How I discovered that OneDrive has become a very risky app
Note that this has laready been updated 2-3 times, so god only knows if it will ever be “done”
So first, this has little to do with security (except for the root thing). I’m sure OneDrive:Mac is as secure as it is on any other platform. What I’m talking about are a series of things that would be comical if they weren’t so awful.
As some background, my main rig is a 2019 16″ MacBook Pro, 64Gb of RAM, running the current drop of Monterey.
One fine day, I realize, as I have before, that I’ve hit the limits of Pages. Over the years, I’ve learned that once you hit around 130 pages, Pages starts becoming unusable. Simply can’t handle it. Which is sad for a word processing app, but Apple only cares about Pages and the rest of iWork in how well they round-tip with iOS. Kind of like any of their “cross-platform” apps. How well they work is less important than they work exactly the same for macOS and i(Pad)OS.
So I do what I always do in that sitch: export to docx to keep working in Word. I then go to copy that export to my OneDrive folder and there, reader, therein begins an adventure that starts with the immediate discovery of two sins, one venial, one mortal.
The venial sin is that where I had my OneDrive folder is now an alias pointing at ~/Library/CloudStorage/OneDrive-Home/ This is annoying, primarily because OneDrive has severe issues with path lengths. But okay, as long as it keeps working. My guess is that this is a Monterey thing, as OneDrive now shows up like my iCloud folder in the Finder. This may be more convenient for some folks, so whatever.
20 Sept. Update: So it turns out that because the OneDrive folder has been relocated, you have to re-allow Office apps to work with the OneDrive folder. Thus far, it seems that only applies to Office apps, but really? Y’all do this and do an incomplete job of it?
21 Sept. Update: It’s not just Office apps, i got the same warning for Acrobat Pro. However, this is not the OS folder access warning, but one that is specific to OneDrive. It’s not available in the OneDrive app, so I’m sure it’s a goddamned plist file somewhere, but I’m too tired to look. But why is this setting not in the minimal UI OneDrive has, and why is it separate from the OS version?
But then, I discover that Files On-Demand, which I had turned off had been turned back on and applied to all my files. The explanation for File On-Demand, or FOD as I put it, is here. I don’t have a problem with FOD as a concept, but I had it turned off for specific reasons, one of which is that I regularly work disconnected, which makes FOD kind of useless. But not only is it turned on, I have no way in the UI to turn it off. This is what I see in the preferences now for FOD:
Goddamnit, this is not okay. You want to make it the default for new users? I guess, although I think that’s stupid. But when I have *turned it off* and not only do you turn it back on, but you don’t give me a way to turn it back off, like how I wanted it? That’s unacceptable.
A little bit of googling leads me to this page and the FilesOnDemandEnabled key, along with warnings that I should not use that, but rather the information on this page. Okay, so I try the /getpin on a single file. Blows up, doesn’t work. Sigh. I try /setpin on the same file. Cue endless lines of how OneDrive’s cache.db file is corrupt. Why OneDrive can’t fix this itself, dunno, but that’s an easy fix. Quit OneDrive, delete cache.* files in that folder, restart OneDrive.
OH! I almost forgot! So while you can use /getpin while OneDrive is running, you cannot, can. not. use /setpin while OneDrive is running. SIGH. Fine, quit OneDrive, run /setpin, which…starts OneDrive. Y’all, this is not the way to use the primary executable for OneDrive. This is why $DEITY created helper utilities. And UI options so I don’t have to mess around with this. So now, wait 2-3 minutes for OneDrive to start and log back in to my account, (MS365 business, and this is on Google Fiber, so I have a fast connection.) Cue the endless cache.db warning lines. Kill /setpin which…exits OneDrive.
So that means, since I think I’m reading this correctly, that even if /setpin worked, (which as we shall see, it does not), if you ran it five times on five different items, you would have to go through the launch/login/run/quit cycle once per item. At about 3-5 minutes for just a single small file, nevermind a larger folder tree. Which begs the question, why even bother? Because /setpin and related let you modify the FOD settings for files and folders recursively, which the Finder options do not. No, you didn’t misread that. Changing the sync settings in the finder don’t recurse through folders. Here, this is the folder tree for some stuff I got from a security class I took a while ago:
So you see the how there’s four folders on the left, then the highlighted folder has subfolders, which have subfolders which have subfolders and so on? Now, one would expect that if I click the “download” icon for the “CCD-Provided attack tools” that one of two things would happen:
- Everything in that folder would also be downloaded recursively
- OneDrive would point out there’s a lot of files and subfolders in that folder and do I really want to download all of those?
One would expect either of those two behaviors, because they are both fine behaviors, but one would be quite wrong. If one clicks download on “CCD-Provided attack tools” the only thing downloaded is the one single “document.docx” file in that folder and nothing else. You have to manually do every folder and subfolder separately.
I say this and mean this with my whole chest: WAT? Or more accurately:
IT GETS BETTER. After posting this, I had a thought. In terminal, I went to one of the directories with subdirectories, and before I opened it in the Finder, I did an ls -al. Then I did it again. This is what I got:
jwelch@Blackbird VMware Workstation 15.5 Player % ls -al
drwx——@ 2 jwelch staff 64 Dec 18 2019 .
drwx—— 33 jwelch staff 1056 Dec 18 2019 ..
jwelch@Blackbird VMware Workstation 15.5 Player % ls -al
drwx——@ 4 jwelch staff 128 Dec 18 2019 .
drwx—— 33 jwelch staff 1056 Dec 18 2019 ..
drwx—— 65535 jwelch staff 45798222336 Dec 18 2019 Prerequisites
-rwx—— 1 jwelch staff 144754512 Oct 1 2019 VMware-player-15.5.0-14665864.exe
jwelch@Blackbird VMware Workstation 15.5 Player %
Wait, what? Oh this can’t mean what I think it does…let me try something a few levels up. So I go up a level, and run ls -alR, and see that every folder save the ones I’ve already looked in is empty? That cannot be correct. So I run it again and see the directories are suddenly filling in.
Goddamnit, OneDrive and FOD are at this point lying to me. It’s not even completely downloading the file placeholders for folders until you click on them. So if you weren’t aware of this, and were offline and clicked on a FOD’d folder, you’d think it was empty, that you had lost data. There’s not enough letters in “unacceptable” to show how unacceptable this is. But it explains why recursion fails in the Finder when you click download: There’s literally nothing in the subfolders TO download. Jesus wept, this is bush-leage stuff. This will cause people to freak out. This has to be changed.
So yeah, FOD failures left and right, but we aren’t done yet. You know bundle files? Like minor things like .rtfd files, .xcodeproj files, .scriptd files, .app files? You know, files no one would ever use? Yeah, so if OneDrive has uploaded and FOD’d them (I love calling it FOD because I used to work aircraft maintenance and that use of FOD? IT APPLIES HERE TOO!) and you go to click the download icon? Fails. You get a finder dialog:
Which means the only way to deal with that, to get to your files is to download them via the web interface (after you turn FOD off, because otherwise, you’ll have this problem again, then copy them to where they should go, and let OneDrive resync them. Oh, and if you do this on a lot of files, OneDrive will temporarily halt until you tell it “yes, delete all those files so I can replace them with the exact same files.” Oh, it fails on Swift Playground files as well, so basically, if you want to use OneDrive with any form of Xcode development, you have to make sure FOD is disabled or it will prevent you from doing any work at all. Good job MS.
So back to /setpin et al. Once the cache.db issue was taken care of, I tried /getpin. Got some useful info:
2021-09-19 12:28:46.442 OneDrive[3106:104456] MSEnvironment: returning 0
2021-09-19 12:28:46.607 OneDrive[3106:104456] invalid mode 'kCFRunLoopCommonModes' provided to CFRunLoopRunSpecific - break on _CFRunLoopError_RunCalledWithInvalidMode to debug. This message will only appear once per execution.
2021-09-19 12:28:46.693 OneDrive[3106:104456] pin state=None
Okay, cool, so let’s try setpin. On a single file. Even allowing for the OneDrive relaunch shit, it can recurse, so that will save me some time, right? LOL. No. Failed. I started it on a single, small Word file at 1148. By 1228, enough time for me to kill Potema in Skyrim including travel and NPC dialog, still hadn’t finished. Last message in the terminal window was:
11:51:21.951 OneDrive[2781:91209] Warning: +[NSStream getStreamsToHost:port:inputStream:outputStream:] is deprecated since OS X 10.10. Please use +[NSStream getStreamsToHostWithName:port:inputStream:outputStream] instead.
So let’s be clear: OneDrive moved from where I’d put it (annoying, but not huge, changed a setting I’d explicitly set to the thing I didn’t want because the new default state for OneDrive is Files On-Demand is on unless you change it in the plist file, told me about command line utilities that don’t work, showed that downloading via Finder integration doesn’t work for a very common file format on the Mac, (and before someone brings it up, it’s not about executables. .exe and .msi files, onedrive has no problem with. It’s the bundle format, not the content of the bundle format), and since it doesn’t recurse if you use the Finder integration to download, requires you do do a lot of work.
What the hell?
Look I know, or used to know people on the OneDrive team. They aren’t stupid. They aren’t malicious. But they literally built this, and I’ll be damned if I know why. Other than the /setpin issues, this isn’t about bugs or not enough unit/etc., tests. I’m sure they test the hell out of their code in their CI pipeline. But that’s not the problem. The problem or problems are:
- The OneDrive team has clearly decided their only use case, customer-wise either never involves someone using files in OneDrive without an internet connection, or they will know ahead of time every file they’ll need and download those prior to disconnecting. This is only valid if your prime disconnection case is light work/personl stuff on a vacation or something similar. If you’re, I dunno, working for extended periods of time in a disconnected state and you decide OneDrive is pretty cool before you’re disconnected, you’re screwed, because OneDrive doesn’t warn you that it’s about to empty all those files off your drive sans placeholders, nor does it give you an easy way to un-FOD your files. That is almost malware-esque behavior, the main difference being, you can at least get to your files without paying a specific ransom. Although i do wonder what happens if you don’t know about this, decide OneDrive/365 isn’t for you and kill your sub. Because I don’t think MS downloads all that back to your hard drive, so there is a very real, not too outré case where you could lose a lot of data if you didn’t have a separate backup system. That’s not okay.
- The OneDrive team has clearly not tested the current/new implementation of FOD outside of some carefully scripted, highly limited situations, and they aren’t testing for the right things. It reminds me of the one time I ethered some version of Lotus Notes (I was bored and Notes is an easy target) and both IBM and Notes Stans (They exist, I am as mystified by that as anyone) started lecturing me about all their UI testing and I responded with a screenshot of a menu wherein the key combo shortcut was displayed as the copyright symbol, asking if they could, pray tell, show me where on a standard computer keyboard, regardless of platform, the copyright symbol key was. To quote the amazing Chelsea Hart, THEY DID NOT LIKE THAT. I am quite positive the OneDrive team has an extensive test suite given how few “bugs” i’ve found, and I am equally positive none of that involves actually using OneDrive and FOD on a Mac with anything but the most simplistic of folder structure setups.
- The OneDrive team needs to get some people who aren’t the same as them, who don’t all live in one place, and all work and live the same into the room where UI/UX decisions are made. Because none of the idiocy I’ve been dealing with was snuck in. There have been deliberate decisions at multiple levels that created this, and that is a problem.
- FOD is actually lying to you, actively, with its “no placeholders until you click on the folder” nonsense. That’s inexcusable in the extreme. It means that if you look in your FOD’d OneDrive folder and you’re disconnected from the public internet, you are going to see…nothing. Not even placeholders. This is beyond unacceptable. There’s no justification for this. None. Miss me with the attempts.
- Oh, I just remembered one nigh-hilarious security issue: if you execute any of the OneDrive commands, like /setpin with sudo, OneDrive tries to set up /var/root as a OneDrive folder. I just can’t with that, how does that pass the laugh test? That’s like Oozinator-level “how did this get approved” stuff.
- WAIT, THERE’S MORE. You know how normally, if you hit cmd-delete on a folder or file in the Finder, it moves that thing to the trash? Well OneDrive decided that’s WAY too confusing for you, so if you do that on anything in the OneDrive folder, it’s a “permanently delete now” action. So basically, OneDrive makes finder items act like they’re not local at all. I can’t. Just stop. Make the pain stop..
Fortunately for MS, I use 365 for a lot more than OneDrive, else I’d be moving my shit over to any other service, even (ugh) Google. Okay not Google, even I have limits to my spite. But this is not a very “sticky” performance in terms of making me want to use OneDrive more. And I will bet I’m not the only person this stealth application of FOD has bit in the keister. I’m just louder than most.
OneDrive operates in the backup space. Regardless of whether or not it is a proper backup service, and it is not, that is how people use it, a lot. It does not have the luxury of silently removing data from someone’s computer and making it so stupidly difficult to get back. Fix your stuff y’all, this is inexcusable.
A list of file types OneDrive + FOD don’t seem to work correctly with (this will probably grow):
- .pages (the bundle version that shows as a directory in Terminal)
- .epub (the bundle version)