core Storage, and I found the exact same partitions listed in the Recovery mode Terminal after typing "diskutil list". So either there is a form of malware that has embedded itself through my network, or possibly an application I am using on BOTH my desktop and my older laptop, or everyone here is completely mistaken and has not actually checked "diskutil list" from the Recovery mode boot menu and looked for these extra /dev/disk partitions I am seeing. What are all these partitions?! This is getting so odd I don't even know what to say anymore.

May 1, 2015 11:43 PM in response to PRiSTiQUE

This was the info from the command "diskutil info" for /dev/disk4 and /dev/disk9, which were the two that prevented me from accessing the Disk Utility menu if I forcibly ejected them. However, I ejected others as well and left these, and when I eject the others I get an error in red from Disk Utility repairs saying that my newly fused drives "cannot create a temporary folder, [and] might prevent the drive from booting". How are these not core components if they will not even allow me to re-fuse the drive (which I could do when these disks were not ejected)?


May 1, 2015 11:59 PM in response to PRiSTiQUE

PRiSTiQUE wrote:


I just decided to check the boot menu on my laptop, where I am running OS X 10.10.3 also (although I have never messed with the root user or anything on this computer), and it doesn't EVEN HAVE a Fusion Drive or Core Storage

If your laptop meets the following criteria, it should have been converted to Core Storage by the 10.10.x installer:


The installer converts to Core Storage when:

  1. the machine is a portable
  2. the CPU has the AES instruction set (Core i5 or i7)
  3. the target is an internal disk with no Boot Camp volume present

May 2, 2015 12:10 AM in response to MadMacs0

"diskutil cs list" displays that there are no Core Storage volumes present. I meet all of the criteria above. I think I need to take both my machines in and get this figured out ASAP; this doesn't make any sense. I have never downloaded any form of Boot Camp on my laptop, so that is clearly not the issue, and I have recurring problems where I reset my permissions via Disk Utility on both my computers, but "private/var/db/displaypolicyd" always has user 244 instead of 0, no matter how many times I verify and repair permissions. It never fixes these permissions from the boot menu, nor once I am logged in.

May 2, 2015 12:13 AM in response to PRiSTiQUE

PRiSTiQUE wrote:


I have recurring problems where I reset my permissions via Disk Utility on both my computers, but "private/var/db/displaypolicyd" always has user 244 instead of 0, along with a couple of other ones, every time I restart either computer.

That's perfectly normal and not a problem. You can ignore that along with the ones concerning /Library/Printers/InstalledPrinters.plist which will revert back every time you run Software Update. We all have been seeing these two for a long time now. There is another one for a Safari help file that some see and others not. Again, it can always be ignored.

May 2, 2015 3:28 PM in response to cdhw

HAHAHa, god. Welllll. After spending almost three days trying to forcibly eject these partitions and separating and re-fusing my drive and installing new OSes multiple times, it turns out they WERE just required boot partitions. I sure have become familiar with diskutil commands in the process at least; I just wish my guinea pig wasn't my almost brand new desktop with expensive drives. I'm sure I've aged them quite a bit through all this. Thanks for finally figuring out what the issue was, though!
