Jaharmi’s Irreality renewable hyperlinks with 0% transfat since 1999

The Lullabot Web site has a clever way to help answer the question of “Is that site running Drupal?” Angie Byron mentions that the HTTP “Expires” header returned by Drupal corresponds to a specific default date. Look for that date in the HTTP headers, and you can make a reasonable guess that a site is a Drupal site — or at least one that hasn’t modified one of the core files.

Some commenters posted notes about how to do the same thing with wget and then curl. I expanded on the curl instructions to make them a little more robust (especially in the case of redirects or URL rewriting), and here’s the result:

$ curl -fsIL http://jaharmi.com/ 2>&1 | grep -q -m 1 "Expires: Sun, 19 Nov 1978 05:00:00 GMT" && echo "Yes, this appears to be a Drupal site." || echo "No, this does not appear to be a Drupal site."
Yes, this appears to be a Drupal site.

In trying to determine the age of the command file on a Radmind client — in this case, a Mac OS X 10.5 Leopard system — I learned that its modification date is the same as on the server. This is true on multiple clients I examined, so I believe it to be both consistent and intentional. It also makes sense.

What timestamp, then, can you use to determine how old your command file is, or when your client last updated?

Let’s look into this. For example, here is the command file on a client:

[RadmindClientA]$ ls -ul /private/var/radmind/client | grep command.K
-rw-r--r-- 1 root wheel 667 Jun 3 05:30 command.K
[RadmindClientA]$ ls -cl /private/var/radmind/client | grep command.K
-rw-r--r-- 1 root wheel 667 May 29 10:28 command.K
[RadmindClientA]$ ls -l /private/var/radmind/client | grep command.K
-rw-r--r-- 1 root wheel 667 May 29 10:21 command.K

And the same file examined on the server:

[RadmindServer]$ ls -ul /private/var/radmind/command | grep selected-client-command.K
-rw-r----- 1 root wheel 667 Jun 3 05:27 selected-client-command.K
[RadmindServer]$ ls -cl /private/var/radmind/command | grep selected-client-command.K
-rw-r----- 1 root wheel 667 May 29 10:21 selected-client-command.K
[RadmindServer]$ ls -l /private/var/radmind/command | grep selected-client-command.K
-rw-r----- 1 root wheel 667 May 29 10:21 selected-client-command.K

The status change time (ls -cl) is a little bit harder to understand. I’ve seen it minutes apart from the modification time on a client, but it is the same as the modification time when viewed on the server.

The access time (ls -ul) of the command file on the client, however, simply corresponds to when ktcheck last ran.

For good measure, another client:

[RadmindClientB]$ ls -ul /private/var/radmind/client/ | grep command.K
-rw-r--r-- 1 root wheel 1188 Jun 5 05:08 command.K
[RadmindClientB]$ ls -cl /private/var/radmind/client/ | grep command.K
-rw-r--r-- 1 root wheel 1188 Jun 3 14:13 command.K
[RadmindClientB]$ ls -l /private/var/radmind/client/ | grep command.K
-rw-r--r-- 1 root wheel 1188 Jun 3 14:09 command.K

And its command file on the server:

[RadmindServer]$ ls -ul /private/var/radmind/command | grep another-selected-client-command.K
-rw-r--r-- 1 root wheel 1188 Jun 4 05:13 another-selected-client-command.K
[RadmindServer]$ ls -cl /private/var/radmind/command | grep another-selected-client-command.K
-rw-r--r-- 1 root wheel 1188 Jun 3 14:09 another-selected-client-command.K
[RadmindServer]$ ls -l /private/var/radmind/command | grep another-selected-client-command.K
-rw-r--r-- 1 root wheel 1188 Jun 3 14:09 another-selected-client-command.K

I looked into this because I was wondering why ktcheck -C (to “clean” the /private/var/radmind/client directory) wasn’t having the effect I expected. I thought it cleared out the client directory and started with fresh files, which would all have new timestamps because they were new to the client. When I didn’t get the new timestamps I anticipated, I worked through what I saw until I settled on this explanation.

The result? The main means you have of determining whether the command file has been updated is its access time. The access timestamp corresponds with the date and time of the last ktcheck action. This appears to be the case no matter which flags I’ve used with ktcheck — even with ktcheck -n (where “no files are modified”).

The modification time, for all intents and purposes, only indicates when the file was last changed on the server. Testing this out — with command files that have been overwritten with the exact same contents (using cat), as well as command files deleted on the client before ktcheck — I have reached the conclusion that the modification time changes only when the file contents do.

So, I don’t have solid explanations for all of this. But, I’m now armed with the knowledge that the access timestamp is the most important when you’re looking for the age — or at least the last refresh time — of a Radmind client’s command file.

Under normal circumstances, the latest Radmind tools that communicate with the server report client status updates in the Radmind server’s system log. These standard messages can include ones like:

May 8 03:14:56 RadmindServerHost radmind[7890]: report radmind-client.example.com 192.168.7.42 - - ktcheck No updates needed
May 15 03:15:25 RadmindServerHost radmind[24531]: report radmind-client.example.com 192.168.7.42 - - ktcheck Updates retrieved
May 15 03:21:48 RadmindServerHost radmind[24534]: report radmind-client.example.com 192.168.7.42 - - lapply Changes applied successfully
May 15 03:31:07 RadmindServerHost radmind[24356]: report radmind-client.example.com 192.168.7.42 CertificateCN - lapply Error, changes made

The Radmind repo, or “report,” tool provides the ability to send arbitrary messages to the Radmind server process. But how are these messages formatted and sent?

$ repo -e "Debug" -h radmindserverhost.example.com -w2 "Test message"

… results in the system log message:

May 15 03:31:56 RadmindServerHost radmind[25236]: report radmind-client.example.com 192.168.7.42 CertificateCN - Debug Test message

Here, we can see that an entry created with repo looks like the standard Radmind log messages above. The client hostname and IP address are reported after the “report” text. The CertificateCN for the client — if the highest authorization level is specified (with the -w2 flag) — is also listed; if not, a dash takes its place. I haven’t seen a case where the second dash is substituted, however.

Finally, where the Radmind command/tool used would normally be, the “event” specified by repo will printed. After that, the message text appears.

The value proposition is that if you’re using Radmind, the repo command can help you send arbitrary messages to the server for logging. As bonus, if you’ve taken the time and effort to build the certificate infrastructure for Radmind, you can send these messages securely between the clients and the server cloaked in SSL.

If you’re using multiple servers, you may want to combine their logs in one location so that you can get all of the clients’ reports in one location. You may also want or need to retain these reports for more time. In either case, determine what policies you should apply to the syslog or Apple System Logger (ASL, for Mac OS X) configuration for your server systems.

Whether or not you use repo, it’s good to know that the tools do some logging. The logging can be followed to try to determine the status of your clients, or whether they are failing their updates.

Unfortunately, the most common client failures I have seen tend to involve the lapply tool, and the default level of detail I’ve seen reported back to the server does not provide an indication of what problem has been encountered. You see only that there was an error. Still, even though you may not get enough detail to remotely resolve the problem, it’s something for you to go by find problems in the first place.

There are occasionally times in system administration where I feel as if I’m on the bleeding edge. They are not frequent … which probably puts me somewhere much closer to the lunatic fringe. These are also the times when no one else probably cares about the same things — but no matter, I generally have my own pragmatic reasons for them. This is one of those times, and I have waited for this particular feature for a while. I’m happy to have discovered it.

Let’s set up a scenario: you have a Mac OS X Tiger system bound to an Active Directory. All of the thousands of Active Directory users are available on that Tiger system; any one of them could log in to that computer. This isn’t bad if you only allow logins at the login window. However, if you enable any sharing services, the game changes and your exposure widens.

What if you don’t want everyone in your enterprise directory to log in? This gets a little scary to think about. What if you want to limit those who can log in, particularly for services like SSH? How do you let some users in but keep others out — even going to the point of denying access to whole classes of users?

There are a number of things you can do, some at the client and some in the directory. Unfortunately, some kinds of configuration must be done at the client. There isn’t a great way I’m aware of to distinguish between local and network accounts, complicates the situation for the administrator. With Open Directory in Tiger, any user from any directory service was as valid as any other. There will probably be some manual effort — ongoing effort at that — required to restrict access.

Enter Mac OS X Leopard. It now has “computational groups” in its Open Directory client. They are like smart groups in your local node. The memberships of these groups are calculated, rather than static. They are more like query-based groups.

For the scenario above, the two computational groups that provide the most utility are probably “localaccounts” and “netaccounts.” They allow you to distinguish users who are in the DSLocal database from those in Active Directory. This magic gives the glue we need to maintain finer-grained access controls automatically over time; you could use these groups for the sshd server configuration or in the authorization database at /private/etc/authorization, as examples.

Let’s try the groups out with dsmemberutil, with which we can determine whether or not a user is a member of a specific group. What about the first local user, typically created by the Mac OS X Setup Assistant?

$ dsmemberutil checkmembership -u 501 -G localaccounts
user is a member of the group
$ dsmemberutil checkmembership -u 501 -G netaccounts
user is not a member of the group

Digging further, all of the computational groups I’ve found had the same comment. We can search for that to find the rest, to find all of the computational groups that ship with a Leopard client.

$ dscl . -search /Groups Comment "Group membership calculated by system" | awk '/user|account/ { print $1 }'
authedusers
consoleusers
interactusers
localaccounts
netaccounts
netusers

From that list, we can determine more information about the groups:

Unfortunately, I couldn’t find any other documentation about the computational groups. If you do find some, I’d love to hear about it.

Never let it be said that Apple’s Open Directory command lines tools make complete sense. After all, why would you think to use the new dsmemberutil tool in Leopard to find the Universally Unique Identifier (UUID) for a user account?

You would have if you had read the first line of its man page, maybe, where it outlines exactly how miscellaneous — and I say that in the kindest possible way — the command is: “dsmemberutil — various operations for the membership APIs.”

Enough lead in; the UUID for a user (as well as a group) can be found with this tool:

$ dsmemberutil getuuid -u 501
E4BDC9C9-AD89-4CD6-BE25-16B197669B47

Choose a user with either -u with the userid, or -U with the short username.

One way this can be exceedingly useful is if you want to track down the shadow password file corresponding to a specific user account:

$ sudo ls -1 /private/var/db/shadow/hash | grep `dsmemberutil getuuid -u 501`
E4BDC9C9-AD89-4CD6-BE25-16B197669B47
E4BDC9C9-AD89-4CD6-BE25-16B197669B47.state

Hey, look, the UUIDs match, saving a trip to dscl!

There are times when you need to determine whether a user is a member of a group or not. Knowing the membership of a group can have an impacts on security or operation of system administration scripts. The dsmemberutil tool in Mac OS X Leopard lets you perform checks like this on the command line or in scripts.

You feed it a group and a user, and the tool tells you whether or not the user is a member of the group. This works with group nesting, thanks to the wonder of the memberd functionality first available in Mac OS X Tiger.

$ dsmemberutil checkmembership -u 501 -G admin
user is a member of the group
$ dsmemberutil checkmembership -u 502 -G admin
user is not a member of the group

Unfortunately, you must parse the output, which hinges on whether “not” appears in the text. The exit code for both commands above is “0,” for success.

When I come across software I might need to add into Mac OS X that requires compilation, I typically want to produce one Universal Binary. Make it a four-way UB and you get both 32- and 64-bit support.

A single binary is ideal for a Radmind transcript (or other package, if you wanted to bundle it into an installer) that can be deployed on both PowerPC and Intel Macs on Leopard.

Since rsync 3.0.2 with some patches is apparently working quite well at preserving Mac OS X data and metadata — passing the Backup Bouncer tests — I thought I’d try my hand at a four-way Universal Binary.

What worked for me, using a Mac Pro 4x2.8 GHz with Mac OS X 10.5.2 and Xcode 3.0, was to start with Mike Bombich’s instructions and modify them with some fairly standard Universal Binary build steps. The configure and compile were both less than a minute on this system.

$ ./prepare-source
$ env CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.5.sdk -arch i386 -arch ppc -arch ppc64 -arch x86_64" \
LDFLAGS="-arch i386 -arch ppc -arch ppc64 -arch x86_64" \
./configure --prefix=/usr/local --disable-dependency-tracking
$ make
$ sudo make install

I have seen the use of “-Wl,-syslibroot,/Developer/SDKs/MacOSX10.5.sdk,” in the LDFLAGS environment variable when compiling some applications but this did not work for me with rsync; when I removed it, rsync 3.0.2 configured successfully for me.

The result of the above build process appears to be a full four-way UB:

$ lipo -info /usr/local/bin/rsync
Architectures in the fat file: /usr/local/bin/rsync are: i386 ppc7400 ppc64 x86_64

A local transfer on the build system appears to have worked correctly. I did not test with Backup Bouncer, sync with a non-Mac system, or when shuttling data between architectures. So, accept these results with a grain of salt; I’m just happy I got rsync to compile for now.

Microsoft released Service Pack 1 to update Office 2008 for Macintosh on Tuesday, May 13. The update makes a significant number of changes — spread across Entourage, Word, Excel, and PowerPoint — so if you are a system administrator, I would recommend examining the full description of Office 2008 for Mac Service Pack 1 (12.1.0) in its release notes.

The update is downloadable via Microsoft AutoUpdate (invoke that helper program with Help > Check for Updates in any of the Office applications, or look inside /Library/Application Support/Microsoft in the file system) as well as the Microsoft Office for Mac Web site.

I’ve found that trying to explain the Mac OS X keychain at all tends to make peoples’ eyes glaze over. The keychain is poorly-understood overall, perhaps because it tries to bridge the gap between security and convenience.

A few thoughts:

• A keychain has its own password which may or may not be set to the same as the password for the login account.
• The keychain password is completely independent of the login account’s password, even if it is the same text as the login account’s password. They can be changed independently. When they are the same, they are just two passwords which happen to be the same.
• User keychains are created within user home directories, and are protected by file system permissions while they are enforced.
• Keychain keys are further protected by 3DES encryption. Directory or metadata information is in cleartext.
• The Mac OS X Setup Assistant and Accounts System Preferences both create accounts whose login passwords and keychain passwords will match.
• If the password is shared between the login account and that account’s default keychain, the keychain will be unlocked during the login process. This is the default for accounts created by the Mac OS X Setup Assistant and Accounts System Preferences.
• If the default keychain’s password does not match the login account’s password, the keychain will not be unlocked automatically during the login process. The user may be prompted to unlock it, using the keychain password, if other applications require a key stored within.
• The only time that a password change for a login account changes that user’s default keychain password is when the login account is logged in and changes its own password through Accounts System Preferences.
• If the computer is bound to a directory service, a login account may be tied to that. However, the keychain is not. Changing the login account’s password through a directory service does not reset the keychain’s password. The keychain’s existing password will remain until or unless it is changed.
• A third-party software utility, Keychain Minder, can help to keep login and keychain passwords in sync, if desired. This may be especially helpful in a directory service environment, where you are more likely to change account passwords externally rather through Mac OS X’s built-in means. It also provides an opt-out capability for those who specifically want different login and keychain passwords.
• If the computer is bound to a directory service, and a directory service-based login account was compromised, there is a chance that the password for the default keychain in that account is also compromised. Changing the password for the login account in the directory service will protect the login account. However, that will not necessarily protect the keychain stored within the account’s home directory on disk. Whether or not the keychain password was the same as the former password for the login account — the keychain’s password should probably also be changed.
• The long-term use of the same password for a keychain can be a risk; as it gets stale, it lessens the protection on each key in the keychain.
• There is currently no policy enforcement mechanism, akin to pwpolicy, for keychain passwords.

I was reviewing the pre-release CIS guide for securing Leopard today, and was struck by the many ways people refer to the action of logging in to a computer. This is really a situation calling out for consistent usage based on a style sheet.

So, here are my personal observations on the matter:

• Login is the noun of the bunch. The New Oxford American Dictionary (handy to use, since it’s built into the Dictionary application on Mac OS X) agrees with me here, calling it “an act of logging in to a computer system.” They also list “logon” as an alternative, and I agree. “He used his login credentials to access the system,” would be a usage example.
• Log in is the verb form. The NOAD backs me up, listing it and “log on” as “phrasal verbs” whose meanings are, “go through the procedures to begin use of a computer system, which includes establishing the identity of the user.” For an example phrase, “Security procedures require that you log in to the computer.”
• Log into should not be used, as far as I’m concerned. “Log onto” would be its close brethren, also to be avoided. The NOAD has no listing for either. My proposed alternatives would simply be to add a space: “log in to” or “log on to.” Then, you’re using the phrasal verb.

As I was examining the document, I decide to see what Apple does. I was using the dictionary data they bundle with the operating system, and reviewing a document about their software. They are usually hip with consistency and thus a good example, I thought.

In this case, they aren’t entirely consistent. I found one case — in Accounts System Preferences while editing the Guest account — where they use both “log into” and “log in to,” all on the same screen.