Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

sh33p

macrumors newbie
Original poster
Aug 3, 2012
5
0
Hey guys,

I downloaded a freeware file from macrumors which had a command line script to fix my iMac fan which was continuously running. I tried the program but decided it wasn't any good for me so I used the command line script included to uninstall...

Right before my eyes I seen my desktop files and folders disappear one by one.

I lost my files from my documents and downloads folders as well as my desktop.

Firefox and other programs have reset themselves, I have lost all settings and bookmarks for firefox and some programs which I have a license for (e.g. BetterTouchTool) now wants me to re enter my license info.

I've lost a lot but I'm not sure if these files have been deleted?

I'm still using my same account on the mac, it's just that everything has disappeared.

I downloaded the file from here...
https://forums.macrumors.com/threads/fan-noise-on-startup-and-wake-from-sleep.1638399/#post-19125759

Here is the code from the uninstall script included in the link that ended up wiping all my files and settings.

Code:
#! /bin/sh

echo "***** SOS WakeUp fan loud for early MacPro 2006-2007 *****"

sleep 2

echo "***** Now uninstall in progress *****"
echo "***** Please enter your administrator password *****"

pid=$(ps -fe | grep 'sleepwatcher' | awk '{print $2}')
sudo kill $pid

sleep 1

echo "***** Uninstall -> Sleepwatcher with config *****"

sudo rm -rf /usr/local/sbin/sleepwatcher

sudo rm -rf /usr/local/share/man/man8/sleepwatcher.8

sudo rm -rf /Library/LaunchDaemons/de.bernhard-baehr.sleepwatcher-20compatibility.plist

echo "***** Uninstall -> SmcFanControl with config *****"

# Set Mac Pro default fan speed :
/Applications/smcFanControl.app/Contents/Resources/smc -k F0Mx -w 2d50
/Applications/smcFanControl.app/Contents/Resources/smc -k 'FS! ' -w 0000

sleep 1

pid=$(ps -fe | grep 'smcFanControl' | awk '{print $2}')
sudo kill $pid

sleep 1

localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )

sudo rm -rf /Users/$localUser/Library/Preferences/com.eidac.smcFanControl2.plist

sudo rm -rf /Users/$localUser/Library/Application\ Support/smcFanControl

sleep 1

osascript -e 'tell application "System Events" to delete login item "smcFanControl"'

sudo rm -rf /Applications/smcFanControl.app

echo "*****  Uninstall OK ! *****"

exit 0

Please help :(
 
Last edited:

chown33

Moderator
Staff member
Aug 9, 2009
9,144
5,711
Hellanback
I don't see anything that would intentionally delete a user's Desktop, Documents, etc.

However, I do see some latent problems that might accidentally do so. Lack of knowledge (ignorance), lack of skill (incompetence), or lack of planning (myopia) could all be contributing causes on the part of the shell script's author.


Here's the start of the potential problem I see:
Code:
localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
The potential problem here is that multiple usernames can be output. These are stored in the variable 'localUser', with newlines between them. If there's only one username output, everything should be fine. It's the multi-name case that's perilous.

The variable 'localUser' then gets used in 2 places:
Code:
sudo rm -rf /Users/$localUser/Library/Preferences/com.eidac.smcFanControl2.plist

sudo rm -rf /Users/$localUser/Library/Application\ Support/smcFanControl
This is where the latent problem of multiple names leads to disaster.

Because $localUser isn't quoted, it gets expanded with the newlines treated as whitespace between words. The result is that the first username in the list will have their entire home directory deleted recursively. That is, everything in that user's home directory is deleted. Kaboom, all gone.

If $localUser had been quoted like this:
Code:
sudo rm -rf /Users/"$localUser"/Library/Preferences/com.eidac.smcFanControl2.plist
it would still be expanded to multiple names, but the newlines between the names would have been treated as if they were part of an actual filename, rather than being treated as line endings or whitespace between words. Furthermore, since no such directory exists, nothing would have happened.

SUMMARY:
Improper or missing quoting can cause serious problems.


Although I'm fairly good with shell scripting, some of the commands in the script are opaque, and aren't obvious what their intent is, nor why they do something in that way.

For example, this:
Code:
pid=$(ps -fe | grep 'smcFanControl' | awk '{print $2}')
sudo kill $pid
might be replaceable with the single command 'killall smcFanControl'.

As another example, I'm not clear what the author expects this to do:
Code:
localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
I understand what this does, I'm just not clear on why it's being done this way.

If the goal is to get the current user name, then there's an environment variable for that: LOGNAME.

If the goal is to get the user's home directory, there are two ways to do that:
Code:
  ~/
  "$HOME/"

If the goal is to get what may be a list of usernames separated by whitespace, then that command makes sense. Unfortunately, the result isn't being properly handled as a list of names, which then leads to disaster.

Other commands are more plainly reckless, such as the recursive option (-r) to remove (rm) things that should only be single files. One of the rules of good system admin is to stop if something unexpected happens. If a file isn't deleted because it's actually a directory, the right thing to do is stop, not pretend it doesn't matter and recursively delete.


I wish I knew of a way to restore what was deleted, but I can't think of one.

I think this shell script is sufficiently dangerous that its link should be removed.
 
Last edited:
  • Like
Reactions: sh33p and Weaselboy
Comment

casperes1996

macrumors 603
Jan 26, 2014
5,989
3,859
Horsens, Denmark
I don't see anything that would intentionally delete a user's Desktop, Documents, etc.

However, I do see some latent problems that might accidentally do so. Lack of knowledge (ignorance), lack of skill (incompetence), or lack of planning (myopia) could all be contributing causes on the part of the shell script's author.


Here's the start of the potential problem I see:
Code:
localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
The potential problem here is that multiple usernames can be output. These are stored in the variable 'localUser', with newlines between them. If there's only one username output, everything should be fine. It's the multi-name case that's perilous.

The variable 'localUser' then gets used in 2 places:
Code:
sudo rm -rf /Users/$localUser/Library/Preferences/com.eidac.smcFanControl2.plist

sudo rm -rf /Users/$localUser/Library/Application\ Support/smcFanControl
This is where the latent problem of multiple names leads to disaster.

Because $localUser isn't quoted, it gets expanded with the newlines treated as whitespace between words. The result is that the first username in the list will have their entire home directory deleted recursively. That is, everything in that user's home directory is deleted. Kaboom, all gone.

If $localUser had been quoted like this:
Code:
sudo rm -rf /Users/"$localUser"/Library/Preferences/com.eidac.smcFanControl2.plist
it would still be expanded to multiple names, but the newlines between the names would have been treated as if they were part of an actual filename, rather than being treated as line endings or whitespace between words. Furthermore, since no such directory exists, nothing would have happened.

SUMMARY:
Improper or missing quoting can cause serious problems.


Although I'm fairly good with shell scripting, some of the commands in the script are opaque, and aren't obvious what their intent is, nor why they do something in that way.

For example, this:
Code:
pid=$(ps -fe | grep 'smcFanControl' | awk '{print $2}')
sudo kill $pid
might be replaceable with the single command 'killall smcFanControl'.

As another example, I'm not clear what the author expects this to do:
Code:
localUser=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v admin )
I understand what this does, I'm just not clear on why it's being done this way.

If the goal is to get the current user name, then there's an environment variable for that: LOGNAME.

If the goal is to get the user's home directory, there are two ways to do that:
Code:
  ~/
  "$HOME/"

If the goal is to get what may be a list of usernames separated by whitespace, then that command makes sense. Unfortunately, the result isn't being properly handled as a list of names, which then leads to disaster.

Other commands are more plainly reckless, such as the recursive option (-r) to remove (rm) things that should only be single files. One of the rules of good system admin is to stop if something unexpected happens. If a file isn't deleted because it's actually a directory, the right thing to do is stop, not pretend it doesn't matter and recursively delete.


I wish I knew of a way to restore what was deleted, but I can't think of one.

I think this shell script is sufficiently dangerous that its link should be removed.

Hadn't thought of those problems when I read through it. Seemed innocuous to me at first, but damn, you're right.
I think the "kill 'PID'" instead of "killall SMCFanControl" is just the scriptwriter now knowing of killall, cause I thought the same when i read through it - "Why isn't killall just being used?".
Also wondered why even single .plist files were being removed with the recursive flag.

Since none of the files were removed with the "srm" command, and only rm, depending on what drive you have in your computer, data recovery software may be able to get some of your data back, but it is highly unlikely you'll get all. Depends if it's been written over. If it's an SSD, it's probably already gone as a result of garbage collecting and TRIM.
 
  • Like
Reactions: sh33p and Weaselboy
Comment

sh33p

macrumors newbie
Original poster
Aug 3, 2012
5
0
Thanks for the reply guys. Like I said, I had 95% of stuff backed up. There's just some PSD's, bookmarks and other documents which I'm trying to recover now. Thank you chown33 for chiming in, it is very much appreciated. I will report back.
 
Comment

casperes1996

macrumors 603
Jan 26, 2014
5,989
3,859
Horsens, Denmark
Thanks for the reply guys. Like I said, I had 95% of stuff backed up. There's just some PSD's, bookmarks and other documents which I'm trying to recover now. Thank you chown33 for chiming in, it is very much appreciated. I will report back.

Hope you have success in recovering what you've lost
 
  • Like
Reactions: sh33p
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.