Build a secure multi-user dual-booting Mac System
Deliverable: A highly secured Mac for multiple users. Users will be able to boot into Mac OS 9 or Mac OS X. Each OS will be on a separate drive. Normal users won't be able to access the OS X partition while booted to OS 9. While booted to OS X, users will have restricted access to OS 9 system files. Open Firmware's security-mode is set to command. Therefore, the user will not be able to boot from any device except the two internal disks. This includes booting to CD, Firewire, network, single user mode, target disk mode, and misc. startup key commands.

NOTE: The following configuration has only been tested on pre-mirrored-door G4s.

First step: Suggested readings on Open Firmware:
Link 1: http://www.resexcellence.com/hack_html_02/04-11-02.shtml
Link 2: http://www.netneurotic.de/mac/openfirmware.html
Link 3: http://bh.udev.org/filez/mac6100/BootX.pdf
Link 4: http://www.netbsd.org/Ports/macppc/faq.html#ofw

[robg adds: Read the rest of the article for the details -- please note that I have not tested this hint, and it involves both Open Firmware and hardware changes, so things could go wrong ... make sure you have a good backup if you're going to experiment with this one!]

Second step: Start by installing two IDE hard drives (on the same controller or on different controllers; it doesn't matter). With the OS X 10.2.x Disk Utility (only tested with 10.2.x, not 10.1.x), create three partitions on the disk you'll be using for OS 9. Obviously, you'll want to include the OS 9 drivers. The first partition is for OS 9, the second is a fake boot partition (more on this later), and the third is for file storage. Keep the OS 9 boot partition reasonably small. The second partition (the fake boot partition) should be no more than 100 MB, as the fake system doesn't use much space. The third will be used as common-ground file storage (readable and writable from both OS 9 and OS X).

Now initialize the second hard drive as your OS X disk. Make sure not to install OS 9 drivers on this disk. This will prevent users from accessing it while in OS 9 (it won't be mounted). Install OS 9 on the designated OS 9 partition and OS X on the OS X disk. To save some typing, from now on I'll refer to these volumes as: OS 9 boot will be volume A, fake boot disk will be volume B, storage is volume C, OS X disk will be volume D.

Third step: Now we begin the meat and potatoes. Boot into OS X. Log in as root and go to the /System -> Library -> CoreServices directory. Do a "Get Info" (Command-I) on both of the Finder files. One will read "Fake Finder" in the version field. Copy this Finder file and the matching System file (also fake) to volume B. Next, we write a short C program. Open a text editor. Copy and paste, if you wish, but replace "Mac 9 HD" with the name of your volume A:

#include <stdlib.h>
#include <unistd.h>

/* Setuid-root wrapper: blesses the OS 9 System Folder on volume A as the
 * Open Firmware boot target, then reboots. Both commands use absolute
 * paths so the caller's PATH cannot substitute a different binary. */
int main(void)
{
  char *command="/usr/sbin/bless -folder9 '/Volumes/Mac 9 HD/System Folder/' -setOF";
  char *command2="/sbin/reboot";
  int retrncode;
  /* Become root for real (not just effective) so the child commands run as root. */
  setuid(0);
  setgid(0);
  retrncode=system(command);
  if (retrncode != 0)
    return 1;                 /* bless failed: don't reboot into the wrong OS */
  retrncode=system(command2);
  return 0;
}
Save it as something like switchbless.c, and compile with gcc (you'll need the Developer Tools, or download the gcc compiler). To compile, use the command gcc switchbless.c. The binary output is a.out. Put the source code in a safe place; better yet, delete it after testing. Rename a.out to switchbless, chmod it to 4750, and chown it to root.staff (or another group). This allows normal users in that group to execute it as root. Move the file to /usr/bin/. You may want to put an AppleScript front end on this to make it easier for your users to execute (e.g. do shell script "/usr/bin/switchbless"). Otherwise, the user will have to go to the command line and type switchbless. Test it and make sure it boots you to volume A.
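A hardened version of the same wrapper, added here as an example and not the hint's own code: it drops system() in favour of fork/execve with absolute paths and a scrubbed environment, and hands the folder path to bless as one argument so a volume name with spaces needs no shell quoting. The names build_bless_argv and run_clean are this example's own; the volume name "Mac 9 HD" is the hint's placeholder.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Absolute paths: a setuid-root program must not let the caller's PATH pick the binary. */
#define BLESS_PATH  "/usr/sbin/bless"
#define REBOOT_PATH "/sbin/reboot"
/* Scrubbed environment for the children; nothing from the caller leaks in. */
static char *const clean_env[] = { "PATH=/usr/sbin:/sbin:/usr/bin:/bin", NULL };

/* Build argv for: bless -folder9 "/Volumes/<volume>/System Folder/" -setOF
 * The folder path is a single argv entry, so spaces in the name need no quoting.
 * Returns the argument count, or -1 for an empty name, a '/' in the name,
 * or a folder buffer that is too small. */
int build_bless_argv(const char *volume, char *folder, size_t folder_len,
                     char *argv[], size_t argv_len)
{
    if (volume == NULL || *volume == '\0' || strchr(volume, '/') || argv_len < 5)
        return -1;
    int n = snprintf(folder, folder_len, "/Volumes/%s/System Folder/", volume);
    if (n < 0 || (size_t)n >= folder_len)
        return -1;
    argv[0] = BLESS_PATH; argv[1] = "-folder9"; argv[2] = folder;
    argv[3] = "-setOF";   argv[4] = NULL;
    return 4;
}

/* fork/execve with the clean environment and no shell in between.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_clean(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char folder[256], *argv[5], *reboot_argv[] = { REBOOT_PATH, NULL };
    if (build_bless_argv("Mac 9 HD", folder, sizeof folder, argv, 5) < 0) return 1;
    if (setgid(0) != 0 || setuid(0) != 0) return 1;   /* granted by mode 4750 root:staff */
    if (run_clean(argv) != 0) return 1;               /* bless failed: stay on this OS */
    return run_clean(reboot_argv) == 0 ? 0 : 1;
}
```

Install it exactly as the hint describes (owner root, group staff, mode 4750) so only members of that group can trigger it.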

Fourth step: In the Startup Disk preference pane, set the Mac to boot from volume D (OS X). Boot into Open Firmware. Type printenv boot-device and hit Enter. Write down the characters just before the first comma (e.g. @0:2). Boot into OS 9. Create a System Folder on volume B named something that looks important, like Referral System. Copy the Mac OS ROM file from your volume A System Folder to this folder. Also put the fake System and fake Finder files (you copied them over in step three) in this folder with the Mac OS ROM file. Now download BBEdit and launch it. With BBEdit, open the Mac OS ROM file you just copied to the volume B Referral System folder (use the "All Files" filter to see it). Look for the BOOT-SCRIPT block. The setenv line in that block (starting with setenv and ending in BootX) must be a single line with no added spaces. Change the characters preceding the first comma to the ones gathered earlier in this step (e.g. @0:2). The second argument (after the comma) points to the OS X bootloader and should be changed to exactly what appears here, if it isn't already. On the second line, type reset-all. Save the ROM file. Do not use Save As, as it changes the file type.

<BOOT-SCRIPT>
setenv boot-device /pci@f2000000/pci-bridge@d/mac-io@7/ata-4@1f000/@0:2,\System\Library\CoreServices\BootX
reset-all
</BOOT-SCRIPT>
Fifth step: You should still be in OS 9. Enable Multiple Users. Create a normal user account. Stay logged in as owner. Move the "Applications (Mac OS 9)" folder to Users:Shared Documents:. Since normal users will be restricted from using the Startup Disk control panel, we'll need to create a script as a workaround, as we did in OS X. This time we use AppleScript. You'll need to download this OSAX written by Eric Grant. Put it in your Scripting Additions folder. Next, get your hands on an earlier version of the Startup Disk control panel (version 7.7.8 from System 9.0.4 was used in this concoction). Put the control panel in the "Applications (Mac OS 9)" folder. Name it something like "Startup App" (but don't include it in the user's capabilities). Here is the AppleScript:
tell application "Finder"
  set startup disk to (alias "Vol B:Referral System:") using file "Vol A:Users:Shared Documents:Applications (Mac OS 9):Startup App"
  restart
end tell
Replace "Vol A" and "Vol B" with your corresponding volume names. Save it as Run-Only in the "Applications (Mac OS 9)" folder and put the source in a safe place; better yet delete it from this system after testing. Don't forget to send thanks to Eric Grant for the OSAX.

Step Six: Boot into Open Firmware, set the password, enable security-mode, and set it to "command" (see the instructions on page six of link #3 above, the BootX PDF). Now, as a normal user, you should be able to switch back and forth between OS X and OS 9 using the scripts you created. If this is working for you, congratulations! However, you still don't have a secured system. All you really have is Open Firmware protection and a way for a normal user to switch startup disks.

Final Step: Think like a mischievous normal user trying to bypass security. Where would you start to circumvent the security the way it is now? Open the box, pull the RAM, zap PRAM, and boom, you have OF access. So, you need a way to deal with physical security or all the work you're doing here is for naught. Consider padlocking the case, adhesive tamper-evident security seals, a snare, explosives, whatever.

Where would you go now, if you can't get in the case? Perhaps disabling the Multiple Users extension in the OS 9 System Folder while booted into OS X? That'd get you full rights on the OS 9 side. You could then install and run FWSucker, etc. to retrieve the OF password. Therefore, you need to secure the System Folder on volume A for when users are booted into OS X. I found the only way to do this is to use the chflags command-line utility with the sappnd flag, so only admins can append to this volume. You also don't want the user mucking with the Referral System folder, so you'll need to do the same to it. Keep in mind the user will need volume C as common ground for moving and storing files between OS 9 and X. In OS 9, I found that copying each user's folder along with their Documents folder to the Users folder on volume C gives them read/write access to this volume for their Documents folder only.

Additionally, you'll want to tweak the users' capabilities in OS 9 and X so the user can only execute applications that you choose. This will help prevent them from installing additional software that could allow them to compromise the system. At this point, your Mac should be much more secure than it would have been otherwise. This document is meant to get you most of the way to securing a Mac. I'm sure there is still more tweaking and securing to be done. After all, it is a job that is never done ... Good luck!

Note: In this configuration, you can expect a slightly irritating OS 9 multiple user bug.