Shellshock patching for Munki admins

On the night of September 29th Apple released three updates for the latest versions of OS X to fix the famous Shellshock vulnerability.

As soon as they were released, all the Mac admins started to tell each other (as always, thanks for the heads up!), and one of the most common responses I read on Twitter and IRC was

“oh! but I don’t see it in my SUS. Is it not a security update?”

The short and straight answer is

“No. deal with it”

So as soon as I got hold of the packages, I imported them into my Munki and started to apply the fix, which doesn’t even require a restart and can be installed silently with no undesired effects (to my knowledge).

Here are my three pkginfos:

BashUpdateLion-1.0.1.1306847324.pkginfo

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>autoremove</key>
	<false/>
	<key>unattended_install</key>
	<true/>
	<key>catalogs</key>
	<array>
		<string>common</string>
	</array>
	<key>category</key>
	<string>Business</string>
	<key>description</key>
	<string>This update fixes a security flaw in the bash UNIX shell.

For more information on the security content of this update, see http://support.apple.com/kb/HT1222.</string>
	<key>developer</key>
	<string>Apple</string>
	<key>display_name</key>
	<string>OS X bash Update</string>
	<key>icon_name</key>
	<string>Generic.png</string>
	<key>installed_size</key>
	<integer>3906</integer>
	<key>installer_item_hash</key>
	<string>7d90d7a70fdfe7464207345848377b3a2f5df1067a89cac7ce0abc5ff0003c52</string>
	<key>installer_item_location</key>
	<string>Apple/BashUpdateLion-1.0.1.1306847324.pkg</string>
	<key>installer_item_size</key>
	<integer>3310</integer>
	<key>minimum_os_version</key>
	<string>10.7.5</string>
	<key>name</key>
	<string>BashUpdateLion</string>
	<key>receipts</key>
	<array>
		<dict>
			<key>installed_size</key>
			<integer>6010</integer>
			<key>packageid</key>
			<string>com.apple.pkg.update.os.bash.lion.1.0.163-3</string>
			<key>version</key>
			<string>1.0.1.1306847324</string>
		</dict>
	</array>
	<key>uninstall_method</key>
	<string>removepackages</string>
	<key>uninstallable</key>
	<false/>
	<key>version</key>
	<string>1.0.1.1306847324</string>
</dict>
</plist>

BashUpdateMountainLion-1.0.0.0.1.1306847324.pkginfo

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>autoremove</key>
	<false/>
	<key>unattended_install</key>
	<true/>
	<key>catalogs</key>
	<array>
		<string>common</string>
	</array>
	<key>category</key>
	<string>Business</string>
	<key>description</key>
	<string>This update fixes a security flaw in the bash UNIX shell.

For more information on the security content of this update, see http://support.apple.com/kb/HT1222.</string>
	<key>developer</key>
	<string>Apple</string>
	<key>display_name</key>
	<string>OS X bash Update</string>
	<key>icon_name</key>
	<string>Generic.png</string>
	<key>installed_size</key>
	<integer>3859</integer>
	<key>installer_item_hash</key>
	<string>d5d12742d1e1ca6e46842467fcf503a824f8abcb4e460a1f33fbfd8a5c7ece52</string>
	<key>installer_item_location</key>
	<string>Apple/BashUpdateMountainLion-1.0.0.0.1.1306847324.pkg</string>
	<key>installer_item_size</key>
	<integer>3182</integer>
	<key>minimum_os_version</key>
	<string>10.8.5</string>
	<key>name</key>
	<string>BashUpdateMountainLion</string>
	<key>receipts</key>
	<array>
		<dict>
			<key>installed_size</key>
			<integer>5938</integer>
			<key>packageid</key>
			<string>com.apple.pkg.update.os.bash.mountainlion.1.0.58.0.30-3</string>
			<key>version</key>
			<string>1.0.0.0.1.1306847324</string>
		</dict>
	</array>
	<key>uninstall_method</key>
	<string>removepackages</string>
	<key>uninstallable</key>
	<false/>
	<key>version</key>
	<string>1.0.0.0.1.1306847324</string>
</dict>
</plist>

BashUpdateMavericks-1.0.0.0.1.1306847324.pkginfo

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>autoremove</key>
	<false/>
	<key>unattended_install</key>
	<true/>
	<key>catalogs</key>
	<array>
		<string>common</string>
	</array>
	<key>category</key>
	<string>Business</string>
	<key>description</key>
	<string>This update fixes a security flaw in the bash UNIX shell.

For more information on the security content of this update, see http://support.apple.com/kb/HT1222.</string>
	<key>developer</key>
	<string>Apple</string>
	<key>display_name</key>
	<string>OS X bash Update</string>
	<key>icon_name</key>
	<string>Generic.png</string>
	<key>installed_size</key>
	<integer>3724</integer>
	<key>installer_item_hash</key>
	<string>1ec1d1644e1e023cd75d43cfc872f83b2e7ec0b042a05e2c109305252864da42</string>
	<key>installer_item_location</key>
	<string>Apple/BashUpdateMavericks-1.0.0.0.1.1306847324.pkg</string>
	<key>installer_item_size</key>
	<integer>3231</integer>
	<key>minimum_os_version</key>
	<string>10.9.5</string>
	<key>name</key>
	<string>BashUpdateMavericks</string>
	<key>receipts</key>
	<array>
		<dict>
			<key>installed_size</key>
			<integer>5730</integer>
			<key>packageid</key>
			<string>com.apple.pkg.update.os.bash.mavericks.1.0.2.1.15.24-3</string>
			<key>version</key>
			<string>1.0.0.0.1.1306847324</string>
		</dict>
	</array>
	<key>uninstall_method</key>
	<string>removepackages</string>
	<key>uninstallable</key>
	<false/>
	<key>version</key>
	<string>1.0.0.0.1.1306847324</string>
</dict>
</plist>
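
Because these packages were fetched by hand rather than through SUS, it is worth confirming that each installer item in the repo still matches the `installer_item_hash` (SHA-256) recorded in its pkginfo. This is an added example, not part of the original post or of Munki itself; it assumes the usual repo layout with `pkgs/` and `pkgsinfo/` directories, and the demo repo is constructed data.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_repo(repo_root):
    """Map each pkginfo file name to ok, mismatch, missing, no-hash or outside-repo."""
    pkgs = (Path(repo_root) / "pkgs").resolve()
    results = {}
    for info_path in sorted((Path(repo_root) / "pkgsinfo").rglob("*.pkginfo")):
        info = plistlib.loads(info_path.read_bytes())
        expected = info.get("installer_item_hash")
        location = info.get("installer_item_location")
        if not expected or not location:
            status = "no-hash"
        else:
            item = (pkgs / location).resolve()
            if pkgs not in item.parents:
                status = "outside-repo"  # location escapes pkgs/, e.g. via ".."
            elif not item.is_file():
                status = "missing"
            else:
                status = "ok" if sha256_of(item) == expected.lower() else "mismatch"
        results[info_path.name] = status
    return results


def demo():  # constructed repo: one intact item, one altered after import
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "pkgs" / "Apple").mkdir(parents=True)
        (repo / "pkgsinfo").mkdir()
        for name, on_disk in (("good", b"pkg-bytes"), ("tampered", b"other-bytes")):
            (repo / "pkgs" / "Apple" / f"{name}.pkg").write_bytes(on_disk)
            info = {"installer_item_location": f"Apple/{name}.pkg",
                    "installer_item_hash": hashlib.sha256(b"pkg-bytes").hexdigest()}
            (repo / "pkgsinfo" / f"{name}.pkginfo").write_bytes(plistlib.dumps(info))
        return audit_repo(repo)
```

Call `audit_repo()` with the path to your own repo root; anything other than `ok` deserves a look before the item is offered to clients.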

Then this would go in the specific manifest(s):

	<key>conditional_items</key>
	<array>
		<dict>
			<key>condition</key>
			<string>os_vers == "10.7.5"</string>
			<key>managed_installs</key>
			<array>
				<string>BashUpdateLion</string>
			</array>
		</dict>
		<dict>
			<key>condition</key>
			<string>os_vers == "10.8.5"</string>
			<key>managed_installs</key>
			<array>
				<string>BashUpdateMountainLion</string>
			</array>
		</dict>
		<dict>
			<key>condition</key>
			<string>os_vers == "10.9.5"</string>
			<key>managed_installs</key>
			<array>
				<string>BashUpdateMavericks</string>
			</array>
		</dict>
	</array>

With these, after more than a thousand systems have been patched so far, I have not heard any complaints, even from users who had the terminal open :)

PS: There is one thing that can potentially go wrong with these. If Apple decides to release a cumulative security patch, if that patch does not increase the system version, if your systems get that cumulative patch _before_ this bash update, and if these bash updates fail to install because the system is already up to date and the pkg receipt does not stick on the clients… that would make your Munki clients report install failures and loop, trying to install them again and again.

It is unlikely, but it can happen, so make sure you review this if the day comes.
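
To review the failure mode described in the PS, the sketch below (an added example, not the author's or Munki's code) models the receipt check in a simplified way: a client counts as patched only if the receipt for its OS-specific item is present at the listed version or newer. The `failed_installs` count and `loop_threshold` are hypothetical inputs from your own reporting; the package ids, versions and conditions are the ones from the pkginfos and manifest above.

```python
import re
from itertools import zip_longest

# Receipts and manifest conditions copied from the pkginfos and manifest above.
CATALOG = {
    "BashUpdateLion": {
        "com.apple.pkg.update.os.bash.lion.1.0.163-3": "1.0.1.1306847324"},
    "BashUpdateMountainLion": {
        "com.apple.pkg.update.os.bash.mountainlion.1.0.58.0.30-3": "1.0.0.0.1.1306847324"},
    "BashUpdateMavericks": {
        "com.apple.pkg.update.os.bash.mavericks.1.0.2.1.15.24-3": "1.0.0.0.1.1306847324"},
}
CONDITIONS = {
    'os_vers == "10.7.5"': "BashUpdateLion",
    'os_vers == "10.8.5"': "BashUpdateMountainLion",
    'os_vers == "10.9.5"': "BashUpdateMavericks",
}


def vers_cmp(a, b):
    """Compare dotted numeric versions, padding the shorter one with zeros."""
    for x, y in zip_longest(map(int, a.split(".")), map(int, b.split(".")), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def targeted_item(os_vers):
    """Return the item whose `os_vers == "..."` condition matches, else None."""
    for condition, item in CONDITIONS.items():
        match = re.fullmatch(r'os_vers == "([\d.]+)"', condition)
        if match and match.group(1) == os_vers:
            return item
    return None


def triage(os_vers, installed_receipts, failed_installs=0, loop_threshold=3):
    """Classify one client: not-targeted, patched, pending or looping."""
    item = targeted_item(os_vers)
    if item is None:
        return "not-targeted"
    for pkgid, wanted in CATALOG[item].items():
        have = installed_receipts.get(pkgid)
        if have is None or vers_cmp(have, wanted) < 0:
            # No (or older) receipt: the install will be scheduled again.
            return "looping" if failed_installs >= loop_threshold else "pending"
    return "patched"
```

On a client, the installed receipt version for a given package id can be read with `pkgutil --pkg-info <packageid>`.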

 


Get prompted when connecting to a shared folder

I am posting this because it doesn’t look like it is widely, or widely enough, known.

When you are bound to a directory service like Active Directory and you try to connect to a shared folder on a kerberized server/computer, in the background your computer gets a ticket and tries to authenticate to gain access. In OS X, if this fails, you are not prompted to enter a valid set of credentials; an error message is presented instead.

The error reads something like:

There was a problem connecting to the server “server1.nbalonso.com”

You do not have permission to access this server.


The Windows folks are used to this. They usually go to PC, map network drive, use different credentials.

But when they have to do it on a Mac… they have no clue!

Well here is how to do it.

Go to Finder –> Go –> Connect to Server (or (⌘) + K)

And enter the server details with this format:

smb://username:*@server1.nbalonso.com

This way you will force the connection to use a different set of credentials and prompt you for the password.

You could replace the asterisk with the actual password to avoid even being asked for it, but it is not good practice to type your password in places other than password boxes.

At the same time, you could replace the username with an asterisk to force it to prompt you for that as well. So this is also valid and will prompt you for both in an AFP connection:

afp://*:*@server1.nbalonso.com


How to quickly lock your Mac

Many Windows users are used to locking their computers with a keyboard combination when they leave their desks, which is a very good practice (not talking about RAM content here, let’s move on!). One thing I’ve been asked a couple of times is how to do the same thing on a Mac. There are a couple of options to secure your computer when you are away, but they are not exactly like the Windows one.

Because of this I thought of writing this article and enumerating the ways you can accomplish this.

  1. (⌘) + (⌥) + (⏏) : Immediately sleep your Mac.
  2. (⌘) + (⇧) + Q : Then press Enter to log out gracefully.
  3. Close the lid of your laptop. D’oh!
  4. System Preferences –> Mission Control –> Hot Corners… –> Start Screen Saver
  5. /Applications/Utilities/Keychain Access.app –> Preferences –> Show keychain status in menu bar –> Click –> Lock Screen
  6. And finally, the last method, which I learned recently with the help of Greg Neagle:
  • Open Automator and create a new Service: a service that receives no input in any application.
  • System Preferences –> Keyboard –> Shortcuts –> Services; Scroll to the bottom, click on add shortcut for your new service and press your desired key combination.


Here is the code portion:

try
	tell application "Finder" to if exists file "CGSession" of folder "Resources" of folder "Contents" of document file "User.menu" of folder "Menu Extras" of folder "CoreServices" of folder "Library" of folder "System" of startup disk then
		do shell script "/System/Library/CoreServices/Menu\\ Extras/User.menu/Contents/Resources/CGSession -suspend"
	end if
end try