Root on Mac OS X Server, JavaScript as a Spam Source, Warrantless Wiretapping

Folks,

A small selection of random stuff this time around:

Why Does Mac OS X Server Have an Active Root Account?

Mac OS X in its default state does not have an active root account. Mac OS X Server, on the other hand, does have an active root account. Why is this the case? Mac OS X Server has an active root account for one and only one reason: when you first create an Open Directory replica, the Open Directory master *must* have an active root account. The root account is not needed for normal replication, only for the initial creation of the replica. Thus, as a best practice, you should disable the root account on a Mac OS X Server. You can do this using the NetInfo Manager application, by going to the Security menu and selecting Authenticate, then selecting "Disable Root User". Alternatively, you can use the Unix command:

dsenableroot -d

Run it as an admin user and enter the admin's password when it is requested. There is no need to use sudo for this command; in fact, it should be run without sudo.

When you need to set up a new Open Directory replica, you can activate the root account temporarily by using NetInfo Manager or giving the command:

dsenableroot

Again, done as an admin user without sudo. Create the replica, then disable the root account on the master.

(By the way, do not ever, *ever*, EVER try to delete the root account. I ended up reconstructing someone else's root account from single user boot mode while wearing only a towel at 7:30 in the morning when someone tried to do that!)

JavaScript as a Spam Source

An interesting one from a colleague, Peter Yorgin:

I was reviewing a client's firewall logs and found an unusual number of intrusion detections, all labeled as "WEB-PHP friends.php access" coming from a Mac in the office. I've searched around for information on it and the only useful information I was able to find was that OS X is vulnerable to this and the recommended solution is to install a new version of vbportal. It appears that this machine has been sending out unauthorized email. I have since changed the setting on the firewall to prevent this but I want to understand what is going on and how to address the problem on the machine that is 'infected.'

The machine this is happening on (and presumably infected) belongs to the receptionist who only uses her computer for email, internet access, Office, etc. I know nothing about php or vbportal.

VBPortal is a commercial content management system based on PHP.

<http://en.wikipedia.org/wiki/VbPortal>

There was a known security problem that allowed e-mail to be relayed through the friends.php referral page. From the description, it sounds like the receptionist's Mac was being used to send e-mail via a friends.php page located on another server. Nothing could be done to upgrade or patch the VBPortal installation, since it was hosted somewhere else. However, it was likely that a script or daemon running on the receptionist's Mac was initiating the connections to the VBPortal server.

What was going on? Again from Peter Yorgin:

I also spoke to a person at Apple about this and they suggested clearing the caches from the browser (in this case Firefox) on the machine from which the problem was occurring. It would appear that a script was installed on the browser unknowingly when the user went to some web site. I cleared the cache on the problem machine and the friends.php problems went away immediately.

I find it very interesting that a JavaScript could persist across reboots like this. I wasn't aware that it was possible. I'll definitely be investigating the potential for such problems more thoroughly in the future. Firefox in particular is suspect, as it essentially runs on JavaScript internally. I'd be interested to see how it was possible to lodge something into the cache that would persist across reboots.
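As an added example (not part of the original post or Peter Yorgin's write-up), here is a small POSIX shell script that does the kind of triage Peter describes: it scans firewall/IDS log lines for the "WEB-PHP friends.php access" signature, counts hits per internal source address, and flags any source at or above a threshold so the machine can be pulled aside for cache clearing and inspection. The log line format and the addresses in SAMPLE_LOGS are constructed for this example; a real firewall will need the sed pattern adjusted to its own field layout.

```shell
#!/bin/sh
# Added example: flag internal hosts that repeatedly trip the
# "WEB-PHP friends.php access" IDS signature in firewall logs.
# The log format and addresses below are constructed for this example.

SAMPLE_LOGS='Oct 12 09:14:02 fw ids: WEB-PHP friends.php access src=192.0.2.10 dst=198.51.100.7
Oct 12 09:14:05 fw ids: WEB-PHP friends.php access src=192.0.2.10 dst=198.51.100.7
Oct 12 09:14:09 fw ids: WEB-PHP friends.php access src=192.0.2.10 dst=198.51.100.7
Oct 12 09:15:00 fw ids: WEB-PHP friends.php access src=192.0.2.10 dst=203.0.113.5
Oct 12 09:16:44 fw ids: WEB-PHP friends.php access src=192.0.2.23 dst=198.51.100.7
Oct 12 09:17:01 fw ids: HTTP GET index.html src=192.0.2.23 dst=198.51.100.7'

# count_friends_php: read log lines on stdin, print "<hits> <src>" per source,
# highest count first. Only lines carrying the friends.php signature count.
count_friends_php() {
    grep 'WEB-PHP friends\.php access' |
    sed -n 's/.*src=\([0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# flag_sources THRESHOLD: read log lines on stdin, print each source whose
# hit count is >= THRESHOLD, one address per line (nothing if none qualify).
flag_sources() {
    threshold="$1"
    count_friends_php | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run: with the constructed sample, only 192.0.2.10 (4 hits)
# crosses a threshold of 3; 192.0.2.23 has a single hit and is not flagged.
printf '%s\n' "$SAMPLE_LOGS" | flag_sources 3
```

Feed real logs with something like `flag_sources 3 < /var/log/firewall.log`, and tune the threshold to the site: one stray hit can be a false positive, but a steady stream from one desktop is the pattern Peter saw.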

Warrantless Wiretapping Again

This has been in the news again lately, both from Qwest and Verizon revealing differing levels of cooperation with authorities, but more importantly there is legislation beginning to work its way through Congress. It recently passed the House Committee on the Judiciary and the House Permanent Select Committee on Intelligence. A direct link to the text of the bill and an interesting summary of the bill's provisions is here:

<http://judiciary.house.gov/Printshop.aspx?Section=712>

It's a whole lot better than the travesty we have right now, although I still have my reservations. The President is threatening to veto the bill unless provisions are added to give retroactive immunity to telecom companies that gave more information to the government than was requested. I have a couple of points to make on this:

  1. One of the principles of this United States is that no one is above the law — in this case, contract law. The telecom companies had a contractual duty to us, their customers, to protect our privacy. Why should they be protected from their own illegal actions, just because they thought they were helping the authorities? I'm not talking about cooperating with the illegally over-used National Security Letters; a telecom company would have no way of knowing whether the letter was properly vetted and would have no choice but to turn over the demanded information. Instead, companies like Verizon turned over much more than was required by the administrative subpoenas, which are just requests from the FBI, not court orders that have been reviewed by a judge. And the government retaliated against companies that did not comply, such as Qwest, which was stripped of millions of dollars of government contracts. I for one would like to have the option of suing a company that did not honor its contract with me, unless it was in part nullified by a court. Not the FBI, but a court of law.
  2. The President is bullshitting us. If the bill does not become law, then the provisions for wiretapping revert to the way they were prior to 9/11/2001. If he really considers these surveillance powers to be of national security interest, then there is no way he could veto a bill regardless of whether or not it provided immunity to telecom companies. Please write to your congressional representatives and urge them to stand up and call the President's bluff.



--Paul