Archive

Archive for the ‘Unix’ Category

Fixing Homebrew’s rsyslog on macOS Catalina

February 26, 2020 Leave a comment

As part of some recent testing, I needed to install rsyslog and the instructions I had referenced using Homebrew to do it. I used the following procedure to do it:

1. Set up a new VM running macOS 10.15.3 in VMware Fusion.

2. Inside the VM, open Terminal and install Homebrew by running the following command:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

3. Once Homebrew was installed, install rsyslog by running the following command:

brew install rsyslog

4. Copy a pre-configured rsyslog.conf file to /usr/local/etc/rsyslog.conf.

5. Set the following permissions on /usr/local/etc/rsyslog.conf:

File permissions

Owner: root - read, write
Group: wheel - read
Everyone: read

6. Start rsyslog by running the following command with root privileges:

brew services start rsyslog

When I checked on rsyslog though, it wasn’t running or accepting logs from remote Macs like it should be. What had happened?


Update – 3-5-2020: The problem described by this post has now been fixed:


 

For more details, please see below the jump.

Read more…

Categories: Mac administration, macOS, Unix

Enabling Touch ID authorization for sudo on macOS High Sierra

November 17, 2017 10 comments

My colleague @mikeymikey brought this tweet by Cabel Sasser to my attention yesterday:

I have a Touch ID-enabled MacBook Pro and use sudo frequently, so I’ve implemented this on my own laptop. For more details, see below the jump.

Read more…

Categories: Mac administration, macOS, Unix

Disabling login to the root account by changing the root account’s user shell

March 19, 2017 1 comment

While discussing various issues with a colleague, he mentioned that he was seeing the root account enabled on several machines where it should not have been. In general, the root account on macOS is not needed for system administration and should be disabled so he asked if there was a way to use the dsenableroot command to disable the root account without also needing to provide a password.

Unfortunately, disabling the root account by using the dsenableroot -d command does require providing a password as part of the command.

Screen Shot 2017 03 19 at 4 55 17 PM

However, it is possible to disable logins to the root account without using the dsenableroot -d command. For more details, see below the jump.

Read more…

Fixing server connection issues by changing network interface order

October 25, 2016 1 comment

I had one of my customers report a problem today after applying software updates to his Mac. His Mac had been able to automount certain network shares via NFS before the updates, but was unable to access those shares following the updates.

I connected remotely to the Mac and verified that I was unable to manually mount the NFS mounts.

When I tried to run the showmount command to get a list of the available NFS mounts on the server, I also received a timeout message:

I was about to send this on to the team that handled our NFS shares, when I remembered I hadn’t verified that I could access the server. Sure enough, I couldn’t:

I could ping Yahoo however, so I could contact the internet.

So I couldn’t access an internal network resource, but I could access the internet. What made this puzzling was that I was connecting remotely to the Mac via the IP address associated with this person’s Ethernet address. This IP address should not have had issues accessing internal network resources. What had happened? For more, see below the jump.

Read more…

tty_tickets option now on by default for macOS Sierra’s sudo tool

September 21, 2016 1 comment

While working on some documentation, I noticed a behavioral change in macOS Sierra’s sudo tool that was different from how sudo behaves on OS X El Capitan.

El Capitan

if you run sudo in one Terminal session and authenticate with your password, then open another Terminal session and run sudo, you won’t be prompted for your password in either Terminal session until the normal sudo authentication timeout. To see what this behavior looks like, please see the video below:

Sierra

If you run sudo in one Terminal session and authenticate with your password, then open another Terminal session and run sudo, you’ll get asked for your password in the second Terminal session too. Meanwhile, in the first Terminal session, you won’t get prompted again until the normal sudo authentication timeout. To see what this behavior looks like, please see the video below:

The difference is that Apple has compiled sudo on Sierra to include the tty_tickets option, which ensures that users need to authenticate on a per-Terminal session basis.

Screen Shot 2016 09 21 at 3 06 19 PM

 

This option had not been included in sudo on OS X El Capitan and earlier, which had been viewed as a privilege escalation vulnerability.

If you want sudo to return to using the pre-Sierra behavior on macOS Sierra, edit /etc/sudoers to add the following option:

 

Screen Shot 2016 09 21 at 2 25 38 PM 

Exporting Unix man pages to plain text files

July 13, 2016 6 comments

While working with different versions of Mac OS X and macOS, it’s often been useful to me to be able to export the contents of a particular command line utility’s Unix man page to a plain text file. Man pages are the built-in documentation method available in Unix-based systems, so Apple documents how to use the various command line tools used by the operating system using this documentation method.

Exporting to a plain text file allows me to compare macOS Sierra’s man page for a particular command line utilty to a exported copy of the same utility’s man page from OS X El Capitan and see where changes to the man page have been made. This comparison is made by using diff, or other file comparison tools like Kaleidoscope, which helps me quickly spot where Apple has made changes to their documentation.

To export man pages to a plain text file, I use the col command line utility to read the contents of the man page in using stdin, then export out to a plain text file using stdout As an example, here’s how to use col to export the diskutil man page to a new plain text file named diskutil.txt:

man diskutil | col -bx > /path/to/diskutil.txt

In this case, col‘s -b and -x functions are used to make sure that the formatting for the diskutil man page remains intact when exported to the plain text file.

Editing /etc/sudoers to manage sudo rights for users and groups

July 11, 2016 11 comments

In some environments, it may be desirable to give users admin rights while restricting those users from being able to run commands with root privileges while using the command line.

A way to achieve this “admin user in the GUI, standard user on the command line” method is to edit the /etc/sudoers file. This is the configuration file referenced by the sudo command line tool, which allows a user with the correct sudo rights to execute a command with root privileges, or using another user account’s privileges.

By default, all user accounts with admin rights on both OS X and macOS have full rights to use the sudo tool. By removing those accounts’ rights for sudo from the /etc/sudoers file, user accounts with admin rights will not be able to run commands with root privileges using the sudo tool. For more details, see below the jump.

Read more…

%d bloggers like this: