Tuesday, July 04, 2006

Dashboard advisory networking

A number of sites/posts/blogs/etc have recently reported about Apple's new "phone home" feature in Dashboard, added with 10.4.7. While any feature like this really should be optional, and off by default, this will discuss more of the what than what's wrong.

Read on for more detail

The Pieces
There are several pieces to this advisory stuff. There is the mach_init part,, defined by /etc/mach_init.d/dashboardadvisoryd.plist. This is the part which actually communicates back to Apple's website. Renaming this is one method mentioned for disabling the whole show.

The next piece is a launchd daemon,, which is the part that is actually kicked off every eight hours (regardless of whether you actually run any Dashboard widgets). Unloading this through launchctl is another method for disabling the phone-home stuff. This queries the mach_init service above.

Finally are a couple of files placed in /var/db by this set of programs. First is .dashboardadvisory.database which is a sqlite3 database and can be viewed with

$ sudo sqlite3 /var/db/.dashboardadvisory.database
SQLite version 3.1.3
Enter ".help" for instructions
sqlite> .schema

This is obviously where it will store interesting stuff, though mine is currently without any entries. The other interesting file, which doesn't exist by default, is .dashboardadvisorydisabled which, when present, is meant to keep the daemon from doing anything.

It looks like there are several URLs which are contacted while it is
is a signed list of "advisories" that will eventually populate (my theory) the .dashboardadvisory.database database. It is simply a bunch of sqlite3 commands (which, to me, seems a bit funky).
Next is
contains nothing; it, as I write this, is empty.
appears to be something not yet setup, as it gives the good ol' "Page Not Found" error. Seems like they're still in the process of making things actually work...

Hopefully Apple will (perhaps with a security update, or in 10.4.8) switch this to default off, and add a preference to enable it. Also, it'd sure be nice to see a little documentation on how it's meant to work in full. Especially if it's meant to be a Dashbaord widget security part, as I'm sure most know how well closed-door security works in the world of computing.


Thursday, March 02, 2006

Getting >console to work in 10.4

Since 10.4, using the >console login from the login window has been, at best, sporadic. Many times, the error "Operation not supported by device" for /dev/console will be given. Here is a kludge to make it work, but must be repeated anytime the machine is restarted.

Read on for more detail

First, you must login as a normal user through the login window. Once here, open up a Terminal window and cd to /etc. There is a file, ttys which controls what actually handles /dev/console (among other things). Temporarily changing this file, handling a basic getty login, then changing the file back is the kludge here.
While in /etc, run

sudo cp -p ttys ttys.orig

to have the original on hand. Next, edit ttys with your preferred editor (emacs, nano, pico, or vi and don't forget the sudo). What you want to do is uncomment the first line with console in it, which looks like

#console "/usr/libexec/getty std.57600" vt100 on secure

and make it look like

console "/usr/libexec/getty std.57600" vt100 on secure

Then comment-out the second line about console, which should look like

console "/System/Library/CoreServices/" vt100 on secure onoption="/usr/libexec/getty std.9600"

and make it look like

#console "/System/Library/CoreServices/" vt100 on secure onoption="/usr/libexec/getty std.9600"

Save and quit.

Now, tell launchd (successor to init) to reread the file:

sudo kill -1 1

Now logout, and a basic console-only login should be presented instead of the normal graphic login window.

Back to normal
Login to the console, then switch the ttys back and tell launchd again:

sudo mv /etc/ttys.orig /etc/ttys
sudo kill -1 1

Logout again, and the graphic login window should be working again. However, using >console should also work as it once did.

On reboots
Just remember, this works until the machine is restarted, then it'd have to be done again, but until then, >console should work.

Update (2006-04-17)
Three things: First, when you do this you may see the "Operation not supported by device" several times before a login prompt shows. Each time this happens, you have to wait thirty seconds, so it could take a couple minutes.

Second, don't reboot with this setting in place, as otherwise you'll be sitting and staring at the "Starting Up" window forever. If you do have to reboot for whatever reason, be sure to boot in single user to put the ttys.orig back in place, otherwise you'll need to be able to ssh into the machine to fix it. This would entail putting the ttys back in place, HUPing launchd, and killing off getty and possibly a WindowServer process.

Finally, be sure to read Wout's comment below if you use ARD.


Wednesday, November 16, 2005

Finding Preferences

Finding all the preferences a given application uses can be done very easily for a Cocoa-based application. All it takes is a bit of debuggerry (with gdb in this case).

This allows one to find all the various preferences, but not how they are used. Use can be found either by inferring from the preference name, or when it is unhelpful, actually changing the value for the given preference and watching what happens.

Read on for more detail

Finding Boolean Preferences
The NSUserDefaults class has several methods allowing an application to save and retrieve preference values. One of these is boolForKey: when the preference is a simple on/off type setting.

Here's how to find all the boolean preferences in Safari (chosen for examples since it's pretty ubiquitous these days...):

  • First run Safari from within gdb (in Terminal):

    $ gdb /Applications/

  • Now we set a breakpoint at NSUserDefaults' boolForKey::

    (gdb) break [NSUserDefaults boolForKey:]

    Sometimes when setting a breakpoint prior to running the app, you'll be asked about "pending on future shared library load"; as long as you entered the class and method names fine, you can answer yes to the question.

  • Next, since we only care about the names of preferences and don't need to do more serious debugging, we set a couple of commands to run when the breakpoint is hit. These commands print out the name of the preference, then tell gdb to continue running the program.

    (gdb) commands 1
    >print-object $r5

    (gdb's helpful help output is elided from the code bits). The important bit is print-object $r5 which prints out the string which was passed to boolForKey:, namely, the name of the preference; $r5 is actually general register 5, r3 has self (the instance of NSUserDefaults), and r4 the selector (basically, a representation of boolForKey:.

  • Now, run Safari:

    (gdb) run

    At this point, Safari will start up (more slowly than usual), and you'll see a bunch of output in Terminal from gdb like:

    Breakpoint 1, 0x928c4074 in -[NSUserDefaults boolForKey:] ()

    The second line is the name of a preference (in this case TabbedBrowsing). From here you can either guess at the functionality affected by the preference (TabbedBrowsing should be somewhat obvious), or set/unset the preference to see what happens.

  • Note that quite a few of the preferences are manipulated from the application's Preferences menu item, so be sure to try and figure out which, as those are less interesting. The more interesting ones are those which aren't settable by the normal means.

Finding Other Preferences
NSUserDefaults has other methods besides boolForKey:; most are specialized like boolForKey: in that they return a specific type. However, to truly find everything, look to objectForKey: which is used by the others to actually read the data from the preferences. Of course, you have to do more work just to find out the type (integer, string, boolean), but it'll give all of them. It'll also further slow the running of Safari.


Tuesday, October 11, 2005

Spotlight Control

Spotlight currently has only minimal configuration options: result types to show and their order, and a list of folders not to search. Other folders can be searched which aren't by default, but this option is not exposed through System Preferences.
There are currently three property list files (.plist) which control Spotlight: _IndexPolicy.plist, _exclusions.plist, and _rules.plist.
These files reside in the directory named .Spotlight-V100 on the volume in question. This directory is readable only by root for the primary boot volume, so you'll need to be able to use sudo even to look at them. These, unlike application preference files, are still in plain text so can be viewed easily.

Read on for more detail

This file contains policy information, which is stored in just one key: Policy.
I've currently only figured out two possible settings for this so far:

  • Enabled
    Setting this to a 5 means Spotlight is enabled for the given volume

  • Disabled
    Setting this to a 3 means Spotlight is disabled for the given volume

Enabled example (this is how it should appear by default in most cases):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
<plist version="1.0">

This contains information about which folders not to search, which are listed in one key: EXCLUSIONS. The value for this is an array of strings, each string being a path to exclude from Spotlight searching.

Example including several paths to not search (in this case, the folders are the DarwinPorts build directory, the system temporary directory, and my user temporary directory):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
<plist version="1.0">

_rules.plist includes both paths to include and to exclude (which makes it a bit redundant with _exclusions.plist). The paths to include are only for cases where Spotlight would otherwise ignore them (it has several paths which it is hardcoded to ignore, see the Known Exclusions section below).
When adding a path which is otherwise skipped, simply updating _rules.plist will not cause anything to happen. Once _rules.plist is as you like, you'll first need to restart mds by stopping it:

sudo killall mds

It will restart automatically. Then, you need to tell mds to import each new path:

sudo mdimport /path/to/files

This will then cause mds to import everything under /path/to/files. If there are many files, it could take some time. You'll need to do this for each new path.
This file can contain several keys:

    An array of strings, each string being a path to exclude (like EXCLUSIONS in _exclusions.plist).

    Another array of strings, this time being paths to specifically search (to override the hardcoded exclusion list).

  • NOTE
    This is a note, read it and move on.

There are several other values which may be keys. The functionality of each has not yet been found, but some may be obvious (the *_USER ones at least): INCLUDE_USER, EXCLUDE_USER, INCLUDE_BOOTABLE, EXCLUDE_BOOTABLE, INCLUDE_GENERAL, EXCLUDE_GENERAL, CLASSIC_LOCATIONS.

My _rules.plist which gets the *nix path of /etc (AKA /private/etc on Mac OS X) and the whole suite of Xcode documentation:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<string>/Developer/ADC Reference Library</string>
<string>Specify paths to include or exclude, preceeding rules which target user-homes with ~/</string>

Known Exclusions
These are the paths I know to be excluded by default by Spotlight (there may be others I've missed):

/Developer/ADC Reference Library
/Previous Systems.localized
/System Folder
/System/System Folder
/Classic System Folder 9.2.2

Note the *nix paths are included, so don't expect to use Spotlight to search man pages or HTML docs which can be found in /usr/share/*.


Sunday, October 02, 2005

Controlling WebKit and Safari through Preferences

Mac OS X has a centralized preferences system (stuff in ~/Library/Preferences) which, for some apps, contains hidden settings. Some of these can be quite useful, interesting, or annoying. This is coverage of such settings for Safari and the underlying WebKit.
First, a warning. None of these settings are in any way guaranteed to work after this is written, nor are they safe from blowing up your keyboard when entered. If you test any of these, be sure to keep track of which, especially when OS/Safari/WebKit updates come from Apple, as otherwise very strange things could happen.
I'm not going to cover how to change defaults (hint, Terminal's defaults or Property List Editor) as that's covered nicely elsewhere. All these should be done only to (at least initially) so you don't break other apps which use the system's WebKit.
Except for CustomUserAgent, the Safari list does not cover items which can be set through the Debug menu (but does include enabling said menu). This also does not cover basic AppKit-level preferences (those beginning with NS, like NSNavLastRootDirectory).

Read on for more detail

WebKit Preferences
WebKit preferences can be set in Safari's preferences to avoid affecting other WebKit-based applications. They can also be set in those apps' preferences if needed, or even in the global domain to affect everything. To be safe, start off just changing Safari's prefs.
If you want the definitive reference for WebKit preferences (and other things WebKit), please check the source.

  • WebKitHistoryItemLimit (number)
    This (which is by default 1000) sets how much history is remembered and is a simple page count.

  • WebKitHistoryAgeInDaysLimit (number)
    The number of days an item on the history list lives, after which it is removed (defaults to 7). This plus WebKitHistoryItemLimit allow you to control the history list either with a simple count, or age. To be safe with the age (if you do lots of browsing), you may want to increase the item limit so it doesn't kick in before the age limit.

  • WebIconDatabaseEnabled (boolean)
    Whether storing web site icons (favicon.ico files) are kept (defaults to YES). When enabled, see WebIconDatabaseDirectoryDefaultsKey for where they go.

  • WebIconDatabaseDirectoryDefaultsKey (string)
    When web site icons are enabled (via WebIconDatabaseEnabled), this specifies where the database is located. WebKit sets this to ~/Library/Icons, but Safari changes it to an app specific ~/Library/Safari/Icons.

  • BufferTextDrawing (boolean)
    Enables some form of text drawing buffering, which may or may not be fully implemented yet (currently defaults to NO).

  • WebKitOmitPDFSupport (boolean)
    Use to disable handling PDF within WebKit (defaults to NO, or support PDF). When PDF is handled by WebKit, it displays the PDF in the view where HTML shows (eg, the normal display area in Safari). When not handled, Safari simply downloads the PDF.

  • WebKitLogLevel (string)
    This is a mask value, and is not enabled in Safari.

  • WebKitPageCacheSizePreferenceKey (number)
    Specifies the size of the page cache; first thing to note is that it is somewhat dependent on the amount of memory on the machine (1G or more of memory, this value is used; between 0.5G and 1G, and one less is used; under 0.5G and two less is used). This is the page cache, not what's stored on disk, so it's quite small (default is 3).

  • WebKitObjectCacheSizePreferenceKey (number)
    Indicates the size of the object cache; like WebKitPageCacheSizePreferenceKey, this is dependent on system memory (1G or more multiplies this by four, 0.5G by two, and less does no multiplication). Default is 8388608, which is 8M.

  • WebKitShouldPrintBackgroundsPreferenceKey (boolean)
    When YES (defaults to NO), for any page which uses a background image, will include that image when printing.

  • WebKitTextAreasAreResizable (boolean)
    Appears to be unused so far (defaults to NO).

  • WebKitAllowAnimatedImagesPreferenceKey (boolean)
    Appears to be unused so far (defaults to YES).

  • WebKitAllowAnimatedImageLoopingPreferenceKey (boolean)
    Appears to be unused so far (defaults to YES).

  • WebKitBackForwardCacheExpirationIntervalKey (number)
    How long a cached page can be used when going back/forward through history (defaults to 1800 seconds).

  • WebKitRespectStandardStyleKeyEquivalents (boolean)
    When YES, allows certain keyboard shortcuts to turn on/off certain styles (like bold and italic). NO is WebKit's default, but Safari sets it to YES.

  • WebKitShowsURLsInToolTips (boolean)
    If set to YES, shows a link's URL in a tooltip; default is NO.

  • WebKitPDFDisplayMode (number)
    Should be the style used for displaying PDFs, but it seems to have no effect.
    This and WebKitPDFScaleFactor can be set (for the current session only) by Ctrl-/right-clicking when viewing a PDF and selecting the appropriate setting.

  • WebKitPDFScaleFactor (number)
    Should set the scaling used when displaying PDFs, but seems ignored.

Safari Preferences
These are for Safari only so will not do much of anything for other WebKit-based applications.

  • IncludeDebugMenu (boolean)
    When YES, includes the Debug menu (to modify some of Safari's behaviour). Default is NO.

  • Log (boolean)
    If set to YES, logs some syndication information to stderr (console log if you run Safari in the normal ways). Default is NO.

  • Log.SPI (boolean)
    Logs more detailed syndication information when YES (also to stderr). Defaults to NO

  • CacheDirectory (string)
    Where Safari places its on-disk cache files. Default is ~/Library/Caches/Safari. Note, in my testing, when changing this, Safari will create both the new location and the default, but not actually write anything in either location.

  • DebugShowBuildNumberInWindowTitles (boolean)
    When YES, adds the current build number (eg, 'v412.5') in window titles.

  • CustomUserAgent (string)
    Allows control over what Safari sends as its user agent string back to web servers; default is "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5" as of Safari 2.0.1/412.5. The Debug menu allows you to set some canned values for this, but setting it through preferences lets you use any old string you wish.

  • BackForwardListSizeLimit (number)
    Controls the size of the back/forward history list; defaults to 100. Do not set to anything under 100, or Safari will become confused, except for 0 which disables the back button altogether. Values over 100 are acceptable.


Friday, September 23, 2005

Security Update 2005-008 for 10.4.2 Details

The 2005-008 (for 10.4.2) security update modifies several OS components: CoreServices' CoreTypes and SecurityAgent, ApplicationServices' ImageIO and QD frameworks, Message framework, System framework, prebinding info, ruby's xmlrpc, and securityd.

Read on for more detail

Two bits are updated here: the CoreTypes bundle and the SecurityAgent app.

  • CoreTypes bundle
    CoreTypes.bundle helps the OS (and apps which use OS-provided interfaces) in identifying file types from various bits of information (eg, file extension, MIME type, UTI) as well as providing icons for those files. Not sure which issue is fixed by this, perhaps that bit at the very end about Safe Download Validation?


  • SecurityAgent app handles several sensitive bits related to (duh!) security (eg, changing certain passphrases, authenticating the user for various tasks). This is the fix labeled SecurityAgent on Apple's description.


Two parts are updated in ApplicationServices: the ImageIO framework and the QD framework.

  • ImageIO framework
    ImageIO.framework covers part of the CoreGraphics image system (reading and writing images). Fix labeled ImageIO on Apple's description.


  • QD framework
    QD.framework is the QuickDraw framework, graphics programming from older Mac OS made available on Mac OS X. This is the fix labeled QuickDraw Manager on Apple's description.


Message framework
Message.framework is the framework which contains messaging functionality (email mostly, or perhaps exclusively). This MAY fix what's labeled Mail about auto-reply and encrypted messages on Apple's description. I say MAY since it's not completely obvious, but this doesn't seem to apply to any other listed fixes, and makes sense.


System framework
System.framework is the very low level stuff for the OS. Most likely fixes the fix labeled malloc on Apple's description.


prebinding info
A list of files of interest to the prebinding system was updated here, no idea why.


ruby's xmlrpc
Ruby (the scripting language) has a module for XML-RPC, which is what's been updated for the fix labeled Ruby on Apple's description.


securityd (née Security Server) handles some low-level bits for the SecurityAgent app. Fixes what's labeled securityd on Apple's description.



Tuesday, September 20, 2005

Special Logins in Mac OS X

The login window application (/System/Library/CoreServices/ is what runs the login window (hey, something actually logical here). It has a few "special" accounts which start with the greater-than sign (>) and need no password. These have been documented in various locations, practically since 10.0, so this article will also show how to try and find new ones whenever is updated.

Using These Accounts
First, these are only usable if you have the login window display as Name and password instead of the default List of users. This setting is available in System Preferences, under Accounts then Login Options (bottom of the pane on the left list where accounts are shown). You'll need to be an admin and use the lock at the bottom to authenticate prior to changing this setting.

The Accounts
As of 10.4.2, there are four special accounts and one that may or may not be one. Their function can usually be inferred from the name:

  • >power
    Does a power-down of the system

  • >restart
    Simply restarts the OS

  • >exit
    Exits which then respawns, so acts like a "restart"

  • >console
    Switch to command-line interface console; useful if you like that kind of thing or need to do work outside the Aqua interface (changing some configuration information, removing cache files, etc).

  • >switch-user
    This is the one for which I have yet to find an actual function, if it is in fact a special account at all. It acts like a normal user account from the main window, and judging from context of where it's located in (see below), I thought maybe the screensaver username/password window, but no go there either.

Finding These Special Accounts
While the list of special accounts hasn't really changed since 10.0 or perhaps 10.1 (console, exit, restart, and power were there since at least 10.1) there's always the possibility of new accounts in the future. This is a description of how I've found these in the past and how to (possibly) infer functionality, or at least where they are used.

First, these accounts don't really exist anywhere (eg, in NetInfo where accounts usually live on Mac OS X), but are hardcoded into To find them, first fire up Terminal, then run

strings /System/Library/CoreServices/ | more

What this does is pull out the interesting strings from the binary then send it to more so we can easily scroll through it.

What we're looking for is anything which starts with the greater-than sign, so (using more's search facility) we'll look for a greater-than sign at the beginning of a line. Typing


then Return will do it (that's / search for, ^ at the beginning of the line, a >; see any handy reference on regular expressions for more information, man re_format if you're still in Terminal and either comfortable with *nix technical manpages or are a masochist).

If you're following this in Terminal, the result will be at the top of the window, and should show the four well-known special logins: power, restart, console, and exit (greater-than sign removed for easy HTML editing here). If you use the k or up-arrow key to scroll up a few lines, you'll note there's nothing too interesting around them, suggesting a global use for these (we're assuming).

The n key will go to the next match, so hit it until you get just past exit, which should show (on 10.4.2) the unknown switch-user string. Again, using the k or up-arrow key, you'll note this one is around some stuff referring to the screen saver. Since the switch-user account doesn't work in the main login window window (that sounds funny), perhaps it works for the screen saver since it seems to live in code relating to it. Note there's even a button Switch User... on that window, so perhaps we're on to something. However, it doesn't seem to work here either. There's a good chance this is just a coincidence, and switch-user isn't a special login user at all.

Using the n key again to get past switch-user will show that this is the final match, ending our search.

What Happened?
Basically, what we've just done is look for interesting data in what's actually a binary, non-human-readable file ('s actual executable). In this case, we found four known special logins and one that may or may not be one (it doesn't work on the main login window, nor the screen saver one). If others are added in the future, this procedure should help in quickly discovering what they are called, and actually trying them should determine what they do.


Friday, September 16, 2005

ssh slowdown after 2005-007 update

To anyone who's noticed an odd slowdown in ssh since the 2005-007 security update on 10.4.x, and you've seen gssapi-with-mic in a verbose use of ssh, your problem may be that you don't need the GSSAPI authentication stuff enabled.

To test this theory, try running ssh -o GSSAPIAuthentication=no hostname to see if things work faster. If so, you can add the line

GSSAPIAuthentication no

to your ~/.ssh/config file. If you don't yet have one, create it with the following lines:

Host *
GSSAPIAuthentication no

so that the GSSAPI setting applies to all hosts.


Sunday, September 11, 2005

IPSec Interoperability Warning

For anyone trying to make IPSec work between Mac OS X (at least on 10.4.2) and OpenBSD (3.7), note that you need to be careful when choosing your cryptographic algorithm. Among the choices both OS's offer is AES (aka Rijndael), in the standard key sizes of 128, 192, and 256 bits. 128 bits is fine, but it seems (in my testing) that using AES-192 or AES-256 just does not work between Mac OS X and OpenBSD.

Since the 128 bit size works, it can't be a basic AES issue. Also, Blowfish works up to 448 bits, so it's not just a keysize issue either.

The neat trick is to figure out which side is "wrong" if one is...


NetInfo groups and group membership

If (on 10.4.x) you've added a new group and/or added a user to a group via NetInfo Manager (or the command line), but things like id don't seem to show that group, the problem may be a daemon called memberd.

This daemon (I believe new with 10.4) is a helper for group memberships (see the manpage for memberd for full information).

To tell it to reset its cache (so it sees new stuff), simply

sudo /usr/sbin/memberd -r

The user will still need to logout & back in, but this should get the group information updated properly.