I noticed when reading back through the issues of ten years ago (see our anniversary article "TidBITS Goes to Eleven" in TidBITS-576) that we did a sporadic column reporting bits of information related to the just-released System 7. That release was a huge deal in the spring of 1991, and I’m embarrassed our coverage of the actual release was so minimal. But the parallels with Mac OS X’s recent release are striking: in both cases, applications needed to be rewritten to support new features, the actual release came several months before the operating system was installed by default, both were slow on low end Macs that didn’t have enough RAM (a 4 MB minimum for System 7 versus Mac OS X’s 128 MB minimum), and numerous tips and tricks were necessary to make the most of the new operating system. The main difference seems to be that Mac OS X has suffered far more negative comments. There was some moaning about a few specific technologies in System 7 (such as balloon help and publish & subscribe), but the overall response was positive because System 7 clearly addressed well-perceived needs, like multitasking and access to more physical RAM.
Whatever the similarities or differences, it’s time for another sporadic column to distill otherwise unrelated bits of information about Mac OS X from the extensive discussions on TidBITS Talk and other places.
Mac OS X FTP Vulnerability? On 10-Apr-01, CERT issued an advisory identifying a problem with the way various FTP servers can be compromised to enable intruders to execute code on the machine running the FTP server. The bug affects FTP servers in a variety of Unix implementations, including the FreeBSD version which Apple uses in Mac OS X. FreeBSD, Inc. has acknowledged the bug and fixed it, and other vendors have also investigated the situation. Unfortunately, Apple has made no statements to CERT as to whether or not Mac OS X is vulnerable, requests for clarification on Apple’s DarwinOS-Users mailing list went unanswered, and Apple has failed to reply to our direct email queries as well. However, Larry Rosenstein <[email protected]> tells us that the version control log for Darwin shows that the FTP server was imported from the FreeBSD project in July of 2000, and his reading of the code indicates a likely vulnerability. He also noted what might be an attempt at a fix in the current version of the FTP server source code.
Since Mac OS X’s Sharing control panel offers an option to allow remote FTP access using this server code, we recommend you leave that option off (as it is by default, thank goodness) to be safe until Apple closes this security hole. If you do need FTP access on, don’t allow anonymous FTP access (by creating an account named "ftp") and make sure users have strong passwords.
My advice to Apple: with Mac OS X, you chose to hop into bed with the open source Unix community, and now you have to suffer the bedbugs which didn’t bite previous versions of the Mac OS. Deal with them like an upstanding member of the community: acknowledge problems quickly, provide interim workarounds, fix the bugs, and distribute the fixes widely through the Software Update control panel. Attempts to conceal problems or execute PR spin won’t fly – Mac OS X will likely become the most popular version of Unix on the planet before long, and with that reach comes a heavy responsibility to protect Mac OS X users.
No MacBinary in Mac OS X FTP — While we’re on the topic of Mac OS X’s FTP server, I discovered last week that the silly thing doesn’t support MacBinary file transfers. That means that if you upload a Macintosh file with a resource fork (like all Classic applications, Carbon applications that also run under Mac OS 9, and some documents) the resource fork will be stripped during upload, damaging the file. We expect more attention to detail from Apple; hopefully they’ll add this functionality in a future release.
In the meantime, there are two workarounds. Either use the slower AppleShare instead, since it copies the resource fork with no trouble, or stuff the file with a recent version of StuffIt Deluxe or DropStuff before uploading to combine the resource and data forks in the data fork-only StuffIt archive.
Timbuktu Pro for Mac OS X Released and Released Again — With Netopia’s preview release of Timbuktu Pro for Mac OS X, we have another essential piece of software necessary to turn Mac OS X into a production operating system. New features include an Aqua interface (along with other basic Mac OS X elements, such as tooltips and support for file and folder permissions), support for multi-gigabyte files, additional security, the capability to force quit applications on remote Mac OS X machines, and improved display performance. Limitations include no support for AppleTalk-based connections, no DirectDial functionality for connecting directly via modem, no way to wake up a sleeping display (forcing use of the Mac OS X screensaver – unfortunately, Mac OS X has no basic black screensaver built in), no support for Mac OS X’s long file names, no way to restrict incoming access when Timbuktu is running, no drag & drop with Mac OS X host computers, no support for the Hide Desktop Pattern feature, and compatibility only with version 4.8 and higher of Timbuktu Pro for Macintosh and Timbuktu 2000 for Windows (earlier versions may work but are not officially supported). The preview release costs $30 from Netopia’s online store and expires on 18-Jun-01; Netopia plans to offer special upgrade pricing on the final version to those who purchase the preview release.
In testing, Timbuktu Pro for Mac OS X worked well for both controlling existing Macs and being controlled. However, Netopia today acknowledged a serious security hole that allows a user with physical access to the computer to bypass Mac OS X’s password security. Netopia immediately released 6.0b2 to correct the problem; it’s available at the URL sent in the confirmation email purchasers received. We strongly recommend against installing the 6.0b1 software on any computers for which physical security is a concern, and we recommend anyone with 6.0b1 installed download 6.0b2 immediately. Although this hole provides additional evidence of the security concerns raised by a multi-user operating system, kudos to Netopia for acknowledging and responding to this issue so quickly.
Here’s how the hole works. Timbuktu for Mac OS X is designed to allow remote access even when a computer set up for multiple users is sitting at the login screen, a state at which the operating system has fully loaded but is waiting for user authentication. Even then, Timbuktu displays an annoying free-floating icon (Control-drag to move it to the least obtrusive location since it floats on top of all other windows and even the Dock) that duplicates the menu items of the Mac OS 9 Timbuktu menu bar icon. Select one of those menu items, the Timbuktu application launches, and the Mac OS X menu bar becomes visible. Unfortunately, now that the Mac OS X menu bar is visible, the user has full access to the Apple menu, including the System Preferences tool, whose Users pane allows the creation of new user accounts with administrative privileges. Version 6.0b2 eliminates the problem by not displaying the Mac OS X menu bar if there’s no logged-in user.
ConceptDraw 1.6 Goes Carbon — CS Odessa has released ConceptDraw 1.6, adding no new features but making it run natively under Mac OS X as a Carbon application and supporting the Aqua interface. Performance in Mac OS X is also improved when working with large documents. CS Odessa also has a non-carbonized version of ConceptDraw for people using Mac OS 8.1, and folks running Mac OS 8.5 to Mac OS 9.1 may want to consider the non-carbonized program, since it’s somewhat faster than the carbonized version. There are a few minor bug fixes that might make the free upgrade to 1.6 worth the 3.9 MB download even for those not using Mac OS X.
Playing the Mac OS X ShellShell Game — Many people have expressed concern regarding how Mac OS X provides access to the underlying Unix command line, fearing that developers and support technicians will rely on it rather than graphical Macintosh tools (see the recent debate in TidBITS Talk between frequent TidBITS contributors Chris Pepper and Travis Butler). Robert Woodhead of Wizardry and Virex fame has muddied the waters in a welcome way with his just-released ShellShell utility, which puts a graphical interface on top of Unix shell commands. Robert created a scripting language for representing all the options and dependencies of a Unix command; ShellShell turns such a script into a configuration panel for that command. Choose your options, decide if the command needs to be sent from the root account, and click the Run button to send the command to Mac OS X’s Unix underpinnings. The arcane textual Unix results come back in a second pane. The other limitation to ShellShell is that it comes with scripts for only some Unix commands; it’s up to the community to contribute additional ones. ShellShell is LegoWare (send Robert’s kids Lego blocks if you use it) and is a 600K download.