Monthly Archives: May 2008

Home Automation

Automate the Home

We’re looking at buying a new house.  When I’m on the road there’s nothing nicer than being able to log into the house and turn off the lights.  That’s why there’s this stuff for the geek in everyone:

http://www.z-wave.com/modules/Z-Wave-Start/

Mac OS X Mac OS X Server Mac Security

Mac OS X 10.5: NetInfo (or the lack thereof)

As many will already be aware, there’s no NetInfo in Leopard. So where are those pesky account settings stored? Well, local user account settings are now stored in plist files. The plist files are stored in the /var/db/dslocal/nodes/Default/users directory for users or /var/db/dslocal/nodes/Default/groups folder for groups. Password hashes are stored in the /var/db/shadow/hash folder. Inside each plist file for user accounts you can augment (or create) attributes required in order to perform certain actions. So, for example, if you want to change the location of your home folder you can open the users plist file and search for the home key and edit it’s contents.

Consulting

On the Road: Gaining Weight

It sure is a good feeling to be the one that figures out the impossible.  When you’re at a client and you can walk out of there with that kind of feeling, you feel like you own the world.  That is, until you realize you’re in a small town in the middle of nowhere and the only thing open is a Taco Bell.  Then you realize you didn’t bother to eat lunch or dinner and you scarf down more food than you really should.  That’s when you realize, sitting in your hotel room, that you haven’t worked out in months, your surfboard has run off with a boogie board (well that happened when you left it for the land of non-salty water) and you’re starting to put on a little extra weight.  Suddenly all those late nights with the clients don’t seem nearly as fun as they did before and you wonder how long it’s going to take to get back to your old self…

Windows Server

Office Unified Communications Server

Communication is the transfer or collaboration of thoughts, ideas and plans between individuals. It is essential in the organizational success of most businesses to have various easy to use methods of communication. Today’s communication varies from chatting to video teleconferencing. Combining these forms of communication into a simple easy to use interface or tool can drastically increase the flow of collaboration and communication of staff members.

Microsoft’s Unified Communication Server and Office Communicator comprise a suite of programs and services that allow businesses to integrate most communication platforms into one centralized management console. Unified Communications takes the functionality of outlook and exchange and combines email with VOIP service, voicemail, chatting, faxing and video teleconferencing. Along with the integration of all these services, Unified Communications comes with one tool to rule them all.

Office Communicator gives anyone with a laptop or Windows Mobile Smart phone the ability to switch methods of communication on the fly, without having to worry about loss of communication. This simple tool will give you ability to take your office anywhere in the world as long as you have an Internet connection. It also has the ability to attach additional phone numbers to your main office number. Chatting, faxing, emailing, calling and video teleconferencing have never been so easy.

Unified Communications and Office Communicator provide a new method of centralized communication that when implemented in your company will greatly enhance the flow of communication between the staff at your business.

Interviewing

Interview Tips: May 2008

When an interviewer asks you technical questions then you can assume that you are going to be in a fairly technical role.  Remember when you’re looking for jobs that if you are at a point in your career where you want to be management that if the line of questioning is very technical that the role might not be a good fit.  Feel free to ask questions about the role and what percentage of your time should be spent doing what if this is a concern.  Average costs to hire a new employee are estimated to be anywhere from $7,600 to $25,400.  There is no reason to waste the hiring companies resources if the job is not a great fit.  But be up front about it, which is key to leaving the door open for future opportunities.

Mac OS X

Bakbone: SysCtl and Shared Memory Hax0r to get Bakbone to Play Nice

Shared Memory Tweaking: 1GB Shared memory (set in /etc/sysctl.conf)

kern.sysv.shmall: 262144
kern.sysv.shmseg: 32
kern.sysv.shmmni: 128
kern.sysv.shmmin: 1
kern.sysv.shmmax: 1073741824 

Mac OS X Server

Mac OS X Server: Performance Evaluations

Nice little article on evaluating the performance of your server:

http://support.apple.com/kb/HT1992

Mac OS X Mac OS X Server

Mac OS X: VNC vs. VNC

The Sharing System Preference has Screen Sharing and Remote Management.  Both control VNC.  You can’t use one while using the other.  So what’s the difference.  Well, Screen Sharing, the new application in 10.5 doesn’t require that you purchase a copy of ARD if you only want to be able to control the screens of other Macs.  If you enable Screen Sharing then your Mac will show up in the SideBar of other systems in your environment.  Remote Management still works the same way it did in 10.4.

Articles and Books Mac Security

A Great Article on Sandbox by Beau

In all versions of OS X previous to Leopard, access control restrictions were limited to a security model referred to as Discretionary Access Controls (DAC). The most visible form of DAC in OS X is in it’s implementation of the POSIX file-system security model, which establishes identity-based restrictions on an object in the form of a subject’s user or group membership. Similarly Access Control Lists are a form of discretionary control, though they are far more extensible and discrete then the POSIX model. In such models,  newly created objects or processes inherit their access rights based upon those of the creating subject, so that any spawned objects are not granted access rights beyond that of their creating subject. The key idea behind the DAC model is that the security of an object is left to the discretion of the object’s owner; an object’s owner has the ability to assign varying levels of access control to that object within the confines of the DAC implementation. The DAC model has for decades been a staple in the management of both object/process creation and access across all mainstream computer systems due to it’s user-centric nature. However there is a persistent caveat in these implementations;  in all mainstream implementations of such models, there exists a superuser which has the capabilities to completely bypass access restrictions placed on objects. In POSIX-based Operating Systems such as Unix, Linux, or OS X, this superuser exists in the form of the root user. The existence of such a loophole presents a bit of a paradox. On one hand, it introduces several obvious security ramifications by providing capabilities to completely bypass the DAC model all together; any processes which are invoked by the superuser inherit the “god mode” access controls, they have free reign over the entire system. At the same time, the existence of the superuser account becomes a vital tool for the practical administration of data objects and system resources. In a perfect world, this wouldn’t necessarily be a bad thing. Unfortunately that’s not the world we live in, and it is not uncommon to hear about processes being hijacked for ill-will. If the compromised process has been invoked by the superuser, then the entire system has been compromised, including all user data with it. 

With 10.5 Leopard, Apple has introduced a new low-level access control model into their OS, based upon the mandatory access control (MAC) model. Conceptually, the MAC system implements restrictions based upon actors, objects, and actions. In such a system, the actor typically assumes the form of a process, thread, or socket. The object can be any type of resource, such as a file, directory, socket, or even a TCP/UDP network port, among others. The action is simply the request of the actor to be applied to the respective object, and varies depending on the type of object involved in the request. Referring back to the file system model; the actor would be a word processor, the object would be a .txt flat file, and the action would be a call to either read to or write to that text file. When the actor requests access to the object, the MAC authorization system evaluates security policies and decides whether the request can proceed, or if it should be prohibited. In a pure MAC model, the object or process ownership is not generally a consideration; individual users do not have the ability to override defined policy. 

Leopard enforces the MAC model via a new framework, architected from TrustedBSD’s MAC framework. This framework introduces “sandbox” access control capabilities which allow a developer or user to apply access control policies to a process, restricting privileges to various specified system resources. The restrictions are generally enforced upon acquisition, so any active file descriptors would not be immediately affected by any policy changes, however, any new open() operations would be subject to the new restrictions. In a fashion similar to the DAC model, new processes and forks will inherit the access restrictions of their parent. In Leopard, these restriction policies can be pre-compiled into any given program, or they can be applied to any executable at runtime. 

While Leopard’s MAC framework is based off of TrustedBSD’s,  it’s implementation deploys only a subset of control points provided by the TrustedBSD implementation. Noticeably absent are the majority of the Security Policy Modules available for TrustedBSD and FreeBSD implementations, such as Biba, MLS, or NSA’s FLASK/TE (implemented in SEDarwin), though perhaps some day we’ll see some of these ported to Leopard’s MAC framework.  For now, Apple has offered their own Security Policy Module dubbed “Seatbelt”, which is implemented as a KEXT installed at /System/Library/Extensions/seatbelt.kext.  As of 10.5.2, the feature set of Seatbelt seems to be very much in flux. The only documented way to apply these controls in code is via the sandbox_init() function. Utilizing this function in code provides a way for an application programmer to voluntarily restrict access privileges in a running program. sandbox_init() is very limited at this point, providing only 5 pre-defined constants: 

• kSBXProfileNoInternet  – disables TCP/IP networking.
• kSBXProfileNoNetwork – disables all sockets-based networking
• kSBXProfileNoWrite – disables write access to all filesystem objects
• kSBXProfileNoWriteExceptTemporary – disables write access to filesystem objects except /var/tmp and `getconf DARWIN_USER_TEMP_DIR`
• kSBXProfilePureComputation – all OS services are restricted

An application can utilize one of these constants to restrict capabilities in spawned processes or threads, minimizing the potential damage that can occur in the event that the process is compromised. Figure 1 shows an example implementation of the kSBXProfileNoWrite profile in code:

Figure 1.

#include 
#include 
#include 
#include

int main()
{
int sb, fh;
char **errbuf;
char rtxt[255];
char wtxt[255] = “Sandboxed you aren’tnn”;

// init our sandbox, if we don’t return 0 then there’s a problem
sb = sandbox_init(kSBXProfileNoWrite, SANDBOX_NAMED, errbuf);
if ( sb != 0 ) {
        printf(”Sandbox failedn”);
return sb;
};

fh = open(”test.txt”, O_RDONLY);
if ( fh == -1 ) {
perror(”Read failed”);
} else {
read(fh, rtxt, 255);
close(fh);
printf(”FileContents:n %sn”, rtxt); 
};

fh = open(”test.txt”, O_RDWR | O_CREAT, 0000644);
if ( fh == -1 ) {
perror(”Write Failed”);
} else {
write(fh, wtxt, strlen(wtxt));
close(fh);
printf(”Successfully wrote file!n”);
}

return 0;
}

 

 

Compiling and running this code returns the following results:
% ./sandBoxTest
FileContents:
 hello              

Write Failed: Operation not permitted

So, even though our POSIX permissions allows for read/write access to the file, the sandbox prevents it, regardless of user. Running the program even with root privileges yields the same results. 

Currently, the options provided by Apple are very all-or-nothing, particularly in the area of file system restrictions. In this way, Seatbelt acts more as a clumsy broadsword, lopping off functionality in large chunks at a time for the sake of security. In this form, Seatbelt has minimized use outside of very vertical applications or the increasingly rare applications that don’t utilize network communication in one way or another. Though these limitations will significantly limit widespread adoption, I believe it would be a mistake for a developer to shrug off Seatbelt as a whole.

Luckily, Seatbelt has an alternate application, though currently it is not officially supported. As I mentioned earlier, it is possible to apply sandbox restrictions to any pre-complied executable at runtime. This is done via the sandbox-exec binary, and uses predefined profiles housed at /usr/share/sandbox which provide for fine-grained control of resources. These profiles use a combination of allow/deny rules in combination with regular expressions to specify system resource access. There are numerous control points, such as network sockets, signals, sysctl variables, forking abilities, and process execution, most of which can be tuned with fairly decent precision by utilizing a combination of regex and static inclusion sets. Filesystem objects and processes are identified via POSIX paths; there currently is no target validation performed ether via checksums or digital signing.  

Figure 2 shows a sample sandbox profile that can be applied to restrict an application from making outbound communications and restricts file system writes to temporary directories and the user’s preferences folder. The ‘debug deny’ line tells seatbelt to log all policy violations. This proves to be very useful in determining filesystem and network activity by an untrusted program. It facilitates a quick-and-easy way to do basic forensic testing on any program acquired from an untrusted source. Figure 3 shows example log violations of a network-outbound violation, and of a file-write violation, respectively.

To apply a sandbox profile to a standard application bundle you must pass sandbox-exec the path of the mach-o binary file which is typically located in ‘Contents/MacOS/’, relative to the application’s bundle. You can specify a sandbox profile by name using the -n flag if the profile resides in /usr/share/sandbox, or you can specify a full path to a profile with the -f argument. Carbon applications may require the LaunchCFMApp wrapper to properly execute. See figure 4 for example syntax for both Cocoa and Carbon Applications.

Figure 2. Example sandbox profile

(version 1)
(debug deny)
(allow default)
(allow process*)
(deny network-outbound)

(allow file-read-data file-read-metadata
  (regex "^/.*"))
(deny file-write*
        (regex "^/.*"))
(allow file-write*
        (regex "^/Users/johndoe/Library/Preferences.*"))
(allow file-write* file-read-data file-read-metadata
  (regex "^(/private)?/tmp/"))

(import "bsd.sb")

 

 

Figure 3. Example log entries from TCP and filesystem write violations

3/4/08 12:15:10 AM kernel dig 79302 NET_OUTBOUND DENY l= unavailable r= 4.2.2.2/domain UDP 1 (seatbelt) 
3/4/08 12:43:05 AM kernel sh 79147 FS_WRITE_DATA SBF /Users/Shared/test.txt 13 (seatbelt) 

Figure 4. Using launchd to sandbox cocoa and carbon applications.  

Cocoa

% sandbox-exec -n localonly /Applications/TextEdit.app/Contents/MacOS/TextEdit

Carbon

% sandbox-exec -n localonly /System/Library/Frameworks/Carbon.framework/Versions/A/Support/LaunchCFMApp /Applications/Microsoft Office 2004/Microsoft Word

Unfortunately, the system seems to be far from finalized, and even some example profiles provided by Apple do not seem to be completely functional, or contain unimplemented control points. One example of this is seen when trying to implement IP-based network restrictions. Apple provides example entries for layer3 filtering in the included profiles, but they are commented-out and illicit a syntax error when ran. Additionally, Apple has a rather ominous warning in each of it’s provided profiles, stating that current profiles are deemed to be Apple System Private Interfaces, and may change at any time.

However, that’s no reason to completely ignore the technology. Given what has currently been implemented, and taking into consideration control points which are alluded to by Apple’s own imbedded comments, Seatbelt is showing significant promise to provide very fine-grained resource access capabilities. By utilizing these restrictions, applications and users can ensure that even in a worst-case scenario, possibilities for errant/hijacked process damage becomes mitigated and compartmentalized. There are many real-world situations where this type of access control model fits very well, particularly in complement to standard DAC systems: they can be used to mitigate privilege escalation opportunities for shell users, to confine behavior conformance of processes to defined resources (and there by protect against hacked processes), or as a forensic tool to determine software malfeasance. By providing these type of capabilities through the Seatbelt policy module, and by providing a path towards implementing more complex MAC policy modules, Leopard’s new MAC framework ushers in a new level of security and access control capabilities for OS X.

Ubuntu

Ubuntu 8.04

Originally posted at http://www.318.com/TechJournal

ubuntulogo1.pngUbuntu 8.04 is now available – the first major release since 7.10. Code named Hardy heron, 8.04 will look familiar to long-time Ubuntu users. But under the hood, 8.04 sports a new kernel (2.6.24-12.13), a new rev of Gnome (2.22), improved graphical elements (such as Xorg 7.3), a spiffy new installer (Wubi), the latest and greatest in software, enhanced security and of course more intelligent default settings. The build is free to download the desktop version from ubuntu.com.

The new Ubuntu installer comes with a new utility called Wubi. Wubi can run as a Windows application, which means that Windows users will be able to more easily transition and learn about Ubuntu. Wubi can perform a full installation of Ubuntu as a file on a Windows hard drive. This means that you no longer need to install a second drive or perform complicated partitioning on an existing drive. When you boot up Ubuntu the system reads and writes to the disk image as though it were a standard drive letter, much like VMWare would do. Ubuntu can also be uninstalled as though it were a standard Windows application using Add/Remove Programs.

The new application set is solid. Firefox 3.0 comes pre-installed. Brasero provides an easier interface for burning CDs and DVDs. PulseAudio now gets installed by default (which is arguably a questionable decision but we found it worked great for us). The Transmission BitTorrent client is now included by default. Vinagre provides a very nice and streamlined VNC client for remote administration (although the latency for remote users is still a bit of a pain compared to the Microsoft RDP protocol). Inkscape has always been easy to install and use, but the popular Adobe Illustrator-like application it now comes bundled with Ubuntu.

In order to play nicer in the enterprise, the security infrastructure of Ubuntu has also had a nice upgrade. The Active Directory plug-in is provided using Likewise Open (unlike Mac OS X which sees a custom package specifically for this purpose). There is a new PolicyKit which provides policies similar to GPOs in Windows or MCX in Mac OS X. The default settings in 8.04 are also chosen with a bit more of a security mindset. New memory protection is built into 8.04, primarily to make exploits harder to uncover and prevent rootkits. Finally, UFW (uncomplicated firewall) is now built into the system to make firewall administration more accessible to the everyday *nix fan.

Network Administrators will be impressed by the inclusion of many new features. KVM is included in the Kernel and lib-virt and virtmanager are provided to make Ubuntu a very desirable virtualization platform. iSCSI support provides more targets with which to store those virtual machines and also expanded storage for those larger filers (eg – using Samba 3). Postfix and Dovecot provide a standardized mail server infrastructure out of the box. CUPS in 8.04 now supports Bonjour and Zeroconf protocols as well as the solid standbys of SMB, LPD, JetDirect and of course IPP. Those building web servers will be happy to see Apache 2, PHP 5, Perl, Python and Ruby on Rails (with GEM) and of course Sun Open JDK (community supported). If you need the database side of things there’s MySQL, Postgresql, DB2 and Oracle Database Express.

However, if you are just starting out keep in mind that Ubuntu Server does not come with a windowing system by default – so beef up those command line skills sooner rather than later! We are also still waiting for a roadmap for integrating much of the more Enterprise or Network-oriented packages. For example, we now have the PolicyKit and a solid Active Directory client. But how do we push out en masse the policies that we want our users to have post imaging?

So if you use Ubuntu or are interested in getting to know the Linux platform then 8.04 is likely a great move. It’s solid, stable and much improved over 7. It’s easier to migrate, virtualize and work in. The developers should be proud!