Copyright Copyright © 2003 by Sams Publishing All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. Library of Congress Catalog Card Number: 2001098212 Printed in the United States of America First Printing: May 2003 06 05 04 03 4 3 2 1 Trademarks All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Sams Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Warning and Disclaimer Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author(s) and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book. Bulk Sales Sams Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 [email protected] For sales outside of the U.S., please contact: International Sales +1-317-581-3793 [email protected] Credits Acquisitions Editor Shelley Johnston Development Editor Damon Jordan Managing Editor Charlotte Clapp Project Editor Elizabeth Finney Copy Editor Margo Catts Indexer Ken Johnson Proofreader Eileen Dennie Technical Editor Jessica Chapel Michael Kirkpatrick Brian Tiemann Team Coordinator Vanessa Evans Designer Gary Adair Page Layout Kelly Maish Dedication This book is dedicated to Famotidine and Ibuprofen. Although they are hardly ever mentioned by authors, they are responsible for the successful and painless completion of many books, including Mac OS X Maximum Security. Top About the Authors John Ray is an award-winning developer and technology consultant with more than 17 years of programming and network administration experience. He has worked on projects for the FCC, The Ohio State University, Xerox, and the State of Florida, as well as serving as IT Director for a Columbus, Ohio– based design and application development company. John currently serves as Senior System Developer/ Engineer for The Ohio State University Extension and provides network security and intrusion detection services for clients across the state and country. His first experience in security was an experimental attempt to crack a major telecom company. Although he was successful, the resulting attention from individuals in trench coats made him swear off working on the "wrong side"of the keyboard forever. John has written or contributed to more than 12 titles currently in print, including Mac OS X Unleashed and Maximum Linux Security. Dr. William Ray is a mathematician turned computer scientist turned biophysicist who has gravitated to the field of bioinformatics for its interesting synergy of logic, hard science, and human-computer- interface issues. A longtime Macintosh and Unix enthusiast, Will has owned Macs since 1985, and has worked with Unix since 1987. Prior to switching his professional focus to the biological sciences, Will spent five years as a Unix programmer developing experimental interfaces to online database systems. He left this position when his desktop workstation was cracked, then used to attack other businesses' computers. The incompetence of his employer's system administrators resulted in his being accused of perpetrating the attacks, and a series of visits from the men in trenchcoats, nice suits, and dark glasses for him as well. As a result, Will has developed an enduring disgust for employers, system administrators, and users who don't take system security, and their responsibilities with respect to it, seriously. Shortly after migrating to biophysics, Will developed a Macintosh and Unix-based computational biology/graphics laboratory and training center for The Ohio State University's College of Biological Sciences. At the facility, which he managed for five years, Will introduced hundreds of students and faculty to Unix, and provided training and assistance in the development of productive computing skills on the paired Macintosh and Unix platforms. Will is currently an Assistant Professor of Pediatrics at the Columbus Children's Research Institute, Children's Hospital in Columbus, Ohio, and the Department of Pediatrics, The Ohio State University, where he is studying tools that work at the interface between humans, computers, and information, and working to build a core computational research and training facility for his institute. Top Contributing Author Joan Ray is a Unix system administrator and Webmaster for the College of Biological Sciences at The Ohio State University. Joan has a degree in French from OSU, and is working toward additional degrees in Japanese and Geology. Exposure to Apple's Power Macintosh computers at SIGGRAPH '93 transformed Joan from an unenthusiastic workplace-user of DOS to a devoted Macintosh hobbyist. In 1997, when her husband left the college's computing facility to concentrate on his doctoral studies, Joan decided to apply to manage the facility. To her surprise, the interview committee hired her as the new administrator, and Joan began her training as a Unix system administrator. With her husband as the trainer, it was a rather intensive training period. There was no rest, even at home. Now, when she is not helping write computing books, Joan is administering a cluster of SGI and Sun Unix workstations and servers, helping and providing training for users with Unix, Classic Mac OS, and Mac OS X questions, and serving as college Webmaster. Top Acknowledgments Many thanks to the helpful people at Sams Publishing who made this book possible, and who helped to ensure the quality and accuracy of the text. Our assorted editors, Shelley Johnston, Damon Jordan, Brian Tiemann, Elizabeth Finney, and Margo Catts have been instrumental in producing an accurate text, accessible to a wide range of Mac users with varying levels of security experience. Special thanks are also due to The Ohio State University's Network Security Group, and particularly Steve Romig and Mowgli Assor, for their ongoing development and promotion of best practices for keeping Unix secure. Top We Want to Hear from You! As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way. You can email or write me directly to let me know what you did or didn't like about this book—as well as what we can do to make our books stronger. Please note that I cannot help you with technical problems related to the topic of this book, and that due to the high volume of mail I receive, I might not be able to reply to every message. When you write, please be sure to include this book's title and author as well as your name and phone or email address. I will carefully review your comments and share them with the author and editors who worked on the book. Email: [email protected] Mail: Mark Taber Associate Publisher Sams Publishing 201 West 103rd Street Indianapolis, IN 46290 USA Top Reader Services For more information about this book or others from Sams Publishing, visit our Web site at www. samspublishing.com. Type the ISBN (excluding hyphens) or the title of the book in the Search box to find the book you're looking for. Top Introduction Computer security—who would ever have thought that Macintosh users would have to worry about computer security? Macs were the computer for "the rest of us"—for the folks who didn't want to have to read complicated manuals, learn complicated commands, or worry about complicated technical subjects. Apple promised us computers that would get out of our way and let us do our jobs, enjoy our hobbies, or do whatever else we wanted. For years Apple delivered. For years, Macs were the easiest machines to use. From a security standpoint, they might as well have been toaster ovens: They didn't have a shred of security built in, and didn't need it either, because there wasn't a thing you could do to compromise a toaster oven. But we, the users, weren't satisfied. We didn't want toaster ovens. We wanted more: more power, more functionality, more accessibility, more software. We heard industry buzzwords like "preemptive multitasking" and "protected virtual memory," and we wanted our Macs to have these nifty new features. Industry pundits and the media made fun of Macs because of their "backwards" OS. Worse, after that other big OS manufacturer finally figured out that users wanted mice and graphical user interfaces, they also started working on adding other advanced OS features to their systems. We heard the taunts and shouted for Apple to give us more. How dare that other OS vendor make a system that could legitimately claim to be "almost as good as a Mac"? Worse, how could their users actually get to enjoy features that were more advanced than what we had on our Macs? Apple listened, better than some of us hoped, better than many of us expected.