Wrestling with Alligators: putting OS X in an open access lab (or “The Joy of X”)

Wrestling Alligators @ SIGUCCS 2003



What is OS X?

• UNIX

– Command line interface, something that was entirely absent in all previous versions of the Macintosh OS.

– NEXTStep lineage.

– FreeBSD and System V (from Bell Labs) and Berkeley Labs.

– Long historical root

– Open Source.

– Huge library of well-tested software available for use

– Accompanying security issues as they arise.


Major departure from the pre-X operating system (OS9)

– Command line interface a key distinguishing characteristic

– “Aqua” design theme is very different

– The graphical interface is a way to manage a series of command-line actions

– Start with Terminal program (/Applications/Utilities).

– Try man -k netinfo


The Toolkit

• One machine as master

– FireWire strongly preferred

– Build your master image in layers


The Toolkit

• One machine as clone

– A second, identical piece of hardware is ideal

– “Crash and burn” insurance

– Your sandbox for experimentation


The Toolkit

– Carbon Copy Cloner

• From Mike Bombich (www.bombich.com).

• Interface to asr (Apple Software Restore) and ditto.

• Takes a complete “snapshot” of the hard drive to back up

• Creates an image file (suffix .img).

• Tool of choice for the production of your master image file.


The Toolkit

– NetRestore

• From Mike Bombich (www.bombich.com).

• Restoration of a complete hard drive image.

• Source image can be on a:

– local partition

– FireWire drive

– CD

– Network

• Really fast.

• Post-processing possible


The Toolkit

• FireWire drive

• Without any external drive options at all, you are likely to face an uphill battle.


Security

• Different from the past

– Almost the centerpiece of the process

– Before OS X, the Macintosh was a low security risk.

– UNIX has long been a domain for experimentation

– It will only take one episode of serious abuse to create the potential for major problems.


Security

• Why it matters

– It is easy to set up an Apache web server.

– It is easy to configure ssh and allow anyone in.

– It is easy to set up packet “sniffers”

– Instructions for doing these things are found on the Wild, Wild Web!

– Setting up remote machines to launch a Denial of Service attack is possible


Security

• Open Firmware

– Not new with OS X.

– Access certain kinds of parameters at boot time.

– Similar to the older parameter RAM.

– Platform independent.

– Developed by Sun Microsystems.


Security

• Open Firmware

– What can you do with Open Firmware?

– Boot from a CD.

– Set or reset the root password

– Easy to protect against this condition using the setenv and security-mode commands.

– Interface is command-line.

– Get acquainted with the CLI

– Set the boot-device.

– Read files on the main disk, establish limited networking services and change disk information.


Security

• Open Firmware

– Access: hold down the OPTION O F keys. The command line interface will appear.

– Set any options & the password

– One final note: once you have entered a password, do not forget it!


Security

• Single User mode

– Allows a system administrator access to an ailing machine.

– Once booted into single user mode, the root account is automatically logged in and does not require a password.

– Simple process to check the disk and mount the entire file system as read-write.

– Hard to protect yourself once the user has booted to single user mode.

– Prevent it from happening at all by enabling command security and setting a password.


Security

• A brief detour…

• Let’s boot into single user mode…

– Reboot

– Hold down S key

– Notice the instructions…

– Running SystemStarter enables netinfo


Security

• Root

– Superuser and root may be new

– The root user, or superuser is a special UNIX account.

– This user can do anything – absolutely anything – to a system.

– By default, OS X ships with the root account disabled.

• You might have to enable it.

• There is a good alternative


Security

• Root

– Former advocate of enabling root with a good password.

– Now: leave the root account disabled

• Use a combination of methods

• sudo


Security

• Root

– Sudo allows one to act as root (sudo translates to Superuser do)

– Very configurable

• Allow only certain programs to be used by certain users

– Any local administrative account can use sudo

– You can simply type sudo sh

– Single-user mode still works with root disabled


Security

• Local accounts

– No more local accounts

– Ssh and sudo only


Security

• Local accounts

– Your users cannot be administrators

• Be certain that your regular users are never administrative users.

• With network based authentication method you are all set

– No user that logs in via most properly configured methods will be anything except a non-administrative user.

• Why does this whole administrative user thing even matter?

– Installation of software requires administrative username and password.


Security

• Why Classic mode should go away

– Add-on to OS X

– Run older “legacy” applications

– If you offer this, you have extra work.

– Potentially serious security issues

• Boot into OS9, destroy OS X

• FWSucker

• crack /etc/passwd

– Adds a layer of complexity and instability for the user.


Configuration

• Open Firmware

– Boot the machine - hold down the OPTION O F keys.

– The command line interface appears:


Configuration

• Open Firmware

– Now, set the password:

– Press enter after typing in a command. The system response is usually the terse ‘ok’.

– Find a way to remember this password!


Configuration

• Open Firmware

– Finally, set the security mode level:

– Then reboot the machine:

• Open Firmware is now secure.

(At this point, you can leave it open as you prepare the master image…


Configuration

• Next we tackle Authentication


Authentication

• Several methods available

• By default, OS X uses locally based methods


Authentication

• Local or network?

– Always open for access to the password file

– If all local accounts are disabled, this is a moot point.

– With all local accounts disabled, though, we face an entirely different problem. How do we log in as an administrator in order to install software? There are several aspects to this question.


Authentication

• Local or network?

– Software installations

– Application installations get complex.

– Use the sudo facility.

– Non-local user can become root.

– With enabled local accounts /etc/passwd looks like this:

root:DWa.RtYYiKLw:0:0::0:0:System Administrator:/var/root:/bin/tcsh

– A “state change” can be done several different ways.


Authentication

• Local or network?

– Log in as the sudo user, become root

• Issue the password change – passwd root

– Now, you can perform many system-level tasks.

– Installations possible

– You have to change this back to a disabled state


Authentication

• Local or network?

– Use netinfo database to enable a disabled account

– Not simple to disable it. You cannot use vi and edit /etc/passwd.

– Reload using niload command.


Authentication

• Local or network?

– Create a text file of /etc/passwd:

nidump passwd . > /Users/apple/open_password_file

– Make a copy to edit:

cp open_password_file closed_password_file

vi closed_password_file

– Change all password fields to a simple asterisk


Authentication

• Local or network?

– Now it might look like this:

nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null

root:*:0:0::0:0:System Administrator:/var/root:/bin/tcsh

daemon:*:1:1::0:0:System Services:/var/root:/dev/null

unknown:*:99:99::0:0:Unknown User:/dev/null:/dev/null

smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/dev/null

www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null

mysql:*:74:74::0:0:MySQL Server:/dev/null:/dev/null

sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/dev/null

admin:*:501:20::0:0:Administrator:/Users/admin:/bin/tcsh

customer:*:502:20::0:0:CIT Computer Lab User:/Users/customer:/bin/tcsh


Authentication

• Local or network?

– Now we have two password files – enabled & disabled.

– Reload a file:

niload -d passwd . < /Users/admin/closed_password_file

– All the local accounts are disabled

– Move modified password files off of the local drive!
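The "change every password field to an asterisk" step above can be done and checked mechanically. This is an added example, not code from the slides: a POSIX shell filter that reads a nidump passwd dump on stdin and writes the closed form, plus a check to run before niload. The sample lines are constructed in the deck's format (the root line is the one shown earlier; the admin and customer hashes are placeholders).

```shell
#!/bin/sh
# Added example, not from the slides: mechanise the "change every password
# field to an asterisk" step and check the result before it is fed to niload.
# Field layout is the NetInfo/BSD one the deck shows:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Read passwd lines on stdin, write them out with field 2 set to '*'.
close_passwd() {
    awk -F: 'BEGIN { OFS = ":" } NF >= 2 { $2 = "*" } { print }'
}

# Print how many lines on stdin still carry something other than '*'.
count_open() {
    awk -F: 'NF >= 2 && $2 != "*" { n++ } END { print n + 0 }'
}

# Exit 0 only if every account on stdin is closed; run this on the file
# before "niload -d passwd . < closed_password_file".
verify_closed() {
    [ "$(count_open)" -eq 0 ]
}

# Constructed sample in the deck's format. The root line is the one shown on
# the slides; the admin and customer hashes are made-up placeholders.
SAMPLE_OPEN='root:DWa.RtYYiKLw:0:0::0:0:System Administrator:/var/root:/bin/tcsh
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
admin:PLACEHOLDER1:501:20::0:0:Administrator:/Users/admin:/bin/tcsh
customer:PLACEHOLDER2:502:20::0:0:CIT Computer Lab User:/Users/customer:/bin/tcsh'

# Typical use on the master, kept as comments so the script runs anywhere:
#   nidump passwd . > /Users/admin/open_password_file
#   close_passwd < /Users/admin/open_password_file > /Users/admin/closed_password_file
#   verify_closed < /Users/admin/closed_password_file \
#       && niload -d passwd . < /Users/admin/closed_password_file
```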


Authentication

• Next we configure our remote authentication method, LDAP


Authentication

• LDAP v3

– 10.2.x only

– Security is better

• Passes encrypted passwords

• Kerberos no longer required

– Do not install MIT Kerberos on 10.2.x systems!

• SSL support

– LDAP data may (still) need “massaging”

• This can be a critical concern


Authentication

• LDAP v3

– Steps to authentication using SSL:

• Configure Directory Access on the local machine

• Create the dummy account

• Add the certificate to the local machine

• Edit the ldap.conf file to make the local system aware of the certificates

• Configure Authentication on the client


Authentication

• LDAP v3

– Required attributes (direct from the Apple systems Engineer!):

• uniqid=User’s Short Name (for us this is netid)

• uid=UID Number (we made this the same for everyone)

• homeDirectory=Home Directory Path (we made this the same for everyone too!)

– Useful attributes:

• cn=Common Name

• gid=GID Number (we made this the same for everyone too )


Authentication

• LDAP v3

– Configure Directory Access

• Users contains only those record types and attributes we use

• Default Attribute Types contains only RecordName which is set to value cn as an LDAP server attribute

Authentication

• LDAP v3

– Configure Directory Access

• RecordName is set to netid for our installation

• RealName is the actual name of the user, a.k.a. Common Name or cn

• UniqueID was one of our custom additions and was the critical part to get a valid local UID

• PrimaryGroupID was another one of our custom additions but was not a critical part (at this point!)

• NFSHomeDirectory was the third of our custom additions and was also a critical part to get a valid local home directory

– Setting connection variables:

• Reducing default time-out values improves performance

• You can test without SSL to get things going if you need to… (in which case you do not need the CA on the client)


Authentication

• LDAP v3

– Create the “dummy” account

• This provides the correct local home directory, group and/or user id…

– Be careful here: the numbering has to match your LDAP data!

– Use the account manager:

• ‘Computer Lab User’ (Long name)

• ‘customer’ as short name

– Name can be anything

– This matches our specification for UID/GID

– Notice that in the /Users section, we now have:

drwxr-xr-x 13 502 20 442 Dec 30 16:14 customer


Authentication

• LDAP v3

– Update the client for ldap and ssl

– The certificates must be in the correct place on the local systems: /System/Library/OpenSSL

mv ~/ca-bundle.crt /System/Library/OpenSSL/certs

• You can test this from the command line (terminal):

openssl s_client -connect ldap.uvm.edu:636 -showcerts


Authentication

• LDAP v3

– Edit /etc/openldap/ldap.conf to reflect the newly created server & certificate locations:

HOST ldap.uvm.edu

BASE dc=uvm,dc=edu

TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt


Authentication

• LDAP v3:

– The final ldap.conf file looks about like this:

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt
# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

HOST ldap.uvm.edu
BASE dc=uvm,dc=edu
TLS_CACERT /System/Library/OpenSSL/certs/ca-bundle.crt

Authentication

• LDAP v3

– Configure CustomPath

• Notice that our configuration is now available for use

• And here we are done with authentication and are ready to test!


Authentication

• LDAP v3

– The problem: without correct mapping of key attributes (UID, GID & Home Directory), almost nothing works for a non-local user!

– This is a permissions problem:

• Many applications – iTunes, Internet Explorer – require write access to certain areas.

– Without these correct mappings, your non-local users are not valid for the local client system


Authentication

• LDAP v3

– This is why we create the local machine data: default user (UID), home directory (/Users/customer) and group ID (GID)

– User logging in is simply “remapped” to the local account by virtue of other properties pulled in from the query – in our case, UID & HomeDirectory

– Early tests also had a local group ‘customer’ with ID of 502…

– …but further testing suggested that we only needed UID to get the required mapping

– We decided on user “customer” with the default UID of 502


Authentication

• LDAP v3

– The result?

– Users logging in with non-local accounts (those authenticated against our ldap server) all have:

• UID = 502 (This is what makes everything work)

• GID = 502 (We don’t need this, but have it there anyway)

• HomeDirectory = /Users/customer (so everyone shares the same working space, just as they do with current Macs and Windows machines…)


Authentication

• LDAP v3

– Decision time:

• What does your LDAP data look like?

• How much do you have to alter your data to get OS X authentication to work?

• Can you alter your data? Will those managing this service do this for you? (willingly???)


Authentication

• LDAP v3

– We massaged our LDAP data to provide a fixed value for all users:

• uvmAltUID: 502

– 502 because for Lab Machines, the next default UID number chosen by the system was 502

• uvmAltGID: 502

– Arbitrary…

• uvmAltHomeDir: /Users/Customer

– This matched the locally created account home directory path


Authentication

• LDAP v3

– The result was that correct permissions are all set up when the user logs in

• You could use GID instead of UID…

• …but there might be other lurking issues!


Installing the software

• Install software as the administrator

• Need to examine permissions and write-access in a few cases.

• Without Classic mode, many knotty issues simply go away.


Configuring what your user sees

• Establish the “look and feel” of the local user.

• Use the “dummy” account

• If need be, set this account to be an administrator

• Do not forget to set the account back to a regular, non-administrative type when you are done.


Configuring what your user sees

• Include the following things in your generic user configuration:

• Screen saver kicks in after 5 minutes, and a password is required upon wake;

• Energy Saver - display sleep but not the machine

• Run every application.

• Play a DVD disc;

• Set home page default


Printing

• Particular and painful set of challenges

• Easier than OS9 & Desktop Printing.

• Use the Print Center utility, and be sure to test thoroughly!


Login/logouthook

• Not the same as Login Items which are managed by the user

• Scripts called through the login or logout hook apply to the system

• Scripts run from login or logout hook run as root and so are completely in control of the entire system.


Login/logouthook

• Edit /etc/ttys.

• Make a copy first!

cd /etc

cp ttys ttys.ORG

• Set up the target directory

mkdir /Library/Admin

mv ~/cleanout_dummy.sh /Library/Admin/cleanout.sh


Login/logouthook

• Use the right editor

• For vi:

cd /etc/

vi ttys

• For emacs:

cd /etc/

emacs ttys

• For pico:

cd /etc/

pico -w ttys


Login/logouthook

• Single line to edit. Here it is in its original state:

console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"


Login/logouthook

• Edit to add a loginhook. The added section (shown in red on the original slide) is the -LoginHook argument:

console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Admin/cleanout.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

• Loginhook points to: /Library/Admin/cleanout.sh. We make that path and file before we reboot!


Login/logouthook

• Console login

– Enter >console as username at the login window

– Plain console login.

– Not a security issue, a support issue


Login/logouthook

• Console login

– Edit /etc/ttys and remove the part shown in red on the original slide:

console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Admin/cleanout.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"


Cron jobs

• Mechanism to allow specified jobs (scripts, executables, etc.) to be executed according to certain time criteria.

• Over and over again or simply a “one shot” deal.

• Uses the crontab file for root.


Cron jobs

• Shutdown at 11:55 p.m.

– Can't use “Shut down” from the Apple Menu.

– UNIX tools: shutdown or halt.

– Use halt to avoid problems in unattended mode

– No provision for warning users that have open files. Halt stops the system abruptly.


Cron jobs

• Shutdown at 11:55 p.m.

– How: become root, call the crontab editing mechanism:

crontab -e

– Tell cron what to do and when:

55 23 * * * /sbin/halt

– Exacting syntax

– 55 = minute of the hour.

– 23 = hour (11 pm)

– * = wildcard (anything)

– * * * = day of month, the month and the weekday.

– Finally, the command to run must include the full pathname.


Cron jobs

• Shutdown at 11:55 p.m.

– Put all together, our crontab line says “On any day of the week, on any month, on any day of the month, at exactly 23 hours (11 PM) and 55 minutes, run the halt command in /sbin/”.

55 23 * * * /sbin/halt


Cron jobs

• Shutdown at 11:55 p.m.

– Warning to users as an RTF file on the system

– Call it like this:

45 23 * * * /usr/bin/open -a /Applications/TextEdit.app/ /Library/Admin/warn.rtf


Cron jobs

• Shutdown at 11:55 p.m.

– Review your entries using the crontab -l (list) flag:

crontab -l

55 23 * * * /sbin/halt

45 23 * * * /usr/bin/open -a /Applications/TextEdit.app/ /Library/Admin/warn.rtf
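The "exacting syntax" the deck describes is easy to get wrong in an unattended root crontab, so here is an added example (not from the slides) of a small POSIX shell checker for a line before it goes in through crontab -e. It applies the two rules stressed above: five time fields that are each '*' or an in-range number, and a command given by its full pathname. It accepts only the plain field form used in these slides (no ranges, lists or step values), which is an assumption about what the lab needs.

```shell
#!/bin/sh
# Added example, not from the slides: sanity-check a root crontab line
# before "crontab -e". Only the simple field form used in the deck is
# accepted ('*' or a single number per field); ranges such as 1-5 and
# steps such as */5 are valid cron but deliberately rejected here.

# Return 0 if a field is '*' or an integer within [lo, hi], 1 otherwise.
field_ok() {
    f=$1; lo=$2; hi=$3
    [ "$f" = "*" ] && return 0
    case $f in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$f" -ge "$lo" ] && [ "$f" -le "$hi" ]
}

# Check one crontab line. Prints "ok" and returns 0, or prints the first
# problem found and returns 1.
check_cron_line() {
    set -f                     # no globbing: the '*' fields must stay literal
    set -- $1                  # split the line on whitespace
    set +f
    if [ $# -lt 6 ]; then
        echo "too few fields: need minute hour mday month wday command"; return 1
    fi
    field_ok "$1" 0 59 || { echo "bad minute: $1"; return 1; }
    field_ok "$2" 0 23 || { echo "bad hour: $2"; return 1; }
    field_ok "$3" 1 31 || { echo "bad day of month: $3"; return 1; }
    field_ok "$4" 1 12 || { echo "bad month: $4"; return 1; }
    field_ok "$5" 0 7  || { echo "bad weekday: $5"; return 1; }
    case $6 in
        /*) ;;                 # absolute path, as the deck requires (cron's PATH is minimal)
        *)  echo "command must use a full pathname: $6"; return 1 ;;
    esac
    echo "ok"
}

# The two entries from the deck, checked before installing them:
#   check_cron_line '55 23 * * * /sbin/halt'
#   check_cron_line '45 23 * * * /usr/bin/open -a /Applications/TextEdit.app/ /Library/Admin/warn.rtf'
```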


Cron jobs

• System cleanup

– OS X has pre-wired cron jobs for maintenance use.

– Designed to run at 3:00 a.m.

– Timing of log rotation

– Special system crontab files are managed and edited differently and are located in a different place on the system.


Cron jobs

• System cleanup

– Make a backup copy of the original file first:

cd /etc

cp crontab crontab.ORG

– Decide on timing.

– File is set to read-only by default. We must change this to edit the file:

ls -l crontab

-r--r--r-- 1 root wheel 299 Jun 19 11:11 crontab

chmod u+w crontab

ls -l crontab

-rw-r--r-- 1 root wheel 299 Jun 19 11:11 crontab


Cron jobs

• System cleanup

– Edit using either vi, emacs or pico -w:

vi crontab

– Change to your timing:

#minute hour mday month wday who command

# Run daily/weekly/monthly jobs.

45 23 * * * root periodic daily

30 23 * * 6 root periodic weekly

15 23 1 * * root periodic monthly


Cron jobs

• System cleanup

– Change the permissions back to read-only:

ls -l crontab

-rw-r--r-- 1 root wheel 299 Jun 19 11:13 crontab

chmod u-w crontab

ls -l crontab

-r--r--r-- 1 root wheel 299 Jun 19 11:13 crontab


Cron jobs

• Logout after a set idle time

– Log the user out of the system after a set amount of idle time.

– Count off a set interval from the moment the screensaver kicks in; once that interval is exceeded, log the user out.


Cron jobs

• Logout after a set idle time

– No built-in utility to do a command line logout.

– Modified ADC code to produce a logout executable

– Add to the root crontab file:

* * * * * /Library/Admin/idleScript.app

– This says “at any time, on any day, run the script named ‘idleScript.app’ in the ‘/Library/Admin’ directory.”


Duplicating the /Users/customer folder

• Past practice was a full refresh at some regular interval.

• Default OS configurations have increasingly stringent security measures

• Less to worry about

• Restore the local user workspace and configuration

• Just need a spare, clean copy of this directory

• Replace at login.

Duplicating the /Users/customer folder

• The ByHosts problem

– Hardware-linked set of preferences for a number of applications.

– This is quite straightforward in how it is set up.

– Each home directory has ~/Library/Preferences/ByHost

– Use a post-installation script.

Duplicating the /Users/customer folder

• The ByHosts problem

– Iterate through all of the files

– Replace the master machine's hardware address with that of the machine being cloned.

Duplicating the /Users/customer folder

• Ditto versus cp

– Must use the built-in ditto utility and not the standard UNIX cp (copy) command.

– Files are corrupted (damaged) otherwise

– Syntax:

ditto -rsrcFork /source/directory/ /target/directory/

– The -rsrcFork flag preserves resource forks and HFS meta-data.

Duplicating the /Users/customer folder

• Making the backup copy

– Replicate a spare copy of the local home directory.

– Set backup copy location, & make a target directory

– My convention: /Users/admin/Restore

mkdir /Users/admin/Restore

Duplicating the /Users/customer folder

• Making the backup copy

– Now, ditto* the original source directory:

ditto -rsrcFork /Users/customer/ /Users/admin/Restore/

– Make sure it all got there:

ls -laR /Users/admin/Restore/

*Note that this must be done as root

Tweaking the user interface

• Goal is a smooth, easy to manage interface for all users.

Tweaking the user interface

• Developer Tools & “nib”bling at parts

– Modifying the Apple menu.

– Use the tools in the Developer package.

– Find the correct file:

/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj

– Double-click StandardMenus.nib. It will open with Interface Builder.

– Make any changes

– It is also possible to customize the Login screen.

Software Updates

• Be sure to uncheck all automatic updating mechanisms for the generic user.

• Can be done at the command line:

man softwareupdate

Locking things down

• Start with the basics:

– Set the open firmware passwords

– Secure or eliminate local accounts

– Disable root access.

– Do not make general users administrative users.

Locking things down

• Changing executable permissions

– Run as many programs as the generic user

– Typically, I’ve been preventing access to these programs:

• AirPort utilities

• Console

• Directory Access

• Disk Utility

• Installer

• Keychain

• NetInfo Manager

• Network Utility

Locking things down

• Changing executable permissions

– Change the permissions only for the ‘other’ category – leave ‘group’ and ‘user’ intact.

– Use the chmod command:

chmod o-rwx AirPort\ Admin\ Utility.app

– Advantage: leaving the admin group with rwx keeps the program usable by administrators.

Locking things down

• Changing executable permissions

– Some programs facilitate access to sensitive system data

– NetInfo is the critical example

– Change access for system files:

chmod go-rwx /var/backups/

chmod go-rwx /var/db/netinfo/local.nidb

Locking things down

• Changing executable permissions

– All utilities for NetInfo use should be set to root use only:

chmod go-rwx /usr/bin/nicl
chmod go-rwx /usr/bin/nireport
chmod go-rwx /usr/bin/niutil
chmod go-rwx /usr/bin/nigrep
chmod go-rwx /usr/bin/nifind
chmod go-rwx /usr/bin/nidump
chmod go-rwx /usr/bin/niload

– Change NetInfo Manager itself

chmod o-rwx NetInfo\ Manager.app

Locking things down

• Changing executable permissions

– Print Center is a special case

– Users cannot add or delete printers

– I use:

chmod o-rwx Print\ Center.app

– To get:

drwxrwx--- 3 root admin 102 Feb 11 2003 Print Center.app

– Others have used:

d-wx-wx-wx 3 root admin 102 Feb 11 2003 Print Center.app

Locking things down

• File access permissions

– Read-only

– No access at all

Locking things down

• SetUID and SetGID programs

– A user running one of these programs is granted the owner's access: the process's effective UID (or GID) becomes that of the file's owner (or group) rather than the user's own.

– Find all files that are configured as setuid and setgid using the UNIX find command and save to a file:

find / -type f -perm +6000 -ls > mysetuidgidfiles.txt

Locking things down

– These are commonly restricted using the chmod command in absolute mode:

chmod 0700 /usr/bin/chfn

chmod 0700 /sbin/rdump

chmod 0700 /sbin/rrestore

chmod 0700 /usr/sbin/sliplogin

chmod 0700 /usr/bin/wall

chmod 0700 /usr/bin/write
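The list that find produces is most useful as a baseline to compare against later. As an added example (not from the slides), two shell functions build that inventory in a form that also works with GNU find and report files that have gained a setuid or setgid bit since the baseline was saved; the file names and the constructed temp tree are assumptions.

```shell
# setuid_list <root>: every setuid or setgid regular file under <root>, sorted.
# "-perm +6000" is BSD-only syntax; this spelling works on BSD and GNU find.
setuid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# setuid_diff <root> <baseline>: print files that are setuid/setgid now but were
# not in <baseline> (a file written by setuid_list). Returns 0 when the inventory
# is unchanged, 1 when new entries exist, 2 when the baseline is missing.
setuid_diff() {
    root=$1; baseline=$2
    [ -f "$baseline" ] || { echo "baseline missing: $baseline" >&2; return 2; }
    # comm needs both inputs sorted; -13 keeps lines only in the current list
    new=$(setuid_list "$root" | comm -13 "$baseline" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Stand-alone demo on a constructed tree in a temp dir (not the real root).
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin"
printf '#!/bin/sh\n' > "$demo/usr/bin/chfn"; chmod 4755 "$demo/usr/bin/chfn"
setuid_list "$demo" > "$demo/mysetuidgidfiles.txt"   # baseline, one path per line
chmod 0700 "$demo/usr/bin/chfn"                      # restricted as on the slide
printf '#!/bin/sh\n' > "$demo/usr/bin/wall"; chmod 2755 "$demo/usr/bin/wall"
setuid_diff "$demo" "$demo/mysetuidgidfiles.txt" || echo "new setuid/setgid files found"
rm -rf "$demo"
```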

Granting privileges

• You will need to perform certain kinds of privileged operations after you have deployed all your machines. With local accounts, the local administrator account serves this purpose.

• With no local accounts, you have choices.

Granting privileges

• Designate a specific user or users as sudo users

• Edit /etc/sudoers.

• The last few lines in the default sudoers look like this:

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

• Add designated user (mdoe) like this:

mdoe ALL=(ALL) ALL

Granting privileges

• Possible to use a network-based backend (typically an SQL table)

• Allots privileges based on this table.

Granting privileges

• GUI-based installation of applications or the altering of settings using the GUI-based tools remains problematic.

• Can use the netinfo command line tools to add a user to the admin group.

niutil -appendprop / /groups/admin users <user_name>

• To remove a user from the admin group, type:

niutil -destroyval / /groups/admin users <user_name>

Refresh & Lost and Found at login

• Use of a "mini-refresh”

• Replace and update the regular user home directory and all the settings at login time.

• Simple to use and is a blessing for users.

• Complete the process of fine-tuning the user interface

Refresh & Lost and Found at login

• Install utility scripts

– Much of the work is done from /Library/Admin.

– prep.sh

• Lives in /private/var/root

• Makes the process of incremental changes easy and quick.

• Saves the typing of the ditto command used to build the restore point.

Refresh & Lost and Found at login

• Install loginhook scripts

– Add scripts referenced in our edited /etc/ttys

– If you change the path here, make sure you change it elsewhere or the loginhook scripts will not work.

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanout.sh

• Moves any user added files to a Lost and Found directory

• Restores the entire /Users/customer/ directory from the hidden spare.

• This is the script referred to in our modified /etc/ttys file

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• This script does all the work of the “mini-refresh”.

• The first thing I like to do is to timestamp the login:

date > /tmp/access.out

• Know who is logging in:

echo "$1 logged in." >> /tmp/access.out
# quote $1 so the test does not break when the hook is run without a user name
if test "$1" = "admin"
then
    echo "Admin logged in for testing" > /tmp/test.out
else

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• For a dynamically refreshed /etc/sudoers file, we update that.

• Change privileges first:

/bin/chmod u+w /etc/sudoers

• Then recopy it:

/bin/cp /etc/sudoers.master /etc/sudoers

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• Reset the permissions:

/bin/chmod u-w /etc/sudoers

• Recopy sshd_config if you use any sort of dynamic changing from a remote source:

/bin/cp /etc/sshd_config.master /etc/sshd_config

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• Now update the home directory.

• First we do the documents folder:

/usr/bin/ditto -rsrcFork /Users/customer/Documents/ /Lost\ and\ Found

• But not the alias of the lost and found:

/bin/rm -rf /Lost\ and\ Found/Lost\ and\ Found

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• Now clean up the Desktop:

/usr/bin/ditto -rsrcFork /Users/customer/Desktop/ /Lost\ and\ Found

• Do not save contents of the Library folder in the lost and found, so this line is commented out:

#/usr/bin/ditto -rsrcFork /Users/customer/Library/ /Lost\ and\ Found

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• Now all the rest goes to the Lost and Found:

/usr/bin/ditto -rsrcFork /Users/customer/Movies/ /Lost\ and\ Found

/usr/bin/ditto -rsrcFork /Users/customer/Music/ /Lost\ and\ Found

/usr/bin/ditto -rsrcFork /Users/customer/Pictures/ /Lost\ and\ Found

/usr/bin/ditto -rsrcFork /Users/customer/Public/ /Lost\ and\ Found

/usr/bin/ditto -rsrcFork /Users/customer/Sites/ /Lost\ and\ Found

• Clean up the Lost and found directory: delete files older than 7 days:

/usr/bin/find /Lost\ and\ Found -mtime +7 -exec /bin/rm -rf {} \;

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• Now we can delete the old:

/bin/rm -rf /Users/customer/

• And then replace everything from the master replacement in /Users/admin/Restore.

/usr/bin/ditto -rsrcFork /Users/admin/Restore/ /Users/customer

• Unlock Normal.dot:

/usr/sbin/Setfile -a l /Users/customer/Documents/Normal

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• Now reset permissions and ownership. We do this because we want to be certain that nothing here is ever owned by root:

/usr/sbin/chown -R customer:staff /Users/customer

• And then we can reset the lock of Normal.dot:

/usr/sbin/Setfile -a L /Users/customer/Documents/Normal

Refresh & Lost and Found at login

• Install loginhook scripts

– cleanhdir.sh

• ‘fi’ “closes” the if clause found at the beginning:

fi

• We must add this exit signal to allow login to complete:

exit 0
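The cleanhdir.sh steps above, gathered into one reusable function as an added example rather than the lab's own script: the directory paths and the owner are parameters, cp -pR stands in for ditto -rsrcFork so the function runs on any UNIX (keep ditto on OS X to preserve resource forks), and the expiry step is written so that find cannot match the Lost and Found directory itself.

```shell
# refresh_home <home> <spare> <lostfound> [owner:group]
# Archives what the user left in the data folders, restores <home> from the
# clean <spare> copy, and re-applies ownership. Returns 0 on success.
refresh_home() {
    home=$1; spare=$2; lost=$3; owner=$4
    [ -d "$spare" ] || { echo "spare copy missing: $spare" >&2; return 1; }
    mkdir -p "$lost" || return 1
    # Library is deliberately not archived, as on the slides
    for d in Documents Desktop Movies Music Pictures Public Sites; do
        [ -d "$home/$d" ] && cp -pR "$home/$d/." "$lost/"
    done
    # drop the Lost and Found alias that was copied along with Documents
    rm -rf "$lost/$(basename "$lost")"
    # expire anything older than 7 days; -mindepth 1 (GNU/BSD find) keeps the
    # match off <lost> itself, which the slide's bare find could hit, and
    # -prune stops find descending into a directory it has just removed
    find "$lost" -mindepth 1 -mtime +7 -prune -exec rm -rf {} \;
    # replace the home directory from the spare, then make sure root owns nothing
    rm -rf "$home"
    mkdir -p "$home" && cp -pR "$spare/." "$home/" || return 1
    if [ -n "$owner" ]; then chown -R "$owner" "$home" || return 1; fi
    return 0
}

# Stand-alone demo on a constructed tree in a temp dir (not the real /Users).
t=$(mktemp -d)
mkdir -p "$t/spare/Documents" "$t/home/Documents/Lost and Found" "$t/home/Desktop"
echo 'master copy' > "$t/spare/Documents/Normal"
echo 'left behind' > "$t/home/Desktop/notes.txt"
refresh_home "$t/home" "$t/spare" "$t/Lost and Found" "" && ls "$t/Lost and Found" "$t/home/Documents"
rm -rf "$t"
```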

Refresh & Lost and Found at login

• Install loginhook scripts

– attrs.pl (for MySQL access only)

• Prerequisites for this:

• mysql client software. Available from http://www.mysql.com/downloads/mysql-4.0.html - be sure to get the package installer (it is a lot simpler).

• DBI software. This is the Database Independent interface for Perl. Available from http://search.cpan.org/author/TIMB/DBI-1.38/DBI.pm - and the version may change.

• DBD software. This is the driver for the MySQL Perl interface. Available from http://search.cpan.org/author/RUDY/DBD-mysql-2.9002/ - note that the versions may change quickly.

Refresh & Lost and Found at login

• Install management scripts

– idleScript.app

• How to determine idle time for the machine.

• Modified version

• Cron runs this script every minute

• We try to determine if ScreenSaver is running.

• If it is, then we increment a count in a file found in /tmp.

• After the threshold, the machine logs out the current user, no matter what!

Refresh & Lost and Found at login

• Install management scripts

– idleScript.app

• Be sure to set maxtime

• Killing the screensaver process was trickier than we expected.

• Used killall

• Note the line that reads:

system "/sbin/logout" || die "Unable to call logout";

• This is a custom file, and the binary is available at http://www.uvm.edu/~dlrh/osx/
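The idleScript logic described here and on the earlier cron slide (count screensaver minutes in a file under /tmp, log out once a threshold is passed) written as an added shell example, not the modified ADC code from the slides; the counter path, the ScreenSaverEngine process name and the ps invocation are assumptions.

```shell
# idle_tick <counter file> <maxtime minutes> <yes|no screensaver running>
# One cron-minute of the check. Prints the minutes counted so far; returns 0
# when the threshold has been reached (the caller then logs the user out) and
# 1 otherwise. Any minute without the screensaver resets the count.
idle_tick() {
    counter=$1; maxtime=$2; running=$3
    if [ "$running" != yes ]; then
        rm -f "$counter"; echo 0; return 1
    fi
    minutes=0
    [ -f "$counter" ] && read minutes < "$counter"
    case $minutes in ''|*[!0-9]*) minutes=0 ;; esac   # tolerate a damaged file
    minutes=$((minutes + 1))
    echo "$minutes" > "$counter"
    echo "$minutes"
    [ "$minutes" -ge "$maxtime" ]
}

# screensaver_running: reads a process listing on stdin so it can be tested
# without a real ps; ScreenSaverEngine is the OS X screen saver process.
screensaver_running() {
    if grep -q 'ScreenSaverEngine'; then echo yes; else echo no; fi
}

# idle_check <maxtime>: what the "* * * * *" cron entry would run each minute.
idle_check() {
    counter=/tmp/idle.count                 # assumed location for the count
    running=$(ps -axww | screensaver_running)
    if idle_tick "$counter" "$1" "$running" > /dev/null; then
        rm -f "$counter"
        killall ScreenSaverEngine 2>/dev/null     # the slides needed killall here
        /sbin/logout || echo "Unable to call logout" >&2   # custom binary from the slides
    fi
}

# Stand-alone demo: three "screen saver running" minutes against maxtime 3,
# on a constructed counter file in a temp dir; the third call returns 0.
c=$(mktemp -d)/idle.count
for m in 1 2 3; do idle_tick "$c" 3 yes || true; done
rm -rf "$(dirname "$c")"
```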

Refresh & Lost and Found at login

• Configure common startup options

– Web page

• Deactivate local accounts

– Be sure you have those files accessible somewhere.

Preparing the master img file

• Need a bootable device that is not the local machine.

• We’ll boot to that, and run Carbon Copy Cloner.

Preparing the master img file

• Prepare a master boot drive on your FireWire drive

– Boot to your master

– Log in as the admin user

– Attach the external drive

– Download Carbon Copy Cloner

– Run it off of the mounted disk Image

Preparing the master img file

• Carbon Copy Cloner

– Easy to use and free

– Select the Source Disk, which is our master disk.

– Select a Target Disk - the attached external FireWire drive

Preparing the master img file

• Carbon Copy Cloner

– Next, we set up Preferences

– Set the Target Disk option of Make bootable.

– Check the Source Disk Option of Repair permissions before cloning.

– Do not check on the Create disk image on target option

– Save these preferences

– Clone

Preparing the master img file

• Carbon Copy Cloner

– Now test it out.

– Reboot your master system, hold down the Option key

– Problems can include:

• a failure to boot the external device at all

• inability to select that device for booting

• inability to get it to actually boot to the external drive

– Install both Carbon Copy Cloner and NetRestore on this external drive.

Preparing the master img file

• Preparing an ASR READY image file

– Develop our master image for use in cloning.

– Space needed: 2 to 3 times the final image size for the build to succeed.

– Select your source drive – the master image drive

– Select the target

Preparing the master img file

• Preparing an ASR READY image file

• Check on the Create disk image on target option.

• Check on the ASR options choice Prepare for Apple Software Restore.

• Select the Read-only compressed option and leave the Segment size empty (the system will decide).

• Select Make bootable option.

• Clone it!

• The result is an image file with the naming convention <Hard Drive name>_asr.img

Cloning

• Boot from your Restore drive

Cloning

• NetRestore

– You can set up specific configurations

– Select Erase Target Disk, Verify restored disk, and Set target as boot disk.

– Drag the source file you created earlier into the Source text entry area.

– Next, select a target drive

Cloning

• NetRestore

– Select Preferences.

– The Default Target Options are configurable

Cloning

• Post processing scripts

– Post-action scripts afford great power

– Fix the ByHosts problem

– Add functionality to these scripts for other tasks.

– Fixing ByHosts

• Iterate through a list of files in ~/Library/Preferences/ByHost

• Set the correct hardware address for each machine

• Make a new copy of the restore point
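The ByHost fix from this slide and the earlier post-installation slides, as an added shell example that is not the lab's own post-action script: it assumes the 2003-era layout in which each file is named <domain>.<hardware address without colons>.plist and stored as XML, so the address can be rewritten with sed; the sample addresses are constructed.

```shell
# fix_byhost <ByHost dir> <old MAC> <new MAC>: rename every *.<old MAC>.plist
# to *.<new MAC>.plist and rewrite the address inside it. MACs are given
# without colons, as the ByHost file names use them. Prints the count fixed.
fix_byhost() {
    byhost=$1; old=$2; new=$3
    [ -d "$byhost" ] || { echo "no ByHost directory: $byhost" >&2; return 1; }
    if [ "$old" = "$new" ]; then echo 0; return 0; fi   # nothing to do, avoids self-clobber
    count=0
    for f in "$byhost"/*."$old".plist; do
        [ -e "$f" ] || continue                       # the glob matched nothing
        base=$(basename "$f" ".$old.plist")
        sed "s/$old/$new/g" "$f" > "$byhost/$base.$new.plist" && rm -f "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# mac_nocolons <aa:bb:cc:dd:ee:ff>: the form the ByHost naming scheme expects,
# e.g. from the "ether" line of ifconfig output (not queried here).
mac_nocolons() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Stand-alone demo on constructed sample files in a temp dir (not a real home).
d=$(mktemp -d)
master=$(mac_nocolons 00:03:93:12:34:AB)   # constructed master address
clone=$(mac_nocolons 00:03:93:AB:CD:EF)    # constructed clone address
printf '<plist><dict><key>host</key><string>%s</string></dict></plist>\n' "$master" \
    > "$d/com.apple.dock.$master.plist"
fix_byhost "$d" "$master" "$clone"
ls "$d"
rm -rf "$d"
```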

Cloning

• Post processing scripts

• Note that the call to the Post-action script text entry box requires a full pathname.

./postpMYSCRIPT.sh

• Place the file postpMYSCRIPT.sh at the root of the bootable external drive.

Cloning

• Configurations

– Open the Edit configurations…

– Click on the image file listed that you used.

– Go back to the Preferences and select this configuration in the Default configuration pop-up menu.

Cloning

• Post-restore actions

– Can set the Open Firmware password.

– It is echoed in bullets - use care!

– Clone away!

– Test, test, test!

Going further

• Remote access

– SSH access

– Turned on using the System Preferences, Sharing, Remote Access.

Going further

• Remote software updates

– SSH allows remote software updates

Going further

• Full refresh

– A useful goal

• May not be as critical as it once was.

• Radmind

– Well tested

– Well supported

– Free

– http://rsug.itd.umich.edu/software/radmind/

• Rsync

– Complex

– Legacy UNIX

– http://www.macosxlabs.org/rsyncx/rsyncx.html

Essential reading

• www.macosxlabs.org (be SURE you check the forums!)

• www.bombich.com (be SURE you check the forums!)

Q & A

?