Choosing Mac OS 9 (Classic) Security Options


Mac OS 9 can run in two different modes, both with undesirable security implications:

  • In Native mode, the computer boots directly into Mac OS 9. In this mode, Mac OS 9 ignores all Mac OS X file permissions and most other security measures. Mac OS 9 has some user authentication capability of its own (using the Multiple Users Control Panel), but it is far more limited than the Mac OS X capabilities. As a result, Native-mode Mac OS 9 should be disabled in a secure environment.

  • In Classic compatibility mode, Mac OS 9 runs as a process under Mac OS X control. In this mode, Mac OS 9 is constrained by the Mac OS X file permissions and other security features, but if multiple users share the same Mac OS 9 System Folder they may leak information that should be kept private. As a result, Classic mode should be disabled wherever possible. If it is required to run programs that cannot run natively under Mac OS X, special measures must be taken to prevent information leakage.

The simplest and most complete way to disable Mac OS 9 is to delete the operating system, or not install it in the first place. If access to the Classic compatibility environment is needed, there are several options available to retain Mac OS 9 but limit it to Classic mode:

  • Mac OS 9 can be installed in (or copied into) a disk image. The Classic compatibility environment can run from an image, but Mac OS 9 cannot boot natively from an image, so this provides a robust way to limit Mac OS 9 availability. The Classic environment will automatically mount the image when it is needed, making this solution convenient for the user. Also, giving each user his or her own private image will avoid information leakage.

  • The computer's hard drive can be formatted without Mac OS 9 drivers. Native-mode Mac OS 9 cannot read or boot from an ATA or SCSI hard drive that does not have appropriate drivers installed. This is not an absolute lockout, as the system can still read and boot from driverless disks over FireWire; thus, putting a Macintosh into FireWire Target Disk Mode will allow its hard drive to be read or even booted to Mac OS 9.

    Note

    Enabling and disabling Mac OS 9 drivers can be done only when the hard drive is erased or partitioned, that is, when all data on the hard drive is being discarded. If this security measure is to be used, it must be configured before any other installation or setup of the computer is performed.


  • The computer's hard drive can be formatted in UNIX File System (UFS) or Case-Sensitive HFS Plus. Mac OS 9 cannot read or boot from these volume formats natively, but it can read them in Classic mode (via the Mac OS X file manager). Note, however, that running Mac OS 9 on one of these volume formats may be subject to compatibility issues.

Finding Mac OS 9 Installations

The Mac OS 9 system files normally reside in the aptly named "System Folder" at the top level of the hard drive, but a bootable Mac OS 9 System Folder can actually have any name and reside anywhere on the hard drive. The first step in removing (or even just controlling) Mac OS 9 is to get a complete inventory of installed systems. You can use the System Preferences Classic pane to generate a list of Mac OS 9 systems, but it's not always complete. To make sure you find them all, use the command line.

1. Log in to a local administrator account and open Terminal.

2. Enter the command

sudo find -x / -iname System -exec mdls -name \
kMDItemFSTypeCode '{}' ';' | grep -B 1 ' 2054388083'


Note

This is a single command split across two lines for the purposes of fitting on a book page. The backslash at the end of the first line tells the shell to treat the next line as a continuation.

3. Examine the command's output: It should list each system installation (both Mac OS 9 and Mac OS X) on the hard drive.

For example:

This shows the Mac OS X system file (in /System/Library/CoreServices/System) and the Mac OS 9 system file (in /System Folder/System). The live Mac OS X system will always be in /System/Library/CoreServices/System; any other system files listed are either Mac OS 9 (or older) systems or previous Mac OS X systems that were archived by performing an Archive and Install of Mac OS X. Generally, all but the live Mac OS X system should be deleted.

4. If the computer has more than one volume mounted, search additional volumes with the command

sudo find /Volumes -iname System -exec mdls -name \
kMDItemFSTypeCode '{}' ';' | grep -B 1 ' 2054388083'


Note

As with the command in step 2, this is a single command split between two lines.
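The number in the grep pattern is a four-character file type code stored as an integer, and the paths the search reports can be sorted using the rule given in step 3. The script below is an added example, not from the book: the sample paths are constructed, and telling archived Mac OS X systems from Mac OS 9 ones by path suffix is an assumption based on the text.

```shell
#!/bin/sh
# Added example, not from the book. Sample paths below are constructed.

LIVE_SYSTEM='/System/Library/CoreServices/System'

# Decode a 32-bit file type code (as mdls prints it) into four characters.
fourcc() {
    code=$1
    text=
    for bits in 24 16 8 0; do
        byte=$(( (code >> bits) & 255 ))
        # Turn the byte value into an octal escape that printf can emit.
        text=$text$(printf "\\$(printf '%03o' "$byte")")
    done
    printf '%s\n' "$text"
}

# Read System file paths (one per line) and label each per the text:
# the live Mac OS X system, an archived Mac OS X system, or a Mac OS 9
# (or older) System Folder. Matching on the path suffix is an assumption.
triage_systems() {
    while IFS= read -r path; do
        case $path in
            '') ;;
            "$LIVE_SYSTEM") printf 'LIVE\t%s\n' "$path" ;;
            */System/Library/CoreServices/System)
                printf 'ARCHIVED\t%s\n' "$path" ;;
            *)  # Report the enclosing folder, whatever it is named.
                printf 'CLASSIC\t%s\n' "${path%/*}" ;;
        esac
    done
}

# Constructed sample of paths such a search might report.
sample_paths() {
    cat <<'EOF'
/System/Library/CoreServices/System
/System Folder/System
/Previous Systems/System Folder 1/System
/Previous Systems/Previous System 1/System/Library/CoreServices/System
EOF
}

fourcc 2054388083      # the value the grep pattern matches
sample_paths | triage_systems
```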

Removing Mac OS 9

Deleting a Mac OS 9 system is easy enough. Discard the entire System Folder (or whatever it's named; in the example above, the two folders are /System Folder and /Previous Systems/System Folder 1) into the Trash and perform a Secure Empty Trash. (Secure Empty Trash is recommended to make sure security-related information, such as passwords in the Users & Groups Data File, is not recoverable.)

However, if Mac OS 9 has ever been used on the computer, it is likely to have created additional files that should either be moved to secure locations or deleted. Many of these files and folders are invisible, so the easiest way to deal with them is from the command line.

1. Log in to a local administrator account and launch the Terminal utility.

2. Open the Mac OS 9 Desktop Folder and Documents folder with the following command:

open '/Desktop Folder'; open '/Documents'


If this returns "no such file" errors, ignore them.

Note

The single quotes shown in the command are very important. Omitting them could cause the accidental deletion of the Mac OS X Applications folder, which would require reinstallation to repair.

3. The Mac OS 9 Desktop Folder and Documents folder should be displayed in the Finder, if they exist. Any files or folders stored in them need to be deleted or moved to more secure locations, depending on local policy and the files' contents. If the determination cannot be made at this time, move the files and folders to a secure temporary location, as anything left in the folder will be deleted in the next step.

4. Purge leftover applications and data from Mac OS 9 with the following commands:

sudo rm -rf '/Applications (Mac OS 9)'
sudo srm -rf '/Documents'
sudo srm -rf '/Desktop Folder'
sudo srm -rf '/Trash'
sudo srm -rf '/Network Trash Folder'
sudo srm -rf '/Temporary Items'
sudo srm -rf '/Cleanup At Startup'
sudo srm -rf '/TheFindByContentFolder'
sudo srm -rf '/TheVolumeSettingsFolder'
sudo srm -rf '/VM Storage'
sudo srm -rf '/AppleShare PDS'
sudo rm -rf '/Shutdown Check'


If any of these commands give "no such file" errors, ignore them.

Warning

The single quotes shown in the command are very important; omitting them could cause the accidental deletion of the Mac OS X Applications folder, which would require reinstallation to repair.
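Before running the purge in step 4, it helps to see which of the listed items actually exist and how much is still inside them, since step 3 warns that anything left behind is deleted. The following read-only preview is an added example, not from the book; the function names are hypothetical and the optional volume-root argument is an assumption for checking volumes other than the startup disk.

```shell
#!/bin/sh
# Added example, not from the book: a preview that deletes nothing.

# The leftover Mac OS 9 items named in step 4, one per line, so names with
# spaces and parentheses are never exposed to the shell's word splitting.
classic_leftovers() {
    cat <<'EOF'
/Applications (Mac OS 9)
/Documents
/Desktop Folder
/Trash
/Network Trash Folder
/Temporary Items
/Cleanup At Startup
/TheFindByContentFolder
/TheVolumeSettingsFolder
/VM Storage
/AppleShare PDS
/Shutdown Check
EOF
}

# For volume root $1 (default /), print "<entries inside><TAB><path>" for
# each leftover that exists. Missing items are skipped silently, which is
# the "no such file" case the text says to ignore.
list_present_leftovers() {
    root=${1:-/}
    root=${root%/}
    classic_leftovers | while IFS= read -r item; do
        target=$root$item
        # -L also catches a dangling symlink, which -e reports as missing.
        if [ -e "$target" ] || [ -L "$target" ]; then
            # Count top-level entries; a plain file counts as 0.
            n=$(( $(find "$target" -mindepth 1 -maxdepth 1 | wc -l) ))
            printf '%d\t%s\n' "$n" "$target"
        fi
    done
}

list_present_leftovers "${1:-/}"
```

A nonzero count beside Documents or Desktop Folder means step 3 is not finished for that folder.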

Note

The National Security Agency (NSA) has guidelines for installing and configuring Mac OS X. You may want to mirror some of their steps to secure your systems. You can find the NSA guidelines at www.nsa.gov/snac/downloads_macX.cfm?MenuID=scg10.3.1.1.

Deleting the Classic Environment

Even with all copies of Mac OS 9 purged from the computer, it is still possible for a user to copy in a Mac OS 9 System Folder and launch it in the Classic compatibility environment. Hopefully your users have more sense than that. If you don't want to count on that, it's possible to remove the components of Mac OS X that allow Mac OS 9 to run in Classic mode:

1. Log in to a local administrator user account and open Terminal.

2. Delete the Classic compatibility environment by entering the following commands:

cd '/System/Library'
sudo rm -rf 'CoreServices/Classic Startup.app'
sudo rm -rf 'PreferencePanes/Classic.prefPane'
sudo rm -rf 'UserTemplate/English.lproj/Desktop/Desktop (Mac OS 9)'


3. Restart the system.




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
