NFS. Not… Dead… Yet…


NFS may just never die. I’ve seen many an Xsan convert to NFS-based storage with dedicated pipes and fewer infrastructure requirements. I’m rarely concerned about debating the merits of technology but usually interested in mapping out a nice workflow despite said merits. So in the beginning… there is rpc. Why? Because before we establish a connection to an nfs share, we first want to check that we can talk to the system hosting it. Do so with rpcinfo:

rpcinfo server.pretendco.com

Now that we’ve established that we can actually communicate with the system, let’s use the mount command (for more on creating mounts see `man exports`). Here, we’ll 

mount -t nfs nfs://server.pretendco.com/bigfileshare /Network/Servers/server.pretendco.com/bigfileshare

ncctl is a one-stop shop for manipulating kerberized NFS. Ish. You also have ncinit, ncdestroy, and nclist. So almost a one-stop shop. First, let’s check the list of shares you have and how you’re authenticating to each:

nclist -v

ncctl list can also be used. The output will be similar to the following:

/Network/Servers/server.pretendco.com/bigfileshare       : No credentials are set

We should probably authenticate into that share. Now let’s actually set our username (assuming you’ve already kerberized via kinit or a gui somewheres):

ncctl set -p krypted@me.com

Now that spiffy nclist command should return something like the following:

/Network/Servers/server.pretendco.com/bigfileshare: krypted@me.com

Finally, ncdestroy is used to terminate your connection. So let’s just turn off the share for the evening:

ncctl destroy

Or ncdestroy is quicker to type. And voilà, you’ve got a functional nfs again. Ish.

Now that you’re connected, nfsstat should show you how the system is performing. For more on using that, see: 

man nfsstat

Limit Upload and Download Streams for Google Drive File Stream on macOS

Google Drive File Stream allows you to access files from Google’s cloud. It’s pretty easy for a lot of our coworkers to saturate our pipes. So you can configure a maximum download and upload speed in kilobytes per second. To do so write a com.google.drivefs.settings defaults domain into /Library/Preferences/com.google.drivefs.settings and use a key of BandwidthRxKBPS for download and BandwidthTxKBPS for upload (downstream and upstream as they refer to them) as follows:

sudo defaults write /Library/Preferences/com.google.drivefs.settings BandwidthRxKBPS -int 200
sudo defaults write /Library/Preferences/com.google.drivefs.settings BandwidthTxKBPS -int 200

Episode 107 of the MacAdmins Podcast: Sweet Rootkits, a Year in Review

It’s been a great year for the MacAdmins Podcast. And a special thank you to Tom, Marcus, Emily, James, and the former co-host Pepijn for continuing to allow me to be a part of something special. The last episode of the year is available at podcast.macadmins.org, using the below embedded link, or wherever you get your podcasts!

Download Older Versions of macOS and Mac OS X

I’ve posted a few old links in my time (as I near 4,000 posts it would be hard not to have some that are broken). But Apple App Store downloads seem to do better with not breaking links. So here are some links to old versions of macOS and OS X, in case, like me, you always seem to need some old thing for testing:

Old versions of server are actually easier. You can download OS X Lion Server: https://itunes.apple.com/us/app/os-x-lion-server/id444376097?mt=12 or macOS Server: https://itunes.apple.com/us/app/macos-server/id883878097?mt=12  and most versions are available on the developer portal at https://developer.apple.com/download/more/.

Updated My Apple Admin Conferences Page

I’ve been keeping a list of Apple Admin conferences for a few years now. I probably should have versioned it and kept each iteration, but… no need to pollute the interwebs with more outdated stuffs than I already have. So here’s the link for the latest version, updated with all the event dates announced thus far: http://krypted.com/community/macadmin-conferences/

Hope to see you at some!

Extension Attribute to Detect WindShift in macOS

Patrick Wardle has been researching WindShift and done an extensive writeup at https://objective-see.com/blog/blog_0x3B.html on the emerging malware threat. Based on his research, this extension attribute will check lsregister for usrnode.

It’s pretty basic and variants will obviously change their behavior. For example, openurl2622007 has already changed, which is why I didn’t check for that. And the file name, path, and signature are changing of course. But checking lsregister for the name of the binary does seem to be consistent. Ergo, ymmv with how effective this is en masse, but it’s a good early warning system since this doesn’t seem to get picked up properly by antivirus yet.
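
An added example (not the script from the original post): an extension attribute in the style described above, which searches the lsregister dump for usrnode and reports the matching lines. It assumes Jamf-style <result> output and the usual lsregister path; the sample dumps are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not the original post's script.
# Assumptions: Jamf-style <result> output; lsregister at its usual path.
LSREGISTER="/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister"
INDICATOR="usrnode"   # binary name taken from the post

# Read an lsregister dump on stdin and print a single <result> line.
# Distinct matching lines are included so an analyst can see where the
# name was registered (a match is a lead to investigate, not a verdict).
windshift_ea() {
    hits=$(grep -iF -- "$INDICATOR" | sed 's/^[[:space:]]*//' | sort -u)
    if [ -n "$hits" ]; then
        printf '<result>Detected: %s</result>\n' \
            "$(printf '%s' "$hits" | tr '\n' ';')"
    else
        printf '<result>Not Detected</result>\n'
    fi
}

# Constructed sample dumps (not real lsregister output).
sample_clean() {
    printf '%s\n' 'path:          /Applications/Safari.app' \
                  'executable:    Contents/MacOS/Safari'
}
sample_infected() {
    sample_clean
    printf '%s\n' 'path:          /Users/example/Downloads/Sample.app' \
                  'executable:    Contents/MacOS/usrnode'
}

# On a Mac, check the live LaunchServices database; elsewhere, say so.
if [ -x "$LSREGISTER" ]; then
    "$LSREGISTER" -dump 2>/dev/null | windshift_ea
else
    echo "<result>lsregister not found</result>"
fi
```

The match is case-insensitive and on the bare name, so any unrelated item whose path or name contains the same string will also be reported.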

Enable The Safari Debug Menu

I can’t believe I’ve never posted this: Safari has a Debug menu. I guess I’ve mentioned the Develop menu before. But I also like to use the debug menu on my daily driver, out of the box. I’ve been enabling this thing for what seems like forever in my deployment workflows.

defaults write com.apple.Safari IncludeInternalDebugMenu 1

Once enabled, you’ll see a bunch of awesome debugging tools.

Super-Simple Bash Graphs

The sparkr gem is installed by default in macOS. To use it to produce simple graphs, simply run it followed by a series of integers:

sparkr 12 110 250 110 12

The result would be as follows:

This is useful for a quick and dirty visualization in scripts. For example, a series of 5, 10, 200 numbers that don’t have that much range where you’re just looking for a simple pattern. Like number of lines in logs, etc. Obviously, you can pay a lot of money for graphing frameworks and very fancy-schmancy tools. This is really just for me in small scripts. 

Note: sparkr isn’t installed on all Mac systems. To install it manually use:

sudo gem install sparkr

Thanks to Armin Briegel for pointing out that sparkr isn’t installed by default on the latest OSen.

Hey, So What’s This Mac App Got Access To?

Just some one-liners you may find useful… I’ve written about codesign a few times in the past. To see a detailed description of how an app was signed:

codesign -dvvvv /Applications/Firefox.app

This also gives you the bundleID for further inspection of an app. But there are a number of tools you can use to check out signing and go further into entitlements and sandboxing. You can check the 

asctl sandbox check --bundle com.microsoft.outlook

The response would be similar to 

/Applications/Microsoft Outlook.app:

signed with App Sandbox entitlements

In the above, we see that Outlook has entitlements to do some stuffs. But where do you see an indication of what it can do? There are a number of sandbox profiles located in /usr/share/sandbox and the more modern /System/Library/Sandbox/Profiles/ and Versions/A/Resources inside each framework should have a .sb file – but those are the Apple sandbox profiles. Additionally, you can see what each app has access to using the container_check.rb script:

/usr/libexec/AppSandbox/container_check.rb -c com.microsoft.outlook --for-user charles.edge --stdout

Simply strip the -c followed by the container and you’ll get a list of all apps. When you’re building and testing sandbox profiles for apps you plan to compile, you may want to test them. To do so, use sandbox-exec:

sandbox-exec -f /usr/share/sandbox/lockdown.sb /Applications/TextEdit.app/Contents/MacOS/TextEdit 

As of 10.14, any app looking to access Location Services, Contacts, Calendars, Reminders, Photos, Camera, Microphone, Accessibility, the hard drive, Automation services, Analytics, or Advertising kit will prompt the user to accept that connection. This is TCC, or Privacy Preferences. You can programmatically remove items but not otherwise augment or view the data, via the tccutil command along with the only verb currently supported, reset: 

tccutil reset SERVICE com.smileonmymac.textexpander

A couple one-liners for analyzing Mac app usage

Reporting on application usage is an interesting topic on the Mac. This is done automatically with a number of device management solutions. But there are things built into the OS that can help as well.

mdls "/Applications/Xcode.app" -name kMDItemLastUsedDate | awk '{print $3}'

Now, if you happen to also need the time, simply add ,$4 to the end of your awk print so you can see the next position, which is the time. Additionally, a simple one-liner to grab the foreground app via AppleScript is:

osascript -e 'tell application "System Events"' -e 'set frontApp to name of first application process whose frontmost is true' -e 'end tell'

That’s pretty much all I had to say about that.