krypted.com

Tiny Deathstars of Foulness

You can easily accept user-provided input in bash with the read command on Linux and OS X. Here, we’ll echo a prompt to the user, read the response into a variable called yn and then echo that response back:

echo "Please enter y or n: "
read yn
echo "You chose wrong: $yn"

Here, we used echo simply to write out what was entered. But we could take this a little further and use a case statement to run an action based on the choice selected:

read -p "Should the file extension change warning be disabled (y/n)? " yn
# ${yn:0:1} keeps only the first character, so "yes"/"Yes" match as well
case ${yn:0:1} in
  y|Y )
    defaults write com.apple.finder FXEnableExtensionChangeWarning -bool false
    echo "The warning has been disabled"
    ;;
  * )
    # anything other than y/Y (including an empty answer) re-enables the warning
    defaults write com.apple.finder FXEnableExtensionChangeWarning -bool true
    echo "The warning has been enabled"
    ;;
esac

The options when scripting are pretty much infinite and chances are, if you’ve written any scripts, you’ll know of a better way to do this than how I’ve always done it. One of the great things about scripting is the fact that there’s always a better way. So feel free to throw any of your examples into the comments!
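One way to make the prompt above robust, as an added example that is not from the original post: ask_yn validates the answer, re-prompts on anything that is not y/n, and takes a default when stdin is closed, which is what happens when the script is pushed out by a management tool with no terminal. The set_extension_warning wrapper and its default are constructed for illustration.

```shell
#!/bin/sh
# Added example: a reusable yes/no prompt for scripts that may run without a tty.
# Usage: ask_yn "Disable the warning?" n   -> prints "yes" or "no" on stdout
ask_yn() {
    prompt="$1"; default="${2:-n}"
    while :; do
        # read -p is a bash extension, so print the prompt ourselves (to stderr)
        printf '%s (y/n) [%s]: ' "$prompt" "$default" >&2
        if ! read -r yn; then
            yn="$default"          # EOF: nobody is typing, take the default
        fi
        yn="${yn:-$default}"       # empty answer (just Enter): take the default
        case "$yn" in
            y|Y|yes|YES|Yes) echo yes; return 0 ;;
            n|N|no|NO|No)    echo no;  return 0 ;;
            *) echo "Please answer y or n." >&2 ;;   # garbage: ask again
        esac
    done
}

# The post's Finder example driven by ask_yn (constructed wrapper; the default
# of "n" keeps the warning on unless the operator explicitly says y).
set_extension_warning() {
    if [ "$(ask_yn 'Disable the file extension change warning?' n)" = yes ]; then
        defaults write com.apple.finder FXEnableExtensionChangeWarning -bool false
        echo "The warning has been disabled"
    else
        defaults write com.apple.finder FXEnableExtensionChangeWarning -bool true
        echo "The warning has been enabled"
    fi
}
```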

July 28th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix

I mess computers up a lot. And that means I have to reload operating systems a lot. I’ve also been having terrible issues caused by autocorrect. So let’s disable it, by writing the NSAutomaticSpellingCorrectionEnabled key into NSGlobalDomain as a false boolean:

defaults write NSGlobalDomain NSAutomaticSpellingCorrectionEnabled -bool false

July 27th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security

Sometimes when I’m writing a script, I need the script to phone home. For example, this can tell another daemon where to ssh into when I invoke it remotely. So, let’s say I want to grab my WAN address in a script. I can use curl against a number of third-party sites (sites that often change), but one we can use here is ipecho.net. Here, we’ll fetch their plain-text output page:

curl ipecho.net/plain

The result can then be captured into a variable or file for processing in other parts of a script. For example, the output here is basically the same, but the command is run in backticks, as you might do when scripting:

echo `curl ipecho.net/plain`

July 26th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix

The caffeinate command is pretty cool. It keeps your computer from going to sleep. It can run in a couple of different ways. There’s a timer that prevents sleep for a little while. You can also run another command from within caffeinate, which keeps the system awake until that command has finished. Here, we’ll scp a file called sourcefile to a host called servername (as user me) and keep the system from going to sleep until the copy is finished:

caffeinate -s scp sourcefile me@servername:targetfile

Here, we’ll just use the boring command to tell the computer not to go to sleep for an hour:

caffeinate -t 3600 &

July 24th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security

July 24th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, personal

By default in OS X, when you change the extension of a file, you get a warning. This is somewhat annoying to me, as I do this pretty frequently and have almost never done so accidentally. So to disable it, write the FXEnableExtensionChangeWarning key into com.apple.finder as false:

defaults write com.apple.finder FXEnableExtensionChangeWarning -bool false

To undo this, run the same command with the key set to true:

defaults write com.apple.finder FXEnableExtensionChangeWarning -bool true

July 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security

As of OS X 10.9 (and, in many cases more importantly, in OS X Server for 10.9 and higher), OS X performs ARP cache validation when passing traffic over a router. If you are double NAT’d or use redundant gateways, the traffic can be interpreted as network redirection and cause some pretty bad packet loss and latency. You can disable this feature by turning off net.link.ether.inet.arp_unicast_lim using sysctl:

sysctl -w net.link.ether.inet.arp_unicast_lim=0

That only disables unicast ARP validation until the next reboot. If it fixes a latency problem you’re having, you can make it permanent by adding the following line to /etc/sysctl.conf:

net.link.ether.inet.arp_unicast_lim=0

If you’re still having issues with latency, turn it back on. To enable it again, repeat the command, swapping the 0 for a 1.

July 19th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

So a few months ago, closing in on 3,000 posts, the database got too big and krypted.com started suffering from innodb corruption, resulting in database outages. While I was able to get the site up, it was using a read-only database that kept me from doing any new articles or updates. It was a strange time in my life, like suddenly being single after living with someone since Y2K (when I started the site). But I got through it and was able to repair the relation… er, site. Now, with a new database that is free from corruption we’re ready to get to 6,000 posts!

Also, I had a little feedback on the usability of the site. I had thought people would scroll down to find the search box. Apparently there’s a reason most sites put it at the top. It’s now there here. I also made a couple of new pages (in addition to the articles I’ve been posting since it came back up) and removed a couple of pages. Most of the pages have gotten fresh information and had at least something retired. No changes to articles in all of this, just pages.

Finally, I know I’ve made this offer in the past, but I welcome any guest authors that would love a place to store their stuff. Talk about anything technical you’d like, from Arduino to BRU to Casper to Munki to OpenMDM to Linux to PowerShell. It should just be technical…

July 17th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall.

Some tricks I’ve picked up with the Mac Firewall/alf scripting:

  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage, where you might otherwise kick yourself out of your session).
  • Whatever you do, you can always reset things back to defaults by removing the com.apple.alf.plist file from /Library/Preferences and replacing it with the default plist from /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
  • Configure global settings, then per-application settings, then enable the firewall. On a remote system, enable it once, wait, and confirm everything still works before enabling the firewall for good.
  • To debug, use the following command: /usr/libexec/ApplicationFirewall/socketfilterfw -d

/usr/libexec/ApplicationFirewall contains Firewall, the binary of the application layer firewall itself, and socketfilterfw, which configures it. To configure the firewall to block all incoming traffic:

/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

To see if block all is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall

The output would be as follows, if successful:

Firewall is set to block all non-essential incoming connections

There are a couple of global options that can be set. Stealth mode:

/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

To check if stealth mode is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode

Firewall logging:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

You can also control the verbosity of the logs using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail

To start the firewall:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:

/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

To check if you allow signed apps:

/usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned

This will allow all TRUSTEDAPPS. The --listapps option shows the status of each filtered application:

/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

To check if an app is blocked:

/usr/libexec/ApplicationFirewall/socketfilterfw --getappblocked /Applications/MyApp.app/Contents/MacOS/myapp

This shows the number of exceptions, explicitly allowed apps and signed exceptions, as well as process names and allowed-app statuses. There is also a list of TRUSTEDAPPS, which is initially populated by Apple tools with sharing capabilities (e.g. httpd and smbd). If you are enabling the firewall using a script, first sign the applications that need to allow sharing but are not in the TRUSTEDAPPS section, using the -s option along with the application binary (not the .app bundle):

/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp

Once signed, verify the signature:

/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp

Once signed, trust the application using the --add option:

/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp

To see a list of trusted applications, use the -l option as follows (the output is pretty ugly and needs to be parsed better):

/usr/libexec/ApplicationFirewall/socketfilterfw -l

If, in the course of your testing, you determine the firewall just isn’t for you, disable it:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

To sanity check whether it’s started:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

Or to manually stop it using launchctl (should start again with a reboot):

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

If you disable the firewall using launchctl, you may need to restart services for them to work again.
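The procedure above in script form, as an added example that is not from the original post: global options first, then signing and trusting each binary, then the global state, with each getter’s output checked afterwards. The socketfilterfw path and the wording "block all non-essential" come from the post; the "enabled" and "State = 1" phrasings matched by alf_is_on, the APPS list and the SFW/ALF_APPLY variables are assumptions.

```shell
#!/bin/sh
# Added example: configure the OS X application firewall in the order the post
# recommends (globals, per-app trust, then enable) and verify each getter.
SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# Return 0 when a getter's output reports the feature as on.
# "block all non-essential" is quoted in the post; "enabled" / "state = 1"
# are assumed phrasings for the other getters. Matching is case-insensitive
# and "disabled" never contains "enabled", so the disabled forms return 1.
alf_is_on() {
    lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        *"block all non-essential"*|*"state = 1"*|*enabled*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one getter (e.g. --getstealthmode) and report PASS/FAIL on its output.
alf_check() {
    out=$("$SFW" "$1" 2>&1)
    if alf_is_on "$out"; then echo "PASS $1: $out"; else echo "FAIL $1: $out"; return 1; fi
}

# Full procedure. APPS is a constructed list: replace it with the binaries
# (not .app bundles) that your hosts actually need to accept connections.
alf_configure() {
    APPS="${APPS:-/Applications/MyApp.app/Contents/MacOS/myapp}"
    "$SFW" --setstealthmode on          # global settings first
    "$SFW" --setloggingmode on
    "$SFW" --setloggingopt brief        # throttled | brief | detail
    "$SFW" --setallowsigned on
    for app in $APPS; do                # then per-application settings
        "$SFW" -s "$app" && "$SFW" -v "$app" && "$SFW" --add "$app"
    done
    "$SFW" --setglobalstate on          # enable last, once everything is set
    alf_check --getglobalstate && alf_check --getstealthmode && alf_check --getallowsigned
}

# Only act when the binary exists and the operator opts in (ALF_APPLY=1).
if [ -x "$SFW" ] && [ "${ALF_APPLY:-0}" = "1" ]; then
    alf_configure
fi
```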

July 16th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

For a long time, we used the bless command to start systems up from a specific volume in OS X. Back in 2009 I started using the systemsetup command for more and more tasks. These days, I’m being guided to replace all of my bless options in scripts with systemsetup. The easy way to configure your startup volume using systemsetup is to list the available volumes, set one as the startup volume and then check which one is the current volume. The first task is to list the available startup volumes, using the -liststartupdisks option:

sudo systemsetup -liststartupdisks

You can then set the startup disk to one of the volumes listed by the above command:

sudo systemsetup -setstartupdisk /Volumes/HAVOKMELTDOWN

Finally, as a sanity check in your script, you can verify that the desired disk is the startup volume using -getstartupdisk:

sudo systemsetup -getstartupdisk

July 15th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment