Monthly Archives: June 2009

Mac OS X

Rerunning the Setup Assistant

Often times you will want the Mac OS X Setup Assistant to run post the initial installation or imaging. Perhaps you bake an image into machines at a retail store, installing a number of software packages, or maybe you just want a shot at entering your credit card information because you used Command-Q to quit the Setup Assistant when you first unboxed your boxen. Either way, it’s a fairly straight forward task. Simply delete the .AppleSetupDone, stored in the /var/db directory.  Note that this file is hidden and owned by root, so use the following command to remove it:

sudo rm /var/db/.AppleSetupDone

It’s also worth noting that when doing a deployment, you can create the .AppleSetupDone file to suppress the Setup Assistant even if it has yet to be run.

Mac OS X

Changing Time Machine Backup Frequency

Time Machine just does what it does and there’s not much controlin’ it aside from what’s in the System Preference pane.  Or is there?  Earlier, I covered how to disable the disk check feature, now let’s look at how to change the frequency of when backups occur.  Backups are initiated by, stored in /System/Library/LaunchDaemons.  The contents of this file are, by default:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple Computer//DTD PLIST 1.0//EN” “”>
<plist version=”1.0″>
<array> <string>/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper</string>

The StartInterval integer controls the frequency with which backups occur, in seconds.  You can customize this by altering the data in the line below (the integer).  For example, if you set it to 360 then backups will occur every 6 minutes instead of 60, or more likely, if you set the integer to 14400 then your backups will occur every 4 hours instead of every hour.

Mac OS X

Suppressing Time Machine on Disk Mount

By default, when you are using Time Machine in Mac OS X, every time you insert a drive the system will ask you if you would like to use that drive as a Time Machine backup destination.  If you are like me and you swap drives around a lot then this can get annoying.  So to stop it you can actually just disable a launchd System Daemon,  To do so, simply move the /System/Library/LaunchDaemons/ to another location and viola, on the next restart when you attach a disk Time Machine won’t ask you if you wish to add the disk to your Time Machine destinations.


While this is one way, reader @Chealion pointed out on Twitter that the following command will go ahead and do the same thing without monkeying with launchd:

defaults write /Library/Preferences/ DoNotOfferNewDisksForBackup -bool true;

Mac OS X

The Cut, Copy & Paste Daemon in OS X

Ever seen in a launchctl list?  Wondered what it did?  This is the infamous clipboard (aka – pasteboard, or on the iPhone the NSPasteboard server).  If you unload the pboard entry in launchctl then you will no longer be able to cut, copy and paste.  pboard relies on the existence of and the accessibility to the user that initiated pboard (ie – root) to have access to the /tmp folder.  Therefore, pboard will be wonky without /tmp and without pboard you won’t be able to paste things.  So, when troubleshooting cut, copy and paste issues, first verify that /tmp exists and then verify that pboard is running using the following command:

launchctl list | grep

And if it isn’t running, start it with:

launctl start

Mac OS X Mac Security

Disable Disk Arbitration

In Mac OS X, diskarbitrationd is the process that handles mounting disks when they are inserted into the computer (eg – firewire, USB, etc).  Diskarbitrationd runs in the background, is always on by default and is started by launchd.  New disks inserted into the computer are automatically mounted, which you might not want to happen (for example, if you are forensically imaging a system, investigating malware on a device, attempting to fix corruption, simply trying to keep users that don’t know how to manually mount a disk from accessing one, etc).

There are  number of ways to stop diskarbitrationd.  One of the easiest (and least intrusive since it doesn’t require a restart) is using launchctl.  To disable disk arbitration, first run the following command to obtain a list of currently running launchd-initiated processes:

launchctl list

That’s going to output a few too many so let’s constrain our search to those that include the string diskarbitrationd:

launchctl list | grep diskarbitrationd

You’ll now see a PID and the name of the process.  Notice it has an alphanumeric string in front of it, appearing similar to 0x10abe0.diskarbitrationd. Next, go ahead and stop it, again using launchctl but this time with the stop option:

launchctl stop 0x10abe0.diskarbitrationd

Once stopped, let’s verify that diskarbitration is no longer running:

ps aux

Once you have completed your tasks and want to re-enable disk arbitration, you can restart it using the start option in launchctl:

launchctl start 0x10abe0.diskarbitrationd

Finally, this process is not persistent across reboots.  If you will be rebooting the system you are mounting the disk onto you might want to unload diskarbitrationd and then move the plist from /System/Library/LaunchDaemons/  For example, to move it to the desktop, use the following command:

mv /System/Library/LaunchDaemons/ ~/Desktop/

sites WordPress

Bug in WordPress 2.8

In WordPress there are tags, such as the ones you see at the bottom of this article.  You enter tags when you’re writing an article in the Post Tags section of the Add New Post page.  Prior to WordPress 2.8 you could enter a bunch of tags and just hit the Publish button, the tags would be committed automatically.  Now though, you enter the tags and hit the Publish button and they are not committed.  You have to use the Add button to commit the tags, then hit the Publish button.  This has always been a feature, but both used to work.  For me, breaking a third party plug-in is only natural, so that is not a bug.  Sure, I had two plug-ins that were broken when 2.8 came out.  2.8.1 fixed one of those, but the developer I think will need to fix the other.  But the issue with the tags is a little annoying.  But the crew at WordPress rules.  My bug is submitted and I’m sure it will be addressed with all due haste.


Boobies on Facebook

Today I found a game/app in my Facebook feed called Vrais ou faux seins ? The application has blatantly exposed breasts.  I can’t speak French so I can’t tell what it is about, but the pictures sure seem to tell a pretty compelling story.  I’m sure that the good people at Facebook will end up finding the application and removing it soon enough.  But it brings up, again, the changes that the increasing globalization that the Internet has brought about. And in my standard Facebook feed…

It’s not that I care.  I don’t.   It’s more just watching culture classes as they continue to emerge.  Much like Google’s Schmidt leveraging YouTube to speak out on Iran in a way… There are positive aspects of a more open world, but there are also aspects with regard to differing values that will have be reconciled in the culture clashes that continue to happen.  Such as the appearance of boobies in little Archie’s Facebook feed…

Mac OS X VMware

Mass Deploy Parallels

Sometimes it’s just that easy. Our good friends at Parallels have developed a special Mass Deploy package, available on their site. When you control-click on it and select Browse Contents you will see a license.txt.  You can paste your license into the license.txt file and then put your virtual machine into the root of the package.
Parallels Mass Deploy, Mac OS X

Once complete, you can push this package out at will.  Additionally, you can edit the postflight shell script in the Resources directory, throwing your own commands at the tail end of the file, adding more virtual machines, customizing settings, etc.  Good luck.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Shadow Mounting with hdiutil

I recently put up a post on using hdiutil to create disk images in Mac OS X.  To take that a step further let’s look at leverage a shadow mount. A shadow mount allows you to mount a read only file system (from a dmg) as a read-write structure without altering the original image, similar to how NetBoot works. This is useful for a variety of instances, most of all, forensically. To mount an image is going to be similar to how we did so previously, simply use the

It is possible the volume was dismounted dirty and Mac OS X needs to do a consistency check on the file system. The file system needs to be read-write to do the consistency check. If you shadow mount, the file system will be mounted read-write but it will leave your original image intact writing all the changes to the shadow file. In the following example, we will mount up a disk image called badguy.dmg that is stored on /Volumes/Images with a shadow mount at /Shadow. We could do so without a shadow mount using the following command:

hdiutil mount /Volumes/Images/badguy.dmg

Instead, we’re going to add a -shadow option and follow it with the location of the shadow mount:

hdiutil mount /Volumes/Images/badguy.dmg -shadow /Shadow

You can now write data into the image or remove data from the image and then unmount it:

hdiutil unmount /Volumes/Images/badguy.dmg

Remounting the image should net you an image that did not save any of the previous changes. While forensics is one place for this type of technology, there are others, such as the NetBoot environment where you don’t want users writing data anywhere except for a userland space. Similarly is the default EC2 environment, where users will be banging away on virtual machines all day long and only write changes back in if they save a copy of the machine into a local space, such as their S3 account.  It also makes for a nice way to store images (and images containing packages) during the imaging process for a number of environments.  Overall, this is technology that has been around for awhile and I look forward to seeing more ramifications in the future.


The Blind Leading the Blind

Please, please, please – if you think that something I do here will fix an issue you have, please confirm that we’re talking about the same things. Don’t run a command that will wipe out your whole Kerberos database if you’re having an issue opening a single file. Don’t demote a single Open Directory Master with no replicas when you have hundreds of users that should be logged into the OD structure at any given time. Don’t wipe out the LUN of that NetApp. Don’t rm something recursively that shouldn’t be rm’d. I realize that “Google-fu” is a great skill to have, but it is also a danger to you and those around you if the symptoms or goals don’t match up. When I post something and when others out on the world wide bandwagon do so, take the advice and experience of others with caution. Especially if what you will be doing is destructive…