Apple

Leopard, NFS, Automounter and Finder

/ Felipe Alfaro Solana / 9 Comments

The AutoFS service in Leopard, also known as automount, is configured by means of text files stored in /etc and the automount command-line utility. The standard automount configuration also allows for local directory service lookups and thus can also be configured by using Directory Utility.

The configuration of the automounter starts with the master configuration file, /etc/auto_master The contents of this file look like this:

#
# Automounter master map
#
+auto_master		# Use directory service
/net			-hosts		-nobrowse,nosuid
/home			auto_home	-nobrowse
/Network/Servers	-fstab
/-			-static

Here is a brief description of each one:

  • /net -hosts -nobrowse,nosuid

    This configures automount of NFS servers in /net. Automounting is done for any resolvable host name (it doesn’t have to have an entry in /etc/hosts and it’s browsable under /net. The problem is that /net is not linked from the sidebar in Finder, and thus not very useable except from the command-line.

  • /home auto_home -nobrowse

    This configures automounting of home directories via a directory service, as configured in /etc/auto_home.

  • /Network/Servers -fstab

    This line states that all mount entries defined in /etc/fstab should be mounted in /Network/Servers. However, this is not entirely true as mount entries listed in /etc/fstab have to specify an absolute mount point, or else automount will complain. Since mount entries specify an absolute mount point, and it won’t be overridden by automount, in order to make Finder show the entries in the sidebar it is recommended that the mount point is located in a subdirectory within /Networ/.

    For example, this how my /etc/fstab file looks like:

    media:/export /Network/media nfs nosuid,nodev 0 0
  • /- -static

    This entry is very similar to the previous one, but instead of using /etc/fstab as the source of mount entries, this one uses the local directory service instead. Entries can be configured using Directory Utility, and stored as a plist file in /var/db/dslocal/nodes/Default/mounts.

    Here is an example of a file named /var/db/dslocal/nodes/Default/mounts/media.lan:%2Fexport.plist:

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>dir</key>
	<array>
		<string>/Network/media</string>
	</array>
	<key>generateduid</key>
	<array>
		<string>1895C8D3-7DBF-4857-8D61-04080DFA5B55</string>
	</array>
	<key>name</key>
	<array>
		<string>media.lan:/export</string>
	</array>
	<key>opts</key>
	<array>
		<string>nosuid</string>
		<string>nodev</string>
	</array>
	<key>vfstype</key>
	<array>
		<string>nfs</string>
	</array>
</dict>
</plist>

Reloading the automount configuration is just as simple as running:

automount -vc

automount will reload its configuration and will automatically mount any entry listed in /etc/fstab. Additionally, the Finder will display an All… link in the sidebar that makes very easy to get to the automounted volumes.

Mac OS X 10.5 Leopard built-in firewall

/ Felipe Alfaro Solana / 16 Comments

The firewall in Mac OS X 10.5 Leopard is confusing, to say the least. It is not enabled by default, which is a huge mistake, in my humble opinion. Also, the graphical user interface offers less flexibility than in previous version while trying to configure it. Besides allowing you to independently control the blocking of incoming ICMP Echo Requests and logging via syslog, it has the following main operation modes:

  • Allow all incoming connections.

    Seems obvious that choosing this setting means that the firewall is essentially disabled and any traffic can freely flow in and out of the computer.

    I would not recommend this setting, even for trusted networks. It is easy for a laptop computer to attach to a different network at any time and have the user forget to re-enable the firewall, posing as a potential victim for other users or computers. For a desktop computer it is more and more common to be attached to a network that has some sort of wireless bridging or routing device that might be used by untrusted users to get access to the network, or by trusted users that carry (maybe without their knowledge) malware, for example.

    This setting offers little or no security, but makes very easy to share contents or provide external services.

  • Block al incoming connections.

    This seems the safest choice, but might not always be desirable if you are sharing content or have services running that you want to make accessible from the outside (like an SSH server, or even the iTunes music collection).

    This is my preferred setting, I have to say. This setting offers adequate security, but stops you from sharing content or offering access to services externally. However, it seems that Leopard’s firewall does not block all services, and some of them are still accessible from the outside (see at the end of the post for more information).

  • Set access for specific services and applications.

    This is by far the most confusing setting. First, because it doesn’t seem to add any rules to IPFW. I’m starting to believe that Leopard offers two layers of filtering. It seems IPFW is one of them, but it defaults to use a ruleset with only default accept entry in it (sequence 65535):

    # ipfw list
65535 allow ip from any to any

    (NOTE: if you enable the Stealth functionality, a IPFW rule is added before the default entry, and it looks like this:

    33300 deny icmp from any to me in icmptypes 8

    This blocks ICMP Echo Requests, but be aware that Stealth mode is not enabled by default).

    About the other filtering layer, I’m not sure what it is used or how it is implemented, but it seems to be the result of some sort of kernel-level and user-space cooperation. The second reason why I think this setting can be confusing is because it seems to only affect a particular user (normally the logged user), but not the system or other users like root.

    For example, I compiled synergy and ran it as user root. Then, I configured the Leopard’s firewall for access to specific services and applications, but I left the list empty. I verified that I could reach the synergys server at port 24800 from other computer in the same network segment. I was really surprised, to be honest.

    The next thing I tried is to kill synergys and to re-run it as my currently logged in user. This time, Leopard presented me with a dialog box that asked whether to allow synergys to accept incoming connections:

    Do you want the application “synergys” to accept incoming network connections?

    Clicking Deny may limit the application’s behavior. This setting can be changed in the Firewall pane of Security Preferences.

    This caused the expected behavior: any attempt to connect to port 24800 from the outside was blocked by Leopard’s firewall:

    22:02:30.989097 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,nop,wscale 3,nop,nop,timestamp 699234003 0,sackOK,eol>
22:02:31.913244 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,nop,wscale 3,nop,nop,timestamp 699234012 0,sackOK,eol>
22:02:32.914300 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,nop,wscale 3,nop,nop,timestamp 699234022 0,sackOK,eol>
22:02:33.915334 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,sackOK,eol>
22:02:34.916398 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,sackOK,eol>
22:02:35.917319 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,sackOK,eol>
22:02:37.919629 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,sackOK,eol>
22:02:41.924491 IP 10.42.242.16.49950 > 10.42.242.12.24800:
  S 3207271609:3207271609(0) win 65535
  <mss 1460,sackOK,eol>

    Note how the first three segments had the time-stamp and window scaling options activated. The remaining SYN segments didn’t. This is probably due to Leopard thinking that there was congestion or that it was talking to an old system.

    Once I chose Always allow, Leopard added an entry into the Firewall list named synergys. From here on, I was able connect to port 24800. This is the the network capture that tcpdump displayed when trying to connect to port 24800 from another compuer after synergys had been granted access:

    22:24:20.674656 IP 10.42.242.16.50055 > 10.42.242.12.24800:
  S 2514913060:2514913060(0) win 65535
  <mss 1460,nop,wscale 3,nop,nop,timestamp 699247086 0,sackOK,eol>
22:24:20.675544 IP 10.42.242.12.24800 > 10.42.242.16.50055:
  S 812848149:812848149(0) ack 2514913061 win 65535
  <mss 1460,nop,wscale 1,nop,nop,timestamp 473026159 699247086,sackOK,eol>
22:24:20.675591 IP 10.42.242.16.50055 > 10.42.242.12.24800:
  . ack 1 win 65535 <nop ,nop,timestamp 699247086 473026159>
22:24:20.677911 IP 10.42.242.12.24800 > 10.42.242.16.50055:
  P 1:16(15) ack 1 win 33304 <nop ,nop,timestamp 473026159 699247086>
22:24:20.677959 IP 10.42.242.16.50055 > 10.42.242.12.24800:
  . ack 16 win 65535 <nop ,nop,timestamp 699247086 473026159>

    Funny enough, keeping my telnet client running while trying to connect at port 24800, waiting for Leopard to remove the time-stamp and window scaling options, then allowing this traffic, didn’t make Leopard to try to re-negotiate the time-stamp and window scaling options.

    Another thing worth mentioning is that once synergys had been granted access to incoming traffic at port 24800, removing it from the list of allowed applications and services didn’t stop it from receiving traffic. To block synergys from receiving traffic it was necessary to change Allow incoming connections to Block incoming connections (removing its entry from the list did still allow it to receive incoming traffic).

    Another interesting feature is that Leopard’s seems to be aware of service dependency. For example, enabling the Screen Sharing service also starts a local Kerberos 5 KDC which is used to authenticate users. This is fascinating since users of Screen Sharing, for example, will first request a TGT to this local Kerberos 5 KDC (and will be able to decrypt that TGT if they know the correct password), then using the TGT request a service ticket for the Screen Sharing service that can present to it in order to get authenticated. But moreover, trying to connect to the Screen Sharing service for a second time will not require the user to provide his credentials again because a Kerberos service ticket is already available (provided that it didn’t expire). This is Single Sign-On in its true form.

Conclusion

In conclusion, I can’t say that the graphical user interface provides a lot of room for configuration, neither does it offer any way to configure egress filtering (that is, traffic that originates on the local computer and is to be sent out externally via a network interface).

In general, Leopard’s default administration tools are probably on par with those from Windows Vista. Even though the underpinnings of the newest member of the Mac OS X family are powered by IPFW, I feel Leopard’s firewall has a long way to go to in order to get closer to the powerful functionality and configurability of PF or Netfilter/IPtables, for example.

Also, not enabling the firewall by default is a big mistake in my opinion. One of my Mac OS X laptops is listening on port 111/tcp, 1020/tcp and 1021/tcp. The first one is iCalAlarmAgent and the other two are related to launchd. Even if you configure the firewall to block all traffic, these three ports are still accessible from the outside.

Playing with Mac OS X 10.5 Leopard local directory service, II

/ Felipe Alfaro Solana / 2 Comments

After experimenting with local files for Mac OS X 10.5 Leopard Directory Service, I read a hint on MacOSXHints name Manage users and groups using a GUI tool.

What this tip describes, basically, is that you can use Mac OS X Server Administration Tools to connect locally to the Directory Service running on Mac OS X Leopard. Just start Workgroup Manager, and authenticate to host localhost with the credentials of any user with administrative rights. Using Workgroup Manager it is possible to create and manage users and groups, but more important is that changes take effect immediately, without having to kill /usr/sbin/DirectoryService, rebooting or having to log out. Very nice!

Playing with Mac OS X 10.5 Leopard local directory service

/ Felipe Alfaro Solana / 11 Comments

New with Mac OS X 10.5 is the replacement of the old NetInfo architecture. The new component, Directory Services, is a highly configurable service that can use many back-ends to store, retrieve and abstract concepts like users, groups, machines or mount points.

Directory Services sports LDAP, Active Directory and Open Directory support, and also local files. Local files seem to be stored directly in the root volume, in the /var/db/dslocal/nodes/Default/ directory. Within this subdirectory, we can found others that create a tree-like, hierarchical structure:

  • aliases/. Contains a one pList for every account alias that is registered in the Local directory service. There are some built-in aliases, plus additional aliases that can be created from the Accounts preference pane.
  • config/. Contains several configuration files for components like Kerberos KDC (in a pretty funny format, that basically looks like XML-syntax wrapper that contains the traditional kdc.conf text-based configuration file as a string), Share points and so on.
  • groups/. Contains one pList file for every known local group. The format is pretty straightforward and almost resembles the traditional UNIX /etc/group file, but expressed using XML.
  • machines/. Contains one pList file for every known machine. It seems to me this is the equivalent of the /etc/hosts UNIX file where each machine entry is stored in as a single pList file. For a default Mac OS X installation, you will find a localhost.plist and a broadcasthost.plist entry.
  • mounts/. Contains one pList for every automount point. By default, there are no automount points defined, and they can be created using the Directory Utility application, dscl or by manually creating or changing pList files.
  • networks/. Contains one pList file for every known network. This seems like the equivalent of /etc/ethers in UNIX systems. By default, only a single pList file exists: loopback.plist, which lists 127.0.0.0/8 as a known network.
  • users/. Contains one pList file for every known local user. This is the equivalent of /etc/passwd in any UNIX system. As in modern UNIX systems, the password is stored somewhere else (does anybody know where?).

By tweaking these files and restarting the Directory Service, it is possible to emulate the behavior of a UNIX-like system, with the difference that access to these entities is mediated by a service, as is not exposed via a POSIX API that, when configured to use local files, parses the contents of local files. In Mac OS X, it is necessary to notify the Directory Service when the contents of any of the pList files changes.

Another way of editing some of these components without having to use dscl or editing pList files by hand is by right-clicking a user or a group in the Accounts preference pane, then choosing Advanced Options ... from the menu.

Playing music remotely using MPD

/ Felipe Alfaro Solana / 2 Comments

From the home page of MPD:

Music Player Daemon (MPD) allows remote access for playing music (MP3, Ogg Vorbis, FLAC, AAC, Mod, and wave files) and managing playlists. MPD is designed for integrating a computer into a stereo system that provides control for music playback over a local network. It is also makes a great desktop music player, especially if you are a console junkie, like frontend options, or restart X often.

The idea behind using MPD was to be able to set up a multimedia computer that I could manage either locally or remotely. When I mean remotely, I don’t mean via VNC or X11/NX. For example, I don’t need the overhead of a full X11 session just to play music over the sound card of my multimedia computer. I might do that using MPlayer over a SSH/screen session or a text-based, command-line music player, but sometimes I like GUI applications too!

Also, detaching the music player controller (the daemon) from the client allows me to use different clients from different computers. Sometimes I’m using one of my Apple computers. Sometimes I’m using one of Linux boxes. Using a client that matches natively my operating system is something that I really appreciate.

For Linux I use Sonata. For Mac OS X I use Theremin.

Installing MPD on Ubuntu Feisty Fawn

Installing MPD in Ubuntu Linux, as usual, it’s pretty straightforward:

sudo apt-get install mpd

By default, Ubuntu will install MPD, start it up and create the symbolic links under /etc/rc[0123456].d to make sure it gets started at the next system boot.

You might also want to edit MPD’s configuration file:

$EDITOR /etc/mpd.conf

In my case, the only thing I changed in this file is the bind_to_address directive to allow clients to connect remotely. It looks like this:

bind_to_address                 "0.0.0.0"

Installing Sonata on Ubuntu Feisty Fawn

Sonata is a nice Python-based, GTK+2.0-based MPD client. Thus, it’s multi-platform and can be run on Linux, *BSD, Solaris, Mac OS X and (I guess) even Windows.

To install Sonata on Ubuntu Linux, run apt-get as usual:

sudo apt-get install sonata

The first time you run Sonata, either from the command-line or from the menu, it will ask you where the MPD daemon is running. It defaults to localhost (and port 6600) so I changed that to point to the hostname of my multimedia computer.

Installing Sonata on Mac OS X

Installing Sonata on Mac OS X is a little bit more elaborated, since some of the components that Sonata requires are not installed by default on Mac OS X.

Sonata requires Python and, more concretely, PyGTK. Since I am already using MacPorts, getting PyGTK installed was a matter of running:

sudo /opt/local/bin/port install py-gtk2

The rest is pretty much the same as for Linux.

Installing Theremin.app on Mac OS X

Theremin.app is a nice, native Cocoa application for Mac OS X that sports Growl integration. For example, when MPD starts playing a new song, Theremin.app notifies the user via a Growl notification.

Download Theremin.app from Theremin’s Web site.

Extract it and run it:

tar jxvf Theremin_0.5.1.tbz
open Theremin.app

Theremin.app can also be compiled from sources by downloading the source code from the Subversion repository and using Xcode to compile it. I must confess that I was lazy to that, so I chose to run the pre-compiled binaries.

Apple's Safe-Sleep and privacy

/ Felipe Alfaro Solana / Leave a comment

Safe-Sleep is a technology from Apple — similar to the hibernation in Windows systems — that allows Mac OS X to save the contents of the entire RAM into the filesystem when the computer is put to sleep. This helps the system surviving a complete power loss, for example, like when replacing batteries on the fly.

The entire contents of the RAM are stored in /private/var/vm/sleepimage completely un-encrypted, even if the user explicitly configured FileVault or an encrypted swap. A possible reasoning for this is that sleepimage is a per-system, and not a per-user, file and thus completely unrelated to FileVault and I guess that encryption is not possible since the firmware needs access to some contents of this file.

While Safe-Sleep could seem like a nice feature for Mac OS X, for me it constitutes a big threat to my privacy. In fact, I’ve seen my log-in password stored in plain text in /private/var/vm/sleepimage a couple of time which, of course, scares me.

To disable Safe-Sleep, run the following command:

sudo pmset -a hibernatemode 0

If you ever want to re-enable Safe-Sleep, run the following command:

sudo pmset -a hibernatemode 3

iTunes Plus: Is DRM dead, finally?

/ Felipe Alfaro Solana / Leave a comment

Today, while I was looking through my e-mails, I realized that one from the Apple iTunes Store had been sitting unread for a couple of days in my inbox. I usually don’t pay much attention to this kind of e-mails but I was bored enough to go and give it a try.

The e-mail was the announcement on the availability of iTunes Plus for the Spanish iTunes Store. I was so curious that I saw myself firing iTunes on Mac OS X up even before I finished on reading the e-mail. I looked around a little bit but wasn’t able to find any trace of any 1,29€ songs, anywhere. I searched for Paul McCartney, Coldplay and the like, but all I could find were the traditional 0,99€ songs. I felt disappointed, but after a closer look, I could find an iTunes Plus link on the Quick Links section on the main page, so badly placed to even not realize it is there.

I decided to give it a chance, so I clicked on the link. Next, I was presented with the typical incomprehensible use license, clicked Accept and jumped in to search for some music, specifically music from Enigma. I could see that all the songs listed 1,29€ under the price column plus a “+” (plus) sign besides it. I double clicked on “Return to Innocence” in order to hear a preview but iTunes was stuck for so long trying to connect to the server that I finally gave up and clicked on Cancel. I felt lucky so I clicked on the Purchase button. In general, the purchase process is identical to the one used by DRM-protected iTunes Store, except that it took unusually longer to complete. I don’t know the exact reasons for this. It could be because of iTunes Plus Store uses different back-ends servers that are not scaled up well enough for the demand of service, could be something else. In any case, I felt really happy when I told iTunes to display the file on Finder and saw the extension was “.m4a” instead of “.m4p” (typical of DRM-protected songs). The sound quality seems pretty good at 256kbps in AAC digital format and since MPlayer, Rhythmbox and many other open source, free players can play unprotected AAC songs with no trouble at all, it means this is big step forward in the right direction towards a DRM-free world (at least in the music world).

It was about time for the music industry to realize that DRM (Digital Restrictions Management) is not the answer. Finally!

Mac OS X, Bluetooth and Motorola UMTS phones

/ Felipe Alfaro Solana / 2 Comments

NOTE: This post is a based on Mac OS X, Bluetooth and Nokia UMTS phones that I wrote some days ago, but adapted to Motorola 3G phones.

This brief post explains how to pair Mac OS X with a Motorola 3G/UMTS phone in order to access the Internet via a data packet connection. In my case, I’m using a Motorola RAZR V3xx phone but any other Motorola 3G phone should work.

Before you start, please make sure that your phone is properly configured and that you can browse the Web via a GPRS/UMTS connection. Also, make sure that Bluetooth support in your phone is configured and activated and, for phones that have temporary visibility (are only visible via Bluetooth for a limited period of time), make sure to enable Bluetooth just before the pairing process.

Initial configuration

First, download the Motorola 3G Modem Scripts for Mac OS X from Ross Barkman’s Home Page (the official site) or from here.

Second, uncompress the file and copy the files named “Motorola 3G CID1” and “Motorola 3G CID2” into “/Library/Modem Scripts“.

Next, pair your Mac OS X computer with the Motorola phone by clicking on the Bluetooth icon in the menu bar and then Set up Bluetooth Device…. When pairing make you sure you choose Use a direct, higher speed connection to reach your Internet Service Provider *GPRS, 1xRTT).

Enter guest as the Username, guest as the Password, the APN (CID String or Telephone number) and make sure Motorola 3G CID1 is selected as the Modem Script. For example:

For a detailed list of possible combinations of username, password and APN CID for a lot of providers around the world visit Ross Barkman’s GPRS Info Page.

Dialing out

To dial out, open Internet Connect, browse to the Bluetooth tab and make sure the right entry is selected from the drop down menu. Then click Connect. Mac OS X will authenticate to the remote PPP server and a new dynamic PPP subinterface should be configured:

$ ifconfig ppp0
ppp0: flags=8051 mtu 1500
        inet 10.142.15.9 --> 10.6.6.6 netmask 0xffffff00

In my case, browsing speed is very good (around 384Kbps), but it might vary according to placement, coverage, whether you are moving and so on (by the way, UMTS network planning, deployment and coverage is something not trivial).

Troubleshooting

Make sure all the information for the connection have been entered correctly, specially the APN/Telephone number. If it doesn’t work, try using Motorola 3G CID2 as the Modem Script instead.

iSync 2.3 and the Motorola RAZR V3xx

/ Felipe Alfaro Solana / 4 Comments

It turns out that the Motorola RAZR V3xx cell phone is not yet supported by iSync 2.3. Fortunately enough, David has created an iSync 2.3 plugin.

David wrote a post named iSync and a Motorola RAZR V3xx and the iSync 2.3 plug-in that can be downloaded from here or from here.

Unfortunately, the version that is available at the moment of this writing is version 4 and, while it does support synching contacts, iCal synching is not yet supported or working. Anyways, thanks for the plug-in, David 🙂

Mac OS X, Bluetooth and Nokia UMTS phones

/ Felipe Alfaro Solana / 10 Comments

This brief post explains how to pair Mac OS X with a Nokia 3G/UMTS phone in order to access the Internet via a data packet connection. In my case, I’m using a Nokia 6234 phone but any other Nokia phone should work.

Before you start, please make sure that your phone is properly configured and that you can browse the Web via a GPRS/UMTS connection. Also, make sure that Bluetooth support in your phone is configured and activated and, for phones that have temporary visibility (are only visible via Bluetooth for a limited period of time), make sure to enable Bluetooth just before the pairing process.

Initial configuration

First, download the Nokia 3G Modem Scripts for Mac OS X from Ross Barkman’s Home Page (the official site) or from here.

Second, uncompress the file and copy the files named “Nokia 3G CID1” and “Nokia 3G CID2” into “/Library/Modem Scripts“.

Next, pair your Mac OS X computer with the Nokia phone by clicking on the Bluetooth icon in the menu bar and then Set up Bluetooth Device…. When pairing make you sure you choose Use a direct, higher speed connection to reach your Internet Service Provider *GPRS, 1xRTT).

Enter guest as the Username, guest as the Password, the APN (CID String or Telephone number) and make sure Nokia 3G CID1 is selected as the Modem Script. For example:

For a detailed list of possible combinations of username, password and APN CID for a lot of providers around the world visit Ross Barkman’s GPRS Info Page.

Dialing out

To dial out, open Internet Connect, browse to the Bluetooth tab and make sure the right entry is selected from the drop down menu. Then click Connect. Mac OS X will authenticate to the remote PPP server and a new dynamic PPP subinterface should be configured:

$ ifconfig ppp0
ppp0: flags=8051 mtu 1500
        inet 10.142.15.9 --> 10.6.6.6 netmask 0xffffff00

In my case, browsing speed is very good (around 384Kbps), but it might vary according to placement, coverage, whether you are moving and so on (by the way, UMTS network planning, deployment and coverage is something not trivial).

Troubleshooting

Make sure all the information for the connection have been entered correctly, specially the APN/Telephone number. If it doesn’t work, try using Nokia 3G CID2 as the Modem Script instead.