
On Mac OS X 10.6 Snow Leopard, and probably on 10.5 Leopard (not yet tested), there’s a security issue that Apple seems to be aware of but unwilling to address.

When you boot into Single User Mode (pressing Cmd+S before the chime), a Unix-like root console is provided with no regard for security. You are not prompted for the root password as in Debian’s maintenance mode; it simply grants whoever is in front of the computer a console with root permissions. You can do everything root can, except one thing: changing the root password is not possible. But you can add any user to the computer or change the permissions of an existing user or, since you have root access and maybe an Ethernet connection, install a rootkit, a keylogger script or anything else you can think of.

Yay, it’s great to have root access if you have problems with the GUI or you forget your user password, but isn’t it too risky to have an open root console available to whoever gets two minutes alone with an Apple computer? Indeed it is. Is it possible to avoid this insecure mode?

Prior to 10.6, it was possible to use some Unix hacks in order to be asked for a password.

One of them took advantage of the different environment variables in SUM so you could lock the terminal. This worked on Tiger, but the lock command is now obsolete and can no longer be used.

Another hack was to edit the /etc/ttys file and mark the console as insecure, which tells the system that the computer has no physical security, so software security must be enforced. This used to be an elegant solution to the problem, but it no longer works. The current /etc/ttys file shows this comment:


# To secure single-user mode, enable Firmware password protection.
# http://docs.info.apple.com/article.html?artnum=106482
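
The `secure`/`insecure` console flag described above can still be audited on systems that honour it, such as the BSDs. This is an added example, not part of the original post; it assumes the BSD ttys(5) field order (name, command, type, flags), and the sample files are constructed.

```sh
#!/bin/sh
# Added example: report how a BSD-style ttys file marks the console.
# Prints "secure" (single-user mode gives a root shell with no password),
# "insecure" (init asks for the root password) or "missing".
console_flag() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "console" {
            gsub(/"[^"]*"/, "CMD")              # quoted getty command -> one field
            state = "insecure"                  # assumption: no flag means not secure
            for (i = 4; i <= NF; i++) {         # flags follow name, command, type
                if ($i == "secure")   state = "secure"
                if ($i == "insecure") state = "insecure"
            }
            found = 1
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# Constructed sample files (not taken from a real machine).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/default" <<'EOF'
# name  getty                           type    status
console "/usr/libexec/getty std.9600"   vt100   on secure
EOF
cat > "$SAMPLES/hardened" <<'EOF'
#console none unknown off secure
console none                            unknown off insecure
EOF

for f in default hardened; do
    printf '%s: console is %s\n' "$f" "$(console_flag "$SAMPLES/$f")"
done
```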

So, as Apple says, the only option nowadays is Open Firmware password protection, which is not set by default. But while this option makes it impossible to log in using SUM, it also disables many useful boot modes, like verbose mode (V), booting from a DVD (C) and diagnostic mode (D). You can only boot the usual way, or press the Option key, enter the root password and select the disk to boot from (hard disk, optical drive, network disk...). Of course you get that security, and the option to revert it, but it takes two boot sequences to revert it while it should take none.

I tried to discuss this in Apple’s official forums and the only answers I got from those Apple gurus were that “physical access trumps any security”, “lock the computer and have long wires for keyboard and screen” (yes, I laughed too) or “no, it is not possible to do that”.

So, that’s it. Apple, by default, grants a password-free root console, and the only way to avoid that risky situation is to prevent any boot mode apart from the usual one. I am not asking for a difficult hack, just a little bit of security, which was available some time ago (and still is on Linux and BSD systems) without giving up the usability of the advanced boot modes. Some good ad campaigns, the new Intel microprocessors, games like Warhammer Online or WoW having Mac versions, and many other reasons have made Mac computers very popular in recent years, especially among us European students, who can get benefits and discounts or even free iPods like in the US. But there is that backdoor.

PS: I usually post in Spanish on this blog, but I consider this problem so important that this entry is in English so it’s available to anyone who googles the issue.

(Translation. I usually post in Spanish, but I think this problem is serious enough that I would rather it reach as many people as possible who look for information on the subject.)

Wi-Fi network problems: broken antenna or no antenna?

Option 1:

# iwconfig wlan1
wlan1 IEEE 802.11bg ESSID:"WLAN"
Mode:Managed Frequency:2.437 GHz Access Point: EDITADO
Bit Rate=54 Mb/s Tx-Power=20 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Encryption key:EDITADO
Security mode:open
Power Management:off
Link Quality=69/100 Signal level:-49 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

$ ping -c10 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=3.95 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=2.39 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=2.02 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=2.40 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=255 time=2.11 ms
64 bytes from 10.0.0.1: icmp_seq=6 ttl=255 time=2.12 ms
64 bytes from 10.0.0.1: icmp_seq=7 ttl=255 time=2.17 ms
64 bytes from 10.0.0.1: icmp_seq=8 ttl=255 time=2.07 ms
64 bytes from 10.0.0.1: icmp_seq=9 ttl=255 time=2.09 ms
64 bytes from 10.0.0.1: icmp_seq=10 ttl=255 time=2.44 ms

--- 10.0.0.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9011ms
rtt min/avg/max/mdev = 2.025/2.380/3.950/0.542 ms

Option 2:

# iwconfig wlan1
wlan1 IEEE 802.11bg ESSID:"WLAN"
Mode:Managed Frequency:2.437 GHz Access Point: EDITADO
Bit Rate=54 Mb/s Tx-Power=20 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Encryption key: EDITADO
Security mode:open
Power Management:off
Link Quality=55/100 Signal level:-31 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

$ ping -c10 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=285 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=61.5 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=173 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=45.1 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=255 time=90.2 ms
64 bytes from 10.0.0.1: icmp_seq=6 ttl=255 time=23.7 ms
64 bytes from 10.0.0.1: icmp_seq=7 ttl=255 time=88.7 ms
64 bytes from 10.0.0.1: icmp_seq=8 ttl=255 time=258 ms
64 bytes from 10.0.0.1: icmp_seq=9 ttl=255 time=448 ms
64 bytes from 10.0.0.1: icmp_seq=10 ttl=255 time=221 ms

--- 10.0.0.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9011ms
rtt min/avg/max/mdev = 23.716/169.698/448.274/127.660 ms

Better with no antenna than with a broken one. Waaay better. Damn standing wave!!

According to the Andalusian Basketball Federation…

this game is played 6 against 6.

WTF!!!

TV goofs (I)

A mini-point for whoever spots the goof in this image from Battlestar Galactica 4×13:


I’ve moved!!

Yep. Now I have one of those blogs of my own, with my own domain and all that nonsense.

So here I am, halfway through moving things over and so on.

Changing the resolution in Quake III Arena for Mac

Hey you! Switcher who knows that certain games also run on the Mac!!! Doesn’t it sometimes turn out that your screen resolution isn’t natively supported by the game? A pain, right? Well, that happens in Quake III Arena, but I’m going to tell you how to fix it.

a) Set the keyboard layout to U.S. Extended

b) start the game

c) press shift+< to open the console

d) type

/set r_customwidth 1440
/set r_customheight 900
/set r_mode -1
/vid_restart

if your resolution is 1440×900. If it’s something else, change the numbers to suit your resolution, don’t be dense.

Hit Enter.

There you go, kill-kill-kill-kill-kill-kill

WordPress login problem

Sometimes, especially after installing a newer version of WordPress, logging in becomes impossible. It always, always, always redirects you to the same page, which in certain browsers and configurations (Firefox, for example) produces a rather imposing error. The solution is:

a) log out BEFORE uploading the new version of WordPress to the server

or

b) log out so that you can log in again once logging in has become impossible.

But how do you log out if you can’t reach the admin panel?

Very easy: edit what appears in the address bar and enter:

http://dominio/wp-login.php?action=logout

replacing dominio with wherever your blog is hosted; for example, I would enter:

http://blog.sgarciaguillen.com/wp-login.php?action=logout

Quick, simple, fun for the whole family, and it doubles as a blog update :D

This Christmas’s album

Enjoy the death metal version of Silent Night by Testament, or the version of Run Rudolph Run with Lemmy (Motörhead), Billy Gibbons (ZZ Top) and Dave Grohl (Nirvana, Foo Fighters, etc.), or Doug Pinnick (King’s X) singing The Little Drummer Boy.

This is going to be a total hit at Christmas Eve dinner, I’m telling you. :D

Two vices

A prize for whoever guesses them. One is the container and the other is the contents.

Yes, too much time wasted…

When you’re an intern…

you have to be clear on two things. If your boss isn’t working, neither are you. Check your email, read blogs, post on forums, talk on Gmail chat, etc., etc. Even write this post.