Deliverable: A highly secured Mac for multiple users. Users will be able to boot into Mac OS 9 or Mac OS X. Each OS will be on a separate drive. Normal users won't be able to access the OS X partition while booted to OS 9. While booted to OS X, users will have restricted access to OS 9 system files. Open Firmware's security-mode is set to command. Therefore, the user will not be able to boot from any device except the two internal disks. This includes booting to CD, Firewire, network, single user mode, target disk mode, and misc. startup key commands.
NOTE: The following configuration only tested on pre-mirrored door G4s.
First step: Suggested readings on Open Firmware:
Link 1: http://www.resexcellence.com/hack_html_02/04-11-02.shtml
Link 2:
http://www.netneurotic.de/mac/openfirmware.html
Link 3: http://bh.udev.org/filez/mac6100/BootX.pdf
Link 4: http://www.netbsd.org/Ports/macppc/faq.html#ofw
[robg adds: Read the rest of the article for the details -- please note that I have not tested this hint, and it involves both Open Firmware and hardware changes, so things could go wrong ... make sure you have a good backup if you're going to experiment with this one!]
Second step: Start by installing two IDE hard drives (same controller / different controller - doesn't matter). With the OS X 10.2.X Disk Utility (only tested with 10.2.x, not 10.1.x), create three partitions on the disk you'll be using for OS 9. Obviously, you'll want to include the OS 9 drivers. First partition for OS 9, second is a fake boot partition (more on this later), and the third for files storage. Keep the OS 9 boot partition reasonably small. The second partition (fake boot partition) should be no more than 100 MB, as the fake system doesn't use much space. The third will be used for common ground file storage (will be able to read/write from OS 9 and X).
Now initialize the second hard drive as your OS X disk. Make sure not to install OS 9 drivers on this disk. This will prevent users from accessing it while in OS 9 (it won't be mounted). Install OS 9 on the designated OS 9 partition and OS X on the OS X disk. To save some typing, from now on I'll refer to these volumes as: OS 9 boot will be volume A, fake boot disk will be volume B, storage is volume C, OS X disk will be volume D.
Third step: Now we begin the meat and potatoes. Boot into OS X. Log in as root and go to the /System -> Librar -> CoreServices directory. Do a "Get Info" (Command I) on both of the Finder files. One will read "Fake Finder" in the version field. Copy this Finder file and the System file (also Fake) to volume B. Next, we write a short script. Open a text editor. Copy and paste, if you wish, but replace "Mac 9 HD" with the name of your volume A:
#include <stdlib.h>
#include <unistd.h>
main(void)
{
char *command="/usr/sbin/bless -folder9 '/Volumes/Mac 9 HD/System Folder/' -setOF";
char *command2="reboot";
int retrncode;
setuid(0);
setgid(0);
retrncode=system(command);
retrncode=system(command2);
return 0;
}
Save as something like switchbless.c, and compile with gcc (you'll need the Developer Tools, or download the gcc compiler). To compile, use the command gcc switchbless.c. The binary output is a.out. Put the source code in a safe place, better yet, delete it after testing. Rename a.out to switchbless, chmod it to 4750, and chown it to root.staff (or other group). This will allow normal users to execute it as root. Move the file to /usr/bin/. You may want to put an AppleScript front end on this to make it easier for your users to execute (e.g.: do shell script "/usr/bin/switchbless"). Otherwise, the user will have to go to command line and type switchbless. Test and make sure it will boot you to volume A.
<BOOT-SCRIPT>
setenv boot-device /pci@f2000000/pci-bridge@d/mac-io@7/ata-4@1f000/
@0:2,\System\Library\CoreServices\BootX
reset-all
</BOOT-SCRIPT>
Fifth step: Should still be in OS 9. Enable Multiple Users. Create a normal user account. Stay logged in as owner. Move the "Applications (Mac OS 9)" folder to Users:Shared Documents:. Since normal users will be restricted from using the startup disk control panel, we'll need to create a script as a workaround, as we did in OS X. This time we use AppleScript. You'll need to download this OSAX written by Eric Grant. Put it in your Scripting Additions folder. Next, get your hands on an earlier version of the Startup Disk control panel (version 7.7.8 from system 9.0.4 was used in this concoction). Put the control panel in the "Applications (Mac OS 9)" folder. Name it something like "Startup App" (but don't include it in the user's capabilities). Here is the AppleScript:
tell application "Finder" set startup disk to (alias "Vol B:Referral System:") using file ¬ "Vol A:Users:Shared Documents:Applications (Mac OS 9):Startup App" restart end tellReplace "Vol A" and "Vol B" with your corresponding volume names. Save it as Run-Only in the "Applications (Mac OS 9)" folder and put the source in a safe place; better yet delete it from this system after testing. Don't forget to send thanks to Eric Grant for the OSAX.
Comments (0)
Mac OS X Hints
http://hints.macworld.com/article.php?story=20030916110201384