Tuesday, October 23, 2012
Chrome enterprise policy controls
Chrome comes with a bunch of enterprise controls. These enable you to, amongst other things, whitelist/blacklist/force-install extensions.
Also, if you want to install extensions automatically, but allow users to disable or remove them, there is an alternate way to get them installed.
Wednesday, October 17, 2012
Minimal OpenVPN setup: ubuntu server, OS X client
There are some good instructions for setting OpenVPN up quickly on Ubuntu here, and I've also covered it previously on this blog. Because of a bug I was getting this error from pkitool when building the CA:
The correct version (of openssl.cnf) should have a comment that says:
easy-rsa version 2.x
The solution was just a symlink, no need to mess with the vars file:
ln -s openssl-1.0.0.cnf openssl.cnf
To route all traffic through the VPN, uncomment this line in server.conf:
push "redirect-gateway def1 bypass-dhcp"
Then you'll want to add a NAT so that return traffic gets back to the right clients; this iptables config also allows some services through:
# Generated by iptables-save v1.4.12 on Wed Oct 17 21:32:01 2012
*nat
:PREROUTING ACCEPT [293:18619]
:INPUT ACCEPT [3:148]
:OUTPUT ACCEPT [6:508]
:POSTROUTING ACCEPT [6:508]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 17 21:32:01 2012
# Generated by iptables-save v1.4.12 on Wed Oct 17 21:32:01 2012
*filter
:INPUT DROP [1:42]
:FORWARD ACCEPT [571:142706]
:OUTPUT ACCEPT [589:168958]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i eth+ -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
-A INPUT -j LOG
COMMIT
# Completed on Wed Oct 17 21:32:01 2012
To ssh to the server while the VPN is active, use:
ssh 10.8.0.1
On the client side (a Mac), first install Tunnelblick. You can use it to create an example config, which is a directory where you dump the CA and client cert. The most important bit in the config you need to set is:
remote myserver.com 1194
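Added here as a sanity check that is not part of the post: the script below parses the filter table of the iptables-save dump above (re-typed as a string, counters zeroed, nat table omitted) and reports which INPUT ports are accepted from any source and which chains fall through to an ACCEPT policy, so you can see at a glance that 22, 80, 443, 53 and 1194 are open to the world and that FORWARD is wide open once ip_forward is enabled.

```python
"""Audit the filter table of the post's iptables-save dump (re-typed, counters zeroed,
nat table omitted): which INPUT ports accept from any source, which chains default to ACCEPT."""
FILTER_TABLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth+ -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth+ -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i eth+ -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
-A INPUT -j LOG
COMMIT
"""

def parse(dump):
    """Return ({table: {chain: policy}}, [(table, tokens)]) for an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            policies[table] = {}
        elif line.startswith(":"):               # chain policy line, e.g. :INPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A"):              # an appended rule
            rules.append((table, line.split()))
    return policies, rules

def world_reachable_ports(dump):
    """(proto, port) pairs accepted on INPUT with no -s restriction: open to any source."""
    _, rules = parse(dump)
    found = []
    for table, tok in rules:
        if table == "filter" and tok[1] == "INPUT" and tok[-1] == "ACCEPT" \
                and "-s" not in tok and "--dport" in tok:
            found.append((tok[tok.index("-p") + 1], int(tok[tok.index("--dport") + 1])))
    return found

def accept_policy_chains(dump):
    """filter chains whose default policy is ACCEPT; FORWARD here means any VPN client is routed anywhere."""
    policies, _ = parse(dump)
    return sorted(c for c, p in policies.get("filter", {}).items() if p == "ACCEPT")
```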
Tuesday, October 16, 2012
OS X Packaging (Luggage) Tutorial: hello world
Apple ships a GUI utility called PackageMaker to help you create .pkg files for deployment. It isn't included in newer versions of Xcode; you'll need to download it separately, it's in the 'Auxiliary tools for XCode' package.
The problem is that reproducing builds with many different project collaborators is a PITA; enter The Luggage.
Here's a hello world.
Download git and clone and install the luggage.
git clone https://github.com/unixorn/luggage
cd luggage
make bootstrap_files
Write a simple Makefile (this assumes you have copied PackageMaker.app from the Auxiliary tools into /Applications):
include /usr/local/share/luggage/luggage.make
TITLE=Hello_World
REVERSE_DOMAIN=com.testing.something
PAYLOAD=pack-usr-local-bin-hello_world
PACKAGEMAKER=/Applications/PackageMaker.app/Contents/MacOS/PackageMaker
Create a dummy file to install, and build the dmg:
touch hello_world
make dmg
You'll get a Hello_World-20121016.dmg containing Hello_World-20121016.pkg, which when installed will create /usr/local/bin/hello_world.
Monday, October 15, 2012
Registered mime-types and default handlers on OS X
Which application is the default handler for file type .blah on OS X? Turns out this is actually a pretty complicated question.
Launch Services keeps a database, into which applications can register themselves as mime handlers, using CFBundleDocumentTypes and CFBundleURLTypes in Info.plist in their application Contents, which are parsed periodically (not sure when). Here is part of Safari's:
$ defaults read /Applications/Safari.app/Contents/Info.plist
{
    "Application-Group" = "dot-mac";
    BuildMachineOSBuild = 12A251;
    CFBundleDevelopmentRegion = English;
    CFBundleDocumentTypes = (
        {
            CFBundleTypeExtensions = ( css );
            CFBundleTypeIconFile = "document.icns";
            CFBundleTypeMIMETypes = ( "text/css" );
            CFBundleTypeName = "CSS style sheet";
            CFBundleTypeRole = Viewer;
            NSDocumentClass = BrowserDocument;
        },
        {
            CFBundleTypeExtensions = ( pdf );
            CFBundleTypeIconFile = "document.icns";
            CFBundleTypeMIMETypes = ( "application/pdf" );
            CFBundleTypeName = "PDF document";
            CFBundleTypeRole = Viewer;
            NSDocumentClass = BrowserDocument;
        },
[snip]
Also, as an aside, Safari has a list of file types that it will automatically open with the registered mime handler because they are considered 'safe'. The list is stored in:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System
Where:
- LSRiskCategorySafe: Safari will automatically open these files after download
- LSRiskCategoryNeutral: Not auto-opened, no warnings
- LSRiskCategoryUnsafeExecutable: Warning displayed when opened by the user.
- LSRiskCategoryMayContainUnsafeExecutable: e.g. zip files. This will trigger a warning if Safari can't determine that the contents are safe or neutral
The Launch Services database itself can be dumped with:
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | less
There is also an app (RCDefaultApp) that presents a more usable graphical frontend to the data.
The user also has some control over mime-type registration, and that information is stored in:
$ defaults read ~/Library/Preferences/com.apple.LaunchServices
{
    LSHandlers = (
        {
            LSHandlerRoleAll = "com.google.chrome";
            LSHandlerURLScheme = http;
        },
        {
            LSHandlerRoleAll = "com.google.chrome";
            LSHandlerURLScheme = https;
        },
        {
            LSHandlerContentType = "public.html";
            LSHandlerRoleViewer = "com.google.chrome";
        },
        {
            LSHandlerContentType = "public.url";
            LSHandlerRoleViewer = "com.google.chrome";
        }
    );
}
Reading the output of the database query and the plist above, it is difficult to determine which handler will fire for certain files where multiple handlers are registered. Apple provides some documentation about how the mime handler is chosen for files and URLs in the case of multiple handlers, but the flow chart ends with:
If two or more candidate applications remain after all of the foregoing criteria have been applied, Launch Services chooses one of the remaining applications in an unspecified manner.
The quickest way to check is to use 'open', which according to the man page:
opens a file (or a directory or URL), just as if you had double-clicked the file's icon.
So, creating a dummy css file and running open like this should pop up Safari:
open blah.css
Find out a file's mime type with:
$ mdls -name kMDItemContentType -name kMDItemContentTypeTree test.dmg
kMDItemContentType     = "com.apple.disk-image-udif"
kMDItemContentTypeTree = (
    "com.apple.disk-image-udif",
    "com.apple.disk-image",
    "public.archive",
    "public.data",
    "public.item",
    "public.disk-image"
)
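The resolution logic described in this post, as an added example that is not part of the original: a user override from com.apple.LaunchServices wins, otherwise every app whose CFBundleDocumentTypes claims the type is a candidate, and with more than one candidate the answer is the "unspecified manner" from Apple's flow chart. Both plists are constructed samples modelled on the output above; com.example.cssedit is a hypothetical second app added to make .css ambiguous.

```python
"""Resolve a type's handler the way the post describes: a user override in
~/Library/Preferences/com.apple.LaunchServices wins; otherwise every app whose
CFBundleDocumentTypes claims the type is a candidate, and with several the pick is unspecified."""
import plistlib

# Constructed sample of the user's LSHandlers plist (entries as in the post's defaults output).
USER_PREFS = plistlib.loads(b"""<plist version="1.0"><dict><key>LSHandlers</key><array>
<dict><key>LSHandlerRoleAll</key><string>com.google.chrome</string><key>LSHandlerURLScheme</key><string>http</string></dict>
<dict><key>LSHandlerContentType</key><string>public.html</string><key>LSHandlerRoleViewer</key><string>com.google.chrome</string></dict>
</array></dict></plist>""")

# CFBundleDocumentTypes per bundle id: Safari's entries are from the post; the
# hypothetical com.example.cssedit is constructed to make .css ambiguous.
BUNDLE_DOC_TYPES = {
    "com.apple.Safari": [
        {"CFBundleTypeExtensions": ["css"], "CFBundleTypeMIMETypes": ["text/css"], "CFBundleTypeRole": "Viewer"},
        {"CFBundleTypeExtensions": ["pdf"], "CFBundleTypeMIMETypes": ["application/pdf"], "CFBundleTypeRole": "Viewer"},
    ],
    "com.example.cssedit": [
        {"CFBundleTypeExtensions": ["css"], "CFBundleTypeMIMETypes": ["text/css"], "CFBundleTypeRole": "Editor"},
    ],
}

def user_override(uti=None, scheme=None, role="Viewer"):
    """Bundle id the user pinned for a UTI or URL scheme (role key, else LSHandlerRoleAll), or None."""
    for h in USER_PREFS["LSHandlers"]:
        if (uti and h.get("LSHandlerContentType") == uti) or (scheme and h.get("LSHandlerURLScheme") == scheme):
            return h.get("LSHandlerRole" + role) or h.get("LSHandlerRoleAll")
    return None

def registered_apps(extension):
    """Bundle ids whose document types claim the extension, in any role."""
    return sorted(bid for bid, types in BUNDLE_DOC_TYPES.items()
                  if any(extension in t["CFBundleTypeExtensions"] for t in types))

def resolve(extension, uti=None):
    """(bundle id or None, reason); None means Launch Services' choice is unspecified, so test with open."""
    pinned = user_override(uti=uti)
    if pinned:
        return pinned, "user override"
    apps = registered_apps(extension)
    if len(apps) == 1:
        return apps[0], "only registered app"
    if not apps:
        return None, "no registered app"
    return None, "ambiguous between " + ", ".join(apps)
```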
Disable OS X auto-login after Filevault 2 unlock
Interesting nugget from the munki-dev list, a description of how to stop the auto-login that occurs after FileVault 2 unlock (I haven't tested this yet). You essentially disable the credential forwarding from the disk unlock window to the login window.
- Edit /etc/authorization
- Find the "system.login.console" array.
- Find the "mechanisms" array within this.
- Remove the line "builtin:forward-login,privileged".
- Save and reboot.
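The same edit done programmatically, as an added example that is not from the munki-dev thread or the post: it loads an /etc/authorization-style plist, drops the forward-login mechanism from system.login.console, and leaves everything else untouched. The plist is a constructed, abbreviated sample; only the builtin:forward-login,privileged entry comes from the post, and patch_file's path default and .bak behaviour are my own choices.

```python
"""Drop builtin:forward-login,privileged from the system.login.console mechanisms of an
/etc/authorization-style plist. SAMPLE_AUTHORIZATION is a constructed, abbreviated sample."""
import plistlib

FORWARD_LOGIN = "builtin:forward-login,privileged"

SAMPLE_AUTHORIZATION = plistlib.dumps({
    "rights": {
        "system.login.console": {
            "class": "evaluate-mechanisms",
            "mechanisms": ["loginwindow:login", "builtin:login-begin", FORWARD_LOGIN,
                           "builtin:authenticate,privileged", "loginwindow:done"],
        },
    },
})

def console_mechanisms(plist_bytes):
    """Mechanism list for system.login.console; KeyError if the file isn't shaped as expected."""
    return plistlib.loads(plist_bytes)["rights"]["system.login.console"]["mechanisms"]

def forwards_login(plist_bytes):
    """True if the disk-unlock credentials are still forwarded to loginwindow."""
    return any(m.strip() == FORWARD_LOGIN for m in console_mechanisms(plist_bytes))

def remove_forward_login(plist_bytes):
    """Return (new plist bytes, changed). Idempotent; other mechanisms keep their order."""
    auth = plistlib.loads(plist_bytes)
    rule = auth["rights"]["system.login.console"]
    kept = [m for m in rule["mechanisms"] if m.strip() != FORWARD_LOGIN]
    changed = len(kept) != len(rule["mechanisms"])
    rule["mechanisms"] = kept
    return plistlib.dumps(auth), changed

def patch_file(path="/etc/authorization"):
    """Rewrite the file in place (needs root), keeping a .bak copy; reboot afterwards as the post says."""
    with open(path, "rb") as f:
        original = f.read()
    updated, changed = remove_forward_login(original)
    if changed:
        with open(path + ".bak", "wb") as f:
            f.write(original)
        with open(path, "wb") as f:
            f.write(updated)
    return changed
```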