Dec 15

While configuring a Mac OS X 10.5 Leopard Server as an Open Directory Replica of a Leopard Open Directory Master I got “Open Directory Replica Error value = 1255” when it tried to start creating the replica. This error has to do with not being able to establish an ssh connection with the OD Master, but the server in question had Remote Login enabled and, while I was using service level ACLs to limit ssh access, the admin user had ssh access.

However, although the root user and admin user share the same password by default, they’re not the same user and I couldn’t ssh in as root. Oddly, the root user isn’t an option to add to service level ACLs in Server Admin (at least for that Leopard Server installation). A quick search pulled a knowledge base article regarding being unable to add the root user to service-based ACL for SSH which tells you to run the following command to add it manually:

sudo dseditgroup -o edit -a root -t user com.apple.access_ssh

Sure enough, it worked like a charm and now root shows up as “System Administrator” in the SSH service level ACLs in Server Admin.

Naturally, I was then able to ssh in as root and the Open Directory Replica creation went off without a hitch.

Aug 13

Apple released Security Update 2009-004 yesterday to fix an issue with the DNS Service:

By sending a maliciously crafted update message to the BIND DNS server, a remote attacker may be able to interrupt the BIND service. The issue affects servers which are masters for one or more zones, regardless of whether they accept updates[...] This update addresses the issue by properly rejecting messages with a record of type ‘ANY’ where an assertion would previously have been raised.

BIND is disabled by default in Mac OS X & Server, but if you’ve got the DNS Service enabled you’ll want to apply this update. Grab it for Leopard or Tiger Server (Universal) or pick it up via Software Update. It’s also available for Mac OS X client.

[Via Topicdesk]

Aug 6

Apple has the following updates for Mac OS X Server:

Mac OS X Server 10.5.8 Updater

This update includes the following improvements:

  • Reliability of AFP for file services and Time Machine backups
  • Propagating file system permissions
  • Maintaining history of user’s previous passwords
  • Ensuring consistent VPN throughput regardless of load
  • Spotlight indexing and memory consumption

Further details available in this knowledge base article. Full and Combo updaters are available.

Security Update 2009-003

This Security Update is for Mac OS X Server 10.4.11 and coincides with the security updates found in Mac OS X Server 10.5.8. Full details are available in this knowledge base article.

While both PowerPC & Intel-specific updaters are also available, we’re linking to Security Update 2009-003 (Server Tiger Universal).

Let us know how you fare with either of these updates.

Update: Topicdesk has noted in their Newsletters and on Twitter that these updates can overwrite files related to custom installations of Apache, PHP, and GD, esp. those garnered through many of their tutorials. Performing the custom installation again after applying one of the aforementioned updates should do the trick.

May 20

It appears that there are some critical vulnerabilities in Java that, while fixed by Sun, have not made their way into Mac OS X, even with the newly-released Mac OS X 10.5.7. These vulnerabilities can be taken advantage of to run commands outside of the Java sandbox as the executing user.

Landon Fuller has an overview, workarounds, and a proof-of-concept and Julien Tinnes has a detailed explanation & example. The workaround? Disable Java and ‘Open “safe” files after downloading’ in Safari and other browsers. But you disabled ‘Open “safe” files after downloading’ long ago, right?

[Via Daring Fireball]

Update: This was fixed in Java for Mac OS X 10.4 Release 9 & Java for Mac OS X 10.5 Update 4 on June 15th, 2009.

Nov 7
The WPA Crack
Morgan | Security | 3:24 pm

Glenn Fleishman over at Ars Technica has a great article explaining the new WPA crack. Here’s the quick & dirty explanation:

[I]t’s a method of decrypting and arbitrarily and successfully re-encrypting and re-injecting short packets on networks that have devices using TKIP. That’s a very critical distinction; this is a serious attack, and the first real flaw in TKIP that’s been found and exploited. But it’s still a subset of a true key crack.

Tews pointed out that “if you used security features just for preventing other people from using your bandwidth, you are perfectly safe,” which is the case for most home users. Someone can’t use this attack to break into a home or corporate network, nor decipher all the data that passes.

Fortunately, WPA2’s AES encryption is not susceptible to this crack, so making sure your AirPort & WiFi networks are switched over to WPA2 is best done sooner rather than later. If you still have some 802.11b/g clients that only support WPA, you’ll want to assess how much of a risk this is for your environment.

[Via Daring Fireball]