Tuesday, October 23, 2012

Chrome enterprise policy controls

Chrome comes with a bunch of enterprise controls. These enable you to, amongst other things, whitelist/blacklist/force-install extensions. Also, if you want to install extensions automatically, but allow users to disable or remove them, there is an alternate way to get them installed.

Wednesday, October 17, 2012

Minimal OpenVPN setup: ubuntu server, OS X client

There are some good instructions for setting OpenVPN up quickly on ubuntu here, and I've also covered it previously on this blog. Because of a bug I was getting this error from pkitool when building the ca:
The correct version should have a comment that says: easy-rsa version 2.x
The solution was just a symlink, no need to mess with the vars file:
ln -s openssl-1.0.0.cnf openssl.cnf
To route all traffic through the VPN uncomment this line in the server.conf:
push "redirect-gateway def1 bypass-dhcp"
Then you'll want to add a NAT rule so that return traffic reaches the right clients; this iptables config also allows a few services through:
# Generated by iptables-save v1.4.12 on Wed Oct 17 21:32:01 2012
*nat
:PREROUTING ACCEPT [293:18619]
:INPUT ACCEPT [3:148]
:OUTPUT ACCEPT [6:508]
:POSTROUTING ACCEPT [6:508]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 17 21:32:01 2012
# Generated by iptables-save v1.4.12 on Wed Oct 17 21:32:01 2012
*filter
:INPUT DROP [1:42]
:FORWARD ACCEPT [571:142706]
:OUTPUT ACCEPT [589:168958]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i eth+ -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
-A INPUT -j LOG
COMMIT
# Completed on Wed Oct 17 21:32:01 2012
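As an added example (not part of the original post), here is a small audit of an iptables-save dump for the gateway rules above: it parses the `*table` / `:CHAIN POLICY` / `-A` / `COMMIT` format, pulls out the MASQUERADE sources and the INPUT ports that are accepted from the outside, and reports when the VPN subnet, the OpenVPN port or the default DROP policy is missing. The sample ruleset is the one from the post, trimmed; the function and finding names are my own.

```python
"""Audit an iptables-save dump for an OpenVPN gateway.

Added example, not from the original post. Parses the textual iptables-save
format: '*table' opens a table, ':CHAIN POLICY [pkts:bytes]' sets a chain
policy, '-A CHAIN ...' appends a rule, 'COMMIT' closes the table.
"""
import shlex

# Constructed sample: the post's ruleset, reduced to the lines the audit
# looks at (comments and packet counters kept to show they are ignored).
SAMPLE_RULES = """\
# Generated by iptables-save v1.4.12 on Wed Oct 17 21:32:01 2012
*nat
:PREROUTING ACCEPT [293:18619]
:POSTROUTING ACCEPT [6:508]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [1:42]
:FORWARD ACCEPT [571:142706]
:OUTPUT ACCEPT [589:168958]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
-A INPUT -j LOG
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [argv, ...]}}."""
    tables = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif line.startswith("-A"):
            current["rules"].append(shlex.split(line))
    return tables


def _opt(argv, flag):
    """Value following `flag` in a rule's argv, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def masqueraded_sources(tables):
    """Source networks that are NATed out (the -s of each MASQUERADE rule)."""
    nat = tables.get("nat", {"rules": []})
    return {_opt(r, "-s") for r in nat["rules"]
            if _opt(r, "-j") == "MASQUERADE" and _opt(r, "-s")}


def open_input_ports(tables):
    """Set of (proto, port) accepted on INPUT by an explicit --dport rule."""
    flt = tables.get("filter", {"rules": []})
    ports = set()
    for r in flt["rules"]:
        if r[1] != "INPUT" or _opt(r, "-j") != "ACCEPT":
            continue
        proto, port = _opt(r, "-p"), _opt(r, "--dport")
        if proto and port:
            ports.add((proto, int(port)))
    return ports


def audit_vpn_gateway(text, vpn_net="10.8.0.0/24", vpn_port=1194):
    """Return a list of findings; an empty list means the checks pass."""
    t = parse_iptables_save(text)
    findings = []
    if vpn_net not in masqueraded_sources(t):
        findings.append(f"no MASQUERADE rule for {vpn_net}: VPN replies will not route back")
    if ("udp", vpn_port) not in open_input_ports(t):
        findings.append(f"udp/{vpn_port} not accepted on INPUT: clients cannot connect")
    if t.get("filter", {}).get("policies", {}).get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP: unlisted services are reachable")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_gateway(SAMPLE_RULES) or ["gateway rules look fine"]:
        print(finding)
```

Run it against a live dump with `iptables-save | python3 audit.py`-style plumbing by reading `sys.stdin` instead of `SAMPLE_RULES`. One thing no rule file can show: the MASQUERADE rule only matters if the kernel forwards packets at all, so check that `net.ipv4.ip_forward` is set to 1 (sysctl) on the server as well.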
To ssh to the server while the VPN is active, use:
ssh 10.8.0.1
On the client side (a Mac), first install Tunnelblick. You can use it to create an example config, which is a directory into which you drop the CA and client cert. The most important setting in the config is:
remote myserver.com 1194

Tuesday, October 16, 2012

OS X Packaging (Luggage) Tutorial: hello world

Apple ships a GUI utility called PackageMaker to help you create .pkg files for deployment. It isn't included in newer versions of Xcode; you'll need to download it separately, as part of the 'Auxiliary Tools for Xcode' package.

The problem is that reproducing builds with many different project collaborators is a PITA; enter The Luggage.

Here's a hello world.

Install git, then clone and install The Luggage:
git clone https://github.com/unixorn/luggage
cd luggage
make bootstrap_files
Write a simple Makefile (this assumes you have copied PackageMaker.app from the Auxiliary Tools into /Applications):
include /usr/local/share/luggage/luggage.make
TITLE=Hello_World
REVERSE_DOMAIN=com.testing.something
PAYLOAD=pack-usr-local-bin-hello_world
PACKAGEMAKER=/Applications/PackageMaker.app/Contents/MacOS/PackageMaker
Create a dummy file to install, and build the dmg:
touch hello_world
make dmg
You'll get a Hello_World-20121016.dmg containing Hello_World-20121016.pkg, which, when installed, will create /usr/local/bin/hello_world.

Monday, October 15, 2012

Registered mime-types and default handlers on OS X

Which application is the default handler for file type .blah on OS X? Turns out this is actually a pretty complicated question.

Launch Services keeps a database into which applications register themselves as MIME handlers, via the CFBundleDocumentTypes and CFBundleURLTypes keys in the Info.plist inside their application bundle's Contents directory; these are parsed periodically (not sure when). Here is part of Safari's:
$ defaults read /Applications/Safari.app/Contents/Info.plist
{
    "Application-Group" = "dot-mac";
    BuildMachineOSBuild = 12A251;
    CFBundleDevelopmentRegion = English;
    CFBundleDocumentTypes =     (
                {
            CFBundleTypeExtensions =             (
                css
            );
            CFBundleTypeIconFile = "document.icns";
            CFBundleTypeMIMETypes =             (
                "text/css"
            );
            CFBundleTypeName = "CSS style sheet";
            CFBundleTypeRole = Viewer;
            NSDocumentClass = BrowserDocument;
        },
                {
            CFBundleTypeExtensions =             (
                pdf
            );
            CFBundleTypeIconFile = "document.icns";
            CFBundleTypeMIMETypes =             (
                "application/pdf"
            );
            CFBundleTypeName = "PDF document";
            CFBundleTypeRole = Viewer;
            NSDocumentClass = BrowserDocument;
        },
[snip]
As an aside, Safari has a list of file types that it will automatically open with the registered MIME handler because they are considered 'safe'. The list is stored in:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System
Where:
  • LSRiskCategorySafe: Safari will automatically open these files after download
  • LSRiskCategoryNeutral: Not auto-opened, no warnings
  • LSRiskCategoryUnsafeExecutable: Warning displayed when opened by the user.
  • LSRiskCategoryMayContainUnsafeExecutable: e.g. zip files. This will trigger a warning if Safari can't determine that the contents are safe or neutral
Back to the Launch Services database. You can use API calls to register a MIME type, and there is also a helper utility called lsregister that provides a simple interface to the database. This command will dump the contents of the database; there are also options to force a registration:
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | less
There is also an app (RCDefaultApp) that presents a more usable graphical frontend to the data.
The user also has some control over MIME type registration, and that information is stored in:
$ defaults read ~/Library/Preferences/com.apple.LaunchServices
{
    LSHandlers =     (
                {
            LSHandlerRoleAll = "com.google.chrome";
            LSHandlerURLScheme = http;
        },
                {
            LSHandlerRoleAll = "com.google.chrome";
            LSHandlerURLScheme = https;
        },
                {
            LSHandlerContentType = "public.html";
            LSHandlerRoleViewer = "com.google.chrome";
        },
                {
            LSHandlerContentType = "public.url";
            LSHandlerRoleViewer = "com.google.chrome";
        }
    );
}
Reading the output of the database query and the plist above, it is difficult to determine which handler will fire for a given file when multiple handlers are registered. Apple provides some documentation about how the MIME handler is chosen for files and URLs in the case of multiple handlers, but the flow chart ends with:
If two or more candidate applications remain after all of the foregoing criteria have been applied, Launch Services chooses one of the remaining applications in an unspecified manner.
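To make the two data sources above concrete, here is an added example (not code from the original post) that reads an app's CFBundleDocumentTypes claims and the user's LSHandlers overrides with plistlib and resolves a file type against them. The plists are constructed XML copies of the `defaults read` output shown above; the second app (`com.example.pdfviewer`) is hypothetical and exists only to show the ambiguous case. The resolution rule is a deliberately simplified model, not Launch Services' real algorithm: a user override wins, otherwise every app claiming the type is a candidate, and more than one candidate is flagged as ambiguous, which is exactly the case Apple's documentation leaves unspecified.

```python
"""Which app handles a given type: a small model of the two plists above.

Added example, not part of the original post. App-side claims come from
CFBundleDocumentTypes in an Info.plist, user-side overrides from the
LSHandlers array in com.apple.LaunchServices. The resolution rule is a
simplified model, not Launch Services' real algorithm.
"""
import plistlib

# Constructed: the Safari Info.plist fragment from the post, as XML.
SAFARI_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.Safari</string>
<key>CFBundleDocumentTypes</key><array>
 <dict><key>CFBundleTypeExtensions</key><array><string>css</string></array>
  <key>CFBundleTypeMIMETypes</key><array><string>text/css</string></array>
  <key>CFBundleTypeRole</key><string>Viewer</string></dict>
 <dict><key>CFBundleTypeExtensions</key><array><string>pdf</string></array>
  <key>CFBundleTypeMIMETypes</key><array><string>application/pdf</string></array>
  <key>CFBundleTypeRole</key><string>Viewer</string></dict>
</array></dict></plist>"""

# Constructed, hypothetical second app that also claims .pdf.
PDF_APP_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.pdfviewer</string>
<key>CFBundleDocumentTypes</key><array>
 <dict><key>CFBundleTypeExtensions</key><array><string>pdf</string></array>
  <key>CFBundleTypeRole</key><string>Viewer</string></dict>
</array></dict></plist>"""

# Constructed: two of the user's LSHandlers entries from the post, as XML.
LS_HANDLERS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>LSHandlers</key><array>
 <dict><key>LSHandlerRoleAll</key><string>com.google.chrome</string>
  <key>LSHandlerURLScheme</key><string>http</string></dict>
 <dict><key>LSHandlerContentType</key><string>public.html</string>
  <key>LSHandlerRoleViewer</key><string>com.google.chrome</string></dict>
</array></dict></plist>"""


def claimed_types(info_plist):
    """Return (bundle id, {("ext"|"mime", value): role}) for an Info.plist."""
    info = plistlib.loads(info_plist)
    claims = {}
    for entry in info.get("CFBundleDocumentTypes", []):
        role = entry.get("CFBundleTypeRole", "None")  # assumption: no role -> "None"
        for ext in entry.get("CFBundleTypeExtensions", []):
            claims[("ext", ext.lower())] = role
        for mime in entry.get("CFBundleTypeMIMETypes", []):
            claims[("mime", mime.lower())] = role
    return info["CFBundleIdentifier"], claims


def user_overrides(ls_plist):
    """Return {("scheme"|"uti", value): (role, bundle id)} from LSHandlers."""
    overrides = {}
    for h in plistlib.loads(ls_plist).get("LSHandlers", []):
        if "LSHandlerURLScheme" in h:
            tag = ("scheme", h["LSHandlerURLScheme"].lower())
        elif "LSHandlerContentType" in h:
            tag = ("uti", h["LSHandlerContentType"].lower())
        else:
            continue
        for key, bundle in h.items():  # LSHandlerRoleAll, LSHandlerRoleViewer, ...
            if key.startswith("LSHandlerRole"):
                overrides[tag] = (key[len("LSHandlerRole"):], bundle)
    return overrides


def resolve(tags, apps, overrides):
    """Pick a handler for an item described by one or more tags.

    Simplified model: the first user override for any tag wins; otherwise
    every app claiming any tag is a candidate, and >1 candidate is ambiguous.
    """
    for tag in tags:
        if tag in overrides:
            bundle = overrides[tag][1]
            return {"handler": bundle, "source": "user",
                    "candidates": [bundle], "ambiguous": False}
    cands = sorted({b for b, claims in apps if any(t in claims for t in tags)})
    return {"handler": cands[0] if cands else None, "source": "app",
            "candidates": cands, "ambiguous": len(cands) > 1}


if __name__ == "__main__":
    apps = [claimed_types(SAFARI_INFO_PLIST), claimed_types(PDF_APP_INFO_PLIST)]
    overrides = user_overrides(LS_HANDLERS_PLIST)
    for tags in ([("ext", "css")], [("ext", "pdf")], [("scheme", "http")]):
        print(tags, resolve(tags, apps, overrides))
```

To run it against real bundles, replace the constructed byte strings with the contents of each app's `Contents/Info.plist` and of `~/Library/Preferences/com.apple.LaunchServices.plist` (plistlib reads both the XML and binary forms). The model deliberately does not map extensions to UTIs or apply Apple's ordering criteria, so an "ambiguous" result means "go and ask `open`", not "Launch Services will pick the first one".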
The quickest way to check is to use 'open', which according to the man page:
opens a file (or a directory or URL), just as if you had double-clicked the file's icon.
So, creating a dummy css file and running open like this should pop up Safari:
open blah.css
Find out a file's content type (a UTI) with:
$ mdls -name kMDItemContentType -name kMDItemContentTypeTree test.dmg 
kMDItemContentType     = "com.apple.disk-image-udif"
kMDItemContentTypeTree = (
    "com.apple.disk-image-udif",
    "com.apple.disk-image",
    "public.archive",
    "public.data",
    "public.item",
    "public.disk-image"
)

Disable OS X auto-login after Filevault 2 unlock

Interesting nugget from the munki-dev list: a description of how to stop the auto-login that occurs after FileVault 2 unlock (I haven't tested this yet). You essentially disable the credential forwarding from the disk unlock window to the login window.
Edit /etc/authorization
Find the "system.login.console" array.
Find the "mechanisms" array within this.
Remove the line "builtin:forward-login,privileged".
Save and reboot.
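The edit described above, done programmatically as an added example (not from the munki-dev post or the original author): /etc/authorization on OS X of that era is an XML plist, so the mechanism can be removed with plistlib instead of by hand, and the function reports how many entries it dropped so a typo in the right name cannot silently do nothing. The sample rights dictionary is constructed and abbreviated (only the system.login.console right and a handful of its mechanisms); the function names are my own.

```python
"""Remove builtin:forward-login from the system.login.console mechanisms.

Added example, not from the original post. Works on an /etc/authorization-
style plist loaded with plistlib and returns the edited plist bytes plus the
number of mechanisms removed, so the caller can back up and write the file.
"""
import plistlib
import shutil
import sys

FORWARD_LOGIN = "builtin:forward-login,privileged"

# Constructed, abbreviated: the shape of /etc/authorization with only the
# system.login.console right and a few of its mechanisms.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
 <key>system.login.console</key><dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array>
   <string>builtin:policy-banner</string>
   <string>loginwindow:login</string>
   <string>builtin:login-begin</string>
   <string>builtin:forward-login,privileged</string>
   <string>loginwindow:success</string>
   <string>loginwindow:done</string>
  </array>
 </dict>
</dict>
</dict></plist>"""


def mechanisms_of(plist_bytes, right="system.login.console"):
    """The mechanisms array of one right, in order."""
    return list(plistlib.loads(plist_bytes)["rights"][right]["mechanisms"])


def disable_forward_login(plist_bytes, right="system.login.console",
                          mechanism=FORWARD_LOGIN):
    """Return (new plist bytes, number of entries removed).

    Raises KeyError if the right or its mechanisms array is missing, rather
    than returning an unchanged file that looks edited.
    """
    auth = plistlib.loads(plist_bytes)
    mechanisms = auth["rights"][right]["mechanisms"]
    kept = [m for m in mechanisms if m != mechanism]
    auth["rights"][right]["mechanisms"] = kept
    return plistlib.dumps(auth), len(mechanisms) - len(kept)


def edit_file(path):
    """Back up `path` to `path`.bak, rewrite it, and return the removed count."""
    with open(path, "rb") as f:
        original = f.read()
    new, removed = disable_forward_login(original)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "wb") as f:
            f.write(new)
    return removed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"removed {edit_file(sys.argv[1])} mechanism(s) from {sys.argv[1]}")
    else:
        edited, n = disable_forward_login(SAMPLE_AUTHORIZATION)
        print(f"removed {n}; remaining: {mechanisms_of(edited)}")
```

Run as root with `python3 disable_forward_login.py /etc/authorization`, then reboot as the post says. Note that later OS X releases stopped reading /etc/authorization and keep these rights in the authorization database (`security authorizationdb`), so this file-based approach applies to the 2012-era systems the post is about.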