Change the default subnet for Internet Sharing

July 2, 2016

For some time, I googled and hunted for a solution that would allow me to change the subnet that Internet Sharing (on the Sharing System Preferences panel) uses when sharing onto an Ethernet network — the default being 192.168.2.0. In my case, this also happens to be a subnet used by my corporate VPN, which is not too convenient.

The solution for Leopard turned out to be extremely straightforward, and can be found in the Unix man page for InternetSharing (type man InternetSharing in Terminal to read it):

  1. Copy the plist file /Library/Preferences/SystemConfiguration/com.apple.nat.plist to your home directory, e.g.: sudo cp /Library/Preferences/SystemConfiguration/com.apple.nat.plist ~
  2. Use Xcode’s Property List Editor (or any other property list editor) to edit the file in your home directory.
  3. Add a new key (child) to the NAT dict. Call it SharingNetworkNumberStart. The type should be String, and the value is the IP network you want to use (e.g. 10.168.2.0). As an example, here’s what my edited file looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NAT</key>
  <dict>
    <key>AirPort</key>
    <dict>
      <key>40BitEncrypt</key>
      <integer>1</integer>
      <key>Channel</key>
      <integer>0</integer>
      <key>Enabled</key>
      <integer>0</integer>
      <key>Extreme</key>
      <string></string>
      <key>NetworkName</key>
      <string>pimpedwifi</string>
      <key>NetworkPassword</key>
      <data>################</data>
    </dict>
    <key>Enabled</key>
    <integer>1</integer>
    <key>PrimaryInterface</key>
    <dict>
      <key>Device</key>
      <string>HUAWEIMobile-Modem</string>
      <key>Enabled</key>
      <integer>0</integer>
      <key>HardwareKey</key>
      <string></string>
      <key>PrimaryUserReadable</key>
      <string>HUAWEI Mobile</string>
    </dict>
    <key>PrimaryService</key>
    <string>C42284CE-6803-42A7-9F54-627DB90321DF</string>
    <key>SharingDevices</key>
    <array>
      <string>en0</string>
    </array>
    <key>SharingNetworkNumberStart</key>
    <string>10.168.2.0</string>
  </dict>
</dict>
</plist>

  4. Save your changes.
  5. Copy the edited file back to the original location: sudo cp ~/com.apple.nat.plist /Library/Preferences/SystemConfiguration/

Now you can (re-)start Internet Sharing, and it will run on your defined subnet.
Hopefully some day Apple will add this as a config option in the Sharing System Preferences panel.
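
The same edit done programmatically, as an added example that is not part of the original hint: Python's plistlib sets the key and refuses a subnet that overlaps ranges you list, such as the routes your VPN uses. The function names, the trimmed sample plist and the /24 subnet size are assumptions.

```python
import ipaddress
import plistlib

KEY = "SharingNetworkNumberStart"  # key name from the hint above


def set_sharing_subnet(plist_bytes, start, avoid=(), prefix=24):
    """Return new plist bytes with NAT -> SharingNetworkNumberStart set to `start`.

    avoid  -- CIDR strings the shared subnet must not overlap (e.g. VPN routes)
    prefix -- assumed size of the shared subnet (/24 is an assumption, not from the hint)
    """
    # strict=True rejects a start address with host bits set, e.g. 10.168.2.5
    shared = ipaddress.ip_network(f"{start}/{prefix}", strict=True)
    if not shared.is_private:
        raise ValueError(f"{shared} is not a private address range")
    for cidr in avoid:
        if shared.overlaps(ipaddress.ip_network(cidr)):
            raise ValueError(f"{shared} overlaps {cidr}")

    prefs = plistlib.loads(plist_bytes)
    nat = prefs.setdefault("NAT", {})
    nat[KEY] = str(shared.network_address)  # stored as a String, as the hint specifies
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


def get_sharing_subnet(plist_bytes):
    """Return the configured start address, or None when the default is in effect."""
    return plistlib.loads(plist_bytes).get("NAT", {}).get(KEY)


# Constructed sample: a trimmed com.apple.nat.plist that does not yet carry the key.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NAT</key>
  <dict>
    <key>Enabled</key>
    <integer>1</integer>
    <key>SharingDevices</key>
    <array><string>en0</string></array>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    vpn_routes = ["192.168.2.0/24"]  # constructed: the range the VPN already uses
    edited = set_sharing_subnet(SAMPLE, "10.168.2.0", avoid=vpn_routes)
    print(get_sharing_subnet(SAMPLE), "->", get_sharing_subnet(edited))
```

Run it against the copy in your home directory, then copy the result back with sudo as in the last step.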

Article source: http://hints.macworld.com/article.php?story=20090510120814850

A Simple Encrypted Password File on OSX

June 10, 2014

Here’s a really simple trick for keeping an encrypted file for passwords and other sensitive information on OS X or Linux. I use this to keep some basic password hints and account numbers on my computer.

Once this is set up, you’ll end up with a file called secrets.x which you can decrypt with a simple command, and an easy way to update the file if needed. You’ll also be able to embed the encrypted data in a JPG image to hide it from casual observers.

Create the Encrypted File

You shouldn’t need to install anything special for this to work; all the programs needed are built into OS X.

First, create the plaintext file with a text editor, and call it secrets.txt. (We’ll delete this file when we’re done.)

Once you have the file, encrypt it using OpenSSL, and delete the original:

$ openssl des3 -salt -out secrets.x -in secrets.txt
$ rm secrets.txt

Running the openssl command will prompt you to create a password and verify it. After you’ve entered your new password twice, it will write a file, secrets.x, which is encrypted with the password.

Choosing a Password

Because this uses des3 encryption rather than public/private key encryption, the password will be used to decrypt the file as well. Using a public key encryption method, the public key would be used to encrypt the file and the private key would be used to decrypt it instead of a password. As such, this method relies on you being able to remember the password, or if you’re sending an encrypted file to someone, being able to share the password with them in a secure manner.

Obviously sending a password to someone in plaintext isn’t a good idea. Unless, of course, the password was something that otherwise looked innocuous. You could use a URL of a web page as the password so that you could send the URL to someone and it would just look like sharing a link with them!

Decrypt the File

Now when you need to look at the contents of the encrypted file, you can decrypt it and print to the terminal with a single command:

$ openssl des3 -salt -d -in secrets.x

This will prompt you for the password you entered previously. You should see the result in your terminal.

Editing the File

If you need to make changes to the file, you can decrypt the file and output to a normal file, edit the file, and save it again.

$ openssl des3 -salt -d -in secrets.x -out secrets.txt
$ vim secrets.txt
$ openssl des3 -salt -out secrets.x -in secrets.txt
$ rm secrets.txt

Note: If you can come up with a way to edit the file in memory without saving to a temp file first please let me know! I wasn’t able to find a simple text editor that could read from stdin and write to stdout. Ideally I’d like to run a command something like this:

$ openssl des3 -salt -d -in secrets.x | interactive_editor | openssl des3 -salt -out secrets.x

Bonus: Hiding the encrypted file in a JPG image

If you’re worried about someone finding the secrets.x file on your computer and trying a brute-force attack on it, you could try a simple technique like hiding the encrypted file in a JPG image. This is not a perfect technique, but would be simple enough that a casual observer wouldn’t notice anything unusual if they stumbled across the JPG file.

Turns out JPG files are somewhat resilient to corruption, so you can actually append arbitrary text to the end of a JPG and most programs such as OS X Preview and QuickLook will open it just fine.

Given a photo, source.jpg and a secret file, secrets.x, you can combine them into a new JPG like this:

$ (cat source.jpg; echo -n "-----"; cat secrets.x) > photo.jpg

Now, photo.jpg will open fine in most programs, and you won’t see anything unusual. But if you inspect the file, you’ll notice at the end there are five hyphens followed by your encrypted file which starts with “Salted”. To extract and decrypt this file, you can use this simple PHP script piped to openssl.

<?php
if(preg_match('/-----(.+)/sm', file_get_contents($argv[1]), $match)) {
  echo $match[1];
}
?>

Save this file as extract.php, then use it like this:

$ php extract.php photo.jpg | openssl des3 -salt -d

After entering your password, you’ll see the plaintext output of your encrypted file in your terminal!
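
An added example (not from the original article): a Python check for the appended blob that anchors on the delimiter followed by OpenSSL's Salted__ header and validates the 8-byte block length, so a stray ----- inside the JPEG itself does not cut the output in the wrong place as a first-match regex would. The sample bytes are constructed and the function names are illustrative.

```python
MAGIC = b"Salted__"  # 8-byte header OpenSSL's enc command writes before the salt
DELIM = b"-----"     # separator used in the article's cat/echo command
EOI = b"\xff\xd9"    # JPEG end-of-image marker


def naive_extract(blob):
    """Same behaviour as a first-match regex: everything after the FIRST delimiter."""
    _head, sep, tail = blob.partition(DELIM)
    return tail if sep and tail else None


def extract_openssl_blob(blob):
    """Return the appended OpenSSL ciphertext, or None if the file carries none."""
    pos = blob.find(DELIM + MAGIC)
    if pos == -1:
        return None
    payload = blob[pos + len(DELIM):]
    body = len(payload) - len(MAGIC) - 8  # strip the header and the 8-byte salt
    # des3 is an 8-byte block cipher: the ciphertext must be a whole number of blocks
    if body < 8 or body % 8:
        return None
    return payload


def has_trailing_data(blob):
    """Heuristic: a clean JPEG stream ends with the EOI marker."""
    return not blob.endswith(EOI)


# Constructed sample: a fake JPEG whose comment segment happens to contain the delimiter.
FAKE_JPEG = b"\xff\xd8" + b"\xff\xfe\x00\x0e" + b"draft-----v2" + EOI
FAKE_SECRET = MAGIC + bytes(range(8)) + bytes(16)  # header + salt + two cipher blocks
PHOTO = FAKE_JPEG + DELIM + FAKE_SECRET            # what the cat/echo command produces

if __name__ == "__main__":
    print(naive_extract(PHOTO) == FAKE_SECRET)         # False: cut inside the comment
    print(extract_openssl_blob(PHOTO) == FAKE_SECRET)  # True
    print(has_trailing_data(PHOTO), has_trailing_data(FAKE_JPEG))  # True False
```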


Article source: https://aaronparecki.com/articles/2013/07/29/1/a-simple-encrypted-password-file-on-osx

OSX Lion, samba and windows file sharing problems

September 1, 2011

lion no longer has samba. the pain, the pain. due to the samba group switching to gplv3 apple now has their own windows file sharing technology. unfortunately it doesn’t seem quite there yet. but thanks to the joys of open source, it’s quite easy to install it yourself. here is a little recipe for completing such a task. i have tested this to stream video files to a windows 7 based pc and to a wdtv live box. this comes mostly from the nice chaps at the boxee forums and requires you to be quite happy at the command line.

  • turn off windows file sharing in osx –
    • system preferences/sharing/file sharing/options
  • turn off netbios in osx –
    • sudo launchctl stop com.apple.netbiosd
    • sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist
  • using macports install samba –
    • sudo port install samba3
  • create and edit smb.conf –
    • either copy the example file (/opt/local/etc/samba3/smb.conf.sample) or use this one.
    • you will need to change the netbios name, what you want the share called and the path. this is noted in the comments
  • create the two plists to automatically load at start up. when in position, check ownership is set to root:wheel
    • org.samba.smbd.plist should be put in /Library/LaunchDaemons
    • org.samba.nmbd.plist should be put in /Library/LaunchDaemons
    • sudo launchctl load /Library/LaunchDaemons/org.samba.smbd.plist
    • sudo launchctl load /Library/LaunchDaemons/org.samba.nmbd.plist

hope that helps someone out there

Recovering a lost root password

July 1, 2010

Although there’s no real way to recover a lost root password, you can change the root password even if you do not know the current one. You must have physical access to the machine in order to accomplish this task. The following steps were originally noted on this MacNN forum, which contains a number of follow-up messages about security in general – well worth the reading time.

NOTE: The following information has been publicly disclosed on a number of Internet sites, and is not a new find. I’m simply repeating it here for the sake of completeness.

Read the detailed section of this article for step-by-step instructions on regaining access to your root account.

Originally posted by QuantumFusion on the MacNN forums, and repeated with slight readability changes, here are the steps to regain access to root:

  1. Click Restart at the login window
  2. While the computer is restarting, hold down “Command-S” until you see text scrolling through the window. This boots the computer into single user mode.
  3. At the Localhost% prompt type:
    /sbin/mount -uw /
    /sbin/SystemStarter

    You will then see various services starting up.

  4. When the Localhost% prompt reappears, type:
    passwd root

    It will then ask you to type the new root password twice, so do so.

  5. After entering the new password, type:
    reboot

At the login window, enter username root with the new password. Once you are connected, you can use the Multiple Users application (/Applications/Utilities) to change your normal user’s password, or create a new user account.

Creating ‘secret’ user accounts

July 1, 2010

To avoid having your account show up or even be visible, both at the login screen and from the /Users folder, adopt the following steps:

  1. In System Preferences, Accounts, create the user you want. Make special note of the short username; you’ll need that when you…
  2. Open /Applications -> Utilities -> NetInfo Manager. Scroll the center pane down to users, click the lock and enable changes, and select the short username you just created. In the bottom pane, delete the value for the property “realname”. DO NOT delete the property itself, just click on the value entry until the text is editable and delete the name of that user. The effect of doing this will be to suppress the display of your new user in the login panel.
  3. Open the terminal and type sudo setfile -a V /Users/new_short_username. This makes the home folder for the new user invisible in the /Users folder. As an aside, I did this with the “Shared” folder. I had deleted it previously but as it happens the iTunes store keeps subscriber information there.

You now have an invisible user on your machine. To log in, press the down arrow once at the login panel, and then press option-Return. You will be presented with name and password fields. Type your new short user name and your new password, and you’re in as a reasonably stealthy new user of the machine.

This is no substitute for real data privacy, of course. There’s nothing to prevent a determined user, especially with an admin password, from finding out that the account exists by typing ls -a /Users/. But it does keep curious people from finding your account if you want to prevent that.

Remove passwords from edit-restricted PDFs

July 1, 2010

Note that this hint will not decrypt PDF files that cannot be opened without a password.

The following do not work: copying the old ColorSync from Tiger, using a virtual CUPS-PDF printer, trying to print as PDF, and dropping the PDF onto a Pages or a Keynote document to create another PDF.

Assuming you can print the file and you have administrator rights, here is one simple way to defeat this DRM.

  1. In Finder, press Shift-Command-G, or select Go » Go to Folder….
  2. Type /var/spool and press Return.
  3. The spool folder will open, and inside there will be several folders. The cups folder will have a red Stop sign on it.
  4. Select it, and then press Command-I (or use File » Get Info).
  5. In the Sharing & Permissions section of the Get Info window (at the bottom), click the lock to open. You will need your administrator password.
  6. Now click the “+” sign and add yourself to the list. You only need ‘read only’ privileges.
  7. Now open the cups folder.

Alternatively, fire up Terminal, and type sudo chmod +r /var/spool/cups (press Return) and then open /var/spool/cups (Return again) to achieve all of the above steps. Either way, once that’s done, do this…

  1. View the cups folder as a list (View menu) and sort by Date Modified.
  2. Open up your favorite PostScript printer by going to Print and Fax in System Preferences and selecting it from the list on the left. If you don’t have one, install one.
  3. Pause the printer.
  4. Print your PDF to this printer. It will complain that the printer is paused. Click Add to Queue and not Resume.
  5. The print file will show up in the cups folder at the top with an obscure name like d00023-001 (ignore the corresponding file c00023).
  6. Drag this print file to your Desktop (or wherever). You will need your administrator password again.
  7. Add .pdf to the end of the file name, and open with Preview.
  8. Delete the print job in your PostScript printer.

But what if the file has DRM that does not allow it to be printed? There is probably a way to copy it from Display PDF or the Quartz engine. If someone knows, please post. Alternatively, you can install another PDF engine like Ghostscript. Scroll down the comments on this hint to see how to do that.

But what if Apple closes this loophole? Just set your printer to save the file after it prints, and then download it back to your computer! See this discussion for more on that subject.

How To Enable NTFS R/W In Snow Leopard

November 26, 2009

NTFS write support was apparently dropped in the final release build of SL. It turns out the support is still there, but disabled by default.

Basically, the fix is to run mount_ntfs with the read/write option specified.

Here’s how it’s done in Terminal:

Rename the original /sbin/mount_ntfs tool by typing:
sudo mv /sbin/mount_ntfs /sbin/mount_ntfs.orig
(press Enter, then type your password in, press Enter)

Create a script by typing:
sudo nano /sbin/mount_ntfs
(press Enter)

Type this:
#!/bin/sh
(press Enter)
/sbin/mount_ntfs.orig -o rw "$@"
(press Enter)

Save the script:
(press Ctrl-O, Enter, Ctrl-X in sequence)

Now type this in:
sudo chown root:wheel /sbin/mount_ntfs
(press Enter)
sudo chmod 755 /sbin/mount_ntfs
(press Enter)

Verify by typing:

ls -al /sbin/mount_ntfs
(press Enter)

You should see:
“-rwxr-xr-x” and “root wheel”

Enjoy R/W access to NTFS volumes…

Note:
If it isn’t working for you, it may be that the NTFS partition wasn’t cleanly unmounted previously (e.g. not using safe eject in Windows). To check if this is the case, open Console in Utilities, and go to ‘All Messages’ instead of ‘Console Messages’. Search for ‘ntfs’ and you may come across an error that displays like this:
NTFS-fs error (device /dev/disk3s1, pid 435): ntfs_system_inodes_get(): $LogFile is not clean. Mounting read-only. Mount in Windows.
You need to plug the disk into Windows (XP, VISTA, 7) and do a safe eject. Then the NTFS partition will mount in read/write mode. This is because OS X has no “fsck_ntfs” to repair problems on the NTFS volume to make it “clean” again.
In Windows you can use mountvol <DRIVE>: /D to unmount the drive…
==================

In case you don’t like it:

sudo mv /sbin/mount_ntfs.orig /sbin/mount_ntfs
(press Enter)

and everything is back to R/O.

What To Do If You Accidentally Deleted Root User In Netinfo

October 23, 2009

Recently I wanted to allow the root user but had forgotten its password. Then I decided to remove the root user in NetInfo and create it anew. After I deleted the root user in NetInfo, my computer crashed. When I tried to reboot, it hung on the blue screen with “Starting Mac OSX”. I went online from another computer and tried to find a solution there. There was no solution except “start from scratch”, i.e., reinstall the operating system. But after some manipulations I found an easy solution without reinstalling the operating system. If you have the same problem, follow these easy steps. This is valid for Mac OSX 10.4 Tiger.

  1. Boot into single-user mode by holding the Command-S keys.
  2. At the command line, type:
    /sbin/mount -uw /
  3. At the command line, enter the following lines:
    cd /var/db/netinfo
    nicl -raw local.nidb -create /users/root
    nicl -raw local.nidb -create /users/root name root
    nicl -raw local.nidb -create /users/root passwd \
    nicl -raw local.nidb -create /users/root realname System\ Administrator
    nicl -raw local.nidb -create /users/root _writers_passwd root
    nicl -raw local.nidb -create /users/root uid 0
    nicl -raw local.nidb -create /users/root gid 0
    nicl -raw local.nidb -create /users/root change 0
    nicl -raw local.nidb -create /users/root expire 0
    nicl -raw local.nidb -create /users/root shell /bin/sh
    nicl -raw local.nidb -create /users/root home /var/root
    reboot

After this procedure your computer will boot correctly. Then launch NetInfo and check the root user. It appears with a blank password, so you can change its password from NetInfo.