Wrestling with Alligators: putting OS X in an open access lab 2


Wrestling with Alligators: putting
OS X in an open access lab
(or “The Joy of X”)
Wrestling Alligators @ SIGUCCS 2003
2
What is OS X?
• UNIX
– Command line interface, something that was entirely
absent in all previous versions of the Macintosh OS.
– NEXTStep lineage.
– FreeBSD and System V (from Bell Labs) and Berkeley
Labs.
– Long historical root
– Open Source.
– Huge library of well-tested software available for use
– Accompanying security issues as they arise.
Major departure from the pre-X operating system (OS 9)
– Command line interface a key distinguishing
characteristic
– “Aqua” design theme is very different
– Graphics a way to manage a command line
series of actions
– Start with Terminal program
(/Applications/Utilities).
– Try man -k netinfo
The Toolkit
• One machine as master
– FireWire strongly preferred
– Build your master image in layers
The Toolkit
• One machine as clone
– A second, identical piece of hardware is ideal
– “Crash and burn” insurance
– Your sandbox for experimentation
The Toolkit
– Carbon Copy Cloner
• From Mike Bombich (www.bombich.com).
• Interface to asr (Apple Software Restore) and ditto.
• Takes a complete “snapshot” of the hard drive to
back up
• Creates an image file (suffix .img).
• Tool of choice for the production of your master
image file.
The Toolkit
– NetRestore
• From Mike Bombich (www.bombich.com).
• Restoration of a complete hard drive image.
• Source image can be on a:
– local partition
– FireWire drive
– CD
– Network
• Really fast.
• Post-processing possible
The Toolkit
• FireWire drive
• Without any external drive options at all,
you are likely to face an uphill battle.
Security
• Different from the past
– Almost the centerpiece of the process
– Before OS X, the Macintosh was a low security
risk.
– UNIX has long been a domain for
experimentation
– It will only take one episode of serious abuse to
create the potential for major problems.
Security
• Why it matters
– It is easy to set up an Apache web server,
– It is easy to configure ssh and allow anyone in.
– It is easy to set up packet “sniffers”
– Instructions for doing these things are found on
the Wild, Wild Web!
– Setting up remote machines to launch a Denial
of Service attack possible
Security
• Open Firmware
– Not new with OS X.
– Access certain kinds of parameters at boot time.
– Similar to the older parameter ram.
– Platform independent.
– Developed by Sun Microsystems.
Security
• Open Firmware
– What can you do with Open Firmware?
– Boot from a CD.
– Set or reset the root password
– Easy to protect against this condition using the setenv and
security-mode commands.
– Interface is command-line.
– Get acquainted with the CLI
– Set the boot-device.
– Read files on the main disk, establish limited networking services
and change disk information.
Security
• Open Firmware
– Access: hold down the Command, Option, O and F keys. The command line interface will appear.
– Set any options & the password
– One final note: once you have entered a
password, do not forget it!
Security
• Single User mode
– Allows a system administrator access to an ailing machine.
– Once booted into single user mode, the root account is
automatically logged in and does not require a password.
– Simple process to check the disk and mount the entire file
system as read-write.
– Hard to protect yourself once the user has booted to single
user mode.
– Prevent it from happening at all by enabling command
security and setting a password.
Security
• A brief detour…
• Let’s boot into single user mode…
– Reboot
– Hold down the Command and S keys
– Notice the instructions…
– Running SystemStarter enables netinfo
Security
• Root
– Superuser and root may be new
– The root user, or superuser is a special UNIX account.
– This user can do anything – absolutely anything – to a
system.
– By default, OS X ships with the root account disabled.
• You might have to enable it.
• There is a good alternative.
Security
• Root
– Former advocate of enabling root with a good
password.
– Now: leave the root account disabled
• Use a combination of methods
• sudo
Security
• Root
– Sudo allows one to act as root (sudo translates
to Superuser do)
– Very configurable
• Allow only certain programs to be used by certain
users
– Any local administrative account can use sudo
– You can simply type sudo sh
– Single-user mode still works with Root disabled
Security
• Local accounts
– No more local accounts
– Ssh and sudo only
Security
• Local accounts
– Your users cannot be administrators
• Be certain that your regular users are never administrative
users,
• With network based authentication method you are all set
– No user that logs in via most properly configured methods will be
anything except a non-administrative user.
• Why does this whole administrative user thing even matter?
– Installation of software requires administrative username and
password.
Security
• Why Classic mode should go away
– Add-on to OS X
– Run older “legacy” applications
– If you offer this, you have extra work.
– Potentially serious security issues
• Boot into OS9, destroy OS X
• FWSucker
• crack /etc/passwd
– Adds a layer of complexity and instability for the user.
Configuration
• Open Firmware
– Boot the machine while holding down the Command, Option, O and F keys.
– The command line interface appears:
Configuration
• Open Firmware
– Now, set the password:
– Press enter after typing in a command. The
system response is usually the terse ‘ok’.
– Find a way to remember this password!
Configuration
• Open Firmware
– Finally, set the security mode level:
– Then reboot the machine:
• Open Firmware is now secure.
(At this point, you can leave it open as you prepare the master image…)
Configuration
• Next we tackle Authentication
Authentication
• Several methods available
• By default, OS X uses locally based
methods
Authentication
• Local or network?
– Always open for access to the password file
– If all local accounts are disabled, this is a moot
point.
– With all local accounts disabled, though, we
face an entirely different problem. How do we
log in as an administrator in order to install
software? There are several aspects to this
question.
Authentication
• Local or network?
– Software installations
– Application installations get complex.
– Use the sudo facility.
– Non-local user can become root.
– With enabled local accounts /etc/passwd looks like this:
root:DWa.RtYYiKLw:0:0::0:0:System Administrator:/var/root:/bin/tcsh
– A “state change” can be done several different ways.
Authentication
• Local or network?
– Log in as the sudo user, become root
• Issue the password change – passwd root
– Now, you can perform many system-level tasks.
– Installations possible
– You have to change this back to a disabled state
Authentication
• Local or network?
– Use netinfo database to enable a disabled
account
– Not simple to disable it. You cannot use vi and
edit /etc/passwd.
– Reload using niload command.
Authentication
• Local or network?
– Create a text file of /etc/passwd:
nidump passwd . > /Users/apple/open_password_file
– Make a copy to edit:
cp open_password_file closed_password_file
vi closed_password_file
– Change all password fields to a simple asterisk
Authentication
• Local or network?
– Now it might look like this:
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:*:0:0::0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
unknown:*:99:99::0:0:Unknown User:/dev/null:/dev/null
smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/dev/null
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
mysql:*:74:74::0:0:MySQL Server:/dev/null:/dev/null
sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/dev/null
admin:*:501:20::0:0:Administrator:/Users/admin:/bin/tcsh
customer:*:502:20::0:0:CIT Computer Lab User:/Users/customer:/bin/tcsh
Authentication
• Local or network?
– Now we have two password files – enabled &
disabled.
– Reload a file:
niload -d passwd . < /Users/admin/closed_password_file
– All the local accounts are disabled
– Move modified password files off of the local
drive!
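The same nidump, edit, niload round trip as an added shell example (not a script from the slides): awk rewrites the password field of every entry instead of hand-editing in vi, and a count of still-enabled entries checks the closed copy before it is loaded back. The sample dump and its hashes are constructed.

```shell
#!/bin/sh
# Added example, not part of the presentation. Turns an "enabled" passwd dump
# (as produced by "nidump passwd .") into the "disabled" copy, and verifies it.

# Constructed sample of an enabled dump; the hashes are made up.
ENABLED_DUMP='root:DWa.RtYYiKLw:0:0::0:0:System Administrator:/var/root:/bin/tcsh
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
admin:Ab3xYz9qWeRt2:501:20::0:0:Administrator:/Users/admin:/bin/tcsh
customer:*:502:20::0:0:CIT Computer Lab User:/Users/customer:/bin/tcsh'

# Rewrite field 2 (the password hash) of every line to "*"; stdin -> stdout.
# Empty fields such as "::" are preserved because OFS is also ":".
disable_passwd_entries() {
    awk -F: 'BEGIN { OFS = ":" } { $2 = "*"; print }'
}

# Count entries whose password field is anything other than "*". An empty
# field counts too, since that would mean a passwordless account.
count_enabled_entries() {
    awk -F: '$2 != "*" { n++ } END { print n + 0 }'
}

# Print "closed" if the dump passed as $1 has no live entries, else "open".
verify_closed() {
    if [ "$(printf '%s\n' "$1" | count_enabled_entries)" -eq 0 ]; then
        echo closed
    else
        echo open
    fi
}

# On a real machine (as root), the full sequence from the slides becomes:
#   nidump passwd . > open_password_file
#   disable_passwd_entries < open_password_file > closed_password_file
#   verify_closed "$(cat closed_password_file)"     # expect "closed"
#   niload -d passwd . < closed_password_file
```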
Authentication
• Next we configure our remote authentication
method, LDAP
Authentication
• LDAP v3
– 10.2.x only
– Security is better
• Passes encrypted passwords
• Kerberos no longer required
– Do not install MIT Kerberos on 10.2.x systems!
• SSL support
– LDAP data may (still) need “massaging”
• This can be a critical concern
Authentication
• LDAP v3
– Steps to authentication using SSL:
• Configure Directory Access on the local machine
• Create the dummy account
• Add the certificate to the local machine
• Edit the ldap.conf file to make the local system aware
of the certificates
• Configure Authentication on the client
Authentication
• LDAP v3
– Required attributes (direct from the Apple systems
Engineer!):
• uniqid=User’s Short Name (for us this is netid)
• uid=UID Number (we made this the same for everyone)
• homeDirectory=Home Directory Path (we made this the same for
everyone too!)
– Useful attributes:
• cn=Common Name
• gid=GID Number (we made this the same for everyone too )
Authentication
• LDAP v3
– Configure Directory Access
• Default Attribute Types contains only RecordName, which is set to the value cn as an LDAP server attribute
• Users contains only those record types and attributes we use
Authentication
• LDAP v3
– Configure Directory Access
• RecordName is set to netid for our installation
Authentication
• LDAP v3
– Configure Directory Access
• RealName is the actual name of the user, a.k.a. Common Name or cn
Authentication
• LDAP v3
– Configure Directory Access
• UniqueID was one of our custom additions and was the critical part to get a valid local UID
Authentication
• LDAP v3
– Configure Directory Access
• PrimaryGroupID was another one of our custom additions but was not a critical part (at this point!)
Authentication
• LDAP v3
– Configure Directory Access
• NFSHomeDirectory was the third of our custom additions and was also a critical part to get a valid local home directory
Authentication
• LDAP v3
– Configure Directory Access
• Setting connection variables: reducing the default time-out values improves performance
• You can test without SSL to get things going if you need to (in which case you do not need the CA on the client)
Authentication
• LDAP v3
– Create the “dummy” account
• This provides the correct local home directory, group and/or
user id…
– Be careful here: the numbering has to match your LDAP data!
– Use the account manager:
• ‘Computer Lab User’ (Long name)
• ‘customer’ as short name
– Name can be anything
– This matches our specification for UID/GID
– Notice that in the /Users section, we now have:
drwxr-xr-x  13 502  20  442 Dec 30 16:14 customer
Authentication
• LDAP v3
– Update the client for ldap and ssl
– The certificates must be in the correct place on the local
systems: /System/Library/OpenSSL
mv ~/ca-bundle.crt /System/Library/OpenSSL/certs
• You can test this from the command line (terminal):
openssl s_client -connect ldap.uvm.edu:636 -showcerts
Authentication
• LDAP v3
– Edit /etc/openldap/ldap.conf to reflect the newly created server & certificate locations:
HOST ldap.uvm.edu
BASE dc=uvm,dc=edu
TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt
Authentication
• LDAP v3
– The final ldap.conf file looks about like this:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE       dc=example, dc=com
#URI        ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never
HOST ldap.uvm.edu
BASE dc=uvm,dc=edu
TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt
Authentication
• LDAP v3
– Configure Custom Path
• Notice that our configuration is now available for use
Authentication
• LDAP v3
– Configure Custom Path
• And here we are done with authentication and are ready to test!
Authentication
• LDAP v3
– The problem: without correct mapping of key
attributes (UID, GID & Home Directory), almost
nothing works for a non-local user!
– This is a permissions problem:
• Many applications – iTunes, Internet Explorer –
require write access to certain areas.
– Without these correct mappings, your non-local
users are not valid for the local client system
Authentication
• LDAP v3
– This is why we create the local machine data: default user (UID),
home directory (/Users/customer) and group ID (GID)
– User logging in is simply “remapped” to the local account by virtue
of other properties pulled in from the query – in our case, UID &
HomeDirectory
– Early tests also had a local group ‘customer’ with ID of 502…
– …but further testing suggested that we only needed UID to get the
required mapping
– We decided on user “customer” with the default UID of 502
Authentication
• LDAP v3
– The result?
– Users logging in with non-local accounts (those
authenticated against our ldap server) all have:
• UID = 502 (This is what makes everything work)
• GID = 502 (We don’t need this, but have it there
anyway)
• HomeDirectory = /Users/customer (so everyone
shares the same working space, just as they do with
current Macs and Windows machines…)
Authentication
• LDAP v3
– Decision time:
• What does your LDAP data look like?
• How much do you have to alter your data to get OS X
authentication to work?
• Can you alter your data? Will those managing this
service do this for you? (willingly???)
Authentication
• LDAP v3
– We massaged our LDAP data to provide a fixed
value for all users:
• uvmAltUID: 502
– 502 because for Lab Machines, the next default UID number
chosen by the system was 502
• uvmAltGID: 502
– Arbitrary…
• uvmAltHomeDir: /Users/Customer
– This matched the locally created account home directory
path
Authentication
• LDAP v3
– The result was that correct permissions are all
setup when the user logs in
• You could use GID instead of UID…
• …but there might be other lurking issues!
Installing the software
• Install software as the administrator
• Need to examine permissions and write access in a few cases.
• Without Classic mode, many knotty issues
simply go away.
Configuring what your user sees
• Establish the “look and feel” of the local
user.
• Use the “dummy” account
• If need be, set this account to be an
administrator
• Do not forget to set the account back to a
regular, non-administrative type when you
are done.
Configuring what your user sees
• Include the following things in your generic user
configuration:
• Screen saver kick in (5 minutes) and also require a
password upon wake;
• Energy Saver - display sleep but not the machine
• Run every application.
• Play a DVD disc;
• Set home page default
Printing
• Particular and painful set of challenges
• Easier than OS9 & Desktop Printing.
• Print Center utility and be sure to test
thoroughly!
Login/logout hook
• Not the same as Login Items which are
managed by the user
• Scripts called through the login or logout
hook apply to the system
• Scripts run from login or logout hook run as
root and so are completely in control of the
entire system.
Login/logout hook
• Edit /etc/ttys.
• Make a copy first!
cd /etc
cp ttys ttys.ORG
• Setup the target directory
mkdir /Library/Admin
mv ~/cleanout_dummy.sh /Library/Admin/cleanout.sh
Login/logout hook
• Use the right editor
• For vi:
cd /etc/
vi ttys
• For emacs:
cd /etc/
emacs ttys
• For pico:
cd /etc/
pico -w ttys
Login/logout hook
• Single line to edit. Here it is in its original state:
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"
Login/logout hook
• Edit to add a loginhook. The added section is the -LoginHook argument (shown in red on the original slide):
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Admin/cleanout.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"
• Loginhook points to: /Library/Admin/cleanout.sh. We make that path and file before we reboot!
Login/logout hook
• Console login
– Enter >console as username at the login
window
– Plain console login.
– Not a security issue, a support issue
Login/logout hook
• Console login
– Edit /etc/ttys and remove the part that the original slide showed in red (the highlighting is not preserved in this transcript):
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Admin/cleanout.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"
Cron jobs
• Mechanism to allow specified jobs (scripts,
executables, etc.) to be executed according
to certain time criteria.
• Over and over again or simply a “one shot”
deal.
• Uses the crontab file for root.
Cron jobs
• Shutdown at 11:55 p.m.
– Can't use “Shut down” from the Apple Menu.
– UNIX tools: shutdown or halt.
– Use halt to avoid problems in unattended mode
– No provision for warning users that have open
files. Halt stops the system abruptly.
Cron jobs
• Shutdown at 11:55 p.m.
– How: become root, call the crontab editing mechanism:
crontab -e
– Tell cron what to do and when:
55 23 * * * /sbin/halt
– Exacting syntax
– 55 = minute of the hour.
– 23 = hour (11 pm)
– * = wildcard (anything)
– * * * = day of month, the month and the weekday.
– Finally, the command to run must include the full pathname.
Cron jobs
• Shutdown at 11:55 p.m.
– Put all together, our crontab line says “On any
day of the week, on any month, on any day of
the month, at exactly 23 hours (11 PM) and 55
minutes, run the halt command in /sbin/”.
55 23 * * * /sbin/halt
Cron jobs
• Shutdown at 11:55 p.m.
– Warning to users as an RTF file on the system
– Call it like this:
45 23 * * * /usr/bin/open -a /Applications/TextEdit.app/ /Library/Admin/warn.rtf
Cron jobs
• Shutdown at 11:55 p.m.
– Review your entries using the crontab -l flag (list):
crontab -l
55 23 * * * /sbin/halt
45 23 * * * /usr/bin/open -a /Applications/TextEdit.app/ /Library/Admin/warn.rtf
Cron jobs
• System cleanup
– OS X has pre-wired cron jobs for maintenance
use.
– Designed to run at 3:00 a.m.
– Timing of log rotation
– Special system crontab files are managed and
edited differently and are located in a different
place on the system.
Cron jobs
• System cleanup
– Make a backup copy of the original file first:
cd /etc/
cp crontab crontab.ORG
– Decide on timing.
– File is set to read-only by default. We must change this
to edit the file:
ls -l crontab
-r--r--r--  1 root  wheel  299 Jun 19 11:11 crontab
chmod u+w crontab
ls -l crontab
-rw-r--r--  1 root  wheel  299 Jun 19 11:11 crontab
Cron jobs
• System cleanup
– Edit using either vi, emacs or pico -w:
vi crontab
– Change to your timing:
#minute hour    mday    month   wday    who     command
# Run daily/weekly/monthly jobs.
45      23      *       *       *       root    periodic daily
30      23      *       *       6       root    periodic weekly
15      23      1       *       *       root    periodic monthly
Cron jobs
• System Cleanup
– Change the permissions back to read-only:
ls -l crontab
-rw-r--r--  1 root  wheel  299 Jun 19 11:13 crontab
chmod u-w crontab
ls -l crontab
-r--r--r--  1 root  wheel  299 Jun 19 11:13 crontab
Cron jobs
• Logout after a set idle time
– Log the user out of the system after a set
amount of idle time.
– Count off a certain time interval beginning from
the time that the screensaver kicks in and after
that time is exceeded, log the user out.
Cron jobs
• Logout after a set idle time
– No built-in utility to do a command line logout.
– Modified ADC code to produce logout
executable
– Add to the root crontab file:
* * * * * /Library/Admin/idleScript.app
– This says “at any time, on any day, run the
script named ‘idleScript.app’ in the
‘/Library/Admin’ directory.
Duplicating the /Users/customer folder
• Past practice was a full refresh at some regular
interval.
• Default OS configurations ship with increasingly stringent security measures
• Less to worry about
• Restore the local user workspace and
configuration
• Just need a spare, clean copy of this directory
• Replace at login.
Duplicating the /Users/customer folder
• The ByHosts problem
– Hardware-linked set of preferences for a number
of applications.
– This is quite straightforward in how it is setup.
– Each home directory has ~/Library/Preferences/ByHosts
– Use a post-installation script.
Duplicating the /Users/customer folder
• The ByHosts problem
– Iterate through all of the files
– Replaces the master machine hardware address
with that of the machine being cloned.
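One way to write that post-installation script, as an added example (not the presenter's script): the master and local hardware addresses are passed as parameters, and the directory is a constructed scratch copy of the ByHosts folder, so the rename logic can be tested without touching a real home directory. The assumption that the file names embed the address as twelve hex digits without separators is mine.

```shell
#!/bin/sh
# Added example, not part of the presentation. After cloning, preference
# files named like com.apple.dock.<hardware address>.plist still carry the
# MASTER machine's address; rename each one to the address of this machine.

# rehost_byhost_prefs DIR OLD_ADDR NEW_ADDR
# Renames every file in DIR whose name contains OLD_ADDR, replacing the first
# occurrence with NEW_ADDR. Prints the number of files renamed; never
# overwrites a file that already exists under the new name.
rehost_byhost_prefs() {
    dir=$1; old=$2; new=$3
    count=0
    for f in "$dir"/*"$old"*; do
        [ -e "$f" ] || continue            # the glob matched nothing
        base=${f##*/}
        prefix=${base%%"$old"*}
        suffix=${base#*"$old"}
        target="$dir/$prefix$new$suffix"
        if [ -e "$target" ]; then
            echo "skip: $target already exists" >&2
            continue
        fi
        mv "$f" "$target"
        count=$((count + 1))
    done
    echo "$count"
}

# Address of the built-in Ethernet port as ifconfig reports it
# ("ether 00:03:93:1a:2b:3c"), with the colons stripped to match the
# assumed ByHost naming. Hypothetical helper for use on a real machine.
local_hw_address() {
    ifconfig en0 2>/dev/null | awk '/ether/ { print $2 }' | tr -d ':'
}

# Build a constructed scratch directory that mimics the ByHosts folder of
# an image made on a master with address 0003931a2b3c; prints its path.
make_sample_byhost_dir() {
    tmp=$(mktemp -d)
    : > "$tmp/com.apple.dock.0003931a2b3c.plist"
    : > "$tmp/com.apple.screensaver.0003931a2b3c.plist"
    : > "$tmp/com.apple.loginwindow.plist"   # not host-specific, untouched
    echo "$tmp"
}

# Post-clone use (as the user owning the prefs), with the master address
# recorded when the image was built:
#   rehost_byhost_prefs ~/Library/Preferences/ByHosts 0003931a2b3c "$(local_hw_address)"
```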
Duplicating the /Users/customer folder
• Ditto versus cp
– Must use the built-in ditto utility and not the
standard UNIX cp (copy) command.
– Files are corrupted (damaged) otherwise
– Syntax:
ditto -rsrcFork /source/directory/ /target/directory/
– The -rsrcFork flag preserves resource forks and HFS meta-data.
Duplicating the /Users/customer folder
• Making the backup copy
– Replicate a spare copy of the local home
directory.
– Set backup copy location, & make a target
directory
– My convention: /Users/admin/Restore
mkdir /Users/admin/Restore
Duplicating the /Users/customer folder
• Making the backup copy
– Now, ditto* the original source directory:
ditto -rsrcFork /Users/customer/ /Users/admin/Restore/
– Make sure it all got there:
ls -laR /Users/admin/Restore/
*Note that this must be done as root
Tweaking the user interface
• Goal is a smooth, easy to manage interface
for all users.
Tweaking the user interface
• Developer Tools & “nib”bling at parts
– Modifying the Apple menu.
– Use the tools in the Developer package.
– Find the correct file:
System -> Library -> Frameworks -> Carbon.framework ->
Versions -> A -> Frameworks -> HIToolbox.framework ->
Versions -> A -> Resources -> English.lproj
– Double-click StandardMenus.nib. It will open with
Interface Builder.
– Make any changes
– It is also possible to customize the Login screen.
Software Updates
• Be sure to uncheck all automatic updating
mechanisms for the generic user.
• Can be done at the command line:
man softwareupdate
Locking things down
• Start with the basics:
– Set the open firmware passwords
– Secure or eliminate local accounts
– Disable root access.
– Do not make general users administrative users.
Locking things down
• Changing executable permissions
– Run as many programs as the generic user
– Typically, I’ve been preventing access to these
programs:
• Airport utilities
• Console
• Directory Access
• Disk Utility
• Installer
• Keychain
• NetInfo Manager
• Network Utility
Locking things down
• Changing executable permissions
– Only change the permissions for the ‘other’ category – leave ‘group’ and ‘user’ intact.
– Use the chmod command:
chmod o-rwx AirPort\ Admin\ Utility.app
– Advantage to leaving the admin group rwx
Locking things down
• Changing executable permissions
– Some programs facilitate access to sensitive
system data
– NetInfo is the critical example
– Change access for system files:
chmod go-rwx /var/backups/
chmod go-rwx /var/db/netinfo/local.nidb
Locking things down
• Changing executable permissions
– All utilities for netinfo use should be set to root use
only:
chmod go-rwx /usr/bin/nicl
chmod go-rwx /usr/bin/nireport
chmod go-rwx /usr/bin/niutil
chmod go-rwx /usr/bin/nigrep
chmod go-rwx /usr/bin/nifind
chmod go-rwx /usr/bin/nidump
chmod go-rwx /usr/bin/niload
– Change NetInfo Manager itself
chmod o-rwx NetInfo\ Manager.app
Locking things down
• Changing executable permissions
– Print Center is a special case
– Users cannot add or delete printers
– I use:
chmod o-rwx Print\ Center.app
– To get:
drwxrwx--- 3 root admin 102 Feb 11 2003 Print Center.app
– Others have used:
d-wx-wx-wx 3 root admin 102 Feb 11 2003 Print Center.app
Locking things down
• File access permissions
– Read-only
– No access at all
Locking things down
• SetUID and SetGID programs
– User running these programs or accessing
these files is granted system access: the actual
process UID is changed to that of the user
owner of the file.
– Find all files that are configured as setuid and
setgid using the UNIX find command and save
to a file:
find / -type f -perm +6000 -ls > mysetuidgidfiles.txt
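A follow-up check added here (not from the slides): keep the file that find produced on the master image as a baseline and, after deployment, compare a fresh scan against it so that any setuid/setgid binary that has appeared, or one that the lockdown was supposed to strip, stands out. Both inventories below are constructed find -ls output.

```shell
#!/bin/sh
# Added example, not part of the presentation. Compares two inventories in
# the format produced on 10.2 by "find / -type f -perm +6000 -ls"
# (GNU find today spells the test -perm /6000; the -ls columns are the same).

# Constructed baseline, saved from the master image before deployment.
BASELINE='  1234   48 -r-sr-xr-x   1 root   wheel   24064 Jun 19 11:11 /usr/bin/passwd
  1235   32 -r-sr-xr-x   1 root   wheel   16384 Jun 19 11:11 /usr/bin/chfn
  1236   64 -r-xr-sr-x   1 root   tty     32768 Jun 19 11:11 /usr/bin/wall
  1237   80 -r-sr-xr-x   1 root   admin   40960 Feb 11  2003 /Library/Admin/Lab Tools/fixup'

# Constructed later scan: chfn was set to 0700 as the slides suggest, which
# clears its setuid bit, so it has dropped out; an unexpected setuid binary
# has appeared inside the shared lab home directory.
CURRENT='  1234   48 -r-sr-xr-x   1 root   wheel   24064 Jun 19 11:11 /usr/bin/passwd
  1236   64 -r-xr-sr-x   1 root   tty     32768 Jun 19 11:11 /usr/bin/wall
  1237   80 -r-sr-xr-x   1 root   admin   40960 Feb 11  2003 /Library/Admin/Lab Tools/fixup
  9001   96 -rwsr-xr-x   1 root   wheel   49152 Sep 30 02:10 /Users/customer/Public/helper'

# Print only the path column of find -ls output, sorted in the C locale so
# comm sees identical ordering. The path starts at field 11 and is re-joined
# so that names containing spaces survive.
paths_of() {
    awk '{ p = $11; for (i = 12; i <= NF; i++) p = p " " $i; print p }' \
        | LC_ALL=C sort
}

# compare_inventories BASELINE CURRENT COMM_FLAG
# -13 prints paths only in CURRENT (newly privileged binaries);
# -23 prints paths only in BASELINE (privilege removed since the image).
compare_inventories() {
    b=$(mktemp) || return 1
    c=$(mktemp) || return 1
    printf '%s\n' "$1" | paths_of > "$b"
    printf '%s\n' "$2" | paths_of > "$c"
    LC_ALL=C comm "$3" "$b" "$c"
    rm -f "$b" "$c"
}

new_setuid_entries()     { compare_inventories "$1" "$2" -13; }
removed_setuid_entries() { compare_inventories "$1" "$2" -23; }

# On a deployed machine (as root), with the baseline kept off the shared
# home directory:
#   find / -type f -perm +6000 -ls > /tmp/now.txt
#   new_setuid_entries "$(cat /Library/Admin/mysetuidgidfiles.txt)" "$(cat /tmp/now.txt)"
```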
Locking things down
– These are commonly restricted using the chmod
command in absolute mode:
chmod 0700 /usr/bin/chfn
chmod 0700 /sbin/rdump
chmod 0700 /sbin/rrestore
chmod 0700 /usr/sbin/sliplogin
chmod 0700 /usr/bin/wall
chmod 0700 /usr/bin/write
Granting privileges
• A need to perform certain kinds of
privileged operations after you have
deployed all your machines. With local
accounts, the administrator works.
• With no local accounts, you have choices.
Granting privileges
• Designate a specific user or users as sudo users
• Edit /etc/sudoers.
• The last few lines in the default sudoers look like
this:
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
• Add the designated user (mdoe) like this:
mdoe    ALL=(ALL) ALL
Granting privileges
• Possible to use a network based backend
(typically an sql table)
• Allots privileges based on this table.
Granting privileges
• GUI-based installation of applications, or altering settings with the GUI-based tools, remains problematic.
• Can use the netinfo command line tools to add a
user to the admin group.
niutil -appendprop / /groups/admin users <user_name>
• To remove a user from the admin group, type:
niutil -destroyval / /groups/admin users <user_name>
Refresh & Lost and Found at login
• Use of a "mini-refresh”
• Replace and update the regular user home
directory and all the settings at login time.
• Simple to use and is a blessing for users.
• Complete the process of fine-tuning the
user interface
Refresh & Lost and Found at login
• Install utility scripts
– Much of the work is done from /Library/Admin.
– prep.sh
• Lives in /private/var/root
• Makes the process of incremental changes easy and
quick.
• Saves the typing of the ditto command used to build
the restore point.
Refresh & Lost and Found at login
• Install loginhook scripts
– Add scripts referenced in our edited /etc/ttys
– If you change the path here, make sure you
change it elsewhere or the loginhook scripts will
not work.
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanout.sh
• Moves any user added files to a Lost and Found
directory
• Restores the entire /Users/customer/ directory from
the hidden spare.
• This is the script referred to in our modified /etc/ttys
file
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• This script does all the work of the “mini-refresh”.
• The first thing I like to do is to timestamp the login:
date > /tmp/access.out
• Know who is logging in ($1 is the short name of the user logging in, passed by loginwindow; quote it so the test still works if it is empty):
echo "$1 logged in." >> /tmp/access.out
if test "$1" = "admin"
then
echo "Admin logged in for testing" > /tmp/test.out
else
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• For a dynamically refreshed /etc/sudoers file, we
update that.
• Change privileges first:
/bin/chmod u+w /etc/sudoers
• Then recopy it:
/bin/cp /etc/sudoers.master /etc/sudoers
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• Reset the permissions:
/bin/chmod u-w /etc/sudoers
• Recopy sshd_config if you use any sort of dynamic
changing from a remote source:
/bin/cp /etc/sshd_config.master /etc/sshd_config
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• Now update the home directory.
• First we do the documents folder:
/usr/bin/ditto -rsrcFork
/Users/customer/Documents/ /Lost\ and\
Found
• But not the alias of the lost and found:
/bin/rm -rf /Lost\ and\ Found/Lost\ and\ Found
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• Now clean up the Desktop:
/usr/bin/ditto -rsrcFork /Users/customer/Desktop/ /Lost\ and\ Found
• Do not save contents of the Library folder in the lost
and found, so this line is commented out:
#/usr/bin/ditto -rsrcFork /Users/customer/Library/ /Lost\ and\ Found
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• Now all the rest goes to the Lost and Found:
/usr/bin/ditto -rsrcFork /Users/customer/Movies/ /Lost\ and\ Found
/usr/bin/ditto -rsrcFork /Users/customer/Music/ /Lost\ and\ Found
/usr/bin/ditto -rsrcFork /Users/customer/Pictures/ /Lost\ and\ Found
/usr/bin/ditto -rsrcFork /Users/customer/Public/ /Lost\ and\ Found
/usr/bin/ditto -rsrcFork /Users/customer/Sites/ /Lost\ and\ Found
• Clean up the Lost and found directory: delete files older than 7
days:
/usr/bin/find /Lost\ and\ Found -mtime +7 -exec /bin/rm -rf {} \;
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• Now we can delete the old:
/bin/rm -rf /Users/customer/
• And then replace everything from the master replacement in
/Users/admin/Restore.
/usr/bin/ditto -rsrcFork /Users/admin/Restore/ /Users/customer
• Unlock Normal.dot:
/usr/sbin/Setfile -a l /Users/customer/Documents/Normal
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• Now reset permissions and ownership. We do this
because we want to be certain that nothing here is
ever owned by root:
/usr/sbin/chown -R customer:staff /Users/customer
• And then we can reset the lock of Normal.dot:
/usr/sbin/Setfile -a L /Users/customer/Documents/Normal
Refresh & Lost and Found at login
• Install loginhook scripts
– cleanhdir.sh
• ‘fi’ “closes” the if clause found at the beginning:
fi
• We must end the script with a zero exit status, or the login will not
complete:
exit 0
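The loginhook pieces spread over the preceding slides, assembled into one script as an added example; this is not the talk's own cleanhdir.sh. The functions take a root directory (an assumption of this example, "" for the real system) so the whole refresh can be rehearsed against a scratch tree before it is installed. cp -R stands in for ditto -rsrcFork so the script also runs on non-Mac systems (resource forks are then not preserved), the chown and SetFile steps that need root are left as comments, and the sudoers copy ends at mode 0440 because sudo refuses to run when its file is group- or world-writable. The find call adds -mindepth 1, which the slide's version lacks: without it the starting directory "/Lost and Found" itself matches -mtime +7 and gets handed to rm -rf.

```shell
#!/bin/sh
# Added example, not the SIGUCCS talk's cleanhdir.sh. refresh_from_master,
# refresh_home, the root-directory parameter and RUN_AS_HOOK are assumptions.

# Replace a live config file from its .master copy (the /etc/sudoers and
# /etc/sshd_config step). $1 = live file, $2 = final mode (default 0644).
refresh_from_master() {
    live="$1"
    mode="${2:-0644}"
    if [ -f "$live" ]; then
        chmod u+w "$live"       # cp cannot truncate a read-only file as non-root
    fi
    cp "$live.master" "$live"
    chmod "$mode" "$live"
}

# Salvage user-added files, expire old salvage, rebuild the home directory.
# $1 = root of the tree ("" for the real system), $2 = login name (the hook's $1)
refresh_home() {
    root="$1"
    user="$2"
    home="$root/Users/customer"
    lostfound="$root/Lost and Found"
    restore="$root/Users/admin/Restore"

    mkdir -p "$root/tmp" "$lostfound"
    date > "$root/tmp/access.out"
    echo "$user logged in." >> "$root/tmp/access.out"

    if [ "$user" = "admin" ]; then
        echo "Admin logged in for testing" > "$root/tmp/test.out"
        return 0
    fi

    # Library is deliberately not salvaged (caches, preference files).
    for sub in Documents Desktop Movies Music Pictures Public Sites; do
        if [ -d "$home/$sub" ]; then
            cp -R "$home/$sub/." "$lostfound/"
        fi
    done
    # Drop the alias of Lost and Found that Documents carries.
    rm -rf "$lostfound/Lost and Found"

    # Expire salvage older than 7 days. -mindepth 1 keeps the starting
    # directory out of the match set; -prune stops find descending into a
    # directory it is about to remove.
    find "$lostfound" -mindepth 1 -mtime +7 -prune -exec rm -rf {} +

    # Rebuild the home directory from the hidden spare.
    rm -rf "$home"
    mkdir -p "$home"
    cp -R "$restore/." "$home/"
    # On the real system the hook (running as root) then does:
    #   /usr/sbin/chown -R customer:staff "$home"
    # with the Normal.dot lock toggled by SetFile -a l / -a L around it.
    return 0
}

# Real loginhook entry point: loginwindow passes the login name as $1.
# Guarded by RUN_AS_HOOK=1 (assumed) so the file can be sourced for rehearsal.
if [ "${RUN_AS_HOOK:-}" = 1 ] && [ -n "${1:-}" ]; then
    refresh_from_master /etc/sudoers 0440
    refresh_from_master /etc/sshd_config
    refresh_home "" "$1"
    exit 0
fi
```

To rehearse, build a scratch tree with Users/customer, Users/admin/Restore and etc/sudoers.master under some directory and call refresh_home with that directory as the root; nothing outside it is touched.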
Refresh & Lost and Found at login
• Install loginhook scripts
– attrs.pl (for MySQL access only)
• Prerequisites for this:
• mysql client software. Available from
http://www.mysql.com/downloads/mysql-4.0.html - be sure to get the
package installer (it is a lot simpler).
• DBI software. This is the Database Independent interface for Perl.
Available from http://search.cpan.org/author/TIMB/DBI-1.38/DBI.pm and the version may change.
• DBD software. This is the driver for the MySQL Perl interface.
Available from http://search.cpan.org/author/RUDY/DBD-mysql2.9002/ - note that the versions may change quickly.
Refresh & Lost and Found at login
• Install management scripts
– idleScript.app
• How to determine idle time for the machine.
• Modified version
• Cron runs this script every minute
• We try to determine if ScreenSaver is running.
• If it is, then we increment a count in a file found in /tmp.
• After the threshold, the machine logs out the current user, no
matter what!
Refresh & Lost and Found at login
• Install management scripts
– idleScript.app
• Be sure to set maxtime
• Killing the screensaver process was trickier than we expected.
• Used killall
• Note the line that reads:
system("/sbin/logout") == 0 or die "Unable to call logout";
• This is a custom file, and the binary is available at
http://www.uvm.edu/~dlrh/osx/
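The idle accounting the two idleScript.app slides describe, as an added sh example rather than the talk's Perl script: cron runs it once a minute, it counts consecutive minutes the screen saver has been running in a state file under /tmp, clears the count as soon as the saver stops, and reports when maxtime is reached so the caller can kill the saver and run /sbin/logout. MAXTIME, idle_tick, the state-file name and the ScreenSaverEngine process name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the talk's idleScript.app. MAXTIME, idle_tick and
# saver_running are assumed names; ScreenSaverEngine is the OS X saver process.
MAXTIME=${MAXTIME:-20}   # minutes of screen-saver time before forced logout

# $1 = state file, $2 = 1 if the screen saver is running, 0 otherwise.
# Returns 0 (true) exactly on the tick that reaches the threshold.
idle_tick() {
    counter="$1"
    saver="$2"
    if [ "$saver" != 1 ]; then
        rm -f "$counter"        # someone is using the machine: start over
        return 1
    fi
    n=0
    if [ -f "$counter" ]; then
        n=$(cat "$counter")
    fi
    n=$((n + 1))
    echo "$n" > "$counter"
    if [ "$n" -ge "$MAXTIME" ]; then
        rm -f "$counter"        # reset so the next session starts at zero
        return 0
    fi
    return 1
}

# 1 if the saver process is present, 0 otherwise (ps -ax is available on
# OS X of any vintage; the bracket keeps grep from matching itself).
saver_running() {
    if ps -ax | grep -q '[S]creenSaverEngine'; then echo 1; else echo 0; fi
}

# cron entry point, guarded so the functions can be sourced for testing:
#   * * * * * /usr/local/bin/idle_tick.sh --cron
if [ "${1:-}" = "--cron" ]; then
    if idle_tick /tmp/idlecount "$(saver_running)"; then
        killall ScreenSaverEngine
        /sbin/logout || echo "Unable to call logout" >&2
    fi
fi
```

Keeping the counter in a file rather than in memory is what makes a once-a-minute cron job workable: each run is a fresh process, and the file is the only thing that survives between ticks.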
Refresh & Lost and Found at login
• Configure common startup options
– Web page
• Deactivate local accounts
– Be sure you have those files accessible
somewhere.
Preparing the master img file
• Need a bootable device that is not the local
machine.
• We’ll boot to that, and run Carbon Copy
Cloner.
Preparing the master img file
• Prepare a master boot drive on your
FireWire drive
– Boot to your master
– Log in as the admin user
– Attach the external drive
– Download Carbon Copy Cloner
– Run it off of the mounted disk Image
Preparing the master img file
• Carbon Copy Cloner
– Easy to use and free
– Select the Source Disk,
which is our master disk.
– Select a Target Disk - the
attached external
FireWire drive
Preparing the master img file
• Carbon Copy Cloner
– Next, we set up
Preferences
– Set the Target Disk option
of Make bootable.
– Check the Source Disk
Option of Repair
permissions before
cloning.
– Do not check on the
Create disk image on
target option
– Save these preferences
– Clone
Preparing the master img file
• Carbon Copy Cloner
– Now test it out.
– Reboot your master system, hold down the Option key
– Problems can include:
• a failure to boot the external device at all
• inability to select that device for booting
• inability to get it to actually boot to the external drive
– Install both Carbon Copy Cloner and NetRestore on this
external drive.
Preparing the master img file
• Preparing an ASR READY image file
– Develop our master image for use in cloning.
– Space needs: 2 to 3 times the actual final image
size to succeed.
– Select your source drive – the master image
drive
– Select the target
Preparing the master img file
• Preparing an ASR READY image file
• Check on the Create disk image on target option.
• Check on the ASR options choice Prepare for Apple
Software Restore.
• Select the Read-only compressed option and leave
the Segment size empty (the system will decide).
• Select Make bootable option.
• Clone it!
• The result is an image file with the naming
convention <Hard Drive name>_asr.img
Cloning
• Boot from your Restore drive
Cloning
• NetRestore
– You can set up specific
configurations
– Select Erase Target Disk,
Verify restored disk, and Set
target as boot disk.
– Drag the source file you
created earlier into the
Source text entry area.
– Next, select a target drive
Cloning
• NetRestore
– Select Preferences.
– The Default Target
Options are configurable
Cloning
• Post processing scripts
– Post-action scripts afford great power
– Fix the ByHosts problem
– Add functionality to these scripts for other tasks.
– Fixing ByHosts
• Iterate through a list of files in ~/Library/Preferences/ByHost
• Set the correct hardware address for each machine
• Make a new copy of the restore point
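The ByHost fix the bullets above describe, as an added example rather than the talk's post-action script. ByHost preference files on 10.2/10.3 carry the machine's primary Ethernet address (hex, no colons) in their name, so a cloned drive still holds files named for the master's address and the clone ignores them until they are renamed. fix_byhost, primary_enaddr and the sample file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the talk's postpMYSCRIPT.sh. fix_byhost and
# primary_enaddr are assumed names; the file-name convention
# <domain>.<12 hex digits>.plist is the one used by 10.2/10.3 ByHost files.

# Rename every <name>.<oldaddr>.plist in $1 to carry $2 instead.
# Prints the number of files renamed.
fix_byhost() {
    dir="$1"
    newaddr="$2"
    count=0
    # Both globs: .GlobalPreferences.<addr>.plist is a dotfile.
    for f in "$dir"/*.plist "$dir"/.*.plist; do
        [ -f "$f" ] || continue
        base=$(basename "$f" .plist)
        stem=${base%.*}             # everything before the address
        old=${base##*.}             # the address itself
        # Only touch names whose last component is a 12-digit hex address.
        echo "$old" | grep -Eq '^[0-9a-f]{12}$' || continue
        [ "$old" = "$newaddr" ] && continue
        mv "$f" "$dir/$stem.$newaddr.plist"
        count=$((count + 1))
    done
    echo "$count"
}

# Primary Ethernet address of en0 on OS X, lowercase with the colons removed.
primary_enaddr() {
    ifconfig en0 2>/dev/null | awk '/ether/ {gsub(":", "", $2); print tolower($2)}'
}

# Post-action use: rename the restored customer's ByHost files for this clone,
# e.g. fix_byhost /Volumes/Target/Users/customer/Library/Preferences/ByHost "$(primary_enaddr)"
```

The function leaves files whose last name component is not a hardware address alone, so running it twice, or on a directory already fixed, renames nothing and returns 0.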
Cloning
• Post processing scripts
• Note that the call to the Post-action script text entry
box requires a full pathname.
./postpMYSCRIPT.sh
• Place the file postpMYSCRIPT.sh at the root of the
bootable external drive.
Cloning
• Configurations
– Open the Edit
configurations…
– Click on the image file
listed that you used.
– Go back to the
Preferences and select
this configuration in the
Default configuration
pop-up menu.
Cloning
• Post-restore actions
– Can set the Open Firmware
password.
– It is echoed in bullets - use
care!
– Clone away!
– Test, test, test!
Going further
• Remote access
– Ssh access
– Turned on using the System Preferences,
Sharing, Remote Access.
Going further
• Remote software updates
– Ssh allows remote software updates
Going further
• Full refresh
– A useful goal
• May not be as critical as it once was.
• Radmind
– Well tested
– Well supported
– Free
– http://rsug.itd.umich.edu/software/radmind/
• Rsync
– Complex
– Legacy UNIX
– http://www.macosxlabs.org/rsyncx/rsyncx.html
Essential reading
• www.macosxlabs.org (be SURE you check
the forums!)
• www.bombich.com (be SURE you check the
forums!)
Q&A
?