Apr 22 2014

Have you ever wondered why Apple is moving from AFP to SMB2?

Well, here’s one example:
If you are connected to an AFP server (either OS X or netatalk) and you duplicate a really large file, the complete AFP connection on the client stalls. In the background the client instructs the server to duplicate the file, but it blocks until the copy process is finished. This is a good idea implemented poorly: every application doing I/O on that share point either freezes until the operation is finished or even crashes.

The best part: If you are using SMB you can duplicate files and don’t hang your applications. I could verify this behavior down to OS X Lion. Maybe it’s even true for Snow Leopard…

Mar 30 2014

In my post How to Create a RAM Disk – The Easy Way I released RamDiskCreator. As the name suggests, its only duty is to create a RAM disk. The following AppleScript function does the same. I wrote it for Uwe to create two RAM disks at startup.

on createRamDisk(sizeInMB, volumeName)
	-- hdiutil expects the size in 512-byte sectors
	set sizeInSectors to round sizeInMB * 1024 * 1024 / 512 rounding up
	-- attach an unmounted RAM device, then format and mount it as HFS+
	set cmd to "diskutil erasevolume HFS+ '" & volumeName & "' `hdiutil attach -nomount ram://" & sizeInSectors & "`"
	try
		do shell script cmd
		return true
	on error
		return false
	end try
end createRamDisk

You can download the source here.

Mar 11 2014

Last year there was a bug in OS X that allowed a local attacker to gain root privileges by abusing sudo’s cache. A few months earlier (January 2013) I had informed Apple about a similar problem caused by OS X’s default tty_tickets = off setting. This insecure configuration allows any application to misuse a cached sudo authentication within the cache timeout. The same issue was discussed in this thread on the Debian mailing list in 2010!

The sudo man page reads:

[…] Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time […]

As Mac OS X uses the default value, a 5 minute timeout applies. That means that if an admin user runs sudo, a malicious script can run privileged commands without any further user interaction for 5 minutes. My PoC installs a launchd configuration file (sh.bogner.sudo_escalation.plist) that loads sudo_escalation.sh at startup. This script tries to launch Terminal.app as root as soon as the user has used sudo.

Download

How to Reproduce

  1. The PoC has to be installed (with the installer command)
  2. The currently logged in user has to be member of the admin group
  3. The user or any application (like an installer) has to use the sudo command
    Like: sudo echo "Show me what the PoC does"
  4. Terminal.app should be launched as root

My bug report was acknowledged and then ignored. This problem exists on all fully patched versions of OS X including Snow Leopard (10.6), Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). That’s a really long time to leave it unfixed!

The Fix

The reaction time is especially disappointing as the fix is very easy and has no side effects (at least for me):

  1. Open a terminal window and type (or better copy and paste):
    export EDITOR=nano # you can skip this step if you know how to use vi
    sudo visudo # enter your password afterwards
  2. Add the following line after Defaults env_keep += "HOME MAIL" (it should look like this):

    Defaults        tty_tickets
  3. Press [CTRL]+[o] followed by [ENTER] to save your changes
  4. Press [CTRL]+[x] to exit the editor
  5. Now you can verify your steps by retesting the PoC
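A quick way to audit the setting on a fleet is to parse the sudoers file rather than retesting the PoC by hand. The following script is an added example and not part of the original post: it reports whether tty_tickets is enabled, explicitly disabled or absent (in which case sudo's compiled-in default applies, which on the OS X versions above is off) and picks up a timestamp_timeout override if one is set. It only looks at global Defaults lines; per-user or per-host Defaults are ignored. The demo at the end runs it over two constructed sudoers snippets, not over /etc/sudoers.

```shell
#!/bin/sh
# Added example, not part of the original post: report the sudo timestamp
# policy configured in a sudoers file. "default" means the option is absent,
# so sudo's compiled-in default applies (tty_tickets off on the OS X versions
# discussed above, with a 5 minute timeout).
sudoers_timestamp_policy() {
    awk '
        BEGIN { tt = "default"; timeout = "default" }
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*Defaults[ \t]/ {                 # global Defaults lines only
            sub(/^[ \t]*Defaults[ \t]+/, "")
            n = split($0, opts, ",")             # one line may carry several options
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", o)
                if (o == "tty_tickets")        tt = "enabled"   # later lines override earlier ones
                else if (o == "!tty_tickets")  tt = "disabled"
                else if (o ~ /^timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+$/) {
                    sub(/^timestamp_timeout[ \t]*=[ \t]*/, "", o)
                    timeout = o
                }
            }
        }
        END { print "tty_tickets=" tt " timestamp_timeout=" timeout }
    ' "$1"
}

# Demo on constructed sudoers snippets (not the real /etc/sudoers): the
# vulnerable default and the file after the fix from the post.
demo_sudoers_policy() {
    vuln=$(mktemp)
    fixed=$(mktemp)
    printf 'Defaults env_reset\nDefaults env_keep += "HOME MAIL"\n' > "$vuln"
    printf 'Defaults env_keep += "HOME MAIL"\nDefaults        tty_tickets\n' > "$fixed"
    printf 'before: %s\n' "$(sudoers_timestamp_policy "$vuln")"
    printf 'after:  %s\n' "$(sudoers_timestamp_policy "$fixed")"
    rm -f "$vuln" "$fixed"
}
demo_sudoers_policy
```

Run it as root against /etc/sudoers (the file is not world-readable) to check a machine; anything other than tty_tickets=enabled means the cached authentication is still shared across terminals and scripts.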

Feb 25 2014

I take care of several OS X mail servers for my customers and I always use the widely deployed OpenDirectory LDAP server for user management. However, from time to time one of these OD servers stops working. Based on my experience, there are two (and a half) main reasons for this malfunction:

  1. Power outage: After a power outage the database got corrupted. (This is a valid reason for a service outage 😉)
  2. OD Backup: After creating an OpenDirectory backup the launchd org.openldap.slapd.plist configuration file is disabled. This means that the LDAP server will not be started and all services (Mail, iCal, Address Book) stop working.
  3. OD Backup^2: There is an even more serious OD Backup bug. Thankfully I have seen it only once. If this bug is triggered, not only is the default org.openldap.slapd.plist configuration disabled, but there is also a second, hidden dot-file temporary configuration file with the same launchd key. This triggers undefined behaviour (two configuration files with the same key) and no usable error message is logged! (It was quite hard to find this problem.)
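Since launchd logs nothing useful when two plists share a Label, the fastest way to catch the third case is to scan the LaunchDaemons directory yourself. The script below is an added example and not part of the original post: it extracts the Label from every plist in a directory, hidden dot-files included, and prints any Label that appears more than once together with the files involved. The demo builds a temporary directory with constructed plists (the hidden file name is made up; the post does not give it), so it runs without touching /System/Library/LaunchDaemons.

```shell
#!/bin/sh
# Added example, not part of the original post: report launchd Labels that
# occur in more than one plist of a LaunchDaemons directory. Hidden dot-files
# are included because that is where the stray copy in the story above hid.
find_duplicate_launchd_labels() {
    dir="$1"
    for f in "$dir"/*.plist "$dir"/.*.plist; do
        [ -f "$f" ] || continue
        # Take the <string> following <key>Label</key>; assumes the usual XML
        # plist layout with the value on the next line.
        label=$(awk '/<key>Label<\/key>/ { getline; gsub(/^[ \t]*<string>|<\/string>[ \t]*$/, ""); print; exit }' "$f")
        [ -n "$label" ] && printf '%s\t%s\n' "$label" "$f"
    done | LC_ALL=C sort | awk -F'\t' '
        { count[$1]++; files[$1] = files[$1] " " $2 }
        END { for (l in count) if (count[l] > 1) print l ":" files[l] }
    ' | LC_ALL=C sort
}

# Writes a minimal launchd plist with the given Label (constructed test data).
write_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n\t<key>Label</key>\n\t<string>%s</string>\n</dict>\n</plist>\n' "$2" > "$1"
}

# Demo: the healthy daemon, a stray hidden copy with the same Label (the file
# name is made up), and an unrelated daemon that must not be reported.
demo_duplicate_labels() {
    dir=$(mktemp -d)
    write_plist "$dir/org.openldap.slapd.plist" org.openldap.slapd
    write_plist "$dir/.org.openldap.slapd.tmp.plist" org.openldap.slapd
    write_plist "$dir/com.example.other.plist" com.example.other
    find_duplicate_launchd_labels "$dir"
    rm -rf "$dir"
}
demo_duplicate_labels
```

On a real server call find_duplicate_launchd_labels /System/Library/LaunchDaemons (and the same for /Library/LaunchDaemons); an empty result means no Label collision, and any line printed names the plists you have to reconcile before reloading slapd.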

After finding and fixing the cause you still have to repair your OpenDirectory database. Use the following three easy steps to do so:

  1. First you have to stop a possibly running OD instance by unloading the launchd configuration:
    sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
  2. Then run the db_recover utility with the following parameters to recover your OpenDirectory database:
    sudo db_recover -v -h /var/db/openldap/openldap-data/
  3. And restart your OpenDirectory server:
    sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist

Voilà, your OpenDirectory is working again and you have earned yourself another coffee 😉

Dec 12 2013

Once in a while one of our customers who still uses Retrospect 6 updates to the latest version using the built-in updater. Now he has two problems:

  • At first, it’s a paid update that disables your backup software without a valid serial number. However, most people don’t see the corresponding information and think it’s free. This is not a nice way to introduce people to your new version!
  • The more important problem is that Retrospect 10 can’t handle Retrospect 6’s catalog files. As a result, all your tapes are completely useless! They even have a “Tip” on how to handle this situation. To quote one user’s forum post:

It’s so ridiculous … a backup application that cannot read its former backup sets

What I learned from this upgrade path is that I will never ever sell Retrospect again. I’m using Archiware P5 instead!

Jul 30 2013

It sounds like a simple task to configure a Windows client to connect to an L2TP/IPsec server hosted by Mac OS Server. However, it’s not.

Requirements

To set up the connection you need the following information:

  • Username and password of a VPN enabled account
  • the L2TP/IPsec shared secret
  • official IP or hostname of the VPN server
  • Administrator account on the Windows machine

Setup

The first step is the most important one. Open the registry editor (regedit) on the Windows PC as administrator and add the DWORD AssumeUDPEncapsulationContextOnSendRule with a hex value of 00000002 within HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent. To apply the change you have to reboot.

Then add a new VPN connection using the Set up new connection or network assistant in the Network and Sharing Center. Be sure to enable the checkbox Don’t connect now, just set it up so I can connect later.

To finish the last step, open the Properties dialog of your newly created VPN connection. Within the Security tab change the type to L2TP/IPsec and set the shared secret within the Advanced settings. Furthermore, change the Data encryption dropdown menu to Optional encryption.

Now you are able to connect to the VPN service!

Jul 19 2013

Think about the following rather unusual scenario: You own a current generation MacBook Air and a new iMac that you don’t use. This blog post will show you how you can use the iMac as a pure monitor without any manual intervention.

Introduction

The current generation iMacs (21″ and 27″) can be used as a Thunderbolt display using Target Display Mode. To enable this mode you have to boot both Macs and connect them using a Thunderbolt cable. After that you have to press [Command]+[F2] on the keyboard of the “display” iMac. Although this feature is great for occasional use, it’s not very comfortable if you want to use the iMac as a permanent secondary display.

iMacMonitor

To solve this problem I created iMacMonitor. It’s a small application running on the “display” iMac that monitors the Thunderbolt bus and automatically switches to Target Display Mode if necessary. Thereby one only has to connect the main computer to the Thunderbolt cable and a few seconds later the iMac can be used as a secondary monitor. This works because Macs wake from standby when a Thunderbolt device is connected. As soon as the main computer is disconnected the display will sleep again. Be aware that you should not shut down the “display” computer, as it won’t switch to Target Display Mode anymore.

Setup

  1. First you have to download iMacMonitor.app on the “display” iMac and set it as a Login Item.
  2. Then make sure that a user is automatically logged in (see this link).
  3. Restart
  4. Voilà

Now you can connect a Thunderbolt enabled Mac and the “display” iMac will switch to Target Display Mode automatically.

Sourcecode

As I have written this application for fun you can also download the Xcode project. It’s released under the MIT licence.

Update: Here’s the Xcode 5 Project for 10.9

May 24 2013

Recently I switched some servers from Debian to CentOS because of its better hardware vendor support. Apart from the smaller software catalog, yum downloads in particular were annoyingly slow. At first I blamed yum’s fastestmirror plugin, but after reading the documentation I discovered that the “fastest” mirror is chosen based on the mirror’s latency, not its throughput. The mirror hosted by TU Wien (gd.tuwien.ac.at) offers the best latency in Vienna but provides only a throughput of about 200KBps.

Luckily, yum allows you to exclude mirrors matching a given pattern. To add such an exclusion, one has to edit the file /etc/yum/pluginconf.d/fastestmirror.conf. Add the following line to exclude all mirrors hosted in Austria:

exclude=.at

After updating the local repository (yum update) the download speed increased instantly. Stjepan also had this problem and solved it the same way.

Apr 08 2013

I have quite a few customers who still run PHP websites that use the rather old mail function. On UNIX-based systems this function uses the local sendmail binary to forward mail.

Therefore, if the mail server responsible for a given domain is not installed on the same machine as the web server, the mail will be rejected by most recipients. Two possible solutions exist:

  1. You can add the webserver as an additional authorized mail server…
  2. … or configure sendmail to relay mails through your already working mailserver.

I always choose option 2, as it’s easier to configure and maintain. You only need a valid SMTP user on the existing mail server and root access to the web server. The following steps show how to set up mail relaying:

Install sendmail

Before we can start we have to ensure that sendmail is installed. This can be checked by running the following command:

whereis sendmail

If it is installed, the full path to the executable will be printed. Otherwise you can install it using your distribution’s package manager. On Debian-style distributions you can use the following command:

sudo apt-get install sendmail

The installation can take quite some time on slow internet connections.

Configure relay credentials

Now we have to configure the mailserver and the corresponding user credentials. This is done by appending the following line to /etc/mail/authinfo using your favorite text editor.

AuthInfo:your_mail_server.your_domain.tld "U:your_username" "P:your_password"

You have to replace the dummy information.

Updating the sendmail configuration

This step updates the sendmail configuration to include the previously added server credentials. Add the following lines to the file /etc/mail/sendmail.mc after the FEATURE(`access_db', , `skip')dnl directive.

FEATURE(`authinfo',`hash /etc/mail/authinfo')
define(`SMART_HOST', `your_mail_server.your_domain.tld')

Replace the hostname!

Saving the configuration

Use the following commands to save the configuration. After that you should be able to send mails through PHP.

cd /etc/mail/
sudo makemap hash authinfo < authinfo
# the redirection must run as root too, otherwise writing sendmail.cf fails for a normal user
sudo sh -c 'm4 sendmail.mc > sendmail.cf'
sudo /etc/init.d/sendmail restart
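When this has to be repeated on several web servers, the two manual edits above are easy to script. The following is an added example and not the post's own script: configure_sendmail_relay takes the sendmail directory (/etc/mail on a real host), the relay host, the SMTP user and the password, appends the AuthInfo line only if that relay is not listed yet, restricts the file to root because it holds a plaintext password, and inserts the two m4 directives directly after the access_db FEATURE line only if no authinfo FEATURE exists, so running it twice changes nothing. The makemap, m4 and restart commands from the post still have to follow. The demo at the bottom works on a constructed sendmail.mc in a temporary directory, and the host, user and password values are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own script: apply the relay configuration
# described above to the sendmail directory given as the first argument,
# idempotently. Relay host, user and password are caller-supplied placeholders.
# makemap, m4 and the sendmail restart from the post still follow afterwards.
configure_sendmail_relay() {
    maildir="$1" relay="$2" user="$3" pass="$4"
    authinfo="$maildir/authinfo"
    mc="$maildir/sendmail.mc"

    # 1. Credentials line: append only if this relay has no entry yet. The file
    #    holds a plaintext password, so keep it readable by root only.
    if ! grep -qF "AuthInfo:$relay " "$authinfo" 2>/dev/null; then
        printf 'AuthInfo:%s "U:%s" "P:%s"\n' "$relay" "$user" "$pass" >> "$authinfo"
    fi
    chmod 600 "$authinfo"

    # 2. m4 directives, inserted right after the access_db FEATURE line as the
    #    post describes, unless an authinfo FEATURE is already present.
    if ! grep -qF "FEATURE(\`authinfo'" "$mc"; then
        awk -v relay="$relay" '
            { print }
            /^FEATURE\(`access_db'\''/ && !done {
                print "FEATURE(`authinfo'\'',`hash /etc/mail/authinfo'\'')"
                print "define(`SMART_HOST'\'', `" relay "'\'')"
                done = 1
            }
        ' "$mc" > "$mc.tmp" && mv "$mc.tmp" "$mc"
    fi
}

# Demo against a constructed sendmail.mc in a temp dir (never /etc/mail).
demo_relay_config() {
    dir=$(mktemp -d)
    cat > "$dir/sendmail.mc" <<'EOF'
divert(-1)dnl
FEATURE(`access_db', , `skip')dnl
MAILER(local)dnl
EOF
    configure_sendmail_relay "$dir" your_mail_server.your_domain.tld your_username your_password
    # second run is a no-op
    configure_sendmail_relay "$dir" your_mail_server.your_domain.tld your_username your_password
    cat "$dir/sendmail.mc" "$dir/authinfo"
    rm -rf "$dir"
}
demo_relay_config
```

Note that the password ends up in both authinfo and the authinfo.db built by makemap, so the same 600 permissions should be applied to the .db file after the makemap step.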