Tuesday, February 26, 2013

Mountain Lion sharing and permissions: two things I didn't know

Didn't know, or forgot:

  • If you option click the permissions add icon, you can add permissions for System and the like but not Wheel.
  • The Groups defined in Contacts can be used to add permissions to sets of users. I think that's probably as old as OS X, but I forget it. It's odd because Apple seems otherwise to have forgotten Contact Groups exists. I wonder how it works ...

Saturday, February 23, 2013

Executing sudo as a non-admin user in macOS (OS X) and fixing "getcwd: cannot access parent directories" error

This is a weird one.

According to what I read online and in the Man pages, I should also be able to do something like this (where Fred is Admin account):
sudo -u Fred ls
That should ask for Fred's password then execute ls with Fred's privileges.

Except it doesn't. It runs against my non-admin account and fails. As though it were ignoring the -u flag. Instead I have to run
su Fred
to execute as Fred, then run sudo. [I think that su Fred sudo -u Fred ls should also work.]

I can't find anyone else who complains about this, so I assume I'm doing something wrong.
Note to test this you have to run from a non-admin account.

Update 8/23/2016: I can't get sudo to work at all in El Capitan for a non-admin users. Says: "error retrieving current directory: getcwd: cannot access parent directories: Permission denied."

Update 5/27/2018: I finally tried this in a different non-admin account. It works in Sierra in other accounts. So it wasn't El Capitan that broke this, it was something I did to my 18yo user account.

This is what I would see:
John-Air:~ myaccontname $ su Kateva
Password:
shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
bash-3.2$ ls
ls: .: Permission denied
bash-3.2$
I searched around SuperUser for a while and got some hints. I deleted every user account Bash preference I could find. That didn't do anything. I repaired MacOS Sierra permissions using Onyx.app -- but as with every other time I'ver repaired permissions that produced many changes but no results. (It doesn't act on user folders.)

Eventually I realized the most likely explanation was the simplest one -- I'd somehow messed up permissions on the default account for Bash. By experimenting on my "good" non-admin user account I realized Bash default directory is the User account. So I compared User Account permissions and found this:



The problem directory was readable by 'everyone' but not by 'staff'. You'd think that 'everyone' would work ... but read this and weep. macOS permissions are a disaster. Don't even think about ACLs. It's a sign of the end-times really.

I couldn't see how to restore Staff. In the old days there was a utility for this, but that's long gone. Somewhere I found this advice to restore staff:
sudor chown $UID:staff /path/to/folder/modified/
chmod 644 !$
I ran it and staff was restored. When I logged back into my user account I was told macOS had to do something to enable me to run Applications! I entered my admin credentials and was asked again ... and again ... then I gave up and logged out. I logged back in and things .... seemed ... fine.

Now su works as it should.

Facebook's parental monitor page - aka Activity Log

For the moment, until the next state mandated revision, Facebook has a Page I can use to track #1 son's Facebook activity with a URL of the form <https://www.facebook.com/first_name.last_name.2345/allactivity>. [3]

It's currently called the 'Activity Log', if you poke around you can currently find it under 'Privacy Shortcuts' (lock icon by user name in title bar) / "See More Settings" / "Privacy". Look under "Privacy Settings and Tools" for the wee link 'Use Activity Log' [6].

As far as I know it's not intended for this purpose [4]; it's designed for users to edit their visible timeline [1] . It does, however, list most of the account owners save pages visited. There's a long list of activities including Posts, tags, hidden posts, likes, comment, friends, games, following, and, most critically for this purpose, Search. [2]

So the Activity Log is a very valuable resource for a parent or guardian who wants to track their 13+ [4] child, either because this is an exceedingly good idea or because they are that kind of parent or both [5]. A parent might, for example, schedule a weekly review of the Activity Log...

 - fn -

[1] You can hide and delete posts and change post dates. It's also available for Pages and supports viewing scheduled posts.

[2] It doesn't, however, show pages visited by link. It is, incidentally, a nice summary of a fraction of the information Facebook uses to sell you.

[3] Activity Log came with timeline, but I was unaware of it until today. It's available on Facebook.app for iOS as well.

[4] But it may be designed for this purpose. Facebook wants to support accounts for childre under 13 and this could be a part of any future support.

[5] If you can't figure out why this might be a good idea for some children and adults you have much to learn.

[6] Yes, that's mine - but if you can see it then I have a problem :-).

See also:

Legal Gmail for kids under and over 13 with Dreamhost Google Apps or Google Apps for Business

In the US, Google Account owners must be over 13, in the Netherlands it's 16 [1]. It's common to lie to get accounts for younger kids, but this can cause an account lockout and 30 day deletion. [2]

So how do kids under 13 get personal email? All services have similar rules.

The exception, of course, is Google Apps for Education. They provide Google services, including calendar and email for children of all ages. The trick is that this group is excluded from Google's predatory business model [3]; the services are paid for and the school district assumes liability.

Is there something similar that's available outside of Education?

Well, there are Google Apps for Business (and on-profits) of course. I was unable to find any age requirements for businesses that buy Google Apps for Business, nor any requirement that the business had to be, you know, a real business. Google isolates business data from its ads and data mining so I expect US laws on protection of children from being packaged and sold do not apply

At $50/user a year though, Google Apps for Business is a bit dear for a family of 5 (though the phone support is no little thing).

Unfortunately Google Apps for Nonprofits is not an option; you really do have to be a legal nonprofit.

Six years ago our family grandfathered into Google Apps through the now-defunct free option, and those users have since acquired full range of Google Services [4]. Alas, that's not an option any longer.

I think the cheapest legal option is to sign up with a hosting service that provides Google Apps for your registered domain. I can personally recommend Dreamhost for this, based on my 6+ years of experience and the (unusual) fact that they handle Domain registration for their customers [5].

At approximately $100/year ($50 for first year or $97 for two years if you use my code [7]) Dreamhost's Google Apps service for a family of five is less than half the cost of Google Apps for Business -- albeit without phone support. On the other hand, Dreamhost also provides other web services including web hosting, Wordpress (ex. kateva.org/sh), web apps, etc [6].

There are other hosting services that provide Google Apps for potential family use, but Dreamhost is the one I know.

 - fn -

[1] YouTube has an 18+ requirement for some videos, and Google Wallet is 18+. I don't believe either one is practically enforcable on most devices; maybe on Android or Chromebook depending on parental controls.

[2] It is noteworthy that Google's requirements for reversing account lockout are much more robust than their account recovery options. This says something about the power of laws and what Google could do to manage identity if they were forced to. The effective workaround is that a parent authorizes a credit card transaction on their own account, thereby technically committing fraud and assuming liability. The liability assumption is what matters.

[3] It's not that Google is particularly evil, this outcome is an inevitable outcome of their business model. They can no more resist this outcome than a species can resist Natural Selection.

[4] Not G+ though. It was once 18+ and is now 13+ regardless of Google Apps.

[5] Most hosting services have another party handle domain registration, and many of those deliver poor service.

[6] Admittedly more of a specialized interest these days.

[7] Just enter KATEVA when asked for a registration code. I set it up so users get the maximal $50/97 discount; I get a kickback but I set my kickback to maximize the user discount. Dreamhost supports Google's mutlifactor authentication framework, so I authenticate using Authenticator.app on my iPhone.

Friday, February 22, 2013

What I learned from from MacWorld's short Aperture tutorial

I got this ref from Clark, one of my favorite tech bloggers. MacWorld's 7-step edit in Aperture 3.4 is the best short Aperture tutorial I've seen.

The article is by Derrick Story; I used to read him religiously but I lost touch with him. He's got quite a few MacWorld articles - but there's no feed. There doesn't appear to be a feed on his personal business site either. [1]

(Pause while we weep silently into our keyboard.)

Maybe I lost touch with him because he developed an allergy to RSS?

In any case, here's a short list of what I learned from his tutorial - despite many months of Aperture use:

  • The control units are called 'bricks'.
  • The White Balance Brick has a drop down for different kinds of white balance (skin tone, temperature, etc). I never $#@ noticed.[2]
  • The relationship between the histogram and the Exposure brick sliders: "Exposure (highlights, right side of the histogram), Black Point (dark tones, left side of the histogram), and Brightness (middle tones). ... Once I set the Exposure and Black Point, I use the Brightness slider to adjust for taste.... always adjust Brightness after Exposure and Black Point.
  • Post brightness move highlights slider to right to recover details. (This never seems to work for me though.)
  • Color tweaking. This has always been a mystery to me. He picks a green 'swatch' then uses eye dropper to pick a green item and adjusts Hue, then tweaks with Saturation and Luminance. (Ok, it's still a mystery.)
  • Definition over Saturation and Vibrancy. I don't know what the differences really are, but I also like Definition most. Nobody seems to use the Contrast slider.
  • When he sharpens Edges he pushes Falloff and Intensity, not Edges. (I'd been doing Edges. Again, no clue.)
  • To see original image push M key (I kind of knew that).

[1] Update: O'Reilly has a feed, but it doesn't include is MacWorld articles.
[2] It was new in 3.3

Java on the Mac is malware - and how to turn ALL of Java on or off as needed.

US-CERT recommend disabling Java in all web browser on all platforms

... This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment...

They don't mention removing Oracle Java [3] entirely, and they don't specifically address the Mac. By nature, they must be sober and governmental.

I am not so constrained. I can just say ...

DO NOT PUT ORACLE JAVA ON YOUR MAC ANYWHERE, ANYTIME. IT IS MALWARE.

Let me name the ways:

  1. It always installs for all users. You can't install for a single user.
  2. It installs with root privileges in System/Library, not /Library as it should.
  3. There's no uninstaller for Oracle Java and Oracle's online instructions for manually uninstalling Java 7 only uninstall the browser plugin. Full Oracle Java uninstall requires sudo/root privileges.
  4. The Preference Panel is merely a pointer to Oracle's ugly control panel, and that control panel disregards OS X Admin/User/Managed User controls. Any user can enable Java plug-in. You can't turn off all Java, just the plug-in.
  5. You can disable the Java plug-in in Safari or Chrome, and in Chrome you can use Fretty's brilliant Click to Run Extensions in Chrome tip, but you have to do this for every user on a Mac, and they can all turn it back on regardless of privileges.

Even if we didn't know about Java's global record of frequent security failures, the implementation of Java on Mac reeks of hacks, bad design, and high risk.

This thing is bad, and most recommendations for managing the risks on a Mac are inadequate. There's really no way to make this thing safe even if:

I have to put Java on my MacBook Air for work reasons, but based on what I've learned I'm hunting it down to remove it from every machine at my home. Java-dependent Mac apps are unacceptable (Sorry Crashplan, Fugu, XMind and more).
 
Meanwhile, on my Air, I'm going to see if I can sudo into /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java and rename the Java Folder to Java_DIE to prevent it from running except when I absolutely need it. [1] [2] See Update below.

See also:

[1] su [admin_user_name], sudo mv Java java_die does the rename, but I think I need a permission fix.

[2] via GigaOM: Mac Apps that need java: Minecraft, Runescape, CrashPlan, Illustrator, OpenOffice, NeoOffice, FreeMind, Xmind, Gantt, Vuze, Screenr, Cisco and Juniper VPN Clients.

[3] - added 2/24/2013: I added the word Oracle here, because there's a big difference between Oracle/Sun's Java on the Mac, the Java JRE on the Mac, and the Java language. From a security perspective the language is no worse than most alternatives and better than many. The JRE is problematic because it bypasses the App Store/SignedCode framework that is our current best hope for the future of personal computing, but that's similar to distribution of any software outside of the App Store. The real crime is the installation of the JRE into System with root privileges.

Update 2/23/2013 (rewritten):

I asked on app.net about a way to turn ALL of Java on the Mac on or off as needed. alextrott replied and recommended these terminal commends to enable and disable (Since sudo -u doesn't seem to work on Mountain Lion, if you run from a non-admin account you have to enter "su YourAdminAccountName" first.):

disable

  • sudo chmod 000 /System/Library/Java/JavaVirtualMachines/
  • sudo chmod 000 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]

enable:

  • sudo chmod 755 System/Library/Java/JavaVirtualMachines/  
  • sudo chmod 755 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]

Alex tells me he's working on a small Mac app to toggle Java on or off as needed.

When I tried this on my Mac chmod 000 did disable Java. XMind wouldn't run. However my attempt to reenable failed; probably due to user error.

Which was when I realized I could easily do this in the Finder:

Screen Shot 2013 02 23 at 10 55 26 PM

I can set JavaVirtualMachines to allow No Access or Read & Write. With No Access XMind won't run, with Access it will. I put a shortcut to the Java folder on my desktop for easy access to this JVM Folder.

Update 8/29/2013: With Mountain Lion as of 8/2013, if type 'java' at the command line OS X will download Apple's version of Java 6 and will remove the old preference panel. (It's not supposed to install a browser plugin). If you go to Oracle's site and install Java 7 you get their preference panel.

Oracle's Java 7 can be uninstalled -- albeit with difficulty. (Plugin is easy to uninstall, Java 7 is not easy.)

Apple's Java 6 cannot be uninstalled. It has permissions like this:

- system: read & write

- wheel: read only

- everyone: read only.

Curiously when I unwittingly installed Apple's Java 6 there was no option from a non-admin account to set Privileges to 'No access'. From an admin account I could set to "no access" or "write only" but command line java still ran. So clearly there's much of this I don't understand.

Sunday, February 17, 2013

Flickr has a Snapfish problem

I've been hearing reassuring sounds on app.net about Flickr's resurrection. Since I've been unhappy with Picasa Web's disinterest in Aperture/iPhoto the app.net support meant I gave Flickr a try. Not least because Aperture has built in Flickr sharing features.

I signed up for the 3 month pro service. It auto-renews, but if you "cancel" you effectively turn off the auto-renewal and continue the term of your subscription.

I liked the Aperture integration, but Flickr felt old and clumsy. Worse, the sharing settings are difficult to revise for Sets, and there's no true equivalent of Google's share-by-unguessably-large-unique-URL.

I could live with that, more or less, but Snapfish did me in. 

Twice I sent "Sets" to print via Snapfish, and twice a few photos were "unavailable" (all seemed well in Flickr). Worse, when I tried to delete my new Snapfish account, I learned terminating a Snapfish Account isn't easy. That's a flagrant violation of clause 1 of Gordon's Laws for services.

Since I couldn't delete, I set a very long password, removed all my photos, and tried to change my email to my spam account. Alas, now I was forced to enter a (fake) postal address. 

Sorry Flickr, that's too many problems; I'll suffer with Picasa a bit longer. Call me back when you have a different print partner.