Tiny Deathstars of Foulness

Every now and then I need to reclaim that space in /var/vm or I need to stop a process from paging to swap files while I’m troubleshooting something else. I in no way endorse disabling swap files (which basically kills using swap files as a part of your overall virtual memory) for extended periods of time. However, it has saved me in the case of stability concerns long enough to get a system patched or something like that.

To disable OS X swap files, all you need to do is stop the daemon and restart. Use launchctl to stop it:

sudo launchctl unload -wF /System/Library/LaunchDaemons/

Once restarted, you may need to remove the files in /var/vm as that is where the swap files are stored. To do so, rm the contents of /var/vm (the directory is root-owned, so this needs sudo):

sudo rm /var/vm/swapfile*

You should also be able to get rid of the sleepimage file in that directory if needed. Since this is supposed to be a temporary or troubleshooting measure, to turn swapping back on:

sudo launchctl load -wF /System/Library/LaunchDaemons/

January 21st, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Xsan


I’ve long been a supporter of building tools in self service portals such as those provided by JAMF and Munki to let users who don’t have administrative permissions perform tasks that wouldn’t typically be destructive. One such example is a simple repair permissions. An administrator can simply open Disk Utility, select their disk and then click Repair Disk Permissions. But if you want to do this as a user who doesn’t have administrative privileges, you would need to elevate your privileges before doing so. In a larger environment it would be incredibly annoying for dozens, hundreds, thousands or even tens of thousands of users to bring their computer to an administrator just to type in a password. But, if you have a patch management solution that has some kind of a self service portal, users could do this themselves.

Typically, you would create a very small payload-free package. This package might just contain a single script that might even be as short as a one-liner. For example, the following command would actually run a repairPermissions:

diskutil repairPermissions /

You could also send some environment variables from your patch management tool for the boot volume, but in this simple instance we’re just going to run it, with the following type of output:

Started verify/repair permissions on disk0s2 Macintosh HD
Permissions differ on "Library/Application Support"; should be drwxr-xr-x ; they are drwxrwxr-x
Repaired "Library/Application Support"
Group differs on "Library/Printers/InstalledPrinters.plist"; should be 80; group is 0
Permissions differ on "Library/Printers/InstalledPrinters.plist"; should be -rw-rw-rw- ; they are -rw-r--r--
Repaired "Library/Printers/InstalledPrinters.plist"
[ \ 0%..10%..20%..30%..40%..50%..60%..70%................ ] 74% 0:00:34
Finished verify/repair permissions on disk0s2 Macintosh HD

You could get much more complicated, writing the output to syslog or even a syslog server.
You can also have metapackages that just do a bunch of tasks and call them things like “Try to fix my computer.” Provided you have a patch management tool, you could also just scope some devices and push some of these things out en masse; however, for the most part, I’m a fan of self service, so that’s the example I’m using this for.
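As an added example (not a script from the post or from JAMF/Munki), here is what the self-service payload could look like once you do “get more complicated” and log to syslog: it runs diskutil, reduces the chatter to the paths that were flagged and the ones that were actually repaired, and writes a single summary line to syslog so the help desk can see what the self-service item did on a machine. The DISKUTIL path and the SYSLOG_TAG ident are assumptions; SAMPLE_OUTPUT is the diskutil output quoted above, embedded so the parsing can be exercised without a Mac.

```python
#!/usr/bin/env python3
"""Self-service wrapper for `diskutil repairPermissions` (added example).

Runs the repair the way a payload-free package's postinstall script would,
summarises what diskutil reported and writes that summary to syslog.
"""
import re
import subprocess
import syslog

DISKUTIL = "/usr/sbin/diskutil"          # assumed location of diskutil on OS X
SYSLOG_TAG = "selfservice-repairperms"   # hypothetical syslog ident for these runs

# The diskutil output quoted in the post, used here as offline sample input.
SAMPLE_OUTPUT = r"""Started verify/repair permissions on disk0s2 Macintosh HD
Permissions differ on "Library/Application Support"; should be drwxr-xr-x ; they are drwxrwxr-x
Repaired "Library/Application Support"
Group differs on "Library/Printers/InstalledPrinters.plist"; should be 80; group is 0
Permissions differ on "Library/Printers/InstalledPrinters.plist"; should be -rw-rw-rw- ; they are -rw-r--r--
Repaired "Library/Printers/InstalledPrinters.plist"
[ \ 0%..10%..20%..30%..40%..50%..60%..70%................ ] 74% 0:00:34
Finished verify/repair permissions on disk0s2 Macintosh HD
"""

# "Permissions differ on", "Group differs on", "Owner differs on", ...
DIFFER_RE = re.compile(r'^(?:Permissions|Group|Owner|User) differs? on "([^"]+)";')
REPAIRED_RE = re.compile(r'^Repaired "([^"]+)"$')


def summarize(output):
    """Reduce diskutil's output to the paths it flagged and the ones it fixed."""
    found, repaired, finished = [], [], False
    for raw in output.splitlines():
        line = raw.strip()
        m = DIFFER_RE.match(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
        m = REPAIRED_RE.match(line)
        if m:
            repaired.append(m.group(1))
        if line.startswith("Finished verify/repair permissions"):
            finished = True
    return {"found": found, "repaired": repaired, "finished": finished}


def summary_line(summary, returncode):
    """One syslog-friendly line; paths flagged but not repaired are called out."""
    missed = [p for p in summary["found"] if p not in summary["repaired"]]
    return "repairPermissions rc=%d finished=%s flagged=%d repaired=%d unrepaired=%s" % (
        returncode, summary["finished"], len(summary["found"]),
        len(summary["repaired"]), ",".join(missed) or "none")


def log_to_syslog(line, returncode, tag=SYSLOG_TAG):
    """Notice on success, error otherwise, so a syslog server can alert on failures."""
    syslog.openlog(tag, syslog.LOG_PID, syslog.LOG_USER)
    syslog.syslog(syslog.LOG_NOTICE if returncode == 0 else syslog.LOG_ERR, line)
    syslog.closelog()


def repair(volume="/", diskutil=DISKUTIL):
    """Run the repair, log the result and return (returncode, summary)."""
    proc = subprocess.run([diskutil, "repairPermissions", volume],
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    summary = summarize(proc.stdout.decode("utf-8", "replace"))
    log_to_syslog(summary_line(summary, proc.returncode), proc.returncode)
    return proc.returncode, summary


if __name__ == "__main__":
    rc, s = repair()
    print(summary_line(s, rc))
    raise SystemExit(rc)   # the package/self-service tool sees diskutil's exit status
```

Exiting with diskutil’s own return code matters for the self-service tool: a failed repair then shows up as a failed policy rather than a silent “success”.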

October 28th, 2013

Posted In: Mac OS X


Encrypting a volume in OS X Mavericks couldn’t be easier. In this article, we will look at three ways to encrypt OS X Mavericks volumes. The reason there are three ways is that booted volumes and non-booted volumes have different methods for enabling encryption.

Encrypting Attached Storage

For non-boot volumes, just control-click or right-click on them and then click on Encrypt “VOLUMENAME” where the name of the volume is in quotes. When prompted, provide an encryption password for the volume, verify that password and if you so choose, provide a hint. Once the encryption process has begun, the entry previously clicked on says Encrypting “VOLUMENAME” where the name of the volume is in quotes.


Before you can encrypt a volume from the command line you must first convert it to CoreStorage if it isn’t already. As volumes on external disks aren’t likely to be CoreStorage, let’s check using diskutil along with corestorage and then list:

diskutil corestorage list

Assuming your volume was already formatted with a non-CoreStorage format and isn’t listed, locate the volume and document the disk identifier (in this case disk2s3). Then, run diskutil corestorage along with the convert verb and the disk, as follows (no need to run this command if it’s already listed):

sudo diskutil corestorage convert disk2s3

The output should look similar to the following:

Started CoreStorage operation on disk2s3 Reco
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk2s3
Switching disk2s3 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: 19D34AAA-498A-44FC-99A5-3E719D3DB6FB
Core Storage PV UUID: 2639E13A-250D-4510-889A-3EEB3B7F065C
Core Storage LV UUID: 4CC5881F-88B3-42DD-B540-24AA63952E31
Core Storage disk: disk4
Finished CoreStorage operation on disk2s3 Reco

Once converted, the LV UUID (LV is short for Logical Volume) can be used to encrypt the logical volume, using a password of crowbar to unlock it:

sudo diskutil corestorage encryptvolume 4CC5881F-88B3-42DD-B540-24AA63952E31 -passphrase crowbar

The output is similar to the following:

Started CoreStorage operation on disk4 Reco
Scheduling encryption of Core Storage Logical Volume
Core Storage LV UUID: 4CC5881F-88B3-42DD-B540-24AA63952E31
Finished CoreStorage operation on disk4 Reco

Depending on the size of the volume, this process can take some time. Monitor the progress using the corestorage list option:

diskutil corestorage list

In all of these commands, you can replace corestorage with cs for less typing. I’ll use the shortened version as I go.

I know that we rarely change passwords, but sometimes it needs to happen. If it needs to happen on a CoreStorage encrypted volume, this can be done from the command line or a script. To do so, use diskutil cs with the changeVolumePassphrase verb. We’ll use -oldpassphrase to provide the old password and -newpassphrase to provide the new passphrase:
diskutil cs changeVolumePassphrase FC6D57CD-15FC-4A9A-B9D7-F7CF26312E00 -oldpassphrase crowbar -newpassphrase hedeservedit

I continue to get prompted when I send the -newpassphrase, so I’ve taken to using stdin instead, with -stdinpassphrase.

Once encrypted, there will occasionally come a time for decrypting, or removing the encryption from, a volume. It’s worth noting that neither encrypting nor decrypting requires erasing. To decrypt, use the decryptVolume verb, again with the -passphrase option:

diskutil cs decryptvolume 4CC5881F-88B3-42DD-B540-24AA63952E31 -passphrase crowbar

FileVault 2: Encrypting Boot Volumes

Boot volumes are configured a bit differently. This is namely because the boot volume requires FileVault 2, which unifies usernames and passwords with the encryption so that users enter one username and password rather than unlocking drives. To configure FileVault 2, open the Security & Privacy System Preference pane and then click on the FileVault tab. Click on the lock to make changes and then provide the password for an administrative account of the system. Then, click on “Turn On FileVault…”. If there are multiple users, enable each user who should be able to boot the system. On a server, this only needs to be administrators as you likely don’t have the password for end users. When prompted with the Recovery Key, document it and then click on Continue. Choose whether to store the recovery key with Apple. If you will be storing the key with Apple then provide the Apple ID. Otherwise, simply click the bullet for “Do not store the recovery key with Apple” and then click on the Continue button. When prompted, click on Restart to reboot and be prompted for the first account that can unlock the FileVaulted system.
Once encrypted, the FileVault tab in the Security & Privacy System Preference pane shows the encryption status, or the percentage complete during encryption. Use the Enable Users… button to enable additional accounts to unlock the volume (note: by default accounts cannot log in until their account has been added here). That’s it. Managing FileVault 2 using the System Preferences is about as easy as it can get. But for those who require mass management, Apple has provided a tool called fdesetup for that as well.

Using fdesetup with FileVault 2

FileVault 2 now comes with a nifty configuration utility called fdesetup. To use fdesetup to encrypt the boot volume, first check FileVault’s status by entering the fdesetup command along with the status verb (no leading dashes are required any more):

fdesetup status

As with most other commands, read the help page before starting to use it, just in case there are any changes to it between the writing of this article and when you kick off your automated encryption. This is done using the help verb:

fdesetup help

After confirming FileVault is off, enable FileVault with the enable verb, as follows:

sudo fdesetup enable

Unless additional parameters are specified, an interactive session prompts for the primary user’s short name and password. Once enabled, a Recovery Key is returned by the fdesetup command. It should be recorded or otherwise stored, something easily done by mounting a share in a script (e.g. a write-only share for key escrowing). You can also cancel this by just hitting Control-C so we can look at more complicated iterations of the command.
If more complicated measures are needed, of course check out Cauliflower Vest at

The fdesetup command is now at version 2.36:

fdesetup version

Now, if you run fdesetup and you’ve deployed a master keychain then you’re going to have a little more work to do; namely, point the -keychain option at the actual keychain. For example:

sudo fdesetup enable -keychain /Library/Keychains/FileVaultMaster.keychain

To define a certificate:

sudo fdesetup enable -certificate /temp/filename.cer

Adding additional users other than the one who enabled fdesetup is a bit different than the first:

sudo fdesetup add -usertoadd robin

To remove users, just remove them with the remove verb followed by the -user option and the username:

sudo fdesetup remove -user robin

The remove and add verbs also offer using -uuid rather than the username. Let’s look at Robin’s UUID:

dscl . read /Users/robin GeneratedUID | cut -c 15-50

Yes, I used cut. If you have a problem with that then take your judgmental fuc… Nevermind. Take that GUID and plug it in using the -uuid option. For example, to do so with the remove verb:

sudo fdesetup remove -uuid 31E609D5-39CF-4A42-9F24-CFA2B36F5532

Or for good measure, we can basically replicate -user with -uuid for a nice stupid human trick:

sudo fdesetup remove -uuid `dscl . read /Users/robin GeneratedUID | cut -c 15-50`

All of the fdesetup commands can be run interactively or using options to define the variables otherwise provided in the interactive prompt. These are defined well in the man page. Finally, let’s look at -defer. Using -defer, you can run the fdesetup tool at the next login, write the key to a plist and then grab it with a script of some sort later.
At logout, the user will get prompted for a

sudo fdesetup enable -defer /temp/fdesetupescrow.plist

Or define users concurrently (continuing to use the robin test user):

sudo fdesetup enable -user robin -defer /temp/fdesetupescrow.plist

FileVault accounts can also use accounts from Directory Services automatically. These need to synchronize with the Directory Service routinely as data is cached. To do so:

sudo fdesetup sync

This is really just scratching the surface of what you can do with fdesetup. The definitive source is the man page, as well as a nicely done article by Rich Trouton.

Encrypting Time Machine Backups

The last full disk encryption to discuss is Time Machine. To encrypt Time Machine backups, use Time Machine’s System Preference pane. The reason for this is that doing so automatically maintains mounting information in the operating system, rather than potentially having an encrypted drive’s password get lost or not entered and therefore not have backups run. To enable disk encryption for Time Machine destinations, open the Time Machine System Preference pane and click on Select Backup Disk… From the backup disk selection screen, choose your backup target and then check the box for “Encrypt backups”. Then, click on Use Disk. At the overlay screen, provide a backup password twice and if you would like, a hint as to what that password is. When you are satisfied with your passwords, click on the Encrypt Disk button.

Now, there are a couple of things to know here.
1. Don’t forget that password.
2. If you use an institutional FileVault Key then still don’t forget that password, as the institutional key will not work for a Time Machine disk.
3. Don’t forget that password…

Conclusion

Encrypting data in OS X can take on other forms as well. The keychains encrypt passwords and other objects. Additionally, you can still create encrypted dmgs, and many file types have built-in encryption as well.
But the gist is that Apple encrypts a lot. They also sandbox a lot and, with the addition of Gatekeeper, are code signing a lot. Encrypting volumes and disks is mostly about physical security, and these types of encryption provide a substantial solution for that. While all this security might seem like a lot, it’s been in Apple’s DNA for a long time, and really security is about layers; the Mac Systems Administrator batbelt needs a lot of items to allow us to adapt to the changing landscape of security threats. OS X is becoming a little more like iOS, as can be expected, and so I would suspect that encryption will become more and more transparent as time goes on. Overall, the options allow encrypting every piece of data that goes anywhere near a system. The mechanisms with which data is now encrypted are secure, as is the data at rest. Once data is decrypted, features like Gatekeeper and the application layer firewall supplement traditional network encryption to keep systems well secured.
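For the fdesetup section above, here is an added example (not code from the post, from Apple or from Rich Trouton’s article) of the “more complicated iteration” that mass management usually needs: enabling FileVault 2 without an interactive prompt and escrowing the recovery key locally with root-only permissions. fdesetup accepts the enabling user’s credentials as a plist on stdin with -inputplist and returns its result, including the personal recovery key, as a plist with -outputplist; the plist keys Username, Password and RecoveryKey are the ones fdesetup uses. The FDESETUP path, the ESCROW_DIR location and the constructed_output() stand-in for fdesetup’s output are assumptions for running this offline.

```python
#!/usr/bin/env python3
"""Non-interactive FileVault 2 enablement with local recovery-key escrow (added example)."""
import os
import plistlib
import re
import socket
import subprocess
from datetime import datetime, timezone

FDESETUP = "/usr/bin/fdesetup"          # assumed location of fdesetup on OS X
ESCROW_DIR = "/var/root/fv2-escrow"     # hypothetical root-only escrow location

# Personal recovery keys look like XXXX-XXXX-XXXX-XXXX-XXXX-XXXX.
RECOVERY_KEY_RE = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$")


def build_input_plist(username, password):
    """The plist fdesetup reads from stdin when run with -inputplist."""
    return plistlib.dumps({"Username": username, "Password": password})


def parse_output_plist(output):
    """Parse -outputplist output; refuse anything without a plausible RecoveryKey."""
    result = plistlib.loads(output)
    if not RECOVERY_KEY_RE.match(result.get("RecoveryKey", "")):
        raise ValueError("no valid RecoveryKey in fdesetup output")
    return result


def escrow_record(result, username, hostname=None):
    """Key plus enough context to find the right machine again later."""
    return {
        "Hostname": hostname or socket.gethostname(),
        "Username": username,
        "RecoveryKey": result["RecoveryKey"],
        "SerialNumber": result.get("SerialNumber", ""),
        "HardwareUUID": result.get("HardwareUUID", ""),
        "EscrowedAt": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def write_escrow(record, directory=ESCROW_DIR):
    """Write the record as a plist that only root can read; returns the path."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    path = os.path.join(directory, "%s.plist" % record["Hostname"])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # never world-readable
    with os.fdopen(fd, "wb") as f:
        f.write(plistlib.dumps(record))
    return path


def enable_filevault(username, password, fdesetup=FDESETUP):
    """Run `fdesetup enable` with credentials on stdin; return the parsed result."""
    proc = subprocess.run([fdesetup, "enable", "-inputplist", "-outputplist"],
                          input=build_input_plist(username, password),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        raise RuntimeError("fdesetup failed (%d): %s" % (
            proc.returncode, proc.stderr.decode("utf-8", "replace").strip()))
    return parse_output_plist(proc.stdout)


def constructed_output(key, serial="C02CONSTRUCTED"):
    """Constructed stand-in for fdesetup -outputplist output, for offline testing."""
    return plistlib.dumps({"RecoveryKey": key, "SerialNumber": serial,
                           "HardwareUUID": "00000000-0000-0000-0000-000000000000"})


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else input("FileVault user: ")
    result = enable_filevault(user, getpass.getpass("Password for %s: " % user))
    print("recovery key escrowed to", write_escrow(escrow_record(result, user)))
```

Passing the password on stdin rather than as an argument keeps it out of `ps` output and shell history, which is the reason to prefer -inputplist over the -user/-password style options when scripting; the escrow file is created with mode 0600 for the same reason the post says to record the key somewhere write-only.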

October 22nd, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


There are some commands where you just have to wonder why. Sure, I see what this command does, but why bother? Well, I’m not going to say that xsanadmin is one of those commands, but I’m not going to say that it isn’t. At first glance, you might think that the list, stop, start and other verbs look promising. Like maybe you can actually administer a volume from a much simpler to use command line interface. However, if you want a quick and dirty of what xsanadmin does, look no further than just running the command without any verbs or operators:

xsanadmin

The result is help information from the serveradmin command:

Usage: serveradmin [-dhvx] [list | start | stop | status | fullstatus | settings | command] [<service_key> [ = <value> ]]
  -h, --help      display this message
  -v, --version   display version info
  -d, --debug     print command
  -x, --xml       print output as XML plist
Examples:
  serveradmin list                                   --Lists all services
  serveradmin start afp                              --Starts afp server
  serveradmin stop ftp                               --Stops ftp server
  serveradmin status web                             --Returns current status of the web server
  serveradmin fullstatus web                         --Returns more complete status of the web server
  serveradmin settings afp                           --Returns all afp configuration parameters
  serveradmin settings afp:guestAccess               --Returns afp guestAccess attribute
  serveradmin settings afp:guestAccess = yes         --Sets afp guestAccess to true
  serveradmin settings                               --Takes settings commands like above from stdin
  serveradmin command afp:command = getConnectedUsers --Used to perform service specific commands
  serveradmin command                                --Takes stdin to define generic command that requires other parameters

Why’s that? Because all the command is doing is piping information to and from the serveradmin command, thus the verbs are basically the same: list, status, fullstatus, etc. To see which services, let’s pipe settings for all to a file:

xsanadmin settings all > xsanadminsettings.txt

Here, you’ll notice that you have settings for the xsan/san service, file sharing and info.
That’s it. You may be asking yourself, “why did you write this article then?” My answer would be that I’m not really sure. Mostly because I wasted my time trying to see if I could do cool stuff with this command and it turns out I can’t…

October 11th, 2013

Posted In: Mac OS X, Mac OS X Server, Xsan


You can obtain a pretty decent amount of information about the leases your OS X computer gets just by looking in the Network System Preference pane, for each interface. However, you can get a lot more information, as with most things, from the command line. First, we’re going to take a look at en0 on our host and see what the MAC address is:

ifconfig en0 ether

Now, we can look in the /var/db/dhcpclient/leases directory to see a list of all of the leases we have running on our system. Based on the MAC address of our computer, we should see a file there that starts with the name of our interface and finishes with our MAC address. Let’s cat this file:

cat en0-1\,84\:38\:35\:63\:87\:2e

The output is similar to the following (a standard plist):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<dict>
	<key>IPAddress</key>
	<string></string>
	<key>LeaseLength</key>
	<integer>86400</integer>
	<key>LeaseStartDate</key>
	<date>2013-10-03T02:43:36Z</date>
	<key>PacketData</key>
	<data>
	AgEGAPSEH9QAAAAAAAAAAMCo0pAAAAAAAAAAAIQ4NWOHLgAAAAAAAAAAAAAAAAAAAAAA
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqNIBAQT///8A
	MwQAAVGAAwTAqNIBBggEAgICzg0cDP8=
	</data>
	<key>RouterHardwareAddress</key>
	<data>
	ABfFg9DO
	</data>
	<key>RouterIPAddress</key>
	<string></string>
</dict>
</plist>

This shows us the amount of time our lease is valid for, when the lease was provided to us, what IP was provided and the IP of our router. We can then key off of that information as needed (e.g. for other scripts/tools).
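As an added example of keying off that information from a script (this is not code from the post), the following decodes the lease file with plistlib and then takes the PacketData apart: it is the raw DHCPACK the server sent, so it still carries the assigned address, server identifier, subnet mask, router, DNS servers and lease time even where the plist’s own IPAddress and RouterIPAddress strings are empty, as they are in the output above. SAMPLE_LEASE is that lease file, embedded so the script runs offline (the DOCTYPE line is dropped, plistlib does not need it). The option area is located by the RFC 2132 magic cookie rather than assumed at offset 236, so padding before the options does not break the decode.

```python
#!/usr/bin/env python3
"""Decode an OS X DHCP lease file from /var/db/dhcpclient/leases (added example)."""
import plistlib
import struct
import sys
from datetime import timedelta

# The lease plist shown in the post, minus the DOCTYPE line.
SAMPLE_LEASE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>IPAddress</key>
    <string></string>
    <key>LeaseLength</key>
    <integer>86400</integer>
    <key>LeaseStartDate</key>
    <date>2013-10-03T02:43:36Z</date>
    <key>PacketData</key>
    <data>
    AgEGAPSEH9QAAAAAAAAAAMCo0pAAAAAAAAAAAIQ4NWOHLgAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqNIBAQT///8A
    MwQAAVGAAwTAqNIBBggEAgICzg0cDP8=
    </data>
    <key>RouterHardwareAddress</key>
    <data>
    ABfFg9DO
    </data>
    <key>RouterIPAddress</key>
    <string></string>
</dict>
</plist>
"""

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: marks the start of the option area
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER = 1, 3, 6, 51, 53, 54


def _ip(raw):
    return ".".join(str(b) for b in raw)


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_options(area):
    """Walk the TLV option area into {code: bytes}, honouring PAD (0) and END (255)."""
    opts, i = {}, 0
    while i < len(area):
        code = area[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated DHCP option at offset %d" % i)
        length = area[i + 1]
        opts[code] = area[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp_packet(pkt):
    """Decode the fixed BOOTP header plus the options a client cares about."""
    if len(pkt) < 240:
        raise ValueError("packet too short to be a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    cookie_at = pkt.find(MAGIC_COOKIE, 236)   # RFC offset; tolerate padding before it
    if cookie_at < 0:
        raise ValueError("no DHCP magic cookie found")
    opts = parse_options(pkt[cookie_at + 4:])

    def ip_list(code):
        raw = opts.get(code, b"")
        return [_ip(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]

    return {
        "op": op,                          # 2 = BOOTREPLY (server to client)
        "xid": xid,
        "yiaddr": _ip(pkt[16:20]),         # "your" address: what the server assigned
        "chaddr": _mac(pkt[28:28 + hlen]),  # client hardware address
        "message_type": opts[OPT_MSGTYPE][0] if OPT_MSGTYPE in opts else None,  # 5 = DHCPACK
        "server_id": (ip_list(OPT_SERVER) or [None])[0],
        "subnet_mask": (ip_list(OPT_SUBNET) or [None])[0],
        "routers": ip_list(OPT_ROUTER),
        "dns": ip_list(OPT_DNS),
        "lease_time": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    }


def parse_lease(plist_bytes):
    """Combine the plist's summary keys with the decoded packet."""
    d = plistlib.loads(plist_bytes)
    start, length = d["LeaseStartDate"], d["LeaseLength"]
    return {
        "ip": d.get("IPAddress") or None,
        "start": start,
        "expires": start + timedelta(seconds=length),
        "router_ip": d.get("RouterIPAddress") or None,
        "router_mac": _mac(d["RouterHardwareAddress"]),
        "packet": parse_dhcp_packet(d["PacketData"]),
    }


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LEASE
    for key, value in parse_lease(raw).items():
        print("%-11s %s" % (key, value))
```

Run it with a lease file path as the only argument (as root, since /var/db/dhcpclient/leases is not world-readable) or with no argument to decode the embedded sample. The decoded chaddr should match the MAC in the lease file’s name, which is a cheap sanity check that you are looking at the right interface’s lease.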

October 7th, 2013

Posted In: Mac OS X, Mac Security, Mass Deployment


Installing Roundcube to work manually with OS X Server is a bit of a pain. So I definitely wanted to mention that topicdesk, who brought us mailbfr and spamtrainer, have now built a Roundcube package installer to take the pain out of doing so. The installer is available at If you run mail on Mountain Lion Server and haven’t done anything for webmail, check it out!
The latest release of our Roundcube webmail installer for OS X 10.8.x Mountain Lion with Server 2.x is available for download on this page. See current changelog for a complete list of fixes and additions. Please read our FAQs as well. The Roundcube webmail installer for OS X 10.8.x Mountain Lion with Server 2.x will install a fully functioning and configured version of Roundcube 0.9.0 and the compiled Mcrypt libraries it depends on. It will also configure Postgres and a webapp which can be used via

October 3rd, 2013

Posted In: Mac OS X Server


In OS X, we don’t see file extensions by default. However, in a number of environments it’s very useful to have them. To see them in the Finder, write a boolean AppleShowAllExtensions key to the NSGlobalDomain as true, then restart the Finder:

defaults write NSGlobalDomain AppleShowAllExtensions -bool true; killall Finder

To change back to not seeing extensions:

defaults write NSGlobalDomain AppleShowAllExtensions -bool false; killall Finder

September 28th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


The first presentation I’ll be doing at MacSysAdmin today is on Windows Server in Mac OS X and iOS environments, which can be found here: MacSysAdmin_Windows The second presentation I’ll be doing today at MacSysAdmin is on iOS deployment, which can be found here: MacSysAdmin_iOS If you’re not able to attend then I hope you will enjoy. I’ll try and get them to Tycho for uploading to the official site asap.

September 13th, 2012

Posted In: public speaking


Thanks to Allan Sanderson for the following submission, which outlines how to install Final Cut Server in Lion and Mountain Lion Server.
In Websites: Check “Enable PHP web applications”

Install Java

Open /Applications/Utilities/Java. You’ll be prompted by the Software Update service to install Java; click “Continue” and provide admin credentials when prompted.

Install Final Cut Server

Run the Final Cut Server installer. Then run Software Update to get the ProApplications 2010-02 & Final Cut Server v1.5.2 updates.

Check Configuration

1) Check the fcsvr user has been created:

dscl /Local/Default -search /Users RecordName fcsvr

Output should look something like this:

fcsvr RecordName = ( fcsvr )

2) Check the “fcsvr” user’s home folder location is set to “/Library/Application Support/Final Cut Server”:

dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory

Output should look something like this:

NFSHomeDirectory: /Library/Application Support/Final Cut Server

If it doesn’t, correct it with this command:

sudo dscl /Local/Default -create /Users/fcsvr NFSHomeDirectory "/Library/Application Support/Final Cut Server"

Customisations To Make It Work

A word to the wise: I personally take a backup before making any changes to system files. Time Machine is nice ‘n all, but I’d prefer not to have to go there in the first place.

1) An out of the box FCSvr install doesn’t set an “AUTH_TYPE” key/value pair in the file. Under 10.5 & 10.6 this didn’t cause any issues, but 10.7+ does seem to be an issue. So for Local and Open Directory authentication, this command will do the job:

sudo defaults write /Library/Preferences/ "AUTH_TYPE" -int 2

If you’re being more daring and trying to work with Active Directory, then you’ll want the following:

sudo defaults write /Library/Preferences/ "AUTH_TYPE" -int 1

2) Because of how things have changed between 10.6 and 10.7 & 10.8, it’s necessary to manually copy the apache site config into a user’s apache space:
sudo cp "/Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/share/conf/client_apache2.conf" "/etc/apache2/users/fcsvr.conf"

3) Now in order for the apache site config to be read by apache, we need to add in the necessary direction for httpd. Append “UserDir Sites” to the end of “/etc/apache2/httpd.conf”; this can be done as a one-liner if you like:

echo "UserDir Sites" | sudo tee -a /etc/apache2/httpd.conf

4) Lastly we have to add in the redirection settings for 10.7+ as the installer isn’t able to do this due to file path changes between the OS revisions. So, in your /etc/apache2/sites/0000_any_80_.conf file, paste in the following lines after the IfModule for mod_ssl.c:

<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteEngine On
RewriteRule .* - [F]
RewriteRule ^/FinalCutServer$ /~fcsvr/Sites/webstart/index.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_mac.jnlp$ /~fcsvr/Sites/webstart/macJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_windows.jnlp$ /~fcsvr/Sites/webstart/windowsJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_other.jnlp$ /~fcsvr/Sites/webstart/jnlp.php [NC,L]
</IfModule>

ORIGINAL_SOURCES:
SPECIAL_MENTIONS: Matt Geller, David Colville

September 6th, 2012

Posted In: Mac OS X, Mac OS X Server, Xsan


There are four ways to create users in Mountain Lion Server. The first is using the Server app, the second is using Workgroup Manager, the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating users in the Server app. To do so, open the Server app and connect to your server. Then click on the Users entry in the ACCOUNTS list. The list of users is displayed, based on the directory domain(s) being browsed. A directory domain is a repository of account data, which can include local users, local network users and users in a shared directory service such as Open Directory and Active Directory. The drop-down list allows you to see objects that are stored locally as well as on a shared directory server. Therefore, clicking All Users will show all of the accounts accessible by the system. Click on the plus sign to create a new account. At this point, if the server has been promoted to an Open Directory Master, the account will be a local network account, with no way of choosing a different location to store the account in the Server app. When prompted, provide the following information about the new user:
  • Full Name: Usually the first and last name of the user.
  • Account Name: A shorter representation of that name with no spaces or special characters.
  • Email address: The email address to use if the account is going over quotas, has calendar invitations sent, or used for email hosted on the server, etc.
  • Password: The password the user will use to access services on the server.
  • Verify: The password a second time to make sure there are no spelling errors.
  • Allow user to administer this server: Optional field that grants the user administrative access to the server.
  • Home Folder: Optional field that by default creates local home directories for users that use the account, but that also allows you to select a directory shared using the File Sharing service as a location for home folders. Each user in OS X has a home folder; this option defines whether that folder will reside on their computer or on a central server.
  • Disk Quota: Define the amount of space an account can take up on servers.
Note: Optionally, you can also drag an image onto the image shown in the New User screen if you’d like the user to have an avatar.
Once the account details are as you would like, click on the Done button. The account will then be displayed in the list of available accounts. You can still create local accounts but must do so in the Users & Groups System Preference pane, through Workgroup Manager or through the command line. If the server has not been made an Open Directory server then you would be creating local users through the Server app.

Once the account is created, highlight it and click on the cog wheel icon below the list of accounts. Here, you have the option to edit the account you just created, edit their access to services hosted on the server, configure email information and change their password. Click Edit User. Here, you have two new features. You can add the user to groups and use the checkbox for “log in” to disable the account.

Click Cancel and then, using the cog wheel menu again, click on Edit Access to Services. Here, uncheck each service that the user should not have access to. If the service isn’t running then it’s not a big deal. You can highlight multiple accounts concurrently and then use this option to disable services for users en masse.

September 1st, 2012

Posted In: Mac OS X Server, Mac Security

