Wrestling with Alligators: putting OS X in an open access lab (or "The Joy of X")

Presented at SIGUCCS 2003. Provided by: davidh50. Learn more at: https://www.uvm.edu
141 slides. Transcript and Presenter's Notes follow.

2
Wrestling with Alligators: putting OS X in an
open access lab (or "The Joy of X")
3
What is OS X? UNIX
  • Command line interface, something that was
    entirely absent in all previous versions of the
    Macintosh OS.
  • NEXTStep lineage.
  • BSD heritage: FreeBSD and Berkeley's BSD, with
    some System V (Bell Labs) influences.
  • Long historical roots.
  • Open Source (Darwin).
  • Huge library of well-tested software available
    for use.
  • Accompanying security issues as they arise: what
    works against any UNIX box now works here too.

4
Major departure from pre-X operating system (OS 9)
  • Command line interface a key distinguishing
    characteristic
  • Aqua design theme is very different
  • The GUI is a way to manage a series of
    command-line actions
  • Start with the Terminal program
    (/Applications/Utilities).
  • Try man -k netinfo

5
The Toolkit
  • One machine as master
  • FireWire strongly preferred
  • Build your master image in layers

6
The Toolkit
  • One machine as clone
  • A second, identical piece of hardware is ideal
  • Crash and burn insurance
  • Your sandbox for experimentation

7
The Toolkit
  • Carbon Copy Cloner
  • From Mike Bombich (www.bombich.com).
  • Interface to asr (Apple Software Restore) and
    ditto.
  • Takes a complete snapshot of the hard drive to
    back up
  • Creates an image file (suffix .img).
  • Tool of choice for the production of your master
    image file.

8
The Toolkit
  • NetRestore
  • From Mike Bombich (www.bombich.com).
  • Restoration of a complete hard drive image.
  • Source image can be on a
  • local partition
  • FireWire drive
  • CD
  • Network
  • Really fast.
  • Post-processing possible

9
The Toolkit
  • FireWire drive
  • Without any external drive options at all, you
    are likely to face an uphill battle.

10
Security
  • Different from the past
  • Almost the centerpiece of the process
  • Before OS X, the Macintosh was a low security
    risk.
  • UNIX has long been a domain for experimentation
  • It will only take one episode of serious abuse to
    create the potential for major problems.

11
Security
  • Why it matters
  • It is easy to set up an Apache web server,
  • It is easy to configure ssh and allow anyone in.
  • It is easy to set up packet sniffers
  • Instructions for doing these things are found on
    the Wild, Wild Web!
  • Setting up remote machines to launch a Denial of
    Service attack possible

12
Security
  • Open Firmware
  • Not new with OS X.
  • Access certain kinds of parameters at boot time.
  • Similar to the older parameter RAM (PRAM).
  • Platform independent.
  • Developed by Sun Microsystems.

13
Security
  • Open Firmware
  • What can you do with Open Firmware?
  • Boot from a CD.
  • Set or reset the root password (by booting into
    single user mode, see below).
  • Easy to protect against this using the password
    command and setenv security-mode.
  • Interface is command-line.
  • Get acquainted with the CLI.
  • Set the boot-device.
  • Read files on the main disk, establish limited
    networking services and change disk information.

14
Security
  • Open Firmware
  • Access: hold down the Command-Option-O-F keys at
    boot. The command line interface will appear.
  • Set any options, including the password.
  • One final note: once you have entered a password,
    do not forget it!

15
Security
  • Single User mode
  • Allows a system administrator access to an ailing
    machine.
  • Once booted into single user mode, the root
    account is automatically logged in and does not
    require a password.
  • Simple process to check the disk and mount the
    entire file system as read-write.
  • Hard to protect yourself once the user has booted
    to single user mode.
  • Prevent it from happening at all by setting an
    Open Firmware password and security-mode command
    (see Configuration below).

16
Security
  • A brief detour
  • Let's boot into single user mode
  • Reboot
  • Hold down the Command-S keys
  • Notice the instructions
  • Running SystemStarter enables NetInfo

17
Security
  • Root
  • Superuser and root may be new
  • The root user, or superuser is a special UNIX
    account.
  • This user can do anything absolutely anything
    to a system.
  • By default, OS X ships with the root account
    disabled.
  • You might have to enable it.
  • There is a good alternative

18
Security
  • Root
  • Former advocate of enabling root with a good
    password.
  • Now leave the root account disabled
  • Use a combination of methods
  • sudo

19
Security
  • Root
  • Sudo allows one to act as root (sudo translates
    to Superuser do)
  • Very configurable
  • Allow only certain programs to be used by certain
    users
  • Any local administrative account can use sudo
  • You can simply type sudo sh for a root shell.
  • Single-user mode still gives a root shell with
    the root account disabled, which is why the Open
    Firmware password matters.

20
Security
  • Local accounts
  • No more local accounts
  • Ssh and sudo only

21
Security
  • Local accounts
  • Your users cannot be administrators
  • Be certain that your regular users are never
    administrative users,
  • With network based authentication method you are
    all set
  • No user that logs in via most properly configured
    methods will be anything except a
    non-administrative user.
  • Why does this whole administrative user thing
    even matter?
  • Installation of software requires administrative
    username and password.

22
Security
  • Why Classic mode should go away
  • Add-on to OS X
  • Run older legacy applications
  • If you offer this, you have extra work.
  • Potentially serious security issues
  • Boot into OS9, destroy OS X
  • FWSucker
  • crack /etc/passwd
  • Adds a layer of complexity and instability for
    the user.

23
Configuration
  • Open Firmware
  • Boot the machine, holding down the
    Command-Option-O-F keys.
  • The command line interface appears

24
Configuration
  • Open Firmware
  • Now, set the password with the password command;
    Open Firmware prompts for it twice.
  • Press Enter after typing in a command. The
    system response is usually the terse "ok".
  • Find a way to remember this password!

25
Configuration
  • Open Firmware
  • Finally, set the security mode level:
    setenv security-mode command
  • Then reboot the machine (reset-all)
  • Open Firmware is now secure: booting from CD,
    single-user mode and changing boot-device all
    require the password.
  • (At this point, you can leave it open as you
    prepare the master image.)

26
Configuration
  • Next we tackle Authentication

27
Authentication
  • Several methods available
  • By default, OS X uses locally based methods

28
Authentication
  • Local or network?
  • With local accounts, a password database is
    always present on the disk and open to attack.
  • If all local accounts are disabled, this is a
    moot point.
  • With all local accounts disabled, though, we face
    an entirely different problem. How do we log in
    as an administrator in order to install software?
    There are several aspects to this question.

29
Authentication
  • Local or network?
  • Software installations
  • Application installations get complex.
  • Use the sudo facility.
  • A non-local (LDAP) user listed in sudoers can
    become root.
  • With enabled local accounts, the root record in
    the nidump output of /etc/passwd looks like this
    (name:password:uid:gid:class:change:expire:gecos:home:shell)
  • root:DWa.RtYYiKLw:0:0::0:0:System Administrator:/var/root:/bin/tcsh
  • Enabling or disabling an account can be done
    several different ways.

30
Authentication
  • Local or network?
  • Log in as the sudo user, become root
  • Issue the password change: passwd root
  • Now, you can perform many system-level tasks.
  • Installations possible
  • You have to change this back to a disabled state

31
Authentication
  • Local or network?
  • Use netinfo database to enable a disabled account
  • Not as simple as editing /etc/passwd with vi:
    local accounts live in the NetInfo database, and
    the flat file is only consulted in single-user mode.
  • Dump with nidump, edit, and reload with niload.

32
Authentication
  • Local or network?
  • Create a text file of /etc/passwd
  • nidump passwd . > /Users/apple/open_password_file
  • Make a copy to edit
  • cp open_password_file closed_password_file
  • vi closed_password_file
  • Change all password fields to a single asterisk

33
Authentication
  • Local or network?
  • Now it might look like this
  • nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
  • root:*:0:0::0:0:System Administrator:/var/root:/bin/tcsh
  • daemon:*:1:1::0:0:System Services:/var/root:/dev/null
  • unknown:*:99:99::0:0:Unknown User:/dev/null:/dev/null
  • smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/dev/null
  • www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
  • mysql:*:74:74::0:0:MySQL Server:/dev/null:/dev/null
  • sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/dev/null
  • admin:*:501:20::0:0:Administrator:/Users/admin:/bin/tcsh
  • customer:*:502:20::0:0:CIT Computer Lab User:/Users/customer:/bin/tcsh

34
Authentication
  • Local or network?
  • Now we have two password files enabled
    disabled.
  • Reload a file
  • niload -d passwd . < /Users/admin/closed_password_file
  • All the local accounts are disabled
  • Move modified password files off of the local
    drive!
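The dump, edit and reload of the last three slides as one script, added here as a worked example; it is not part of the presentation's toolkit. It assumes only the ten-field record layout that nidump passwd . produces on 10.2 (name:password:uid:gid:class:change:expire:gecos:home:shell) and that an asterisk in the password field disables password login; the records in the usage comment are constructed samples, and the paths are the ones the slides use.

```sh
#!/bin/sh
# Added example: lock every local account in a `nidump passwd .` dump before
# it goes back in with `niload -d passwd .`.  Assumed record layout (10
# colon-separated fields, as nidump emits on 10.2):
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# Writing '*' into the password field disables password login (no crypt()
# output can ever equal "*") and leaves uid, gid, home and shell alone,
# which is what the later LDAP-to-local remapping depends on.

# disable_passwords: read a dump on stdin, write the locked dump on stdout.
# A line without exactly 10 fields is passed through unchanged and reported
# on stderr, so a mangled record is never silently loaded.
disable_passwords() {
    awk 'BEGIN { FS = OFS = ":" }
         NF == 10 { $2 = "*"; print; next }
         { print "warning: line " NR " is not a 10-field record" > "/dev/stderr"; print }'
}

# verify_locked: succeed only if every record on stdin has 10 fields and a
# locked password field.  Run it on the closed file before niload.
verify_locked() {
    awk 'BEGIN { FS = ":"; bad = 0 }
         NF != 10 || $2 != "*" { bad++ }
         END { exit bad ? 1 : 0 }'
}

# lock_accounts OPEN CLOSED: the whole procedure with file arguments.
# The OPEN file holds the real hashes; move it off the lab disk afterwards.
lock_accounts() {
    disable_passwords < "$1" > "$2" || return 1
    verify_locked < "$2"
}

# Typical use on the master image, as root (paths from the slides):
#   nidump passwd . > /Users/admin/open_password_file
#   lock_accounts /Users/admin/open_password_file /Users/admin/closed_password_file \
#       && niload -d passwd . < /Users/admin/closed_password_file
# niload -d drops any account that is missing from the input, so the closed
# file must still list every system account (daemon, www, sshd, ...).
```

The open file carries the crypt(3) hashes, so it is the file to take off the machine first; the closed file is harmless to read but still belongs off the image, and because niload -d replaces the whole passwd map, never feed it a file that has lost a system account.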

35
Authentication
  • Next we configure our remote authentication
    method, LDAP

36
Authentication
  • LDAP v3
  • 10.2.x only
  • Security is better
  • Passes encrypted passwords
  • Kerberos no longer required
  • Do not install MIT Kerberos on 10.2.x systems!
  • SSL support
  • LDAP data may (still) need massaging
  • This can be a critical concern

37
Authentication
  • LDAP v3
  • Steps to authentication using SSL
  • Configure Directory Access on the local machine
  • Create the dummy account
  • Add the certificate to the local machine
  • Edit the ldap.conf file to make the local system
    aware of the certificates
  • Configure Authentication on the client

38
Authentication
  • LDAP v3
  • Required attributes (direct from the Apple
    systems Engineer!)
  • uniqid: user's short name (for us this is netid)
  • uid: UID number (we made this the same for
    everyone)
  • homeDirectory: home directory path (we made this
    the same for everyone too!)
  • Useful attributes
  • cn: common name
  • gid: GID number (we made this the same for
    everyone too)

39
Authentication
  • LDAP v3
  • Configure Directory Access

40
Authentication
  • LDAP v3
  • Configure Directory Access

41
Authentication
  • LDAP v3
  • Configure Directory Access

Default Attribute Types contains only
RecordName which is set to value cn as an LDAP
server attribute
Users contains only those record types and
attributes we use
42
Authentication
  • LDAP v3
  • Configure Directory Access

RecordName is set to netid for our installation
43
Authentication
  • LDAP v3
  • Configure Directory Access

RealName is the actual name of the user, a.k.a.
Common Name or cn
44
Authentication
  • LDAP v3
  • Configure Directory Access

UniqueID was one of our custom additions and
was the critical part to get a valid local UID
45
Authentication
  • LDAP v3
  • Configure Directory Access

PrimaryGroupID was another one of our custom
additions but was not a critical part (at this
point!)
46
Authentication
  • LDAP v3
  • Configure Directory Access

NFSHomeDirectory was the third of our custom
additions and was also a critical part to get a
valid local home directory
47
Authentication
  • LDAP v3
  • Configure Directory Access

Setting connection variables: reducing the default
time-out values improves performance. You can test
without SSL to get things going if you need to (in
which case you do not need the CA on the client).
48
Authentication
  • LDAP v3
  • Create the dummy account
  • This provides the correct local home directory,
    group and/or user id
  • Be careful here: the numbering has to match your
    LDAP data!
  • Use the account manager
  • Computer Lab User (long name)
  • customer as short name
  • Name can be anything
  • This matches our specification for UID/GID
  • Notice that in the /Users section, we now have

drwxr-xr-x  13 502  20  442 Dec 30 16:14 customer
49
Authentication
  • LDAP v3
  • Update the client for ldap and ssl
  • The certificates must be in the correct place on
    the local system: /System/Library/OpenSSL/certs
  • mv /ca-bundle.crt /System/Library/OpenSSL/certs
  • You can test this from the command line
    (Terminal); the chain must verify, not merely
    connect
  • openssl s_client -connect ldap.uvm.edu:636 -showcerts
  • Look for "Verify return code: 0 (ok)" in the
    output; pass -CAfile
    /System/Library/OpenSSL/certs/ca-bundle.crt if the
    default store is not picked up.

50
Authentication
  • LDAP v3
  • Edit /etc/openldap/ldap.conf to point at the
    newly installed CA certificate
  • HOST ldap.uvm.edu
  • BASE dc=uvm,dc=edu
  • TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt

51
Authentication
  • LDAP v3
  • The final ldap.conf file looks about like this

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

HOST ldap.uvm.edu
BASE dc=uvm,dc=edu
TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt
52
Authentication
  • LDAP v3
  • Configure CustomPath

53
Authentication
  • LDAP v3
  • Configure CustomPath

Notice that our configuration is now available
for use
54
Authentication
  • LDAP v3
  • Configure CustomPath

And here we are done with authentication and
are ready to test!
55
Authentication
  • LDAP v3
  • The problem: without correct mapping of the key
    attributes (UID, GID, home directory), almost
    nothing works for a non-local user!
  • This is a permissions problem
  • Many applications iTunes, Internet Explorer
    require write access to certain areas.
  • Without these correct mappings, your non-local
    users are not valid for the local client system

56
Authentication
  • LDAP v3
  • This is why we create the local machine data
    default user (UID), home directory
    (/Users/customer) and group ID (GID)
  • The user logging in is simply remapped to the
    local account by virtue of the other properties
    pulled in from the query (in our case UID and
    HomeDirectory)
  • Early tests also had a local group customer
    with ID of 502
  • but further testing suggested that we only
    needed UID to get the required mapping
  • We decided on user customer with the default
    UID of 502

57
Authentication
  • LDAP v3
  • The result?
  • Users logging in with non-local accounts (those
    authenticated against our LDAP server) all have
  • UID 502 (this is what makes everything work)
  • GID 502 (we don't need this, but have it there
    anyway)
  • HomeDirectory /Users/customer (so everyone
    shares the same working space, just as they do
    with current Macs and Windows machines)
  • Every lab user is therefore the same UNIX
    identity: file permissions do not separate one
    user's files or processes from another's, which is
    why the home directory is refreshed at every login.

58
Authentication
  • LDAP v3
  • Decision time
  • What does your LDAP data look like?
  • How much do you have to alter your data to get OS
    X authentication to work?
  • Can you alter your data? Will those managing
    this service do this for you? (willingly???)

59
Authentication
  • LDAP v3
  • We massaged our LDAP data to provide a fixed
    value for all users
  • uvmAltUID 502
  • 502 because for Lab Machines, the next default
    UID number chosen by the system was 502
  • uvmAltGID 502
  • Arbitrary
  • uvmAltHomeDir /Users/Customer
  • This matched the locally created account home
    directory path (HFS+ is case-insensitive, so it
    resolves to /Users/customer)

60
Authentication
  • LDAP v3
  • The result was that correct permissions are all
    setup when the user logs in
  • You could use GID instead of UID
  • but there might be other lurking issues!

61
Installing the software
  • Install software as the administrator
  • Need to examine permissions and write-access in a
    few cases.
  • Without Classic mode, many knotty issues simply
    go away.

62
Configuring what your user sees
  • Establish the look and feel of the local user.
  • Use the dummy account
  • If need be, set this account to be an
    administrator
  • Do not forget to set the account back to a
    regular, non-administrative type when you are
    done.

63
Configuring what your user sees
  • Include the following things in your generic user
    configuration
  • Screen saver kick in (5 minutes) and also require
    a password upon wake
  • Energy Saver - display sleep but not the machine
  • Run every application.
  • Play a DVD disc
  • Set home page default

64
Printing
  • Particular and painful set of challenges
  • Easier than OS9 Desktop Printing.
  • Print Center utility and be sure to test
    thoroughly!

65
Login/logouthook
  • Not the same as Login Items which are managed by
    the user
  • Scripts called through the login or logout hook
    apply to the system
  • Scripts run from login or logout hook run as root
    and so are completely in control of the entire
    system.

66
Login/logouthook
  • Edit /etc/ttys.
  • Make a copy first!
  • cd /etc
  • cp ttys ttys.ORG
  • Set up the target directory
  • mkdir /Library/Admin
  • mv /cleanout_dummy.sh /Library/Admin/cleanout.sh

67
Login/logouthook
  • Use the right editor
  • For vi
  • cd /etc/
  • vi ttys
  • For emacs
  • cd /etc/
  • emacs ttys
  • For pico
  • cd /etc/
  • pico -w ttys

68
Login/logouthook
  • Single line to edit. Here it is in its original
    state
  • console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

69
Login/logouthook
  • Edit to add a loginhook. The added section is the
    -LoginHook argument inside the quoted command
  • console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Admin/cleanout.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"
  • LoginHook points to /Library/Admin/cleanout.sh.
    Make that path and file before you reboot, and
    remember the hook runs as root: only root should
    be able to write the script or its directory.

70
Login/logouthook
  • Console login
  • Enter >console as the username at the login window
  • Plain console login.
  • Not a security issue, a support issue

71
Login/logouthook
  • Console login
  • Edit /etc/ttys and remove the
    onoption="/usr/libexec/getty std.9600" part, which
    is the program >console switches to, leaving
  • console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Admin/cleanout.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer

72
Cron jobs
  • Mechanism to allow specified jobs (scripts,
    executables, etc.) to be executed according to
    certain time criteria.
  • Over and over again or simply a one shot deal.
  • Uses the crontab file for root.

73
Cron jobs
  • Shutdown at 11:55 p.m.
  • Can't use Shut down from the Apple Menu.
  • UNIX tools shutdown or halt.
  • Use halt to avoid problems in unattended mode
  • No provision for warning users that have open
    files. Halt stops the system abruptly.

74
Cron jobs
  • Shutdown at 11:55 p.m.
  • How: become root, call the crontab editing
    mechanism
  • crontab -e
  • Tell cron what to do and when
  • 55 23 * * * /sbin/halt
  • Exacting syntax
  • 55: minute of the hour.
  • 23: hour (11 pm)
  • *: wildcard (anything)
  • The three wildcards are the day of month, the
    month and the weekday.
  • Finally, the command to run must include the full
    pathname.

75
Cron jobs
  • Shutdown at 11:55 p.m.
  • Put all together, our crontab line says: on any
    day of the week, in any month, on any day of the
    month, at exactly 23 hours (11 PM) and 55
    minutes, run the halt command in /sbin/.
  • 55 23 * * * /sbin/halt

76
Cron jobs
  • Shutdown at 11:55 p.m.
  • Warning to users as an RTF file on the system
  • Call it like this
  • 45 23 * * * /usr/bin/open -a /Applications/TextEdit.app /Library/Admin/warn.rtf

77
Cron jobs
  • Shutdown at 11:55 p.m.
  • Review your entries using the crontab -l flag (list)
  • crontab -l
  • 55 23 * * * /sbin/halt
  • 45 23 * * * /usr/bin/open -a /Applications/TextEdit.app /Library/Admin/warn.rtf

78
Cron jobs
  • System cleanup
  • OS X has pre-wired cron jobs for maintenance use.
  • Designed to run at 3:00 a.m.
  • Timing of log rotation
  • Special system crontab files are managed and
    edited differently and are located in a different
    place on the system.

79
Cron jobs
  • System cleanup
  • Make a backup copy of the original file first
  • cd /etc/
  • cp crontab crontab.ORG
  • Decide on timing.
  • File is set to read-only by default. We must
    change this to edit the file
  • ls -l crontab
  • -r--r--r--  1 root  wheel  299 Jun 19 11:11 crontab
  • chmod u+w crontab
  • ls -l crontab
  • -rw-r--r--  1 root  wheel  299 Jun 19 11:11 crontab

80
Cron jobs
  • System cleanup
  • Edit using either vi, emacs or pico w
  • vi crontab
  • Change to your timing
  • #minute hour mday month wday who command
  • Run daily/weekly/monthly jobs.
  • 45 23 * * * root periodic daily
  • 30 23 * * 6 root periodic weekly
  • 15 23 1 * * root periodic monthly

81
Cron jobs
  • System Cleanup
  • Change the permissions back to read-only
  • ls -l crontab
  • -rw-r--r--  1 root  wheel  299 Jun 19 11:13 crontab
  • chmod u-w crontab
  • ls -l crontab
  • -r--r--r--  1 root  wheel  299 Jun 19 11:13 crontab

82
Cron jobs
  • Logout after a set idle time
  • Log the user out of the system after a set amount
    of idle time.
  • Count off a certain time interval beginning from
    the time that the screensaver kicks in and after
    that time is exceeded, log the user out.

83
Cron jobs
  • Logout after a set idle time
  • No built-in utility to do a command line logout.
  • Modified ADC code to produce logout executable
  • Add to the root crontab file
  • * * * * * /Library/Admin/idleScript.app
  • This says: every minute of every hour, on any
    day, run the script named idleScript.app in the
    /Library/Admin directory.

84
Duplicating the /Users/customer folder
  • Past practice was a full refresh at some regular
    interval.
  • Default OS configurations now ship with
    increasingly stringent security measures
  • Less to worry about
  • Restore the local user workspace and
    configuration
  • Just need a spare, clean copy of this directory
  • Replace at login.

85
Duplicating the /Users/customer folder
  • The ByHost problem
  • Hardware-linked set of preferences for a number
    of applications.
  • This is quite straightforward in how it is set up.
  • Each home directory has a
    Library/Preferences/ByHost folder
  • Use a post-installation script.

86
Duplicating the /Users/customer folder
  • The ByHosts problem
  • Iterate through all of the files
  • Replaces the master machine hardware address with
    that of the machine being cloned.
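A post-install script for the ByHost problem, added here as an example; it is not the presentation's script. It rests on one labelled assumption: that on 10.2 each ByHost preference file is named domain.MAC.plist, with the en0 hardware address written as twelve lowercase hex digits, so re-keying a clone is a rename from the master's address to the local one. MASTER_MAC in the usage comment is a placeholder value, not an address from the slides.

```sh
#!/bin/sh
# Added example, not one of the presentation's scripts: re-key the ByHost
# preference files in a cloned home directory so they belong to the machine
# being imaged rather than to the master.
# Assumption (labelled as such): on OS X 10.2 a ByHost file is named
#   <domain>.<en0 MAC address as 12 lowercase hex digits>.plist
# so the fix for a clone is a rename from the master's address to its own.

# local_mac: en0 hardware address as 12 lowercase hex digits, no colons.
local_mac() {
    ifconfig en0 2>/dev/null | awk '/ether/ { print $2 }' | tr -d ':' | tr 'A-F' 'a-f'
}

# rekey_byhost DIR OLD_MAC NEW_MAC
# Renames every *.OLD_MAC.plist under DIR to *.NEW_MAC.plist, refuses to
# overwrite an existing target, and prints the number of files renamed so
# the post-install log shows whether anything happened.
rekey_byhost() {
    dir=$1; old=$2; new=$3; count=0
    suffix=".$old.plist"
    for f in "$dir"/*."$old".plist; do
        [ -e "$f" ] || continue                      # glob matched nothing
        target="${f%$suffix}.$new.plist"
        if [ -e "$target" ]; then
            echo "skip: $target already exists" >&2
            continue
        fi
        mv "$f" "$target" && count=$((count + 1))
    done
    echo "$count"
}

# Use in a NetRestore post-processing step, with the master's address recorded
# when the image was built (MASTER_MAC below is a placeholder value).  The
# hidden Restore copy must be re-keyed as well, or the login refresh brings
# the master's files straight back:
#   MASTER_MAC=000393abcdef
#   rekey_byhost /Users/customer/Library/Preferences/ByHost "$MASTER_MAC" "$(local_mac)"
#   rekey_byhost /Users/admin/Restore/Library/Preferences/ByHost "$MASTER_MAC" "$(local_mac)"
```

The count it prints is worth logging from the post-processing script: zero on a freshly restored clone means the naming assumption does not hold for that OS build and the preferences are still keyed to the master.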

87
Duplicating the /Users/customer folder
  • Ditto versus cp
  • Must use the built-in ditto utility and not the
    standard UNIX cp (copy) command.
  • Files are corrupted (damaged) otherwise
  • Syntax
  • ditto -rsrcFork /source/directory/ /target/directory/
  • The -rsrcFork flag preserves resource forks and
    HFS meta-data.

88
Duplicating the /Users/customer folder
  • Making the backup copy
  • Replicate a spare copy of the local home
    directory.
  • Set backup copy location, make a target
    directory
  • My convention /Users/admin/Restore
  • mkdir /Users/admin/Restore

89
Duplicating the /Users/customer folder
  • Making the backup copy
  • Now, ditto the original source directory
  • ditto -rsrcFork /Users/customer/ /Users/admin/Restore/
  • Make sure it all got there
  • ls -laR /Users/admin/Restore/
  • Note that this must be done as root

90
Tweaking the user interface
  • Goal is a smooth, easy to manage interface for
    all users.

91
Tweaking the user interface
  • Developer Tools nibbling at parts
  • Modifying the Apple menu.
  • Use the tools in the Developer package.
  • Find the correct file
  • /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj
  • Double-click StandardMenus.nib. It will open with
    Interface Builder.
  • Make any changes
  • It is also possible to customize the Login screen.

92
Software Updates
  • Be sure to uncheck all automatic updating
    mechanisms for the generic user.
  • Can be done at the command line
  • man softwareupdate

93
Locking things down
  • Start with the basics
  • Set the open firmware passwords
  • Secure or eliminate local accounts
  • Disable root access.
  • Do not make general users administrative users.

94
Locking things down
  • Changing executable permissions
  • Run as many programs as the generic user
  • Typically, I've been preventing access to these
    programs
  • Airport utilities
  • Console
  • Directory Access
  • Disk Utility
  • Installer
  • Keychain
  • NetInfo Manager
  • Network Utility

95
Locking things down
  • Changing executable permissions
  • Change the permissions only for the "other"
    category; leave user and group intact.
  • Use the chmod command
  • chmod o-rwx AirPort\ Admin\ Utility.app
  • Advantage to leaving the admin group rwx:
    administrators can still run the tool without
    undoing the change.

96
Locking things down
  • Changing executable permissions
  • Some programs facilitate access to sensitive
    system data
  • NetInfo is the critical example
  • Change access for system files
  • chmod go-rwx /var/backups/
  • chmod go-rwx /var/db/netinfo/local.nidb

97
Locking things down
  • Changing executable permissions
  • All utilities for netinfo use should be set to
    root use only
  • chmod go-rwx /usr/bin/nicl
  • chmod go-rwx /usr/bin/nireport
  • chmod go-rwx /usr/bin/niutil
  • chmod go-rwx /usr/bin/nigrep
  • chmod go-rwx /usr/bin/nifind
  • chmod go-rwx /usr/bin/nidump
  • chmod go-rwx /usr/bin/niload
  • Change NetInfo Manager itself
  • chmod o-rwx NetInfo\ Manager.app

98
Locking things down
  • Changing executable permissions
  • Print Center is a special case
  • Users cannot add or delete printers
  • I use
  • chmod o-rwx Print\ Center.app
  • To get
  • drwxrwx--- 3 root admin 102 Feb 11 2003 Print
    Center.app
  • Others have used
  • d-wx-wx-wx 3 root admin 102 Feb 11 2003 Print
    Center.app

99
Locking things down
  • File access permissions
  • Read-only
  • No access at all

100
Locking things down
  • SetUID and SetGID programs
  • User running these programs or accessing these
    files is granted system access the actual
    process UID is changed to that of the user owner
    of the file.
  • Find all files that are configured as setuid and
    setgid using the UNIX find command and save to a
    file
  • find / -type f \( -perm -4000 -o -perm -2000 \) -ls > mysetuidgidfiles.txt
  • (-perm -4000 matches the setuid bit, -perm -2000
    the setgid bit; a bare -perm 6000 would only match
    files with exactly both bits and nothing else)

101
Locking things down
  • These are commonly restricted using the chmod
    command in absolute mode
  • chmod 0700 /usr/bin/chfn
  • chmod 0700 /sbin/rdump
  • chmod 0700 /sbin/rrestore
  • chmod 0700 /usr/sbin/sliplogin
  • chmod 0700 /usr/bin/wall
  • chmod 0700 /usr/bin/write
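An audit of the lock-down state described on the last few slides, added here as an example and not the presentation's own procedure: it reports which application bundles are still reachable by "other" and which files carry setuid or setgid, printing the chmod it would run rather than running it, so the list can be reviewed and diffed between images first. It assumes the standard ls -ld column layout and uses the portable find predicates rather than the BSD-only -perm +6000.

```sh
#!/bin/sh
# Added example (not from the presentation): audit the lock-down state of an
# image before it is cloned.  Two checks from the slides are automated:
#   1. which application bundles under a directory are still reachable by
#      "other" (the generic lab user is not in the admin group, so the
#      o bits are what matter);
#   2. which files carry the setuid or setgid bit.
# Both checks only report; the chmod lines are printed, not run.

# world_accessible_apps DIR: print each *.app under DIR whose other-bits are
# not all cleared, together with the chmod that would close it.
world_accessible_apps() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        # in `ls -ld` output the "other" permission triple is characters 8-10
        mode=$(ls -ld "$app" | cut -c8-10)
        case $mode in
            ---) ;;
            *) printf 'chmod o-rwx "%s"   # currently o=%s\n' "$app" "$mode" ;;
        esac
    done
}

# setugid_files ROOT: portable form of the slide's find command
# (-perm -4000 = setuid bit set, -perm -2000 = setgid bit set, -o = either).
setugid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_setugid ROOT: number of such files, a before/after metric for the
# chmod 0700 pass over chfn, rdump, rrestore, sliplogin, wall and write.
count_setugid() {
    setugid_files "$1" | wc -l | tr -d ' '
}

# Usage on the master image:
#   world_accessible_apps /Applications/Utilities
#   setugid_files / > /Users/admin/mysetuidgidfiles.txt
#   count_setugid /
```

Run it again on the finished image and on a machine that has been in the lab for a while: a setuid file or an open bundle that was not there at build time is the first sign that a user found a way to put one there.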

102
Granting privileges
  • A need to perform certain kinds of privileged
    operations after you have deployed all your
    machines. With local accounts, the administrator
    works.
  • With no local accounts, you have choices.

103
Granting privileges
  • Designate a specific user or users as sudo users
  • Edit /etc/sudoers.
  • The last few lines in the default sudoers look
    like this
  • # User privilege specification
  • root    ALL=(ALL) ALL
  • %admin  ALL=(ALL) ALL
  • Add the designated user (mdoe) like this
  • mdoe    ALL=(ALL) ALL
  • Edit with visudo rather than a plain editor, so a
    syntax error cannot lock everyone out of sudo.

104
Granting privileges
  • Possible to use a network based backend
    (typically an sql table)
  • Allots privileges based on this table.

105
Granting privileges
  • Gui-based installation of applications or the
    altering of settings using the gui based tools
    remains problematic.
  • Can use the netinfo command line tools to add a
    user to the admin group.
  • niutil -appendprop / /groups/admin users <user_name>
  • To remove a user from the admin group, type
  • niutil -destroyval / /groups/admin users <user_name>

106
Refresh Lost and Found at login
  • Use of a "mini-refresh"
  • Replace and update the regular user home
    directory and all the settings at login time.
  • Simple to use and is a blessing for users.
  • Complete the process of fine-tuning the user
    interface

107
Refresh Lost and Found at login
  • Install utility scripts
  • Much of the work is done from /Library/Admin.
  • prep.sh
  • Lives in /private/var/root
  • Makes the process of incremental changes easy and
    quick.
  • Saves the typing of the ditto command used to
    build the restore point.

108
Refresh Lost and Found at login
  • Install loginhook scripts
  • Add scripts referenced in our edited /etc/ttys
  • If you change the path here, make sure you change
    it elsewhere or the loginhook scripts will not
    work.

109
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanout.sh
  • Moves any user added files to a Lost and Found
    directory
  • Restores the entire /Users/customer/ directory
    from the hidden spare.
  • This is the script referred to in our modified
    /etc/ttys file

110
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • This script does all the work of the
    mini-refresh.
  • The first thing I like to do is to timestamp the
    login
  • date > /tmp/access.out
  • Know who is logging in ($1 is the short name of
    the user, passed to the hook by loginwindow)
  • echo "$1 logged in." >> /tmp/access.out
  • if test "$1" = "admin"
  • then
  • echo "Admin logged in for testing" > /tmp/test.out
  • else

111
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • For a dynamically refreshed /etc/sudoers file, we
    update that.
  • Change privileges first
  • /bin/chmod u+w /etc/sudoers
  • Then recopy it
  • /bin/cp /etc/sudoers.master /etc/sudoers

112
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • Reset the permissions
  • /bin/chmod u-w /etc/sudoers
  • Recopy sshd_config if you use any sort of dynamic
    changing from a remote source
  • /bin/cp /etc/sshd_config.master
    /etc/sshd_config

113
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • Now update the home directory.
  • First we do the documents folder
  • /usr/bin/ditto -rsrcFork /Users/customer/Documents/ /Lost\ and\ Found
  • But not the alias of the Lost and Found
  • /bin/rm -rf /Lost\ and\ Found/Lost\ and\ Found

114
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • Now clean up the Desktop
  • /usr/bin/ditto -rsrcFork /Users/customer/Desktop/ /Lost\ and\ Found
  • Do not save the contents of the Library folder in
    the Lost and Found, so this line is commented out
  • # /usr/bin/ditto -rsrcFork /Users/customer/Library/ /Lost\ and\ Found

115
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • Now all the rest goes to the Lost and Found
  • /usr/bin/ditto -rsrcFork /Users/customer/Movies/ /Lost\ and\ Found
  • /usr/bin/ditto -rsrcFork /Users/customer/Music/ /Lost\ and\ Found
  • /usr/bin/ditto -rsrcFork /Users/customer/Pictures/ /Lost\ and\ Found
  • /usr/bin/ditto -rsrcFork /Users/customer/Public/ /Lost\ and\ Found
  • /usr/bin/ditto -rsrcFork /Users/customer/Sites/ /Lost\ and\ Found
  • Clean up the Lost and Found directory: delete
    files older than 7 days
  • /usr/bin/find /Lost\ and\ Found -mtime +7 -exec /bin/rm -rf {} \;

116
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • Now we can delete the old
  • /bin/rm -rf /Users/customer/
  • And then replace everything from the master
    replacement in /Users/admin/Restore.
  • /usr/bin/ditto -rsrcFork /Users/admin/Restore/
    /Users/customer
  • Unlock Normal.dot
  • /usr/sbin/Setfile -a l /Users/customer/Documents/Normal

117
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • Now reset permissions and ownership. We do this
    because we want to be certain that nothing here
    is ever owned by root
  • /usr/sbin/chown -R customer:staff
    /Users/customer
  • And then we can reset the lock of Normal.dot
  • /usr/sbin/Setfile -a L /Users/customer/Documents/Normal

118
Refresh Lost and Found at login
  • Install loginhook scripts
  • cleanhdir.sh
  • fi closes the if clause found at the
    beginning
  • fi
  • We must add this exit signal to allow login to
    complete
  • exit 0
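The six slides above walk through cleanhdir.sh one fragment at a time. The function below is an added example (not the talk's script) that puts the whole procedure together so it can be run and tested on any UNIX: the home directory, Lost and Found folder, restore point, retention period and owner are parameters instead of the fixed /Users/customer, /Lost\ and\ Found, /Users/admin/Restore, 7 and customer:staff, and cp -Rp stands in for Apple's ditto -rsrcFork (which has no equivalent outside OS X). It also adds the one check a login hook that runs rm -rf as root should never be without: a refusal to act when the home path is empty or is a top-level directory.

```shell
# refresh_home HOME_DIR LOSTFOUND RESTORE_DIR KEEP_DAYS [OWNER]
# Portable re-implementation of the cleanhdir.sh login hook (example code,
# not the talk's own script). Assumptions: cp -Rp replaces ditto -rsrcFork,
# OWNER is "user:group" as in customer:staff, and the hook runs as root
# (login hooks do), which is why the final chown matters.
refresh_home() {
    home="$1"; lost="$2"; restore="$3"; keep="$4"; owner="$5"

    # Guard the rm -rf below: an unset variable would otherwise expand to "/".
    case "$home" in
        ""|/|/Users|/Users/)
            echo "refresh_home: refusing to touch '$home'" >&2; return 1 ;;
    esac
    [ -d "$restore" ] || { echo "refresh_home: no restore point at '$restore'" >&2; return 1; }
    mkdir -p "$lost"

    # 1. Merge the user-visible folders into Lost and Found. Library is
    #    skipped, as on the slides, so caches and keychains are not kept.
    for sub in Documents Desktop Movies Music Pictures Public Sites; do
        [ -d "$home/$sub" ] && cp -Rp "$home/$sub/." "$lost/"
    done

    # 2. Drop the Lost and Found alias that was copied along with Documents.
    rm -rf "$lost/Lost and Found"

    # 3. Expire anything older than KEEP_DAYS. -mindepth 1 protects the
    #    folder itself; -prune stops find descending into what it just removed.
    find "$lost" -mindepth 1 -mtime +"$keep" -prune -exec rm -rf {} \;

    # 4. Replace the home directory wholesale from the pristine restore point.
    rm -rf "$home"
    mkdir -p "$home"
    cp -Rp "$restore/." "$home/"

    # 5. Nothing in the restored home may stay owned by root.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$home"
    fi
    return 0
}

# Typical call from a login hook, with the talk's paths:
# refresh_home /Users/customer "/Lost and Found" /Users/admin/Restore 7 customer:staff
```

The SetFile unlock/lock dance around Normal is left out because SetFile only exists on OS X; if you need it, unlock before step 4 and re-lock after step 5, as the slides do. Note that every path is double-quoted rather than backslash-escaped, which is what keeps "Lost and Found" intact if the script is ever edited or sourced by another tool.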

119
Refresh Lost and Found at login
  • Install loginhook scripts
  • attrs.pl (for MySQL access only)
  • Prerequisites for this
  • mysql client software. Available from
    http://www.mysql.com/downloads/mysql-4.0.html -
    be sure to get the package installer (it is a lot
    simpler).
  • DBI software. This is the Database Independent
    interface for Perl. Available from
    http://search.cpan.org/author/TIMB/DBI-1.38/DBI.pm
    - and the version may change.
  • DBD software. This is the driver for the MySQL
    Perl interface. Available from http://search.cpan.
    org/author/RUDY/DBD-mysql-2.9002/ - note that the
    versions may change quickly.

120
Refresh Lost and Found at login
  • Install management scripts
  • idleScript.app
  • How to determine idle time for the machine.
  • Modified version
  • Cron runs this script every minute
  • We try to determine if ScreenSaver is running.
  • If it is, then we increment a count in a file
    found in /tmp.
  • After the threshold, the machine logs out the
    current user, no matter what!

121
Refresh Lost and Found at login
  • Install management scripts
  • idleScript.app
  • Be sure to set maxtime
  • Killing the screensaver process was trickier than
    we expected.
  • Used killall
  • Note the line that reads
  • system("/sbin/logout") == 0 or die "Unable to call
    logout";
  • This is a custom file, and the binary is
    available at http://www.uvm.edu/dlrh/osx/
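Slides 120 and 121 describe idleScript as a cron job that counts consecutive minutes with the screen saver running and forces a logout past a threshold. The function below is an added example in POSIX sh (the talk's script is Perl and is not reproduced here) of that counter. The screen-saver test and the logout command are parameters so the logic can be exercised without a GUI session; in the real job the test would be something like pgrep -x ScreenSaverEngine and the command the killall plus /sbin/logout sequence from the slides. One change from the slides' design is worth making: the counter file should live in a directory only root can write (for instance under /var/run) rather than in /tmp, where any local user could reset or pre-seed it.

```shell
# idle_tick STATEFILE MAXTIME SAVER_RUNNING LOGOUT_CMD
#   STATEFILE      file holding the count of consecutive idle minutes
#   MAXTIME        minutes of screen saver before a forced logout
#   SAVER_RUNNING  "yes" or "no" (cron would pass the result of a pgrep check)
#   LOGOUT_CMD     command run when the threshold is reached
# Returns 0 when a logout was triggered, 1 otherwise. Example code, not the
# talk's idleScript; the state file name and the yes/no convention are
# assumptions.
idle_tick() {
    state="$1"; maxtime="$2"; saver="$3"; logout_cmd="$4"

    if [ "$saver" != "yes" ]; then
        # Someone is active again: start counting from zero next time.
        printf '0\n' > "$state"
        return 1
    fi

    count=0
    if [ -f "$state" ]; then
        read -r count < "$state" || count=0
    fi
    # Tolerate an empty or corrupted file instead of failing arithmetic.
    case "$count" in ''|*[!0-9]*) count=0 ;; esac

    count=$((count + 1))
    printf '%s\n' "$count" > "$state"

    if [ "$count" -ge "$maxtime" ]; then
        printf '0\n' > "$state"
        # Unquoted on purpose so a command with arguments is word-split.
        $logout_cmd || { echo "idle_tick: logout failed" >&2; return 1; }
        return 0
    fi
    return 1
}

# Cron entry (every minute) using the talk's ingredients, as a comment:
# * * * * * root saver=no; pgrep -x ScreenSaverEngine >/dev/null && saver=yes; \
#   idle_tick /var/run/idle.count 20 "$saver" "/sbin/logout"
```

Resetting the counter to zero before running the logout command keeps a failed or slow logout from re-firing every minute; the return value lets the cron wrapper log the event.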

122
Refresh Lost and Found at login
  • Configure common startup options
  • Web page
  • Deactivate local accounts
  • Be sure you have those files accessible somewhere.

123
Preparing the master img file
  • Need a bootable device that is not the local
    machine.
  • We'll boot to that, and run Carbon Copy Cloner.

124
Preparing the master img file
  • Prepare a master boot drive on your FireWire
    drive
  • Boot to your master
  • Log in as the admin user
  • Attach the external drive
  • Download Carbon Copy Cloner
  • Run it off of the mounted disk Image

125
Preparing the master img file
  • Carbon Copy Cloner
  • Easy to use and free
  • Select the Source Disk, which is our master disk.
  • Select a Target Disk - the attached external
    FireWire drive

126
Preparing the master img file
  • Carbon Copy Cloner
  • Next, we set up Preferences
  • Set the Target Disk option of Make bootable.
  • Check the Source Disk Option of Repair
    permissions before cloning.
  • Do not check on the Create disk image on target
    option
  • Save these preferences
  • Clone

127
Preparing the master img file
  • Carbon Copy Cloner
  • Now test it out.
  • Reboot your master system, hold down the Option
    key
  • Problems can include
  • a failure to boot the external device at all
  • inability to select that device for booting
  • inability to get it to actually boot to the
    external drive
  • Install both Carbon Copy Cloner and NetRestore on
    this external drive.

128
Preparing the master img file
  • Preparing an ASR READY image file
  • Develop our master image for use in cloning.
  • Space needs 2 to 3 times the actual final image
    size to succeed.
  • Select your source drive (the master image drive)
  • Select the target

129
Preparing the master img file
  • Preparing an ASR READY image file
  • Check on the Create disk image on target option.
  • Check on the ASR options choice Prepare for Apple
    Software Restore.
  • Select the Read-only compressed option and leave
    the Segment size empty (the system will decide).
  • Select Make bootable option.
  • Clone it!
  • The result is an image file with the naming
    convention <Hard Drive name>_asr.img

130
Cloning
  • Boot from your Restore drive

131
Cloning
  • NetRestore
  • You can set up specific configurations
  • Select Erase Target Disk, Verify restored disk,
    and Set target as boot disk.
  • Drag the source file you created earlier into the
    Source text entry area.
  • Next, select a target drive

132
Cloning
  • NetRestore
  • Select Preferences.
  • The Default Target Options are configurable

133
Cloning
  • Post processing scripts
  • Post-action scripts afford great power
  • Fix the ByHosts problem
  • Add functionality to these scripts for other
    tasks.
  • Fixing ByHosts
  • Iterate through a list of files in
    /Library/Preferences/ByHost
  • Set the correct hardware address for each machine
  • Make a new copy of the restore point
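The ByHost fix on this slide is the post-action step every clone needs, because the image carries the master's per-host preference files and the restored machine has a different hardware address. The function below is an added example, not the talk's post-action script. It assumes the 10.2/10.3-era naming: each file in /Library/Preferences/ByHost is named <domain>.<id>.plist, where <id> is the en0 Ethernet address in lowercase hex with the colons removed. The directory and both identifiers are parameters so it can be run against a scratch folder.

```shell
# byhost_fix DIR OLD_ID NEW_ID
# Rename <domain>.<OLD_ID>.plist files in DIR to <domain>.<NEW_ID>.plist and
# print how many were renamed. Example code, not the talk's script; the
# file-name convention and the 12-hex-digit id format are assumptions.
byhost_fix() {
    dir="$1"; old="$2"; new="$3"
    n=0

    # Both ids must be exactly 12 lowercase hex digits; anything else is a
    # sign the caller fed us an unparsed ifconfig line.
    case "$old$new" in ''|*[!0-9a-f]*)
        echo "byhost_fix: ids must be lowercase hex" >&2; return 1 ;;
    esac
    [ "${#old}" -eq 12 ] && [ "${#new}" -eq 12 ] || {
        echo "byhost_fix: ids must be 12 hex digits" >&2; return 1; }

    for f in "$dir"/*."$old".plist; do
        [ -e "$f" ] || continue             # the glob matched nothing
        base=${f##*/}
        domain=${base%."$old".plist}
        mv "$f" "$dir/$domain.$new.plist"
        n=$((n + 1))
    done
    echo "$n"
}

# Id of this machine's primary Ethernet interface, from macOS ifconfig output
# ("ether 00:0a:95:ab:cd:ef"). Not exercised in the test; the master's id
# would be recorded once when the image is built.
current_host_id() {
    ifconfig en0 | awk '/ether/ { gsub(":", "", $2); print $2 }'
}

# Post-action usage, with the master's id recorded at image time:
# byhost_fix /Library/Preferences/ByHost "$MASTER_ID" "$(current_host_id)"
```

Files that carry no host id (com.apple.other.plist) are left alone, and running the fix twice is harmless because the second pass finds nothing to rename.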

134
Cloning
  • Post processing scripts
  • Note that the call to the Post-action script text
    entry box requires a full pathname.
  • ./postpMYSCRIPT.sh
  • Place the file postpMYSCRIPT.sh at the root of
    the bootable external drive.

135
Cloning
  • Configurations
  • Open the Edit configurations
  • Click on the image file listed that you used.
  • Go back to the Preferences and select this
    configuration in the Default configuration pop-up
    menu.

136
Cloning
  • Post-restore actions
  • Can set the Open Firmware password.
  • It is echoed in bullets - use care!
  • Clone away!
  • Test, test, test!

137
Going further
  • Remote access
  • Ssh access
  • Turned on using the System Preferences, Sharing,
    Remote Access.

138
Going further
  • Remote software updates
  • Ssh allows remote software updates

139
Going further
  • Full refresh
  • A useful goal
  • May not be as critical as it once was.
  • Radmind
  • Well tested
  • Well supported
  • Free
  • http://rsug.itd.umich.edu/software/radmind/
  • Rsync
  • Complex
  • Legacy UNIX
  • http://www.macosxlabs.org/rsyncx/rsyncx.html

140
Essential reading
  • www.macosxlabs.org (be SURE you check the
    forums!)
  • www.bombich.com (be SURE you check the forums!)

141
Q & A