Tracked!

It's just a bit.

We've updated our code to the splendid Keymaster. More specifically, we've updated the code to its embedded Seahaven Engine.

The Seahaven Engine is the code, shared across several applications, that does the digging, the 'search and destroy', once a target is found. Seahaven works at a very low level to perform directory enumerations recursively. Seahaven picks up everything.

There are several initial steps that must be taken before attempting to clean a file or directory. The actual user access privileges must be loosened and, before that, the so-called 'file flags' have to - at least temporarily - be reset.

These changes to standard file attributes (user access privileges) and file flags are of course restored once the cleansing operation is complete.

Files on a download will normally not have file flags and will have user access according to the 'umask'. But those files aren't the only affected files. Apple's Preview.app is notorious for dropping all kinds of gunk on files it edits and saves.

One file flag in particular caught our eye.

0x00000040

Here's the pertinent documentation, buried deep in the Xcode hierarchy today, a hierarchy with half a million files (yes you read that right). The very name should send shivers up your spine. Here's what the Apple doc says about it.

/* UF_TRACKED is used for dealing with document IDs. We no longer issue notifications for deletes or renames for files which have UF_TRACKED set. */
#define UF_TRACKED        0x00000040

(Document IDs?)

So that's what they admit to doing. But, given the sinister aspects of their Gatekeeper system, all bets are off and should stay off. As this is not vanilla Unix, it must always be suspect.

Here is the full section about file flags.

/*
 * Definitions of flags stored in file flags word.
 * Super-user and owner changeable flags.
 */
#define UF_SETTABLE   0x0000ffff    /* mask owner changeable */
#define UF_NODUMP     0x00000001    /* do not dump file */
#define UF_IMMUTABLE  0x00000002    /* may not be changed */
#define UF_APPEND     0x00000004    /* writes only append */
#define UF_OPAQUE     0x00000008    /* dir opaque on union */
/*
 * The following bit is reserved for FreeBSD.
 * It is not implemented in Mac OS X.
 */
/* #define UF_NOUNLINK   0x00000010 */ /* not unlinked */

#define UF_COMPRESSED 0x00000020 /* compressed (for some) */
/* UF_TRACKED is used for dealing with document IDs. We no longer issue notifications for deletes or renames for files which have UF_TRACKED set. */
#define UF_TRACKED    0x00000040

#define UF_DATAVAULT  0x00000080 /* entitlement for r/w */
/* Bits 0x0100 through 0x4000 are currently undefined. */

#define UF_HIDDEN     0x00008000 /* GUI hide hint */
/*
 * Super-user changeable flags.
 */
#define SF_SUPPORTED  0x001f0000 /* root supported flags */
#define SF_SETTABLE   0xffff0000 /* root changeable flags */
#define SF_ARCHIVED   0x00010000 /* archived */
#define SF_IMMUTABLE  0x00020000 /* may not be changed */
#define SF_APPEND     0x00040000 /* writes only append */
#define SF_RESTRICTED 0x00080000 /* entitlement to write */
#define SF_NOUNLINK   0x00100000 /* may not be unlinked */
/*
 * The following two bits are reserved for FreeBSD.
 * They are not implemented in Mac OS X.
 */
/* #define SF_SNAPSHOT   0x00200000 */ /* snapshot inode */
/* NOTE: There is no SF_HIDDEN bit. */

The flags are divided into two categories: those with the prefix 'UF' are user flags and those with the prefix 'SF' are system flags. User flags are in the lower sixteen bits, system flags in the upper sixteen.

The system flags can most often be reset only in single-user mode ('SUM'), meaning you need to reboot into that mode to reset them.

(All our utilities actually warn about this. You might need root access to change a system flag, but you still can't change it back without SUM.)

So, back on track. How does one go about allowing for some file flags when performing a cleanse with the Seahaven Engine? First off, you have to make it variable in some way. We've done this by introducing the global ACP setting 'Kmfmask' (Keymaster flag mask). This setting must be declared in the global com.rixstep.ACP.plist found in /Library/Preferences.

(We've done this for you in the next release: the file is found in etc/plists in your download. You simply authenticate and then copy it in.)

The two lines of the plist that are of interest here:

<key>Kmfmask</key>
<string>40</string>

That value '40' need not be prefixed by '0x' as it's assumed to be hexadecimal.
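To make the mask arithmetic concrete, here is an added illustration in C (not Rixstep's code and not the Seahaven Engine's implementation). It parses a bare-hex mask string like the plist value, names the bits using the values from the header excerpt above, and shows what is left of a flags word once the masked bits are cleared. The function names are hypothetical, and clearing every bit set in the mask is an assumed reading of how the mask is applied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit values copied from the header excerpt quoted on this page. */
static const struct { uint32_t bit; const char *name; } flag_names[] = {
    {0x00000001, "UF_NODUMP"},     {0x00000002, "UF_IMMUTABLE"},
    {0x00000004, "UF_APPEND"},     {0x00000008, "UF_OPAQUE"},
    {0x00000020, "UF_COMPRESSED"}, {0x00000040, "UF_TRACKED"},
    {0x00000080, "UF_DATAVAULT"},  {0x00008000, "UF_HIDDEN"},
    {0x00010000, "SF_ARCHIVED"},   {0x00020000, "SF_IMMUTABLE"},
    {0x00040000, "SF_APPEND"},     {0x00080000, "SF_RESTRICTED"},
    {0x00100000, "SF_NOUNLINK"},
};

/* Parse a mask written as bare hex ("40", not "0x40"); 0 on success, -1 on bad input. */
int parse_mask(const char *s, uint32_t *out) {
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > 8 || strspn(s, "0123456789abcdefABCDEF") != len) return -1;
    *out = (uint32_t)strtoul(s, NULL, 16);
    return 0;
}
/* Assumed semantics: every bit set in the mask is cleared from the flags word. */
uint32_t apply_mask(uint32_t flags, uint32_t mask) { return flags & ~mask; }
/* Upper sixteen bits are system (SF_) flags, per the split described on this page. */
uint32_t system_bits(uint32_t mask) { return mask & 0xffff0000u; }

/* Write "A|B" style names into buf; returns named-flag count, -1 if buf is too small. */
int describe(uint32_t flags, char *buf, size_t n) {
    int count = 0;
    size_t used = 0;
    if (n == 0) return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (!(flags & flag_names[i].bit)) continue;
        used += (size_t)snprintf(buf + used, n - used, "%s%s", count++ ? "|" : "", flag_names[i].name);
        if (used >= n) return -1;
    }
    return count;
}

int main(void) {
    uint32_t mask;
    char out[128];
    if (parse_mask("40", &mask) != 0) return 1;
    describe(apply_mask(0x00008040, mask), out, sizeof out); /* constructed sample: UF_TRACKED|UF_HIDDEN */
    printf("left after mask %08x: %s\n", (unsigned)mask, out);
    return 0;
}
```

A mask for which `system_bits()` returns non-zero touches the upper sixteen bits, the system flags the article says may need single-user mode to reset.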

MC.app

As these file flag values can be a burden even for admins, MC.app comes to the rescue.

MC.app lets you play around with file types, access, and user and system flags, either by ticking the boxes or by inputting the values you want in the uppermost row. It's fully interactive!

As you can see from the graphic, ticking the 'Tracked' box nets you a value of 40 in the upper right.

As time goes on, there might be reason to zap other file flags. Or to just let the Seahaven Engine remove them all.* But, given the possibility you might on occasion want to save some file flags for your own reasons, that option is now built in.

This enhancement cost the binary 56 bytes and cost us a few days of work before finally agreeing on how to do it right.

*Not all file flags, as used by Apple, are yet defined. (Thank goodness, some innocent soul may say.) But you don't have to input the magical '1F80FF' to make it work. A good old 'FFFFFFFF' will do nicely.