Including Classic | Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2

When deploying PowerPC-based Macintosh computers, Classic presents lab administrators with a challenge (Classic is not supported on Intel-based Macintosh computers). Mac OS 9 doesn't offer the same security structure that Mac OS X provides. For instance, a user could potentially start up a computer in Mac OS 9 to subvert the Mac OS X security structure and do considerable damage to the Mac OS X system. Even within the Classic environment, a user can inadvertently make modifications that affect the experience of other users.

To reduce the security risk, you might choose not to install Mac OS 9 at all. This situation deters a user from starting up in Mac OS 9, unless the user has a CD or a FireWire drive with Mac OS 9 installed, and the computer supports booting from a Mac OS 9 system (something that most newer Macs do not support). Alternatively, don't install the Mac OS 9 drivers when formatting your drive. This way, users can use the Classic environment, but if they attempt to start up the computer with a CD or FireWire drive with Mac OS 9, they won't be able to see the Mac OS X startup volume.

Note

To prevent users from starting up the computer with a disk other than the one designated by you, enable the Open Firmware password. This makes it necessary for a password to be entered in order to start up the computer from any other bootable device. Consider implementing this basic security step in addition to any other solutions you use to secure your computers. The pre-Mac OS X v10.4 Open Firmware Password application can be downloaded for free from www.apple.com/support/downloads/openfirmwarepassword.html and the Mac OS X v10.4 version of the Open Firmware Password application must be obtained from the install DVD or CD of Mac OS X v10.4 or Mac OS X Server v10.4.

An additional challenge is that Mac OS 9 requires all users to have read/write access to many common files in order to work as expected. For instance, Mac OS 9 maintains only one set of preferences and one Documents folder for all users. This is one way that one user's actions can affect another user's experience; documents can easily be misplaced and end up in the wrong hands, with security compromised. To further complicate matters, some Mac OS 9 applications require the ability to write back to their own folders.

Managing Preferences in Classic

The best way to manage preferences in Classic is to allow users to store Classic preferences in their own home folders, as shown in the following figure. This can be done easily in the Classic pane of System Preferences by selecting "Use Mac OS 9 preferences from your home," which stores Classic preferences in ~/Library/Classic instead of in the Classic System Folder.

Using Classic on a Disk Image

The Classic environment can start from a disk image, and can even mount a disk image automatically when Classic is started, as shown in this image.

To direct Classic to use a System Folder from a disk image, do the following:

1.	Launch Disk Utility (/Applications/Utilities), and choose File > New > Disk Image from Folder to create a disk image.
2.	Select a valid Mac OS 9 System Folder as the source of the image, and make the image Read/Write so that temporary files can write back to the image.

3.	Save the disk image in /Library/Application Support or some other location where you want it stored.
4.	Double-click the disk image to mount it.
5.	Open the Classic pane of System Preferences.
6.	Select the System Folder in the disk image volume.
7.	Close the Classic pane. Each time Classic starts, Mac OS X automatically mounts the disk image.
8.	Check for each user and set up the image preference if necessary.

Warning

Once this procedure is accomplished, the Classic pane of System Preferences should be opened only when the disk image is mounted. Opening the Classic pane when the disk image is not mounted may result in Classic's losing track of the System Folder.

Note

If a Mac OS 9 application stores its temporary files in the Mac OS 9 System Folder, the disk image may run out of space. You may wish to create a sparse disk image, where you can drag and drop copies of your Mac OS 9 System Folder and Mac OS 9 Applications folder, and then delete them from the local volume. This removes the disk-space-limitation issue.

To address the problem of the system requiring users to have read/write access to common system files, run Classic from a disk image. Script a logout process whereby the Classic disk image file, which contains the Mac OS 9 System Folder, is overwritten with a fresh copy. Additionally, include any applications that need to write to their own folders in the same image.

ShadowClassic (a free open-source tool from Mike Bombich; www.bombich.com) allows you to lock a Classic disk image file to make it read-only, thus preventing users from changing its contents. It mounts the image with a functionally writable shadow file. Instead of applications making changes to the contents of the disk image, the changes are now written to a temporary file. After a logout and login cycle, the temporary file is discarded and the Classic environment is presented to the user in a "clean" state.

There is one caveat to the ShadowClassic procedure: If you launch a Mac OS 9 application that is stored on the Classic disk image prior to launching Classic (for example, by clicking its icon in the Dock or double-clicking an alias of the application), the Finder subverts ShadowClassic and mounts the Classic disk image without a shadow file. To avoid this situation, set Classic to start up on login.