Archive for the ‘Security’ Category
Wednesday, November 28th, 2007
A look in /etc/authorization reveals some interesting things that can be authorized:
- Used by CoreRAID to allow access to administration functions of RAID devices
- Checked when changing parental controls for Safari.
- This right is used by Xcode to invoke a setuid tool to run launchctl as root to change distcc sharing on this machine
- Used by Activity Monitor to authorize killing processes not owned by the user.
- For administrative access to the Application Server management tool.
- For user access to the Application Server management tool.
- Used to allow admin reading of I/O space via the CHUD framework
- Used to allow admin writing of I/O space via the CHUD framework
- Used to allow user reading of the PCI configuration space via the CHUD framework
- Used to allow admin writing of PCI configuration space via the CHUD framework
- Used to allow admin access to physical memory addresses via the CHUD framework
- Used to allow user reading of CPU special purpose registers via the CHUD framework
- Used to allow admin writing of CPU special purpose registers via the CHUD framework
- For privileged file operations from within the Finder.
- Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
- For making administrative requests to the QuickTime Streaming Server.
- For modifying Trust Settings in the Local Admin domain.
- For modifying per-user Trust Settings.
- Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.
- Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).
- Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
- Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
- Wildcard right for deleting system rights.
- See authopen(1) for information on the use of this right.
- For burning media.
- Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
- For creating, changing or deleting local user accounts and groups.
- Checked when changing authentication credentials (password or certificate) for a local user account.
- Checked when changing authentication credentials (password or certificate) for the current user’s account.
- Checked when user is installing in admin domain (/Applications).
- Checked when admin is installing in root domain (/System).
- Checked when user is installing in root domain (/System).
- Used by the Security framework when you add an item to an unconfigured default keychain.
- Used by Keychain Access when editing a system keychain.
- Login mechanism based rule. Not for general use, yet.
- The owner or any administrator can unlock the screensaver.
- Checked by the Admin framework when making changes to certain System Preferences.
- Checked by the Admin framework when enabling or disabling the Accessibility APIs.
- Checked by the Admin framework when making changes to the Accounts preference pane.
- Checked when making changes to the Parental Controls preference pane.
- For printing to locked printers.
- Used by AuthorizationExecuteWithPrivileges(…) to run a tool as root (e.g., some installers).
- Used by task_for_pid(…) to authorize access to the program of another user.
- Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
- For making Directory Services changes.
- Checked when making changes to the Sharepoints.
- Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
- Authenticate as an administrator.
- Authenticate as the session owner.
- Authenticate either as the owner or as an administrator.
- Verify that the user asking for authorization is an administrator.
- Verify that the user asking for authorization is an lp administrator.
- Verify that the process that created this AuthorizationRef is running as root.
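The descriptions above are the "comment" strings of rights in /etc/authorization, which is a plist with a "rights" dictionary mapping each right name to its rule. The following is an added example, not code from the original post: it parses a constructed plist in that layout (the right names are placeholders) and lists each right's class, group and comment, flagging rights granted with no credential check at all ("allow") or without authentication for root ("allow-root").

```python
import plistlib

# Constructed sample in the layout of /etc/authorization: a plist whose
# "rights" dict maps each right name to its rule (class, group, comment...).
# The right names below are illustrative placeholders, not real Apple rights.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key><dict>
    <key>example.burn</key><dict>
      <key>class</key><string>allow</string>
      <key>comment</key><string>For burning media.</string>
    </dict>
    <key>example.dvd.setregion.initial</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>comment</key><string>Used by the DVD player to set the region code the first time.</string>
    </dict>
    <key>example.privilege.admin</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>allow-root</key><true/>
      <key>timeout</key><integer>300</integer>
      <key>comment</key><string>Used to run a tool as root.</string>
    </dict>
  </dict>
  <key>rules</key><dict/>
</dict></plist>
"""

def load_rights(plist_bytes):
    """Parse an /etc/authorization-style plist and return its 'rights' dict."""
    return plistlib.loads(plist_bytes).get("rights", {})

def summarize_rights(rights):
    """Return (name, class, group, comment) tuples, sorted by right name."""
    return [(name, rule.get("class", "?"), rule.get("group", ""),
             rule.get("comment", "")) for name, rule in sorted(rights.items())]

def unauthenticated_rights(rights):
    """Rights granted with no credential check (class 'allow'), and rights a
    root process obtains without authenticating ('allow-root' set)."""
    free = sorted(n for n, r in rights.items() if r.get("class") == "allow")
    root_free = sorted(n for n, r in rights.items() if r.get("allow-root"))
    return free, root_free

if __name__ == "__main__":
    rights = load_rights(SAMPLE)
    for name, cls, group, comment in summarize_rights(rights):
        print(f"{name:<32} class={cls:<6} group={group:<6} {comment}")
    print("no authentication needed:", unauthenticated_rights(rights))
```

To audit a real machine, replace SAMPLE with the bytes of /etc/authorization (or the output of the authorization database tools on later releases).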
Posted in Apple, Mac, Mac OS X 10.5 Leopard, Security | No Comments »
Friday, November 23rd, 2007
In Leopard if you try to connect to a remote server in the Finder and have ‘%’ in the password, NetAuthAgent will crash with a bus error. As reported on Macintouch (and indirectly on MacEnterprise). I’m not sure if this behaviour persists in 10.5.1.
Posted in Apple, Mac, Mac OS X 10.5 Leopard, Network, Programming, Security, Software | No Comments »
Wednesday, November 21st, 2007
Safari in Leopard seems to forget my logins (for my Wordpress blog for example) on a daily basis. It’s not asking me to enter my keychain password. My workmate has also noticed this. Anyone else experiencing this?
Safari also doesn’t seem to be handling paragraph breaks in the tinymce Wordpress editor.
Posted in Apple, Mac, Mac OS X 10.5 Leopard, Programming, Security | 2 Comments »
Thursday, October 18th, 2007
Apple have posted a list of some 300 new features in Leopard.
Looking through them, the interesting ones that I haven’t noticed being mentioned before (well, mainly) are listed below. Notably absent from the list are Java, iTunes and QuickTime.
- Transparent overlay of DVD playback in DVD player (ala TransLucy)
- Screen sharing from the Finder (sort of a poor man’s Apple Remote Desktop?)
- Share any folder (just like in the days of System 6,7,8,9…). The cool part is that you can authorize people in your AddressBook to use the shared folders
- Braille support (presumably external Braille ‘displays’?)
- DVD playback in Front Row
- 20 new CoreImage Filters, CoreImage enhanced for multicore processors, support for colourspace information from EXIF tags
- iChat - Recording, Screen Sharing, Low Delay AAC-LD codec, iChat Theatre, SMS Forwarding
- Image Capture - More tethered camera support, more Canon and Nikon models supported, Wireless image importing, Sharing of scanners over Bonjour.
- Instruments - (Originally called X-Ray I think), lets developers analyse performance metrics and record and replay user interface events.
- Mail.App - Data Detectors - Another System 8 technology back from the dead. Photo Browsing of your iPhoto Library. Sync Mail Notes via .Mac. Archive your Mailbox.
- International - Russian, Polish and Portuguese, better multilingual Spotlight indexing, Pinyin and Zhuyin input methods, Russian and Danish spell checkers.
- Networking - New Airport Menu, Automatic TCP buffer size adjustment
- Parental Controls - Set time limits for kids, violate their privacy by logging websites and applications used, list people who have chatted and keep a transcript (I hope nobody uses it on adults!). Control parental controls remotely, and filter profanity from the Wikipedia (that should prove amusing).
- PhotoBooth - Make video clips, add backdrops, export animated GIFs for use on your website.
- Preview - Better leverage of Core Animation. Add better annotations, including links to websites or other pages inside the PDF. Highlight text. Save your annotations (really wouldn’t be much good without that last feature would it?). Relevancy ranking of PDF searches. Automatically add your name to annotations for collaborative work. Remove Alpha background or select irregular shapes. Adjust white and black levels automatically. Re-order PDF pages. Perform batch image operations. Send images to iPhoto. Use GPS Metadata support to open a photo’s location on a Map or in Google Maps. Woohoo!
- Printing - Simplified by making common settings presets (Yay!). Kerberos authenticated printing. Location-aware printing (so it doesn’t print your home porn to the work IP printer over the internet). Support for printer driver updates via Software Update.
- Safari - Presumably you’re already using the Beta
- Screen savers - Arabesque, Shell, Word of the Day, Clock Overlay, Collage or Mosaic from your Picture screen savers.
- Security - Downloaded applications are tagged and you’re prompted when you open them. Apple Applications are signed (Hmm… That could make modding stuff more difficult!). Application specific firewalling. 256-bit AES encryption (previously only 128-bit) for disk images. VPN client supports Cisco Group Filtering, DHCP over PPP. Sandboxing of applications (Bonjour, Quick Look and Spotlight indexer are sandboxed) to restrict what they can do. Multiple user certificate support. Smart cards to unlock FileVault volumes and the keychain. Supports PIV standard for Feds and contractors to them. I hope FileVault is finally ready to use without hosing your files! Library randomisation to frustrate hacking attempts (and cause developers to find more bugs :). Windows SMB packet signing.
- Spotlight - Search any Mac on your network (woohoo, great for those of us with big numbers of documents on a central server). Now understands boolean searches, dates and category labels. Also (like Google) does dictionary definitions and calculations. Recently visited web pages are indexed too. Search by filename (ala System 6, etc.). Search system files.
- System - Icon mode in open and save panels (Yay!). iLife browsing from open panel. Live partition resizing in Disk Utility (assuming you’ve got space). Auto-purging guest accounts (Yay!). Grammar checking. Scroll non-active windows (yay! Although we move ever closer to focus follows cursor). Empty Trash button (Yay!). Eject some or all partitions of external USB or FireWire volumes.
- System Preferences - Hot corner for sleep display. Control click accounts for advanced (ie dangerous, unixish) account options (User ID, login shell, home directory)
- Terminal - International character support (use vi on your Mandarin). Save multiple terminal window locations and settings as a workspace.
- TextEdit - Autosave. Open Document and Word 2007 formats. Hyperlinks. Go to Line. Print header and footer. Smart quotes. Smart copy and paste (meaning it now conforms to Apple’s HI Guidelines?)
- Time Machine - Asks you if you want to back up to a drive when you connect it (My, that will get annoying when you want to copy one file and disconnect!). Automatically stops and resumes. Browse other Time Machine disks. Use Migration Assistant to move users from a Time Machine backup. Manual backup if you can remember to hold down the control key and click the Time Machine icon in the Dock.
- Universal Access - Braille support during OS install. Support JAWS and Windows-Eyes numeric keypad commands. Portable VoiceOver prefs via flash drive (Hmm… I wonder if that could be parlayed into a security problem). Notification of changes in screen hotspots. Drag and drop via keyboard only. Audio misspelling alerts. Audio positional cues. Enhanced VoiceOver accessibility in new Leopard Apps.
- UNIX - AutoFS to mount/dismount network filesystems, Separately threaded (Yay!). Wide Area Bonjour. Streaming IO (Is this TCP streams?)
Posted in Airport and WiFi, Apple, AppleScript, Backup, Firewire, Human interface design, Mac, Mac OS X 10.5 Leopard, Network, Programming, Security, Spotlight, USB, Video, iCal | No Comments »
Saturday, September 8th, 2007
The Australian Government’s free copy of the Mac compatible “Safe eyes” filter is available here.
Of course the best way to safeguard your kids is to keep the computer in the living room and supervise their browsing. That way you’re on hand to answer any questions they have about anything they might see (including when they subvert the net nanny filter).
Posted in Education, Mac, Network, Security, Software | 1 Comment »
Friday, August 17th, 2007
Combining AppleScripting the Indigo home automation software with an Asterisk VoIP server, some phones and some home automation gear gets you a lightweight home security solution.
Posted in AppleScript, Mac, Network, Programming, Security | No Comments »
Wednesday, June 20th, 2007
After a recent transfer of our server, ownership (and thus access) of newly created files was being assigned to the creator. Old files could still be accessed by members of the group. It seems the solution to this was to use Workgroup Administrator to change the AFP sharepoint so that it used “Inherit permissions from parent” rather than the “Standard POSIX behaviour” (which in standard UNIX style is probably more secure but less useful).
Fortunately this seemed to work so I didn’t have to enable and implement appropriate ACLs.
Posted in Apple, Mac, Mac OS X Server, Security | No Comments »
Tuesday, May 29th, 2007
Apparently Apple’s Security Update 2007-004 may break some applications that rely on the DYLD_LIBRARY_PATH environment variable, including SQL Anywhere 9 and IBM Workplace Forms Viewer. The workaround is to edit the application’s Info.plist file.
Posted in Apple, Mac, Programming, Security | 1 Comment »
Monday, May 28th, 2007
Macintouch is reporting that the latest Mac OS X Server security update 2007-004 is disabling the DNS service. Solutions range from editing the plist file to turning the service back on manually from the Server Admin application.
Posted in Apple, Mac, Mac OS X Server, Programming, Security, Software | No Comments »
Tuesday, May 15th, 2007
So, those pesky people are trying to frame you for war crimes and you don’t want to get busted? Try srm, the secure version of rm. It allows you to choose between 7- or 35-pass erasure, depending on how long they’re trying to put you away for.
Posted in Apple, Mac, Security | No Comments »