Friday, February 25, 2011

APPLESCRIPT: CHANGE SOFTWARE UPDATE SERVER

This is a bump for a hint posted by flammable over on Mac OS X hints - these AppleScripts for setting an OS X client to use a local Software Update server are so useful they deserve some new air time.


Ref this link:
http://hints.macworld.com/article.php?story=20091002190708159

Monday, February 21, 2011

TEST SMTP AUTH CONNECTIVITY

Here's a useful way to test SMTP settings when troubleshooting an email client or "scan to email" settings on a multifunction copier/scanner:
Use Terminal to telnet to your sendmail server, specifying the port you will use to connect. Many mail servers accept SMTP AUTH requests on port 465 or 587.

Once connected, you can authenticate as a known user by issuing the "auth login" command. The key here is that you need to convert your plain-text user credentials using Base64 encoding. A simple conversion tool can be found at http://www.base64converter.com
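
Added example (not part of the original post): the Base64 conversion can also be done locally in the shell, so the credentials never have to be pasted into a website. The account, password and host name are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Build the Base64 strings for an SMTP "AUTH LOGIN" exchange locally.
# Note: Base64 is an encoding, not encryption. Anyone who can see the
# telnet session can decode these values.

# Encode one value exactly as given. printf '%s' avoids the trailing
# newline that echo would add, which would corrupt the credential.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a server prompt such as "334 VXNlcm5hbWU6" to see what it asks for.
decode_challenge() {
    printf '%s' "${1#334 }" | base64 --decode
}

# Print, in order, the lines to type into the telnet session.
# $1 = user name, $2 = password, $3 = name to announce in EHLO
auth_login_lines() {
    printf 'EHLO %s\n' "$3"
    printf 'AUTH LOGIN\n'
    printf '%s\n' "$(b64 "$1")"   # answer to the "Username:" prompt
    printf '%s\n' "$(b64 "$2")"   # answer to the "Password:" prompt
    printf 'QUIT\n'
}

# Constructed sample values, for illustration only.
auth_login_lines 'scanner@example.com' 'CorrectHorse9' 'client.example.com'
```

After "AUTH LOGIN" the server normally replies with two 334 prompts; passing each one to decode_challenge shows that they read "Username:" and "Password:".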

Tuesday, February 15, 2011

SNOW LEOPARD SERVER BUILT-IN FIREWALL

While Macs remain inherently secure due to a variety of factors, it's still possible to have your Snow Leopard server hacked if you've assigned it a public IP address. Using the built-in firewall in Snow Leopard Server is a quick way to achieve better security, even if it's just a temporary solution until your network can be secured using more robust technologies.


Select the Firewall service in Server Admin and allow only traffic from "any" to these ports:

TCP (outgoing)
TCP (established)
UDP Fragments
UDP outbound and responses to same port
DNS - responses to outbound queries
Serial number support
ICMP - echo reply messages (replies to outgoing pings)
ICMP - echo requests messages (incoming pings)

Next, allow local LAN traffic. In many cases the built-in 10-net or 192.168-net default settings can be used by selecting Allow All Traffic. If your network uses a different IP range, create a group using the CIDR notation for your network range and Allow All to that group. For example, Group Name = LAN, addresses in group = 172.16.0.0/12
That's it: save changes and hit start. Be aware that you've now blocked all external access to your server on important services such as SSH and ARD, so you'll no longer have remote control of your server.

Monday, February 14, 2011

ALLOW NON-ADMINS ACCESS TO SYSTEM PREFS

Here's a great way to allow standard users to change settings normally reserved for admin users (such as energy settings, date & time, etc).

You'll need to be comfortable with the command line to do this, but it's fairly straightforward:
Using your favorite text editor, open the authorization file at /etc/authorization with sudo and change it as follows:

Old

<key>system.preferences</key>
<dict>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <true/>
    <key>allow-root</key>
    <true/>
</dict>

New

<key>system.preferences</key>
<dict>
    <key>group</key>
    <string>staff</string>
    <key>shared</key>
    <true/>
    <key>allow-root</key>
    <true/>
</dict>

Save changes and exit the file. This allows non-admins access to ALL system preferences except Accounts. As an admin, you may not want standard users to be able to change the startup disk. You can prevent that by modifying that specific preference pane, again via the command line:

sudo chgrp -R admin /System/Library/PreferencePanes/StartupDisk.prefPane
sudo chmod -R u=rwx,g=rwx,o=r /System/Library/PreferencePanes/StartupDisk.prefPane

Ref this post on MacNN Forums:
http://forums.macnn.com/90/mac-os-x/216189/editing-etc-authorization-file-panther-how/