Apple Still Has Not Patched the DNS Hole

Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."

Typical Apple Situation

Waiting for the port.

Re:Typical Apple Situation

[actionbastard]

"Waiting for the port."

Stop waiting and patch your server you insensitive clod!

Re:Typical Apple Situation

[dgatwood]

If your server is configured as it should be, the exposure here should be pretty limited. AFAIK, issues with cache poisoning can be dramatically reduced in risk by limiting requests for recursion to hosts within your own network. In environments where the network is untrusted, of course, that's not sufficient, though it is still a good stop-gap to reduce your exposure.

options {
allow-recursion { a.b.c.d/xx };
};

Re:Typical Apple Situation

[tonyray]

Being one of the first to download and install the patch, it can confidently tell you the service crashes - frequently - where the unpatched version was solid as a rock. I don't blame Apple for waiting.

Re:Typical Apple Situation

Waiting for the random port for randomizing ports, which may come at a random time.

Is it really so hard?

[techwizrd]

They've had a while... What's keeping them? Do they WANT Mac OS C Server to suck more than it does already?

Re:Is it really so hard?

[MrNaz]

Personally, the brazen "stomp everywhere and expect the world to bow to their whims" attitude reminded me of Microsoft in the mid 90s.

Now, complacency with regards to security confirms it: Apple are following Microsoft's path 15 years after them.

It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible to all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.

Face it, Apple, like Microsoft before the, are just the flavor of the month.

Re:Is it really so hard?

[ktappe]

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

Fail. I was a vocal opponent of Windows 3.1, calling it the abomination it was. Also, you seem to think there are no geeks hating on Apple now. I'm not sure what blogs/newsgroups/boards you read, but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.

Re:Is it really so hard?

[quacking+duck]

It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible to all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.

I don't know where you get off speaking for me or anyone else. I started off completely neutral on them when I got my first computer in 1991, but considering it was a Mac, it was perhaps inevitable.

My first foray into programming was MacBASIC, on a Mac Plus at school. It was friendly to new programmers, not only breaking on the line causing the error and giving the error type, but also what specifically the error was--much like Firefox does today with Javascript errors. IIRC it even went as far as to suggest fixes to the problem.

The next grade up used Microsoft BASIC--and its error messages were just shit compared to MacBASIC. My favourite was "Syntax error" and the line number. Fast forward 15 years... gee, Internet Explorer's Javascript error handling is just as useless!

I'm not going to argue the merits of MS BASIC and IE forcing us to actually think and learn; bottom line is that compared to MacBASIC and Firefox, Microsoft's do-the-minimum-we-can-get-away-with mentality grated on me.

Then I learned Microsoft's role in killing the superior version. Then they foisted Office 6 for the Mac in '94--a bloated piece of garbage so slow, you could supposedly run the PC version under Windows emulation faster. A whole bunch of little things formed a pattern and coalesced into an avalanche of negative perception against them.

So I *know* I hated Microsoft well in advance of their Windows 95 launch, thank you very much--and Apple advocates have just as much reason to hate them as Linux ones. Bill Gates was never a hero of mine--by the time I learned who he was, the company he was in charge of had already been tainted in my eyes.

Re:Is it really so hard?

[RulerOf]

but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.

I find plenty of Apple/Mac hate all the time. The problem with the majority of it is that rather than actually disliking the company or the platform for a logical reason, the justification for said hate usually revolves around the assumed sexual preference of said platform's users.

The point being that most* Apple hate I encounter is based off of sheer ignorance, and not raw technical comparison.

*Generally speaking. Slashdot is a notable exception.

Re:Is it really so hard?

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

Well, the Mac fans hated Microsoft back then ...

It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.

Linux, of course, came on the scene October 1991, about four years before Win95 came out ...

But I do kinda get where you're coming from ...

Re:Is it really so hard?

[rts008]

I have to take issue with your over rated false opinion, but I installed Open Linux Base 1.1 back in 1992 because I figured it HAD to be better than Gates' POS crapware (I was right). Had nothing to do with 1995- that was still 3 years into the future at that time.

Yes, Linux was around prior to 1995.

*Stupid Git!*

Re:Is it really so hard?

Wouldn't it be less Mac/Apple hate, and more fanboi hate? God knows they irk me to no end. Of course, all religions that are vocal irk me to no end. The concept of "opinion" doesn't factor into their lives at any point.

Re:Is it really so hard?

[stewbacca]

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

Well, the Mac fans hated Microsoft back then ...

So.Not.True. If anything, our superiority complexes where even higher (hint, that's sarcasm) given the huge disparity in Mac OS 7 vs. Win3x. Also, Microsoft was Apple's bread-and-butter in the late 80s and early 90s due to the fact that those were the best years of Microsoft Office ever (Mac version only, PC versions were pretty good around Win95 too, but MS has given way to massive bloatware since).

Re:Is it really so hard?

[Killjoy_NL]

I hated all apple until I had to fix them thingamajigs. Since then I've started to like them more, especially since OSX was released.

(Still sticking with my PC though)

Re:Is it really so hard?

[mweather]

Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible to all consumer computers.

Before Gates, all my home PC software was free, so no, I wasn't a fan.

Re:Is it really so hard?

[brkello]

"You either die a hero or you live long enough to see yourself become the villain" - Two Face

If only Bill died young! ;)

Re:Is it really so hard?

[Mister+Whirly]

And Apple isn't helping this a bit with the stupid "I'm a PC/I'm a Mac" commercials either. And to be blunt, Apple has never really had the "raw technical comparison" edge - they rely on the "hipness quotient" of their products, and usually clever* advertising.


*see first sentence for the exception

Re:Is it really so hard?

[RulerOf]

I hated all apple until I had to fix them thingamajigs.

I actually find the opposite. I like using Macs, but I don't like fixing them... it's sorta like fixing a problem on a Linux distro... Google is your [only] friend.

Windows, on the other hand, I can fix in my sleep.

Re:Is it really so hard?

[telvox]

it's sorta like fixing a problem on a Linux distro... Google is your [only] friend. Windows, on the other hand, I can fix in my sleep.

I found the hardest part is that you get to points where mac is "protecting" you from knowing whats going on. Where windows will give you an error code the mac just says "no". I get really frustrated with it's hand holding attitude.

Re:Is it really so hard?

[RulerOf]

Where windows will give you an error code

Heh...

IRQL_NOT_LESS_OR_EQUAL
[blah blah blah]
0xA3466EBC - 0xA3466EBC, 0xA3321EBC, 0x00000142

Sometimes they're helpful ;)

Of course, that is infinitely better than "[Zomg,] We apologize, but you have to reboot your computer," in four languages.

Re:Is it really so hard?

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

Prior to 1995 (well, maybe not at 1995 anymore, but not too long before) everyone was a fanboi of their particular computer. Every Amiga owner was a hater of MS. Every Mac owner was a hater of MS. And every (home) MS user was a hater of Amigas, Macs, and whatever else.

Although by 1995 Commodores and TI's and most other computers had dropped out. So unless you gave up on your and got a shiny PC (which by that time, most people did), you were a hater.

Since back then nothing was compatible, my theory was that everyone hyped the system they used, as the most popular system had more software. I suspect that still holds true in the linux and mac worlds, and for that matter, in the console worlds.

Re:Is it really so hard?

[kjart]

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

Fail. I was a vocal opponent of Windows 3.1, calling it the abomination it was.

Wow, if I hated every company who put out a product I didn't like, I'd sure be full of hate and very little else.

Re:Is it really so hard?

[Yaztromo]

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

You, sir, obviously weren't part of the OS/2 scene back in the v2.1 and v3.0 "WARP" days. Whereas everyone now knows about Microsoft's monopolistic practises long after the fact, we knew that it was Microsoft's per-processor licensing fees that prevented vendors from pre-installing our OS of choice, and that those vendors who did pre-install charged us for the copy of MS-DOS and Windows 3.1, even though it wasn't installed, making their OS/2 based systems quite a bit more expensive than they should have been.

It's funny how virtually everyone ignored us back in 1992 when we complained about MS's predatory practises, and how some "Johnny-Come-Lately" Linux users[0] act like they were the ones to discover these abuses in the late 90's. Please don't re-write history; there were many of us who hated MS's business practises well before Windows 95 was thrust upon the world stage.

Yaz.

[0] - Certainly not a put-down to Linux users in general, many of whom were refugees from the OS/2 world.

Re:Is it really so hard?

[Yaztromo]

I found the hardest part is that you get to points where mac is "protecting" you from knowing whats going on. Where windows will give you an error code the mac just says "no". I get really frustrated with it's hand holding attitude.

This is something you can change in the system. If you have the OS X developer tools installed, just run /Developer/Applications/Utilities/CrashReporterPrefs.app, and change the setting from "Basic Mode" to "Developer Mode".

Alternately, you can always look up the reason for the crash in the Console application (/Applications/Utilities/Console.app). Or if you prefer to do it the Unix way, grep through /var/log.

Just because you don't know how to do it, doesn't mean it can't be done :).

Yaz.

Re:Is it really so hard?

[konohitowa]

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.

You might want to check your Linux history before bandying about dates. The pre 1.0 kernels were quite usable and the Slackware distributions worked quite well.

Re:Is it really so hard?

Actually, I've hated Microsoft since Windows 1.0 came out.

A hole that needs patched

Stud dogs go about the whole sex thing rather differently than primates (or equines). Unlike us, male canines don't have an orgasm that involves a short, intense ejaculation. Instead, once they have become fully erect, they will have a continuous orgasm for from 10 to 45 minutes or longer. The "standard" procedure for dogs, when they are mating, is that the male "ties" with the bitch - which means that, after he has penetrated fully, his penis will develop a knot at its base that is several times wider than the rest of his shaft.

For reference, a 80 pound Golden stud dog might have, let's say, a cock that is 7 or 8 inches long when erect - but his knot will be at least as big around as a tennis ball. This knot swells inside the bitch, and so long as he remains erect the dogs are "tied." No, this isn't painful for her - canine females long ago developed an entire set of muscular supports for this process. Generally, once they are tied, most stud dogs prefer to step off and over, so he and the bitch are tail-to-tail. Theories abound on why this evolved - I have yet to see one that was truly convincing. Anyway, they'll stand like this, with the male having a continuous orgasm during the whole tie - until he starts to shrink and they pop apart. Bitches also have orgasms, and she'll likely have quite a few during the tie, as well - research has shown that her orgasms are essential to increasing the chances of pregnancy, due to muscular contractions.

Anyway. if a guy like me has a stud dog partner, one form of intimacy is for him to tie with us, anally. As young teenagers, many of us learned the hard way about the knot, and the tie - particularly back in pre-interweb days. So we'd suddenly find ourselves locked together, with this tennis-ball width cock inside us. Nowadays, I suspect most young zoos know all about this. However, some folks still have eyes bigger than their stomach, err their you-know-what.

It would not be accurate to say that I have a stream of visitors who show up at my house just for sex with my canine partners. However, it is true that I do not exercise any sort of unilateral control/ownership over the relationships my canine boys might develop with other people - they are adults, and if they desire to get frisky with another two-legger and I judge that the person is respectful and unlikely to do anything mean or stupid, I have no moral ground on which to say "oh, no, you aren't allowed - he can only have sex with me." That just makes no sense, so if there's a time when a friend is visiting and there's a spark between them and one of my partners, I'm ok with that. In truth, I think it's great to have the boys' enjoy other positive relationships and I love to see them happy, whatever the circumstances.

Many years ago, a friend was visiting - a zoo who had been active with his own stud dog for quite a few years. His boy was a breed that is not small, but is also somewhat known by old-school zoos as being, well, on average not so well-endowed relative to their body size. This friend had tied with his partner on a number of occasions - and he often talked about how intense and rewarding the experience was, for both of them. That's great, I said - while thinking that he'd probably not fare so well with a larger breed.

As it turns out, he and one of my canine friends hit it off quite clearly right from the get-go - the chemistry was there and the two of them seemed like they'd known each other for ages. After several visits, I could see that they were sort of getting closer and closer - my friend was worried that I'd feel he was somehow intruding into my relationship with this handsome stud dog - who had been in my own family for close to a decade. Of course not, I told him - if you guys hit it off and things get steamy, I'd hardly throw cold water on it just so I can be all possessive and insecure. HOWEVER, I warned him, that handsome boy with whom you're making goo-goo eyes is much bigger than your own long-time partner.

I tried to be nice about this, but some zoos get the

Re:A hole that needs patched

You sick fuck! Slashdot should ban all anonymous cowards. My children like to read slashdot, you perv. Please die in a fucking fire, asshole.

Re:A hole that needs patched

Or maybe you kids should browse at +1. Won't someone think of the children?

Re:A hole that needs patched

A story about an alternative lifestyle offends you to the point where you want to ban anonymous speech because you claim your children might read it, but you don't have a problem with your children readign a post in which you anonymously direct violent, vulgar, and abusive language at an anonymous poster on slashdot.

Apple meet real world

Whatever happened to Apple being 'secure'...

Re:Apple meet real world

[sxeraverx]

apple was never secure. It was just unused. The exact same thing is going ATM with their X server. Not so much a security flaw (though it might be) as much as a major bug. If you send too many events at once (not insane amounts, just a lot) it simply crashed, bringing down all the X apps with it. Upstream was fixed over a year ago, they just refuse to roll out an update. I guess it's an attempt to make debs port to coco/carbon/whatever-it's-called, but for some of us, that's just not an option. More specifically, it's a program developed by part of a university bioinformatics lab, and we just don't have the manpower or the grant support to do it. So we're either stuck with only supporting Linux, trying to find a wrkaround, or just ignoring it and hope it doesn't happen to often. The last option is what we ended up choosing.

Re:Apple meet real world

Whatever happened to Slashdot being relevant?

Re:Apple meet real world

http://xquartz.macosforge.org/trac/wiki/Releases

They're waiting for xorg to stop sucking.

Re:Apple meet real world

[catmistake]

I had trouble with the Leopard X server, but being that the OS was new (10.5.2 at the time) I went around IRC asking and found that others were downgrading their x servers to a more stable previous version (of xquartz & X11). So that's what I did. Still buggy, but crashes occur far less often.

FYI When stability is critical with Mac OS, gotta stay with the 10.x.9,10,11 and wait for the 10.x.3 to grow up to those numbers before upgrading. If machines came preinstalled, gotta bite the bullet and go back and install what's stable.

Re:Apple meet real world

[spir0]

apple was never secure. It was just unused.

And do you believe in God, Santa, and the Tooth Fairy too?

People will hack anything. Think about that for a little while before you hit reply. No. read it again. People will hack ANYTHING.

PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was playstation, and even gamecube, and even sega dreamcast.

People will hack anything, just to say they did. Kids brought up on Macs at schools who don't have stupid anti-apple biases will try to hack their school computers. Or maybe even if they do have anti-apple biases.

But nobody has yet been able to hack a Mac convincingly.

Think with your head, not with your bias. Security (or lack thereof) is not directly proportional to market share.

Re:Apple meet real world

But nobody has yet been able to hack a Mac convincingly.

Think with your head, not with your bias. Security (or lack thereof) is not directly proportional to market share.

wow I can't believe there are still people out there as totally clueless as yourself. how about you do a little bit of research and you can find yourself some nice hacks for MAc's or you could download the latest explout kits that target this vulnerability and go to town on OS X servers out there.

eg here is an old article from a few years ago which came at the top of my search
http://www.zdnet.com.au/news/security/soa/Mac-OS-X-hacked-under-30-minutes/0,130061744,139241748,00.htm

come out from under your rock and join the real world, OS X has some very real security issues, over 200 vulnerabilities in the last 12 months combined with slow patching and poor handling of real world issues.

Re:Apple meet real world

[sxeraverx]

Ok, first of all, you're confusing 'hacks' with 'cracks.' People 'hack' hardware, software, etc., on their own personal devices to make them do what they want. So of course people will hack anything, or try to. Everything you listed has indeed been hacked. Cracking, however is a different matter. People 'crack' other people's hardware, software, or devices to make them do what the cracker wants without the owner knowing. The PSP has not been 'cracked.' The iPhone has not been 'cracked.' The Xbox has not been 'cracked.' Macs have been hacked, and cracked, convincingly, as sibling mentions. I agree that security, or lack thereof is not directly proportional to market share. I'm just saying that if market share is small, security is irrelevant. Apple has gotten used to it being irrelevant. On another, slightly off-topic note, it's people like you who give Linux and hackers a bad name. Stop it. On another, slightly more off-topic note, I'm writing this from my new (jailbroken) iPhone, which I am pleased of.

Re:Apple meet real world

And do you believe in God, Santa, and the Tooth Fairy too?

no but obviously you do!

PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was playstation, and even gamecube, and even sega dreamcast.

Gee I wonder if all these were targetted for a very specific reason, like wanting to play copied/priated games.

If I leave my front door unlocked and no body walks through it I don't automatically assume it is secure and safe pratise to do so, It would be nice to live in the world you seem to live in where tooth fairy is real and where security is defined as how many times you have been attacked.

Re:Apple meet real world

[toddestan]

PSP was hacked very early. Sod all sales, definitely fewer than Macs.
iPhone was hacked very early. They have fewer users than the Macs.
GP32 (gamepark - a handheld game console) was hacked. Hasn't sold anywhere near what Macs have.
Xbox (original) was hacked very quickly, as was playstation, and even gamecube, and even sega dreamcast.

People will hack anything, just to say they did. Kids brought up on Macs at schools who don't have stupid anti-apple biases will try to hack their school computers. Or maybe even if they do have anti-apple biases.

But nobody has yet been able to hack a Mac convincingly.

Wow, talk about a stupid argument. The common thing with all of those you listed is they were "hacked" so you could load your own software/games onto them. Ignoring the fact you can do that already in OSX, people have been hacking Macs to run Windows/Linux/whatever for years, and this was before Apple made it easy to do so. Similarly, people have been hacking Apple's OS to run on non-Apple hardware for years too. So if that's your definition of "hacking", then there have been "hacks" out there for Macs for decades. Obviously none of this has anything to do at all with network security, so I don't even know why you brought it up.

Re:Apple meet real world

[Phroggy]

apple was never secure. It was just unused.

Au contraire - classic Mac OS was vastly more secure than most Linux distributions at the time, at least from external attacks. Classic Mac OS was never secure from local users with physical access to the box, and of course there have been security holes here and there. However, when RedHat was shipping with dozens of ports open and who knows what daemons listening on them, Mac OS had zero ports open, out of the box. Large web sites like www.army.mil running on Mac OS were certainly the exception rather than the rule, but that's not the only reason Macs enjoyed better network security than much of their competition.

Re:Apple meet real world

[Lennie]

What I don't understand is, why don't they release security fixes.

I think they use bind, there are atleast some patched out (although they are slower than the original bind).

This also happends with a lot of other parts of the system. There is a patch out there but Apple doesn't apply and release it.

I don't know their policy, but this is a really odd way of doing things.

Re:Apple meet real world

On Macs at school reboot to single user then mount -uaw / next rm /var/db/.applesetupdone the power it off and wait for the next poor noob to turn it on and be confused and not want to fill out that registration form. It's Funny.

Re:Apple meet real world

GP32 (gamepark - a handheld game console) was hacked.

lol what? The GP32 and its successor, the GP2X, are designed to run homebrew, emulators etc with 100% raw hardware access out of the box. That's pretty much the entire point of them, given the scarcity of commercial titles.

Re:Apple meet real world

[stewbacca]

Modded -1 for the best retort to a stupid claim (security through obscurity)!!!! What the hell is going on here today? By the way, said "stupid anti-mac bias" would ENCOURAGE hacking Macs more than normal. Funny how that doesn't work out though.

Re:Apple meet real world

[stewbacca]

What I don't understand is, why don't they release security fixes.

Short answer: they do, just not as fast as the tin-foil hat crowd would like. Read up on project management and risk assessment. You'll find that security isn't always (nor does it need to be) the number one priority in a business model, regardless of what slashdot group-think tells you.

Re:Apple meet real world

[Yvan256]

Mod AC up as informative please.

Re:Apple meet real world

[mweather]

If I leave my front door unlocked and no body walks through it I don't automatically assume it is secure and safe pratise to do so

If I did it for decades and nobody walked through, I might assume it is safe.

Re:Apple meet real world

[spir0]

so a jailbroken iPhone is not cracked? enabling users to do what the manufacturer doesn't want you to do?

and the PSP hasn't been cracked to enable people to run pirated games and homebrew software, against the wishes of the manufacturer?

The Xbox has been cracked to allow modchips to run.

it's people like you who give Linux and hackers a bad name.

no, it's people like you who are doing that. I'm a Linux user. Most of my computers at home run Linux, and I am a Linux sysadmin by day, so don't presume I'm anti-Linux. I'm just anti-stupidity.

Re:Apple meet real world

[spir0]

My definition of hack is making it do what it was not intended to do. Which in this instance is broad enough to cover hacking an operating system to make it do what it wasn't supposed to: ie; run malicious software.

Re:Apple meet real world

[spir0]

but too many people scream "ooo.. apple... dirty" and won't touch them. then they go on to make stupid claims without taking the time to ever actually find out for themselves.

I'm a strong proponent of thinking for myself. If somebody says something, I'm more likely to prove it than take their word for it. Unless they say something like "stabbing yourself with this sharp pointy thing in the eyeball will lead to great inconvenience." Then I'll probably concede the point to them.

Re:Apple meet real world

he did it to annoy dorks like you and , obviously, it worked.

t3h horror!

[TheSHAD0W]

Are there any statistics on how many Macs are being utilized as DNS servers? Is it more than three? [runs away]

Re:t3h horror!

[Annymouse+Cowherd]

I would bet it's about as many as are being used as servers, which is not many.

Re:t3h horror!

[xxdinkxx]

it's n+3 where n = netbsd :-)

Re:t3h horror!

I'm not sure. But what I do know is that the patch is going to require a hardware upgrade; Apple would have it no other way.

[runs and hides]

Re:t3h horror!

And there are never going to be more than three if Apple can't be taken seriously as a server vendor.

Re:t3h horror!

Clearly you haven't been in a data centre in a while. At my local co-lo, (while predominantly Dell), I'm noticing there are quite a few xServes dotting the racks. I think MediaTemple is preparing to offer OS X virtual hosting this year too.

Re:t3h horror!

[Fast+Thick+Pants]

Either that, or a $20 charge for "new features"...

Re:t3h horror!

Ah, the ever wonderful anecdotal evidence. Fail. Nobody uses Max OS X Server.

Re:t3h horror!

[McGiraf]

Anecdotal evidence is enough to prove that a least one OS X Server is used.

Re:t3h horror!

[JanneM]

Either that, or a $20 charge for "new features"...

Come now, give Apple some credit. This isn't just some run-of-the-mill bug, this is a serious security issue that could cause their customers some serious harm if not fixed.

I'd expect $100 at least; or perhaps they'll introduce the innovative "iLease", with a "lease to own" path for the fixed bug where it's patched permanently on your server after only three years of monthly bug fix rental.

Re:t3h horror!

[Chris+Burkhardt]

Are there any statistics on how many Macs are being utilized as DNS servers?

My Mac mini is being used as a caching DNS server for my home network... but it's running djbdns.

Re:t3h horror!

Clearly you haven't been in a data centre in a while. At my local co-lo, (while predominantly Dell), I'm noticing there are quite a few xServes dotting the racks. I think MediaTemple is preparing to offer OS X virtual hosting this year too.

Shouldn't brag about your incompetent System Engineers ;p

Re:t3h horror!

[Nerdfest]

Heh Heh ... Lease to pwn.

Re:t3h horror!

[Phoe6]

Who are those three? I was about to ask, who uses Apple Macs for DNS?

Re:t3h horror!

[Rick+Bentley]

You can download the patch from Apple for free, but only from i-tunes, and you can install it on any hardware you want ... for the price of a lawsuit.

[runs, hides, and gets a new slashdot username]

Re:t3h horror!

[not_hylas(+)]

Actually there's only one, but it's REALLLLY fast and REALLLLY big - and we LIKE it that way. :-P

You know, the Mothership Model.

http://www.ld8.org/servers/servers.html

http://www.me.com/not_found/

Re:t3h horror!

[Phroggy]

Actually I checked at a client's office this morning; they have a G4 tower running Mac OS X Server acting as their file server and NAT router, but it's pointing DNS to external servers that have been patched. So no, not quite that many. ;-)

Re:t3h horror!

[El+Icaro]

Jokes aside, all updates - yes, besides entirely new releases like Tiger and Leopard - have always been free. iPhone users get charged, but it's for extra functionality. Security stuff is always free.

Re:t3h horror!

[Carik]

Well, we've got one. Of course, it'll be down to zero at the end of the week, given the lack of a patch.

Re:t3h horror!

[Theoboley]

Make that two, my college has/had one to teach students about mac

Re:t3h horror!

[felipekk]

Impossible. Statistics by nature require a large sample size.

Re:t3h horror!

[nicolas.kassis]

We have three. None of them run DNS :). Description: XSan, XSan head and webserver. The previous admin was a fan. I don't know why.

Re:t3h horror!

[rwven]

http://www.mediatemple.net/labs/xv/ Yep.

Re:t3h horror!

[laffer1]

We have 5 machines running OS X server. 3 are xserves (G4, G5, intel), and two are old PowerMac G4s in computer labs. Our entire department is on Mac OS with the exception of a few PCs. There's actually more machines running BSD or Linux than Windows.

I'd much rather deal with BSD, Linux or even Windows server most of the time. The only good feature to me is the user management (preferences, etc).

I'm just glad we don't run DNS for our department.

Re:t3h horror!

[klubar]

Or $129 for a new dot release version of the OS. Only the new version of the OS will have the patch--but it will be listed as one of the one billion new features that are included in the OS. Older versions will no longer be supported...and oh by the way ... neither will older versions of the CPU. Sorry... If you don't like it, tough. We're apple. We don't care.

Apple is full of holes

Mostly assholes.

The patch is undocumented

[commodoresloat]

The problem is that they didnt apply the patch to the OS; they applied a patch directly to the Reality Distortion Field, ensuring that this isn't a vulnerability in the first place.

Re:The patch is undocumented

[Annymouse+Cowherd]

Bah, you can't get anywhere just by changing RDFs...

Re:The patch is undocumented

[OriginalArlen]

Funny you should say that. Someone just released exploit code that, when used with the DNS cache-poisoning attack, allows the attacker to masquerade as the Apple OS update site and supply arbitrary binaries that the victim machine will happily download and install. That's right, in 2008 MacOS doesn't use SSL to authenticate the OS update server. The words "un fucking believable" spring to mind.

Re:The patch is undocumented

[wumpus188]

Are you living in 2002 or just making this up?

Re:The patch is undocumented

holy crap!

Re:The patch is undocumented

[OriginalArlen]

So did you test the exploit code? huh?

Re:The patch is undocumented

[wumpus188]

No, what I'm saying is that all OS X updates are cryptographically signed since 2002. Good luck posing as an update server.

in case you didnt get the memo

[ionix5891]

apple are turning evil http://apple.slashdot.org/article.pl?sid=07/02/09/2036259&from=rss

and
microsoft are coming to the good side lately http://apache.slashdot.org/article.pl?no_d2=1&sid=08/07/25/2135202

Re:in case you didnt get the memo

What are you smoking? Apple has always been evil. Extremely litigious and questionable methods.

Re:in case you didnt get the memo

[argent]

Apple is a corporation. You don't call corporations (whether they be Google, Microsoft, Apple, or IBM) good or evil, you just look at what they're actually doing.

So, let's look at what Apple and Microsoft are actually doing:

iPod/iPhone vs Zune/XBox: iTunes has weak DRM, Windows Media Player has strong DRM with kernel support that's getting stronger in Vista (trusted media path and tilt switches). None of their consumer entertainment products are open, but it's a lot cheaper and easier to get into software development for the iPhone than the XBox.

Open source: Microsoft uses GPLed software in Interix, and used OpenBSD extensively. They haven't released their versions of any of the BSD-licensed components they used in Interix (or Windows), but they do have a copy of their GCC source in the Interix tree. They have *recently* decided to accept the LGPL, but there's no GPLed software in Windows proper. Apple uses GPLed software in Darwin, and used FreeBSD extensively. They have released the open source code in Darwin and kept releasing it with every new release of OS X. They have added their own open source components, to the point where the majority of the traditional userland in OS X, as well as many major new components like launchd, are open source. Microsoft's open source poster boys are things like Windows installers.

This is like claiming that Gandalf's "turning evil" because he's wearing a grey robe, while cheering on Sauron for having the Nazgul stop off to pick up litter on the way back from scouring the Shire.

Re:in case you didnt get the memo

But they're pretty and even though they're closed people believed they were the friendly Unix for a while. It was the comfortable alternative to Windows.

Now people are realising that it's not much different and that they'll have to go (something like) Ubuntu or Fedora.

Re:in case you didnt get the memo

"Captain, I'm reading major fluctuations in the reality distortion field! If we don't stabalize it, the field will collapse and the Apple fanboys will disappear!"

Re:in case you didnt get the memo

[MacColossus]

Don't worry. It appears from the majority of these posts the Linux and Windows fanboys are alive and well in vast enough quantities to make up the difference. Having said that, I agree that Apple should have fixed this long ago. I have xserves, but am running dns, dhcp, and such on linux.

Re:in case you didnt get the memo

[DadLeopard]

They got on my bad side way back when they took DRI to court over the look and feel of GEM (Graphic Environment Manager), that is why You have Windows on the IBM type PC today instead of GEM and Bill Gates is a Billionaire!

Re:in case you didnt get the memo

[uhlume]

They have released the open source code in Darwin and kept releasing it with every new release of OS X. They have added their own open source components, to the point where the majority of the traditional userland in OS X, as well as many major new components like launchd, are open source.

Right. That strong commitment to open source no doubt accounts for OpenDarwin's continued existence.

Re:in case you didnt get the memo

[argent]

Well, setting aside the fact that we're talking about "Apple vs Microsoft" rather than "Apple vs Novell" or "Apple vs IBM" (where you might have a point) the big problem with OpenDarwin wasn't Apple... it was the fact that OpenDarwin was a particularly pointless project.

Apple provided a lot more support for OpenDarwin than Jolitz did for 386BSD, and yet we still managed to turn 386BSD into a pretty damn good OS. How did this happen? Because there wasn't any alternative. This was before Linux. The closest things to free UNIX were Minix and the Software Tools VOS. Linus Torvalds started with even less, and produced the free UNIX of choice. There was a purpose to the 386BSD patchkits, there was a purpose to FreeBSD and Linux.

There's no open niche for OpenDarwin to scratch. That niche had long been filled, by Linux and other BSD derivitives. If you really wanted Mach (despite it being the kiss of death for open source operating systems), you had Lites and Hurd to build from.

Speaking of Lites and Hurd... where are they now? Lites last release was in the '90s, and Hurd hasn't had a production-quality release yet. Why didn't they get anywhere? Because the Free Software Foundation didn't have any commitment to Open Source? No, it's because they didn't have a market. They had no killer application. Same problem as OpenDarwin. What would you actually use OpenDarwin for if it was still actively being developed?

Re:in case you didnt get the memo

[operagost]

GEM? I think you'd have a lot better chance of having a full operating system like OS/2 on the desktop than GEM running on DOS or some kind of 64-bit CPM.

Re:in case you didnt get the memo

[rwven]

No, "people" are not realizing any such thing. The fact of the matter is that the vast majority of users don't really care who Apple, or MS, or WHOEVER sues. The vast majority of mac users have no idea what "Unix" is or that OSX is Unix...so why would they care if Apple is "friendly Unix?"

And Ubuntu or Fedora as "comfortable?" Not even close. Most Mac and Windows users would be absolutely clueless if you stuck them in front of any Linux box. The best OSS Unix/Linux is still miles behind the "average user" usability of the "big two."

People use Macs because they like them, and they like them better than Windows. That's precisely the reason I switched. I have no illusions about Apple as a company, but I like their products better than anything else out there that I can get my hands on.

If Apple keeps going down this road and ignoring the issues of security and "listening to their users wants," and if the next version of windows is actually GOOD, there will be a migration BACK. All it will take is one big "Blaster Virus" type attack to permanently spoil the "pretty" image that apple has built up. Their biggest problem is that they haven't yet figured out how close that possibility could be. OSX has a lousy patching-time record and that's another thing I've got no illusions about.

I personally love a world where I can pretty much use any platform I want and get the job done. Choice is good, and most apple users are in the same boat I am.

Re:in case you didnt get the memo

[geekoid]

Yes, another company sued something Apple had rights to(paid for with stock, btw) and that makes them bad~

so?

use a dedicated dns box that is patched.

Apple codestandards

[krod4]

The genius coders at Apple probably saw this bug years ago and fixed it then. Of course there is no need for a patch now.

Re:Apple codestandards

[Lennie]

You didn't have be a genius to know bind could have had it's security improved by adding source port randomisation, just like djbdns and PowerDNS were already doing years ago. Even the creator(s) of bind knew this. That's why I didn't use bind, they are not pro-active enough by my standard.

Hey! Look at me !! I'm COOL !!

If you are going to roll out a new search engine, please try to make one that has more going for it than a silly name and cheap, misleading PR. Thus we have Cuil, the search engine rolled out this last week by some ex-Google folks who see a market opportunity. While all the people involved seem competent and have great resumes, the site itself out-and-out stinks.

It's buggy. It's slow. It seems hand-tweaked in odd ways. Worse, it requires exact spelling. Use lower case on a proper name and it can come up empty (but not always).

But it's the apparent fiddling with the results that bother me the most. Here's where it gets funny. Type in "Sergey Brin" (the founder of Google) and you get back a whopping "250 results for Sergey Brin"; yes, 250. And they are mediocre hits, many dating back to his Stanford days in the 1990s. There is an "Explore by Category" box, which won't help me find out anything about Brin, from what I can tell. It's pathetic. On Google you get 1.5 million hits. And if you think that's because of Google bias, on MSN Search you get over 3 million hits.

This is pathetic, since Cuil founder Anna Patterson has 11,381 results for herself. And the top search hit is her glowing bio on the Cuil site itself. What a coincidence! Try finding a Brin bio. Then if you search for Louis Monier, the ex-Googler and go-to man at Alta Vista who is now working at Cuil, he gets over 13,000 hits, many with flattering pics that are of other people.

So I decide to do a vanity search on myself to find out where my current bio appears. It's on the Dvorak.org site here. Low and behold, the Cuil engine doesn't seem to find my blog at all, let alone my bio. One version of the search using my middle initial comes close, offering up at least a Wikipedia entry. But subsequent uses of my middle initial come up dead altogether. So I go with "John Dvorak." My blog gets a million page views a month, but Cuil finds a bunch of other blogs and tired old posts or people grousing. The top hit was a CSS blog commenting on a two-year-old story I wrote (although Cuil never found the story itself); the next two were "Dvorak is an idiot" posts from even more obscure blogs followed by various entries about me that you find on speakers' bureaus' Web sites. Yeah, this is endearing. No mention of PC Magazine, MarketWatch.com, Cranky Geeks, or any number of things I'm doing.

So I go to page two. After waiting for an eternity, I get pretty much the same thing on page two: people who condemned me on their blogs. Hey, I can go to Technorati for this abuse! Page 3: still no mention of my own blog or PC Magazine or MarketWatch.com or even Mevio. In fact, some of the hits are redundant. OK, so how many times do I have to pound this thing to find my base Web sites--any of them? I gave up after page six and figured that this site was useless. I mean, if your search term has their own Web site, you'd think said Web site would be in the search results. If I was doing a search engine, it would be a priority. After all, Dvorak is in the URL!!

And, yes, I do have enough presence on the Web to use myself as a benchmark.

Now you're wondering if this site has any usefulness. When the site was actually reviewed by others, I didn't see anybody jacked up about anything. Here is an example from this BBC blog:

Search term: "Nikon d50 reviews problems". Plenty of articles on the D70 camera, but none on the D50 (which might suggest it isn't doing its job in terms of prioritising meta tags and headlines above freetext). Google however got a good review from a reputable independent source as first link.

So while I'm always hoping for something better or more interesting or uniquely valuable, I still end up having to use Google. This over-hyped product is just another dead-end as far as I can tell. Oh, and the name is stupid too.

Mac OS X ...Server?

[sexconker]

Wait, what?

Re:Mac OS X ...Server?

[argent]

Mac OS X isn't my first choice for a server OS, I'd rather run FreeBSD straight without spiking it with Mach. But it's probably a better choice for small sites without much technical expertise.

I think a bigger issue may be Internet Sharing.

Re:Mac OS X ...Server?

[LostCluster]

Mac OS X Server is a high-priced add-on to MacOS that mostly bundles Unix/Linux/OSS solutions for common server tasks, and adds a Mac-pretty-style GUI for everything. It comes with XServe products, but can be added to as low as a Mac Mini. Anybody reading /. would rather run a Linux box, but for those who are used to dealing with Apple products, it can be part of a one-vendor solution.

Re:Mac OS X ...Server?

Mac OS X Server is way more than that. It remotely manages and provides services to potentially thousands of concurrent Macs OS X clients and/or effectively manages Apple's XRAID/XSAN storage subsystems. Apple can't walk into an organization and sell them five hundred Macs and very well expect them to use Windows 2008 or Sun servers now can they? Remote software updates, asset tracking, screen-control, web-mail, anti-spam, everything... http://www.apple.com/server/macosx/

Re:Mac OS X ...Server?

Wow, sounds great, tell me more about the security, i want to use their super-slick interface for my DNS servers.

Re:Mac OS X ...Server?

[falcon5768]

High priced my ass.. its 500 dollars for a unlimited license, and does a hell of a lot more than throw a few OSS solutions into the box. If your going to comment it helps if you have half a clue what your talking about.

Re:Mac OS X ...Server?

[jc42]

Hmm ... I don't think I'd recommend a Mac OSX machine for a server, especially to a small site without technical expertise. When I tried this a couple of years ago, it took me the longest time to figure out why not only that machine, but also a lot of machines in the neighborhood, were so flakey.

One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DNCP server anywhere on the local network, you now have two of them battling it out, and the symptoms aren't something I'd wish on anyone but a networking expert. Apple's CS people were supremely unhelpful, too. They just made it clear that my problem was that we were running non-Apple equipment on the network, and we would have to shut them off before they could diagnose the problem. Yeah, right. I shut the OSX box off instead, and then started learning what it took to explain why that fixed the other machines' problems. If you're a novice, you really don't need a rogue DHCP server on your network. When the other users figure out that it's on your machine, they will not be very friendly.

I've also experimented with an OSX web server. The main problem here is that OSX does funky things with file names, starting with their "caseless" feature. This works if everything was developed on OSX. But if you're running a web server, you're probably going to be including things from other machines in the vicinity. If they're not OSX, you'll go crazy trying to figure out what's going on with the file names. And you probably won't be able to fix it.

The conventional answer you get from the OSX folks is to run the HFS+ file system, which supports case. Well, I tried that. It turns out you have to reformat the disk for HFS+; you can't just flip a bit to turn HFS into HFS+. I did that, and reloaded from backup. Then a couple months later, we had some problems with the disk. I sent it off to Apple for diagnosis, and it came back apparently fixed. Actually, they had replaced it with a new disk, and they copied all our files over. It was formatted as HFS. Oooops! This happened a couple of times with other Macs, so it seems to be a systemic problem. Pointing out to them that you're using HFS+ has no effect.

And even with HFS+, there are some funky file naming problems that I don't understand. I saw a lot of cases where an rsync would produce strange file names on just the OSX system. Linux, Solaris, *BSD systems, and usually even Windows could rsync back and forth, and they'd end up with the same file names (though Windows would proceed to ignore case and get the wrong files at times). But on OSX, we'd see non-ASCII chars simply garbaged with no obvious pattern.

So unless you know that you'll never want to copy directories full of files from a non-OSX machine, I'd advise against using OSX as a serious server. It won't work, and Apple's people won't cooperate with diagnosing the problems. (And you'll just get insults if you mention it here on /. ;-). Save yourself the headaches and wasted weekends, and build a server with a real unix-type file system that accepts any bit patterns except '/' and NUL in file names without damaging them.

(And I have occasionally wished that I could use '/' and NUL in file names. I wonder if there's a system that allows all 256 8-bit bytes in a file name... ;-)

(And I wonder if there are linux systems that do "intelligent" things with file names. If so, should we also be warning people to avoid them as servers?)

Re:Mac OS X ...Server?

(And I have occasionally wished that I could use '/' and NUL in file names. I wonder if there's a system that allows all 256 8-bit bytes in a file name... ;-) it was called VMS!

Re:Mac OS X ...Server?

[tim_of_war]

Apple can't walk into an organization and sell them five hundred Macs ...

We'll cross that bridge when we come to it.

Re:Mac OS X ...Server?

[SoupIsGoodFood_42]

I rather have a Mac OS X Server than Linux for many things. I have better things to do that learn how to setup a server.

Re:Mac OS X ...Server?

Here here, I was administrator of a small network running on OS X server and it was pretty robust. Far easier to set up than the yellow dog Linux they started with and I never got calls on weekends to fix things. Every Linux server I've tried to set up including Red Hat Enterprise Linux 5 required special bits of certain parts of what the heck was that library name again, and then it still didn't work, switch to another distro, same problem different piece. Got tired of switching distros threw out the PC got out the old G4 and set up OS X server in thirty minutes. Threw on Webmin and it was easy to admin too.

Re:Mac OS X ...Server?

It is also the only edition of Mac OS X that can be virtualized (using Parallels Server).

Re:Mac OS X ...Server?

[Bill,+Shooter+of+Bul]

I see your comment is interesting, but not really informative. What is the killer feature of OS X server? What one service or feature makes it worth wile?

Re:Mac OS X ...Server?

[MarcQuadra]

OK. I'll start from the beginning.

All the 'internet sharing' devices and operating systems (including Windows XP) will fire up a DHCP server on the LAN they're sharing to, that's what internet sharing is, a single device acting as a NAT/RIP gateway for several other machines. DHCP is quite a simple service (too simple if you ask me, given this particular problem), if you -sometimes- get IPs and other times do not, there's probably a contending DHCP server on your LAN that needs to be hunted down and killed. This is netwoking 101. You never plug the 'LAN' side of a NAT device into a LAN that already has a DHCP server, unless you're sure you know what you're doing.

Second, regarding the 'case issues'. There is a case sensitive option (that you -can- flip arbitrarily) in HFS+. There are -case issues- if you're doing some kinds of things (CVS checkouts of source directories with colliding names, etc.), but generally nothing that a little understanding wouldn't fix.

Why on -earth- you would use HFS at all instead of HFS+ is beyond me. That's trying to install Windows on a FAT16 disk. HFS+ has its strong and weak points, but HFS is a dead -dead- dinosaur.

It really sounds like your mac experiences were from the early 10.x days or even the Classic Times of Olde. I've admin'd several OS X (10.3 - 10.5) servers that do printing, file sharing, VPN, directory services, desktop management, web serving, and even Windows Domain Control, and I've never had a problem with anything you're talking about.

That being said, I do prefer Linux, but that's just because it's cheap and it runs on anything.

Re:Mac OS X ...Server?

Apple can't walk into an organization and sell them five hundred Macs and very well expect them to use Windows 2008 or Sun servers now can they?

Hasn't that been their EDU strategy for the past 15+ years?

Re:Mac OS X ...Server?

[bigbadunix]

Anyone that reads slashdot for humor would rather run a BSD box.

Re:Mac OS X ...Server?

Who is using HFS anymore? HFS+ was released in 1998 with Mac OS 8.1.

Both Case-sensitive and case-insensitive HFS+ options have been available in Mac OS X for quite some time now.

Thanks for your experience from the 90's.

Re:Mac OS X ...Server?

[NaCh0]

I've been through the HFS pain in another context. One of our web developers insists on using a mac. When we migrated one of his sites from a Dreamweaver built site to joomla he had all sorts of problems. The root cause is that the Dreamweaver template was in the Templates directory and joomla had the theme under its templates directory. The linux server has no problem seeing the two as different. However, his mac freaked out and was putting the joomla themes into the dreamweaver Templates folder. Once I figured out his mac was the problem, we renamed the Dreamweaver Templates folder to something else to avoid the confusion.

Re:Mac OS X ...Server?

[Have+Blue]

Where the hell did you even find an HFS volume? That's like worrying about compatibility with FAT16.

Re:Mac OS X ...Server?

[Graff]

When I tried this a couple of years ago, it took me the longest time to figure out why not only that machine, but also a lot of machines in the neighborhood, were so flakey.

One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DNCP server anywhere on the local network, you now have two of them battling it out, and the symptoms aren't something I'd wish on anyone but a networking expert.

You mean the "Internet Sharing" feature that when you click the help icon it says this:

If your Internet connection and your local network use the same port (Ethernet, for example), investigate possible side effects before you turn on Internet sharing. In some cases (if you use a cable modem, for example) you might unintentionally affect the network settings of other ISP customers, and your ISP might terminate your service to prevent you from disrupting their network.

I don't know, I think that spells it out pretty clearly to me: don't start this feature on the same port that the rest of your LAN is running on. Then again I don't usually enable settings I don't know much about without first reading the documentation.

Oh, and Mac OS X drives come formatted with HFS+, what you are talking about is the case-sensitive formatting option for HFS+. The journaled and case-sensitive HFS+ is called HFSX. You don't want to enable that on a boot disk because Mac OS X is not designed to boot from a case-sensitive disk and it will cause all sorts of odd issues. If you need case sensitivity then you make a non-boot partition and set it up as case-sensitive HFS+. You can then use that partition for anything you need to have case-sensitive, such as web pages and the like.

Re:Mac OS X ...Server?

I hate to be the one to say it, but if you thought that switching distros was the way to solve your problem(s) instead of actually learning about your system, then you weren't an admin, you were a button pusher. Additionally simply slapping another distro in the environment because you were too lazy to actually do some system analysis and design work is simply sloppy.

Re:Mac OS X ...Server?

You're holding some pretty old grudges.

• Seriously, HFS? The one deprecated in 1998 by HFS Plus and that Mac OS X can't boot from?
• Most, if not all, of the rsync woes (of which, I admit, there were many) were fixed years ago

Also, judging by the nature of your problems, I feel like you were severely underqualified to be running any sort of computer network. I mean come on:

• How could you both know what a dhcp server is and enable Internet Sharing without being able to debug that you had just hosed everyone on your network? There's even a warning when you enable it, telling what will happen if you've hooked it up to the wrong network.
• You host web sites on the defacto, open-standard server but are unable to accommodate for file system case sensitivity (do you not have control of your shift key, the files on the system, OR the code running the site?)
• Your claims are so vague that you sound like someone defending himself from incompetence.

I think you knew just enough just to be dangerous and couldn't take it when you were criticized for your actions.

(And you'll just get insults if you mention it here on /. ;-)

Yes, if you're pompous and self-righteous but ultimately wrong.

Re:Mac OS X ...Server?

[Aphoxema]

I've been wanting a macbook for a while now, but what you just said there suddenly makes me feel less inclined to get one. I'll stick with my plans to get something from System76.

Re:Mac OS X ...Server?

[Wdomburg]

Erm, the Xserve RAID was discontinues earlier this year and XSAN is a seperate product (and just a rebadge of a Quantum offering) so it hardly counts toward what Mac OS X Server is. :)

Re:Mac OS X ...Server?

[raddan]

As of today, we've extricated ourselves from the hell that was Xserves. We purchased a number of these machines because it seemed like an easy and cheap way to get a fileserver going that did both AFP and SMB, was AD-integrated, and could have its file store on a SAN. Well, after much money and a year later, the answer is that Apple very much oversold their ability to integrate into a Windows environment. Here are my gripes:

• AD-binding is not straightforward. Apple really wants you to run an OpenDirectory, as this allows you to both manage Apple desktops and do single-sign on. If you just want to allow AD authentication on your MacOS X servers, good luck. You're in for a bugfest, with partially-working GUIs and many, many quirks.
• #1 quirk being: you can't do cross-domain authentication, even if those domains are trusted. This was a showstopper for us.
• There is only ONE backup application for Xsan that is both a) reliable, and b) has a reasonable support contract. We tried Retrospect (total POS), Veritas (ridiculous wait times for support), and finally, BRU. BRU has a decent product, but the number of MacOS bugs that plague this application make it unreliable and frustrating to use. OSS applications don't handle the numerous HFS+ corner cases. Rsync, which we used for snapshots, routinely hemorrhaged itself on files with extended attributes, despite the fact that this was APPLE'S OWN VERSION.
• Ever try running a shared AFP/SMB volume on an Xsan? You can't. Surprise, surprise: Xsan is not HFS+ formatted. It uses CVFS, which is a Quantum/ADIC filesystem. Why? Because Xsan is simply a rebadged version of StorNext! So your AFP daemon will spew Mac metadata everywhere which your SMB daemon will not honor, thus totally corrupting your data. Fuck you, Apple. Seriously.
• You can't modify MacOS X Server files on the command line. Oh, well, you could on 10.4 server; then lock the file and hope you never had to use the GUI again. But on 10.5, even that does not work-- it still overwrites your file; smb.conf is a perfect example. I figured, OK, maybe I should set the immutable flag, but then I started thinking... WHY am I using Apple products again?
• Apple's enterprise support blows. Sometimes you get an answer, but no matter what, expect a long wait while people on the other end decide whether they want to bother answering your question or not. Want to follow-up on a bug that someone else reported? Good luck. Their bug reporter is terrible. Would it be so hard to run Bugzilla?

Apple needs to get their shit together. Unless your needs are VERY straightforward, even 10.5 does not solve them. I'll admit that 10.5 has a much nicer server admin GUI, but it does not overcome the problems with the platform.

We've moved all of these services to CentOS machines. By contrast, getting them working reliably was a walk in the park. Equivalent hardware (hotswap RAID (SCSI, I should add), redundant PSU, fiber channel card, GigE, dual processor machines in a 3U form factor (SuperMicro chassis) come out to about $1k less than an Xserve, on average. And when a part dies, like a backplane, I can BUY THAT PART. With Apple, you have to buy an entire parts kit, which comes with stuff you may not want.

We now run Samba and Netatalk on CentOS on generic server hardware, connected to our StorNext network. There may be better SAN stuff out there than StorNext (in fact, their licensing department leaves much to be desired-- do they even know how to use their own product?), but we already had a lot invested (three Xserve RAID cabinets). Things run great now, and with the Linux version of BRU, our full tape backup [inexplicably] finishes 9 hours earlier (used to take 60 hours, now takes 51).

My advice: Apple makes some nice desktops, but their server stuff is only for novices. I went into the experience very optimistic about Apple's stuff, but now I have a very bitter taste in my mouth.

Re:Mac OS X ...Server?

[mortonda]

... and that's just exactly the reason people advocate a caseless file system. A folder named templates and another folder named Templates? Are you mad? I'm not really leaning one way or the other wrt caseless fs's, but let's not ask for pain!

Re:Mac OS X ...Server?

[mortonda]

One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server.

So does ICS in windows, what's your point? You don't know what you're doing?

The caseless filesystem certainly causes headaches, we had to rename some files in Maia Mailguard due to name clashes that only show up on OSX, and yes we do have one person using it. I guess the other osx server gets lots of spam.

The rsync issues are well known in the mac community, and there are some patched versions available. As with open source, utilize the communities, not Apple support. You may find it's not that bad.

Having said that, I don't use OS X in a server, I prefer Ubuntu. :)

Re:Mac OS X ...Server?

[Whiney+Mac+Fanboy]

its 500 dollars for a unlimited license,

Uhhh? unlimited license? For $500, Apple gives you a 10-client license?

and does a hell of a lot more than throw a few OSS solutions into the box.

OSS solutions:

* Scale up onto hardware Apple can only dream about (talk to Sun or IBM for more info)

* Fit into your existing vmware infrastructure.

* Don't impose bullshit per-client licensing restrictions.

* Don't leave you with a coating of vendor lock-in slime.

Sure, if you're a complete Apple shop (hah!), then OS X server is probably a good fit for you, but in the real world, its mixed clients (or at least looking in that direction).

If your going to comment it helps if you have half a clue what your talking about.

Well - at least we agree on this....

Re:Mac OS X ...Server?

[jc42]

Where the hell did you even find an HFS volume? That's like worrying about compatibility with FAT16.

It came on the disk inside my Mac Powerbook about 4.5 years ago.

(And it also came on the returned disk in the PB some months later. ;-)

Back then, Apple gave vague, unspecific warnings that some Mac apps wouldn't work right on a caseless file system. Dunno if they claim to have fixed it. The PB is still running (and I'm typing on it right now), but it's mostly relegated to "network appliance" status. It no longer gets used for serious attempts at software or web-site development.

But it's pretty good for running the dozen or so browsers that I have installed. And the funny thing is that some of those browsers can handle file names that the Mac apps can't. I'm not sure I want to waste more time banging my head against a wall trying to figure out why. It's clear that the machine is unsuitable for use by someone as inexpert as me.

(And note that my original comment was in response to a suggestion that a Mac would be a good network server for a small shop with little net expertise. Unless you have a lot more expertise than I do, I'd recommend against it. It might be OK for an expert Internet hacker, but it's not suitable for use by novices. You're expected to understand things like file-system formats, NAT, DHCP, etc. If you don't, you don't get answers, you just get insults for your lack of understanding. Read the other replies to my message for examples. Those replies show quite well why a novice shouldn't be trying it. ;-)

Re:Mac OS X ...Server?

FLAME ON! [Human Torch Flies Away]

Re:Mac OS X ...Server?

[Graff]

And note that my original comment was in response to a suggestion that a Mac would be a good network server for a small shop with little net expertise. Unless you have a lot more expertise than I do, I'd recommend against it. It might be OK for an expert Internet hacker, but it's not suitable for use by novices. You're expected to understand things like file-system formats, NAT, DHCP, etc.

If you don't know much about those topics then you shouldn't be running a server operating system in the first place. You should either hire someone who does know these things or you should just get a hardware network appliance where you don't need to know much about servers.

Honestly I have found that Mac OS X Server is a lot easier to administrate than most other server operating systems but it doesn't substitute for not having the proper level of sysadmin experience. Yes, there are some "gotchas" in running a Mac OS X server but there are also tricks to running a Windows, Linux, or BSD server. If you don't have the knowledge then you stand a good chance of falling flat on your face at some point.

By the way, Apple stopped using HFS back in the 90's. They moved on to HFS+ and every Apple-shipped drive in the last decade has come with HFS+. A HFS+ journaled partition is HFS+J and a journaled and case-sensitive partition is HFSX.

Re:Mac OS X ...Server?

[PsamtikNerd]

Mac OS X Server is a high-priced add-on to BSD

There, fixed that for you.

Re:Mac OS X ...Server?

[Macman408]

Thank you for making it very clear that you are a Windows or Linux admin tasked with keeping the Macs running. I don't pretend to be an expert at Windows - I suggest you do the same around Macs, or learn more about them (having to use one helps, even though it's painful to get out of your comfortable habits).

That said, I doubt that there are many OS X Servers providing DNS services, but I am surprised it hasn't been fixed yet. Somebody needs to speed up that test and release cycle a bit...

One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server.

...and Windows has a similar feature. I first encountered it (as a victim, not an admin) in about 2001. It can be a pain to figure out exactly which machine is doing it, but you ought to be able to tell pretty quickly that it's happening. When you don't have network access, you check the network settings - you find that there's a DHCP-assigned IP address that's not in the correct range. You should quickly figure that either your DHCP server is hosed, or there's a second one on your network.

The conventional answer you get from the OSX folks is to run the HFS+ file system, which supports case.

OK, you're getting your filesystems confused here. The default is HFS+ (aka Mac OS Extended), which is case-preserving and case-insensitive. That means that a file's upper and lower-case letters are always displayed as such, but you can't create a second file with the same name and different capitalization. There is a case-sensitive HFS+ (sometimes called HFSX), which is presumably what you switched to. It's not the default, so no surprise that the reformatted drive was case-insensitive. The ubiquitous recommendation is to always use the default HFS+ (Journaled) for the startup disk, and not the case-sensitive file systems (either case-sensitive HFS+ or UFS). Unless you really need it, use the default.

HFS is something else entirely, as others have noted.

So unless you know that you'll never want to copy directories full of files from a non-OSX machine, I'd advise against using OSX as a serious server.

Most people I know wouldn't run into an issue with case-insensitivity. It makes much more sense to differentiate your files by the name than by case. But the difference can be painful if you do.

(And you'll just get insults if you mention it here on /. ;-).

Hopefully I'm not interpreted as being insulting - I just hate it when someone is wrong on the internet. But do yourself and those you support a favor - if you support Macs, learn how to do it correctly. I'm sure you're a much better Windows/Linux/whatever admin than I would be, because that's what you know the best. You can get that good on a Mac too, but only if you're willing to invest the time.

(And I have occasionally wished that I could use '/' and NUL in file names. I wonder if there's a system that allows all 256 8-bit bytes in a file name... ;-)

HFS+ can do that. According to Wikipedia, allowed chars are "Unicode, any character, including NUL. OS APIs may limit some characters for legacy reasons." More specifically, : and / tend to be limited; in the OS 9 (and earlier) or OS X Finder, you can't use a colon, since that was used as the path delimiter. (In HFS, colon was prohibited, as it was reserved for that.) However, OS X goes through a few layers of translation - some layers use / as the delimiter instead. So if you name a file with a / in the Finder, then do an ls in Terminal, it will show up with a colon instead.

In any case, I actually renamed files to begin with a NUL in OS 9 to get them to sort to the beginning of a list. It's hard to enter one, though - I used BBEdit to put a NUL in a document by clicking insert from its ASCII table, then used copy/paste to get it into the file name. I felt dirty doing it, but it worked.

Re:Mac OS X ...Server?

[jc42]

If you don't know much about those topics then you shouldn't be running a server operating system in the first place. You should either hire someone who does know these things or you should just get a hardware network appliance where you don't need to know much about servers.

I'm not saying you're wrong. I'm saying that Apple and Microsoft are both selling systems to novices that provide something called "Internet Sharing", i.e., several computers using a single ISP modem with a single IP address. They and other people, including the OP to my first message, are recommending these for use by people with no net expertise at all. You seem to have just said that this is a bad idea, which is also what I said.

However, ISPs are providing service with a single IP address, and people are buying multiple gadgets that all want to use the Internet. They WILL be hooking them all up to that single modem, and they WILL be following (mostly) Microsoft's or (sometimes) Apple's instructions to turn on Internet Sharing.

And no, they will NOT be hiring an expert to do the job. That would cost several times what their gadgetry cost. Also, Microsoft and Apple say they don't need the expert; they can do it themselves by just checking one box.

Well, not in our house. I have a linux box that runs iptables and NAT and DHCP and maradns and a few other things. That seems to work pretty well. But I'm not expert enough to figure out how to make a Mac do the job right. I'm not saying nobody should; I'm just suggesting that maybe they shouldn't unless they know more about it than I do. ;-)

Re:Mac OS X ...Server?

[CAIMLAS]

I find that hard to believe. Linux is pretty obscenely easy to set up and administer these days for most conditions, and RedHat has been there for a long time - but then, I cut my teeth doing things with samba long before they were supported.

Re:Mac OS X ...Server?

[not_hylas(+)]

Where the hell did you even find an HFS volume? That's like worrying about compatibility with FAT16.

You insensitive clod!
Imagine my Beowulf cluster (HFS disks) of those just off my edge network, running A/UX 3.x (you KNOW BSD is dying) just to confuse the door-knockers.

I know you're asking yourself.

Q: How many Libraries of Congress is that?

A. 42

Re:Mac OS X ...Server?

[Ash-Fox]

I rather have a Mac OS X Server than Linux for many things. I have better things to do that learn how to setup a server.

Honestly -- you will probably have a harder time with OS X server dealing with just it's numerous issues with it's default setups (I have encountered broken apache, cups, PHP, squirrel mail, Bind, openssh and other stuff that I don't recall right now = many of these required grabbing crap like xcode, recompiling stuff with patches etc - I generally don't have to do this with Linux servers).

Never mind actually setting it up.

I would suggest using something like SuSE Linux Enterprise Server for a server if you don't want to be concerned with getting your hands dirty - I find the GUI/TUI (two modes of operation in YasT) is easier than Microsoft's and Apple's alternatives.

Re:Mac OS X ...Server?

[SoupIsGoodFood_42]

Actually, I plan to get a copy of Snow Leopard server and some basic BSD or Linux, and play around with them both on a Mac mini (via external drives -- gotta love EFI). I agree for that for serious web hosting, OS X server requires a lot of mucking about, like any Linux install would, but I also want to use OS X Server so that I can use the more Mac friendly features of it for other uses (such as a small all-Mac office etc), rather than just as a traditional web and mail server.

I was hoping that OS X server was actually good enough to use for web hosting and e-mail for many of my clients, rather than telling them to use some web host or do reselling (I'm a web designer/developer), but after a bit of research, it doesn't look like you can just use the GUI while you learn the technical side along the way (my original plan), but need to learn it all before, at which point, I might as well muck about with something cheaper and leaner. I might also give SuSE Linux Enterprise Server a go, too.

The other factor was that going the non-Apple route for a server means I don't have to pay for an Xserve -- servers are already expensive enough. And while I don't mind having to take my iMac in to get it fixed (even though I can do it myself), a commercial web server is another story.

I'm a bit disappointed with Apple recently -- with all the iPhone stuff going on, it has clearly affected the quality of the desktop and the server version of OS X. If they continue down this road, it won't be good. However, unlike Microsoft, I actually have faith that they will get back on track -- they can't afford not to if they want to continue doing as well as they are at the moment.

Re:Mac OS X ...Server?

Honestly, did you guys do an in house evaluation of XSAN before you bought it? I worked as a consultant doing OSX server/XSAN stuff for 3 years and we were always very upfront about both the advantages and limitations of both XSAN and OSX server. Stornext as a file system has always performed better with large files, which is why its most often used in a final cut pro video editing enviroment, not neccesarily in a file sharing situation. Direct attached storage is almost always going to be faster for small files/file sharing, and Apple was always clear about that with our customers. Some of them *chose* the flexibility of a SAN enviornment anyways, but they knew they were going to take a hit in performance.

As far as backup, I would think that you would have been recommended either Backbone NetVault or Atempo Time Navigator by Apple or your VAR. Both of these solutions performed very well and were certified for XSAN by their vendors. BRU and Retrospect were not, the last time I checked. I don't even think their vendors claim to work with XSAN.

In my experience, the AD plugin has generally worked pretty well for us. There have been bugs in some versions, but overall it does what it is supposed to. Did Apple tell you that it would work for cross-domain auth? There certainly are some AD features it doesn't yet support. This very well could be one of them..

Does Apple need some work to be a better citizen in enterprise environments? Sure... but in my experience, their stuff works well when used with knowledge of what it can and can't realistically do.

Re:Mac OS X ...Server?

[amsr]

I am curious about the performance of Samba/Netatalk on CentOS with a Storenext backend? Is it really better than Samba/AFP on OSX server? I always thought it was Stornext itself that just didn't work well with small files, not the OS providing NAS services that was the issue. Do you have any numbers?

Re:Mac OS X ...Server?

[Phroggy]

One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DNCP server anywhere on the local network, you now have two of them battling it out, and the symptoms aren't something I'd wish on anyone but a networking expert.

Not true. First, we're talking about Mac OS X Server, which has a whole section in the Server Admin GUI just for configuring the DHCP server. You're talking about the plain old normal client version of Mac OS X. The Internet Sharing feature does enable a DHCP server, but not silently. The warning message (with big yellow caution sign) says:

Are you sure you want to turn on Internet sharing?

If your computer is connected to a network, turning on Internet sharing may affect the network settings of other computers and disrupt the network. Contact your system administrator before turning on Internet sharing.

It's certainly not as technical as I'd like, but anybody with half a clue should be able to infer that "affect the network settings of other computers" is talking about running a DHCP server.

I've also experimented with an OSX web server. The main problem here is that OSX does funky things with file names, starting with their "caseless" feature. This works if everything was developed on OSX. But if you're running a web server, you're probably going to be including things from other machines in the vicinity. If they're not OSX, you'll go crazy trying to figure out what's going on with the file names. And you probably won't be able to fix it.

It has always been possible to use a case-sensitive filesystem with Mac OS X, but it breaks some legacy Mac OS applications, so case-insensitive is the default. There was a security issue here as well; Apple submitted patches to Apache to fix that.

But on OSX, we'd see non-ASCII chars simply garbaged with no obvious pattern.

Mac OS X uses UTF-8 encoding for filenames. Bug your other OS vendors about supporting it.

(And I have occasionally wished that I could use '/' and NUL in file names. I wonder if there's a system that allows all 256 8-bit bytes in a file name... ;-)

I don't know, but if there is, good luck using it with a CLI.

Re:Mac OS X ...Server?

Its still better than Windows implementation ;)

Re:Mac OS X ...Server?

AD-binding is not straightforward. Apple really wants you to run an OpenDirectory, as this allows you to both manage Apple desktops and do single-sign on. If you just want to allow AD authentication on your MacOS X servers, good luck. You're in for a bugfest, with partially-working GUIs and many, many quirks.

Of course with Mac OS X Server 10.5 you can use augmented accounts and run that OD if you desperately think you need to. Depends what services you're trying to run whether you need to or not, some services just need more directory information than AD can provide.

#1 quirk being: you can't do cross-domain authentication, even if those domains are trusted. This was a showstopper for us.

Yes you can. That's what the pretty little checkbox labelled "Allow authentication from any domain in the forest" does. Nifty eh?

There is only ONE backup application for Xsan that is both a) reliable, and b) has a reasonable support contract. We tried Retrospect (total POS), Veritas (ridiculous wait times for support), and finally, BRU. BRU has a decent product, but the number of MacOS bugs that plague this application make it unreliable and frustrating to use. OSS applications don't handle the numerous HFS+ corner cases. Rsync, which we used for snapshots, routinely hemorrhaged itself on files with extended attributes, despite the fact that this was APPLE'S OWN VERSION.

There are other backup applications available, I'm not going to go into them now. Rsync can be made to work fine with Mac OS X, depends on your needs of course. Are you trying to backup HFS+ or Xsan? Or can't you make up your mind where your data is?

If you're backup up Xsan then HFS+ corner cases are pretty much irrelevent given...

Ever try running a shared AFP/SMB volume on an Xsan? You can't. Surprise, surprise: Xsan is not HFS+ formatted. It uses CVFS, which is a Quantum/ADIC filesystem. Why? Because Xsan is simply a rebadged version of StorNext! So your AFP daemon will spew Mac metadata everywhere which your SMB daemon will not honor, thus totally corrupting your data. Fuck you, Apple. Seriously.

That's right, it's not HFS+. Uhm, duh? A cluster file system needs to be, well, a cluster file system. Fortunately for you you've just discovered that this creates the magic of a "._" file (AppleDouble extra data).

Now I've got currently running an Xsan cluster that seems to serve out the same data via AFP and SMB and I haven't had any data eaten. Ever consider that maybe you're doing something wrong?

You can't modify MacOS X Server files on the command line. Oh, well, you could on 10.4 server; then lock the file and hope you never had to use the GUI again. But on 10.5, even that does not work-- it still overwrites your file; smb.conf is a perfect example. I figured, OK, maybe I should set the immutable flag, but then I started thinking... WHY am I using Apple products again?

Right, smb.conf. Maybe you could just read the file and look for the big comment noting:

; Site-specific parameters can be added below this comment.

Maybe you could add your customisations below there like you're told to and be amazed that they don't get overwritten. Reading the documentation, that'd be a novel idea.

Apple's enterprise support blows. Sometimes you get an answer, but no matter what, expect a long wait while people on the other end decide whether they want to bother answering your question or not.

I've had great enterprise support including contact with engineering teams to fix specific issues I've had. Maybe you should be nice to your reps instead of abusing them in public forums.

Want to follow-up on a bug that someone else reported? Good luck. Their bug reporter is terrible. Would it be so hard to run Bugzilla?

Because I know that I want all my confidential data supplied to Apple so they can fix an issue to be public. This just isn't reasonable for any large company. Nor does it make much sense.

If you're having a bug yourse

Re:Mac OS X ...Server?

[hab136]

But on OSX, we'd see non-ASCII chars simply garbaged with no obvious pattern.

My guess is you were using a codepage instead of Unicode. I've had issues with old MP3 files ripped over the years - for example Björk :). There are several converters for filenames (and ID3 tags). After switching everything to UTF8, all my systems (mac, win, linux) produced consistent results. Unicode is the future, convert now or die. :)

http://www.joelonsoftware.com/articles/Unicode.html
http://unicoderewriter.sourceforge.net/
http://www.unicodetools.com/
http://www.linux.com/feature/58689

Re:Mac OS X ...Server?

[drsmithy]

Back then, Apple gave vague, unspecific warnings that some Mac apps wouldn't work right on a caseless file system. Dunno if they claim to have fixed it. The PB is still running (and I'm typing on it right now), but it's mostly relegated to "network appliance" status. It no longer gets used for serious attempts at software or web-site development.

I think you are getting UFS and HFS+ confused. HFS+ has been standard on Macs since MaCOS 8.x - I doubt OS X even has a "regular HFS" driver in it.

Re:Mac OS X ...Server?

[drsmithy]

We purchased a number of these machines because it seemed like an easy and cheap way to get a fileserver going that did both AFP and SMB, was AD-integrated, and could have its file store on a SAN.

Windows 2003 ?

Equivalent hardware (hotswap RAID (SCSI, I should add), redundant PSU, fiber channel card, GigE, dual processor machines in a 3U form factor (SuperMicro chassis) come out to about $1k less than an Xserve, on average. And when a part dies, like a backplane, I can BUY THAT PART. With Apple, you have to buy an entire parts kit, which comes with stuff you may not want.

I would be surprised if a 3U machine was *not* significantly cheaper than a 1U box. With computers, smaller == more expensive, remember ? Why are you buying parts to repair machines yourself ? Ever heard of a "warranty" ?

Re:Mac OS X ...Server?

[makomk]

There's one slight issue with that - stuff like the Greek dotless lowercase i and dotted uppercase I. Sure, a caseless file system is wonderful as long as you only have to deal with English, but once you start dealing with other languages you realise that the mapping between upper and lower case is (a) language-dependant and (b) not always symmetric, one-to-one or transitive. All in all, it's a major pain.

Re:Mac OS X ...Server?

ROFL! My school went all mac and they got hacked before by two brothers who went and changed their grades. [gets off the floor and wipes the tears of laughter away]

Re:Mac OS X ...Server?

They use Verdana instead of Arial. Really really looks keen. Oh, and the cursor blinks a bit faster. You'll find yourself arbitrarily running commands just to see the results.

Re:Mac OS X ...Server?

I bought 10.5 server and a 24" imac to run it on, looking to migrate away from my bletcherous kludge of stacks of linux boxes built up over the years.

I joined the Xsan and Xserve mailing lists, and started lurking while I brought my 10.5 server up and started fiddling. I installed 10.5 server many times. The expert configuration is the only one that actually allows for fine grained control, however the GUI is of no use in that case. As you stated, custom modifications of configurations will get overwritten unless you go in and tweak the various relevant plist entries.

This is really painful.

Apple of course in this time stepped back from Xsan and outsourced their product to Promise. I have no strong opinions concerning Promises offerings. But they somehow never really came to the top when looking for SAN solutions.

I've been using BRU for many years, and overall, am happy with it. I still find it painful, and probably place a tech support call about twice a year to sort out something or another.

Dollars to Dollars, I can buy servers that have *real* support plans for much less than comparable Xservers, the only downside is that they are not apple, therefore I cannot run 10.x
machines on them by license. It was my intention to be able to virtualize some 10.x machines eventually.

Until Apple changes their licenses around a bit, I just won't be able to do this. My experience with 10.5 server is less than joyful.

In very specific cases, it just might be the right thing. In a generic sense, I feel it falls well short. While at the outset, it may in fact be easier to install, set up, and get running. In a practical sense, doing these things correctly require knowledge and skills beyond what are assumed by the apple faithful. Using this knowledge and these skill sets is more readily realized on machines such as you describe. CentOS or similiar, running on generic hardware for which spares and support are much easier to get.

Re:Mac OS X ...Server?

[stewbacca]

No no no no no no no...Apple doesn't use VERDANA (or any other proprietary, and mostly crappy MS Font). As a recovering typographer from the mid 90s, I shudder at the thought of Apple ever using a MS font in their OS! Ok, I think you were kidding, but please, don't scare me like that!

Re:Mac OS X ...Server?

[argent]

One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server.

Well, yes. It's emulating a home/office firewall/router. Every SOHO firewall/router I've ever used has done the same thing.

This works if everything was developed on OSX.

Or Windows. Which also has the same file naming convention.

But if you're running a web server, you're probably going to be including things from other machines in the vicinity.

If you're running a network and you already have UNIX systems on the network, why on earth would you even consider OS X? You already have better UNIX server boxes (just about any other UNIX system is a better UNIX server than OS X). You're not the target market. You already have more technical expertise than the people I'm talking about, AND you're not looking for a system designed for an all-Mac-and-Windows environment.

OS X doesn't run HFS. It only runs HFS+. You can build an HFS+ file system with case sensitive or case insensitive behavior. That's not "turning HFS into HFS+", it's "running HFS+ case insensitive". No wonder the poor folks at Apple were confused. And, as you found out, it's probably a bad idea, because Mac software is written with the assumption that the file system is case-insensitive, and it is likely to misbehave. The same thing would happen if you ran Windows on a non-translating file system (I've tried it... you can allegedly do it with NTFS but I've found that it pretends it's done it while keeping the case-insensitive file name matching, the 8+3 file name translation, and so on).

The solution to your problem, by the way, would be to create a separate *UFS* (not "HFSanything" partition and keep your work on there.

There's been a LOT of work done on rsync on Windows to deal with the NTFS oddness. There hasn't been that much done on HFS+... because people are less likely to be stuck using HFS+ on OS X because their company is "Mac Only", the way people get stuck using NTFS and Windows because so many companies are Windows-only.

But on OSX, we'd see non-ASCII chars simply garbaged with no obvious pattern.

All file names in OS X are stored in UTF-8: you were probably just reading them as raw 8-bit characters and trying to interpret them as ISO-8859.1. That trick never works.

If you were starting with Mac-and-Windows you would be using UTF-8 and Unicode file names to begin with, you'd be using case-insensitive file names, you'd never run into this stuff. That's the market Apple's looking at, not people who already have FOSS UNIX boxes around the place. People who have FOSS UNIX have much better servers already.

Re:Mac OS X ...Server?

Regarding the DHCP server, it is not a hidden process, bootpd shows up in ps then man bootpd tells you about the config file and it is surprisingly well documented about all the knobs you have. Also having a simple little GUI checkbox for internet sharing is exactly perfect for not too computer savy people It setups nat, dhcp, bind, and adds a divert rule to ipfw. A not techincal person would have an impossible time of it otherwise and a technical person can make it work any way they like.

I agree with you that it is too bad there is not a more painless way of going from hfs+ to hfsx.

Re:Mac OS X ...Server?

[jc42]

I think you are getting UFS and HFS+ confused.

You're probably right. And a check I just did might explain why. There's a "Mac HD" icon on my background, so I pointed at it and did a CMD-I. A "Mac HD Info" window popped up, and part way down is the line "Format: "Mac OS Extended (Journaled)".

I note that this doesn't match any of the format names that people have used here. There's nothing that abbreviates to the "HF" at the start of any of the format names. That "Extended" is most likely abbreviated to 'X', but it could be '+'. There is (as far as I can tell) just one partition, the machine boots, and someone said that OSX can't boot from a "HFX" partition, so it probably isn't that. Or "df -a" isn't listing all the partitions. Or I'm not reading df's output correctly.

This is one of the ongoing problems I've found when asking questions about things inside the Mac. Many parts of the system seem to have several different names, depending on which app or doc you're looking at. I'm guessing that "Mac OS Extended (Journaled)" is a synonym for "HFS+", but I can't verify that, and I wouldn't be surprised if I'm wrong. And if I use the wrong abbreviation, the result is a discussion of my knowledge of Apple's confusing terminology, not of whatever question I was asking. This materially slows down the process of getting useful information.

But for the purposes of this discussion, it's just one more example of why I objected to the recommendation of Mac OSX as a server for a small site with little net expertise. I've been using this Mac for going onto 5 years now, and I keep stumbling across such problems. You could argue that it's because I'm too stupid to learn the system. But note that if you say that, you're supporting my contention that OSX isn't suitable for people like me.

And there is evidence that I'm not all that stupid. I've set up various sorts of network servers using linux, solaris, HP-UX, and various other unixoid systems. All have had their problems, but I haven't had nearly as many problems with any of them that I've had with OSX. If a dummy like me can set up a linux server in a few hours so that it works, but can't do the same with OSX after several years of futzing with them, the simplest explanation is that OSX is materially more difficult for such tasks that is linux. Apple's "extensions" to the file system (caseless matching, extended properties, ...) also cause ongoing problems, mostly because they're not clearly documented anywhere that's easy to find. The reason behind this can apparently be summarized as "Don't worry your pretty little head about it." This can be a rather frustrating reply to someone who's trying to learn.

So for a small shop with little net expertise, I'd still suggest that OSX isn't a good choice. Such people are more likely to be happy (or at least less frustrated) with a linux-based system.

(I've looked over various people's shoulders when they were trying to set up a MS Windows-based server. I'd have to agree that OSX would be far better than that. The amount of swearing in such tasks can be truly impressive. But such people usually can't be persuaded that they should consider alternatives. Or they're stuck with what their boss ordered them to use. ;-)

Re:Mac OS X ...Server?

[jc42]

My guess is you were using a codepage instead of Unicode.

Hmmm ... I don't grok that at all. If you're using Unicode, you must be using at least one codepage, right? That's how Unicode is organized. Obviously I don't understand something.

I do have a number of test files that contain mixtures of languages, including the worst cases like Chinese, Japanese, and Arabic. And some of them contain chars above U+FFFF. It's, uh, interesting to see which apps on which systems can display chars with 5-digit hex codes. Thus, among browsers, firefox 3.0 is slightly edging out opera 9.51 on my Mac, and all the other of my dozen browsers are a bit behind. Meanwhile, Terminal wins over both for codes under U+FFFF, but totally fails for higher codes.

Unicode is the future, convert now or die. :)

Yeah; I've been doing that. Now if we could only use Unicode/UTF-8 here on /. ;-)

I have seen warnings that OSX's file names do something weird (can't quite remember what) with combining chars. It might be that you can't use some precombined chars, only the expanded multi-char forms, but I'm probably wrong. I've seen a lot of garbling of marked Latin1 chars, and it might be an example of this, but I don't understand what's happening or how to fix it.

It'd be nice to find a good forum where one can ask dumb questions about i18n on various platforms without being flamed for being an idiot. I've found a lot of forums, but most of my (and others') questions seem to go unanswered on all of them. I have a query out on ubuntuforums.org right now about Chinese and Arabic text in uxterm, but it's not getting any answers. Maybe later, though.

Re:Mac OS X ...Server?

[drsmithy]

This is one of the ongoing problems I've found when asking questions about things inside the Mac. Many parts of the system seem to have several different names, depending on which app or doc you're looking at. I'm guessing that "Mac OS Extended (Journaled)" is a synonym for "HFS+", but I can't verify that, and I wouldn't be surprised if I'm wrong. And if I use the wrong abbreviation, the result is a discussion of my knowledge of Apple's confusing terminology, not of whatever question I was asking. This materially slows down the process of getting useful information.

Your filesystem is Journalled HFS+. There is also normal (unjournalled) HFS+. These are roughly analagous to ext3 and ext2 in the Linux world, respectively.

The other major filesystem OS X supports is UFS, which is the same UFS you'll find on Solaris or FreeBSD. This is its "UNIX filesystem" and will behave much like a filesystem you would bump into on any UNIX-esque system (eg: Solaris, Linux, FreeBSD).

HFS, to go back to your original post, is the very old MacOS filesystem dating back to the mid-80s. It is the Mac equivalent of FAT16, as another post said (albeit somewhat more advanced).

I'm sure this is all documented in Apple's support pagges, although I've never bothered to look. They are certainly pieces of information that you can find in 5 minutes with Google.

But for the purposes of this discussion, it's just one more example of why I objected to the recommendation of Mac OSX as a server for a small site with little net expertise. I've been using this Mac for going onto 5 years now, and I keep stumbling across such problems. You could argue that it's because I'm too stupid to learn the system. But note that if you say that, you're supporting my contention that OSX isn't suitable for people like me.

Yes, if you're after Linux or some other traditional style UNIX system, then OS X probably won't do you much good. That's because it's built to be as much UNlike a traditional UNIX system as possible.

And there is evidence that I'm not all that stupid. I've set up various sorts of network servers using linux, solaris, HP-UX, and various other unixoid systems. All have had their problems, but I haven't had nearly as many problems with any of them that I've had with OSX. If a dummy like me can set up a linux server in a few hours so that it works, but can't do the same with OSX after several years of futzing with them, the simplest explanation is that OSX is materially more difficult for such tasks that is linux.

No, it just means all you've got is a hammer, so everything looks like a nail.

Apple's "extensions" to the file system (caseless matching, extended properties, ...) also cause ongoing problems, mostly because they're not clearly documented anywhere that's easy to find. The reason behind this can apparently be summarized as "Don't worry your pretty little head about it." This can be a rather frustrating reply to someone who's trying to learn.

I don't know what you mean by this. The filesystem distinctions and terminology you were confused about can be trivially cleared up in a few minutes on Google (third result searching for HFS is a Wikipedia article answering all the questions you posted here). This says to me that you didn't bother trying.

So for a small shop with little net expertise, I'd still suggest that OSX isn't a good choice. Such people are more likely to be happy (or at least less frustrated) with a linux-based system.

A small shop with no expertise is going to run into the same problems with Linux. The difference is that the first few steps - which may very well be completed *without* running into any problems - can be trivially completed.

(I've looked over various people's shoulders when they were trying to set up a MS Windows-based server. I'd have to agree that OSX would be far better than that. The amount of swearing in such tasks can be truly impressive. But such people

Re:Mac OS X ...Server?

In a battle of who can lay on the most sarcasm and berate someone else, I'd place you as the winner.
If I had to make a hire for a co-worker that other colleagues would feel is apporachable when raising issues with technology, I'd hire the parent.

Content wise, I think many of the issues the parent raised aren't addressed above; mentioned but just glossed over. I'd also be surprised if the parent didn't try some of what was recommended above. Maybe he did, maybe he didn't, but assuming he didn't and utilizing language to make him sound like an idiot doesn't help answer any questions.

Content aside, why I'm suprised this got modded up at all due to the arrogance exhibited towards the parent:
...That's what the pretty little checkbox labelled...
...Or where your data is?
That's right, it's not HFS+. Uhm, duh?...
Right, smb.conf. Maybe you could just read the file and look for the big comment noting:
Netatalk? Guess you didn't want a reliable and useful AFP service anyway.

Re:Mac OS X ...Server?

[poached]

-what- /the/ _fuck_ \is\ [up] =with= ~people~ >using> MOTHERFUCKING _weird_ -delimiters- for -emphasis-?! What happened to good ol' MOTHERFUCKING CAPS!?

Re:Mac OS X ...Server?

[amsr]

Apple stopped making their hardware FC RAID box which to be quite honest was woefully out of date at the time. They chose to certify 3rd party storage with their SAN filesystem instead of building another box. The Promise solution performs way better than the Xserve RAID ever did, has more features, and is in the same price range per GB that the Apple offering was in. Overall, I think it was a good move. And who knows, they may certify other storage vendors in time, which is something customers have been asking about for a very long time.

As far as OSX Server requiring a skillset beyond that of the "apple faithful", I'm not sure what you were expecting. Its still a server. Just because it has a shiny Apple GUI, doesn't mean you can just blindly check a bunch of boxes and hope your network works. There is no subtitute for training, documentation, and understanding of how the services work and how to manage a network. Fortunately, Apple offers some very good training classes, and there are some good resources out there for learning the stuff (mailing lists, forums, books, docs, etc..)

The above is probably a disappointment to the ASIP crowd, but in general, the capabilities of OSXS are far greater than those of ASIP, and no matter how easy Apple tries to make it, it is a considerably more complex product and that comes with a more substantial learning curve.

It also offers services for Managing Mac OS X clients above and beyond what is available if you used a Linux server, such as Managed Client (GPO like management), software update service, network imaging and install services, etc... So perhaps if you are just going for a Samba server or a Web server, it really doesn't make your life easier. But if you are managing a network of OSX machines, it gives you a much greater level of control than any other solution.

Re:Mac OS X ...Server?

[amsr]

Mac OS X Server provides services akin to the services provided to windows via Active Directory and various supporting tools such as directory based client management for Mac OS X (standalone or in conjunction with a 3rd party directory server), Software update services (like WSUS), and Remote/Network Install services for imaging/deoploying new workstations. These features can't be had by using a Linux distro or Windows server and they dramatically simply the management of Mac OS X clients on any network.

There is also podcast producer, which is an end to end solution for creating, compressing, and distributing audio and video podcasts. At first glance this might seem simple, but if you are a TV studio or run a website that produces a lot of content, having and optimized end to end solution for this makes your life much easier.

As for the other services such as DNS, Web Server, File Services, etc.. the main value proposition is the Apple GUI. For some customers this might not be a selling point, and those people rightfully look elsewhere. However, don't underestimate the value of easy setup wizards and GUIs for "typical" services. Windows SBS didn't become the sucess it is without exploiting this angle. Mac OS X server makes a pretty darn easy to setup and robust SBS type machine...

Re:Mac OS X ...Server?

[amsr]

And while I don't mind having to take my iMac in to get it fixed (even though I can do it myself), a commercial web server is another story.

You don't have to take your web server down to the genius bar to get it fixed if it breaks. Apple offers service contracts that include on site parts replacement...

Re:Mac OS X ...Server?

Newer versions of OS X Server use the case sensitive HFS+. Note all versions used HFS+ (hell since os 8.1 it was included) That has nothing to do with the case sensitivity. Apple has added a few things as they've progressed with OS X. For instance, 10.2 client didn't have journaling (it was added near the end and optional) . With 10.4 server, you can enable case sensitive, journaling and even software RAID during install.

Mac OS X server is not for beginners or non technical people. You must know what you're doing. It's not like using a mac desktop. Nothing works in server without some work unless you follow Apple's vision exactly. It's very inflexible and it takes some serious hacking to get it to conform to your will. If you actually find someone who says it's easy, they're either following apple's directions exactly or they're lying.

The largest problem is the pay for security model. When you can get many free operating systems, it's hard to justify the os upgrades all the time on the server. Consider a windows release is out 3-5 years typically. That gives you time to get patches and actually still enjoy reasonable security without starting over or doing a major upgrade. Until 10.5, apple seemed to only patch 1 version back, and even now they only do really critical selective stuff for 10.3 server. You're effectively forced to upgrade your os all the time to stay secure. People in small businesses like to buy a server and use it without doing much for many years and apple doesn't offer that. I'd say BSD, linux or even solaris is a better choice now. You can get patches for those and the os is free.

Apple still ships apache 1.3 and ancient versions of php on their servers.

Re:Mac OS X ...Server?

Resharing an Xsan volume over AFP or SMB works perfectly fine.
Oh, yes, you have to have a properly configured Xsan.

As for the bullshit about support.. I guess you're very happy with CentOS support. Oh wait. Nope, there's no support.

Re:Mac OS X ...Server?

[mortonda]

Like I said, I'm not advocating caseless, but this is the one good argument they have. It's easier from the programmer's perspective to be case sensitive, for sure, and some real difficulties exist for trying to make a good caseless system. In any case (I groan at my own pun), having such similar identifiers for different semantic meanings is a bad idea.

Re:Mac OS X ...Server?

[Smurf]

After reading this whole extensive thread I'm left with the impression that you are very proficient with Linux and some other Unix-like system, and that is a really great thing.

But at the same time, with all due respect, you are very, very ignorant about MacOS. That's also OK. But in that case, you should either let someone more qualified do the work, or take a deep breath, accept that you need to learn the stuff, and sit down and learn it patiently.

Now, you claim that the information is too hard to get to. But most of the things you are complaining about, including all this nonsense about HFS+ vs HFS (you meant UFS), is clearly spelled out in Wikipedia.

I'll agree with you that in many cases MacOS X Server is not a good server solution. But the problems you described seem more like PEBKAC. Sorry for the bluntness, but your original post was really absurd.

Re:Mac OS X ...Server?

but HFS is a dead -dead- dinosaur

If this is true and i read the parent correctly, then then why did apple send him a disk set up with this very format?

Re:Mac OS X ...Server?

[jc42]

If you're running a network and you already have UNIX systems on the network, why on earth would you even consider OS X?

Hey, go back and look at the message that I was originally responding to. The OP explicitly recommended a Mac OSX server for small shops with little net expertise. My post was an explanation of why I thought this was a bad idea. So don't try to accuse me of recommending the very thing I was arguing against. ;-)

Fact is, Microsoft and Apple are marketing their systems as a good way to do "Internet Sharing". They are marketing this explicitly to people who wouldn't know a DHCP server from a word processor. If we want to fight this, we need people who have tried it and can explain why it's a bad idea. And that's effectively what I've been doing.

A few years back, there were a lot of comments in the unix/linux arena about how OSX was an interesting new unixoid system, and we should all get acquainted with it. So I did. If I hadn't got one and tried to use it as a server system, I'd have no idea why it's a bad idea. All the PR (and no small number of the /. crowd) encouraged such things. It's not bad as a workstation (and a lot better than Windows), but it has serious drawbacks as a server.

So far, I've managed to get enough experience with OSX that I've successfully persuaded the managers of a number of projects to avoid OSX for any uses but personal workstation. And I've had the fun of explaining to any number of people why they're having so much trouble rsyncing their Mac with the other machines around them. I've warned them that they'd never solve the problems (partly because some of the code is proprietary and unavailable; partly because the internal docs suck). Quite a number of people have eventually told me that they should have listened, because they never have fixed all the problems.

You can't give people good consulting advice on such things unless you've considered them and, in some cases, attempted them. Well, yes you can, but it takes studying others' attempts and taking their stories seriously. But when I started investigating OSX maybe 5 years ago, I couldn't find any of that. All I could find was glowing PR suggesting the very thing that I've been arguing against here (and which you've accused me of supporting ;-).

Oh, well; it's not the first time. I've also, for example, worked on SNMP in the past, and implemented a couple of SNMP agents. They can be good tools for the things they were designed for. I've also been to many interviews where they ask me about using SNMP in their package. I go into a detailed explanation of why it's a really bad idea for them. Their conclusion is that I know a lot about SNMP, so they'd like me to implement their agent for them. "Uh, I think you missed something important in what I was explaining ..."

It's a funny world.

Re:Mac OS X ...Server?

[SoupIsGoodFood_42]

Yeah, those contracts are expensive and not fast, last time I checked. When I mean fast, I mean fixed within the hour. Perhaps they offer better service in major US cities, but not where I live.

Re:Mac OS X ...Server?

[falcon5768]

client management. for large scale distributions AD and Apples equivalant Open Directory and Workgroup Manager beat the pants off the pain it is to administer mac and windows clients from a linux box.

Re:Mac OS X ...Server?

No one cares. Bugger off.

Re:Mac OS X ...Server?

[hab136]

Hmmm ... I don't grok that at all. If you're using Unicode, you must be using at least one codepage, right? That's how Unicode is organized. Obviously I don't understand something.

Eh... "code page" is an overloaded term. Yes, "code page" = "character encoding". I prefer to call the old 256-char 8 bit code page system "code pages", vs Unicode and "character encodings". What I should have said was non-Unicode code pages.

The old method (what I was calling "code pages"):
You had 256 characters. The first 128 stay the same; you swapped out the top 127 for different characters. For example in default CP1251 (Latin-1), character D9 is a U with a backward accent mark (in Unicode, it's U+00D9). In CP1251 (Cyrillic), character D9 is the W with a foot (U+0429). There is no way to represent both characters at the same time.

http://www.microsoft.com/OpenType/unicode/unicodecp.htm
http://www.microsoft.com/typography/unicode/1251.gif
http://www.microsoft.com/typography/unicode/1252.gif

Note that you are using the same byte, D9, to represent different characters depending on what global code page you have set. How do you know whether it's a CP1251 D9 or a CP1252 D9? You don't, except by setting a system setting.

In Unicode, you can have both characters at the same time. U+00D9 is always a U with a backward accent mark; U+0429 is always the W with a foot. There's no swapping out of characters for others, like trading one code page for another. How U+0429 is written to disk is determined by the Unicode encoding. UTF8 is one such encoding (the best/most popular IMHO), but there are others (UTF16, UTF7, etc). Think of it like taking a text file and then storing that text file in ZIP or TAR or CAB. So in this sense Unicode has "code pages" - UTF8 for example - but they're not like the old code pages since there is no swapping out of one set of characters for another, only different ways of representing the same character set.

So - what I was originally saying, you may have had accented characters in CP1251 for example, and when the other system sees it, it has no way of knowing if the characters are encoded in CP1252 or CP1251 or CP874 unless you specify, so it defaults to CP1252. Which, if you meant a different code page, means your accented characters will get messed up.

Most systems will recognize UTF8 on the other hand, so once you've converted to UTF8 there's no configuration needed. You don't have to tell receiving systems that D9 is a Cyrillic D9, or a Latin D9, or whatever - in Unicode, U+0429 is U+0429 and that's it.

(Whether or not your font has a way to show U+0429 on the screen is a font problem, not character encoding)

So - the old code page system (CP1252, etc) was a way of swapping out some characters to represent a subset of all available characters plus a way of encoding that subset. Unicode code pages (UTF8, etc) are just different ways of encoding the whole Unicode character set, no swapping out, all characters are available simultaneously.

Oh and Slashdot sucks for not supported Unicode, would've made this explanation easier. :)

It'd be nice to find a good forum where one can ask dumb questions about i18n on various platforms without being flamed for being an idiot. I've found a lot of forums, but most of my (and others') questions seem to go unanswered on all of them. I have a query out on ubuntuforums.org right now about Chinese and Arabic text in uxterm, but it's not getting any answers. Maybe later, though.

Most English-speaking people don't care since they stick to unaccented letters. Speakers of languages represented in the default Latin set (CP1252) such as most of Western Europe don't care since it just w

Re:Mac OS X ...Server?

[argent]

Hey, go back and look at the message that I was originally responding to. The OP explicitly recommended a Mac OSX server for small shops with little net expertise.

Hey, go back and look at who the OP was. I recommended OSX Server for small shops with little net expertise, and I'm explaining why your comment had nothing to do with that. Anyone who has the expertise to build a network using rsync for publishing and backups is NOT running "a small shop with little net expertise". Anyone who's hiring you to set up and run their network is also NOT running "a small shop with little net expertise".

I *never* considered OS X an appropriate server operating system for your kind of situation. Ever. Not now, not five years ago when I was investigating it (investigating it, by the way, means actually running OS X and understanding how it works... not getting confused about HFS and HFS+ or failing to recognize UTF-8 file names). Take away the desktop and all you have left is a rather anemic UNIX box. You can get a MUCH better UNIX box for MUCH less money from HP... I'd take a DL320 or DL360 over an XServe any day. But I wouldn't suggest that "a small shop with little net expertise" buy a DL320 and stick Debian or SUSE or FreeBSD on it and try and make a go of it.

I'm talking about shops with a few Mac and Windows desktops, no geeks, whose other option is Windows Server 200x.

And never fear, if you were interviewing with me and spent the interview slamming SNMP, I wouldn't make the mistake of hiring you. :)

Re:Mac OS X ...Server?

[konohitowa]

Nowhere in the post does he talk about getting any sort of disk from Apple. Nowhere in the post does he talk about having an Apple XServe machine. In fact, nowhere in the post does he even talk about having Mac OS X Server software. The most I could surmise from his statements is that he recommends against throwing a desktop version of OS X on a network and trying to turn it into a server by randomly changing networking options. Which is relatively good advice for any system.

On a related note, OS X Server (the shrinkwrap box of software) has been around for a long time. I did my first install on a Beige G3 desktop box that had previously been running MacOS 8.something (or maybe is it was 9.1 - it's been a while). As I recall, that version of the system was known as 1.2.

Re:Mac OS X ...Server?

[konohitowa]

I did a code review of a perl utility someone in my group at work had written. He had two file streams. One was named InPuT and the other was named iNpUt. When asked about it, he said that he did that because he didn't have time to come up with good names.

Seriously.

Re:Mac OS X ...Server?

[mortonda]

Wow. Off the top of my head, I can think of: input1, input2, or onpu_one,input_two, or bob,mary .... yeesh

Re:Mac OS X ...Server?

[konohitowa]

I hear ya. As I recall the first retort out of my mouth was an incredibly sarcastic "uh... you mean like input1 and input2?".

Honestly, I was almost impressed with his ability to not only type them repeatedly but actually keep them from being confused with one another. Almost.

Re:Mac OS X ...Server?

I think you took over my previous job, sorry dude. I have an equal list of horror stories--all 10.4 related. The last version of OSX Server I touched--and will ever touch. Apple in the enterprise is the WORST experience I have ever had. It included flying in guys from Apple to provide support, and having them still tell us there were no real solutions to our problems. When they could provide a solution it was always some undocumented magic. I would ask "ok, where would have I found that answer" and they would say "you can't, this is all proprietary information we don't publish". I could go on and on and on (and on), but I won't. I have just one warning: use apple's os on your servers at your own peril. It will make you look completely incompetent because you will be stuck in situations every day where you CAN'T fix the problem and Apple isn't around to back you up. The performance is abysmal, and you'll see me running a Windows network before I ever take an other Apple job. I'm back to managing Linux machines. When I have a problem I can either find or write a solution. My stress level is down, and my users think I am a good person again.

OS X Server not for critical infrastructure

This sort of thing is why nobody should be using OS X Server for critical infrastructure. OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.

It seems like Apple is always dragging their feet on security updates, and that alone should cause a major aversion on the part of anybody thinking of deploying their server software into production.

Re:OS X Server not for critical infrastructure

[bluefoxlucid]

OS X Server is for schools and such that use Macs for everything else, so an Apple server is a natural fit.

As a hacker, I welcome the concept of hooking up one giant monoculture. Chances are if you misconfigure X or fail to patch Y on my entry point, I've got the same back door all over your whole network.

As a security consultant... who am I kidding, I rape the network and give you a stack of paper saying you should have relied on Unix-like/Windows/Apple boxes by purpose, citing specific software supported on each (i.e. Apache vs. IIS, php, MySQL vs MS SQL Server); and point out that making one big singly-deployed network only makes my job easier, especially when your administrators are more used to purpose X on platform Y.

Re:OS X Server not for critical infrastructure

[Annymouse+Cowherd]

My old school used Macs exclusively, and a Mac server. The server had to be rebooted every hour or so when a class was using it.

Re:OS X Server not for critical infrastructure

[rwven]

And what year was this? My school had constant problems with their macs too...but it was in the mid-to-late 90's and OS8/9 just stunk.

OSC has also come a long way "overall" in terms of stability in the past three releases. I certainly wouldn't buy what apple was putting out in 2003.

Re:OS X Server not for critical infrastructure

[rwven]

OSX*

Re:OS X Server not for critical infrastructure

[amsr]

Don't kid yourself, schools have considerable IT infrastructure that would make most run of the mill businesses server rooms look like a joke. Don't forget that many Universities have more computers to manage and IT services to provide than many large corporations. A decent amount of them have large populations of Mac OS X machines, including servers...

I guess Microsoft have found the focus of their..

[Channard]

.. $500 million 'Why Vista is better than Apple because we say so' campaign.

Hey, I just wrote about this

[Pfhor]

At the Angrydome (which I started out of frustration of this and other things Apple related)

The only statements we have been able to get out of apple has been from the bug reporting tool. They have stated that they are working on a fix, but it is causing problems in some instances of their deployments, but don't see it as an emergency because there isn't a targeted exploit against their user base.

They do not need to understand that this is a protocol specific issue, not a code specific issue.

Re:Hey, I just wrote about this

[snowgirl]

They do not need to understand that this is a protocol specific issue, not a code specific issue.

How long did it take Microsoft to patch the WMF hole? Again, same sort of situation... the protocol/format itself is working as intended... it just can easily be abused.

I can see a fair amount of lack of concern from Apple... this affects DNS caches... rarely are these running on a Mac OSX machine...

Re:Hey, I just wrote about this

[Ifni]

I wonder if they use OSX server for their public DNS and how much egg they would have on their face when some script kiddie used Metasploit (http://www.metasploit.com/) to "test" their servers for them.

No targeted exploit indeed. Of course I suspect they pay some actual professionals to manage their DNS, and that these professionals use a proper server OS and have patched the DNS hole. But still, a script in the wild that affectes the security of their servers certainly exists, on a very popular vulnerability assessment tool no less, and should be cause for concern on their part. The fact that it apparently isn't just shows how seriously they take their server business.

Re:Hey, I just wrote about this

[Pfhor]

this is related to Apple's OS X Server product, which runs DNS (bind in fact), and many mac businesses do in fact use it, if even as a local DNS cache (which a simple fix now would be to configure their boxes to us opendns).

The bigger issue is this is a pretty big deal on the security front, all of the businesses that apple has to compete with in the server space (especially in the eyes of enterprise IT), have had a fix and a public statement about it out the door. Apple is the big unix vendor missing off the list, and has not even made a public statement as such to inform it's users about the issue. Not exactly the best way to talk about how secure their products are (client and server).

Of course, they still haven't gotten around to fixing the ARDAgent.app vulnerability from a few weeks back either.

Re:Hey, I just wrote about this

[snowgirl]

But recall... this vulnerability is only available to someone who has access to the caching server in the first place...

Intra-business, do you really fear your employees that much that they might cache poison someone else?

At some point, you have to trust those who are in your network... a tight knit business platform doesn't really need to worry about this (as long as their DNS is protected from outside requests)

This primarily impacts open DNS servers with unrestricted access, or unknown arbitrary access, say ISPs...

Re:Hey, I just wrote about this

[Pfhor]

The fact that it apparently isn't just shows how seriously they take their server business.

Which is a shame, because they do tend to make some good stuff, and when you want to build something to help manage and work with a group of macs, a mac server can make things a lot easier.

Of course, this is a company that didn't test their AD binding under 10.5 in anything larger than a single AD server installation (because why would apple have a multiple window servers to configure as a real AD deployment when their company doesn't actually use them)

Re:Hey, I just wrote about this

"This isn't a targeted exploit aganist their user base."

The only way this is fair game is if they know that nobody is running DNS. This would be consistent with the Apple MO, "You will do things the way we feel you should do it."

I'm still bitter that I have to download a 3rd party app (which I can't do on our OSX server since its not approved) just to adjust the mouse acceleration. And how about the "we dont need no stinkin SDK" attempt with the iPhone? Customized BIOS so you can only run macs in the shape they intend?

Re:Hey, I just wrote about this

[Pfhor]

10.4 server made it really easy to provide recursion to the entire internet.

Also, to get your cache poisoned, all you need is an employee to visit a nice page full of LOLCats on a malicious server that will keep feeding them dns requests in the background.

Re:Hey, I just wrote about this

Of course, read Enemy at the water cooler.

Re:Hey, I just wrote about this

[Burdell]

There are many ways to get to a "protected" caching resolver. Users on the trusted network browse the web, send email, IM, etc.; all of those require DNS lookups, and many can be subverted to cause lookups of arbitrary names.

In any case, trying to excuse Apple by saying "not too many are affected" is crap. They shipped software that is now known to have security issues and it should be addressed. They've known there is a problem for almost 3 months and still have not done anything to protect their customers. If this was Microsoft, Sun, Red Hat, etc., people would be ranting about it, but since it is Apple, it must be okay.

Re:Hey, I just wrote about this

[mortonda]

But recall... this vulnerability is only available to someone who has access to the caching server in the first place...

No!

This attack is simply a flood of false answers to a dns query made by either a client or caching server. They *look* like legit answers that beat the actual answer back. Because the legit answer has to be able to get back to the server, the spoofed ones are able to get there too.

The clients are only vulnerable within their own firewalled network; but a resolving server, even behind a firewall, is vulnerable to the Internet at large.

Re:Hey, I just wrote about this

[TooMuchToDo]

people would be ranting about it, but since it is Apple, it must be okay.

It's ok that it's Apple, because so few people use their products.

*ducks*

Re:Hey, I just wrote about this

[OriginalArlen]

If this was Microsoft, Sun, Red Hat, etc., people would be ranting about it, but since it is Apple, it must be okay.

To be fair, if you look up and down the comments around this you can see a big barrel o'hate being upended over Jobbsey's smug fatuous face. Quite right too, I'm delighted the short-lived love affair with "open source" geek types drooling over the idea of lickable bash shells is wearing off a little.

Re:Hey, I just wrote about this

[snowgirl]

But recall... this vulnerability is only available to someone who has access to the caching server in the first place...

No!

This attack is simply a flood of false answers to a dns query made by either a client or caching server. They *look* like legit answers that beat the actual answer back. Because the legit answer has to be able to get back to the server, the spoofed ones are able to get there too.

The clients are only vulnerable within their own firewalled network; but a resolving server, even behind a firewall, is vulnerable to the Internet at large.

*ponders ponders ponders* Ok... so, you don't have to force the DNS caching resolver to resolve a specific address... however, if I never visit anything at *.victim.com then I won't be bombed by something at blah.victim.com If they can poison by including an image on *.victim.com, I'm still not going to *.victim.com anyways.

So, you end up with opportunistic danger... still a ways away from arbitrary danger, and especially remote privilege escalation.

Re:Hey, I just wrote about this

[mortonda]

The attacker could send you a spam that has a image or link to blah.victim.com

Re:Hey, I just wrote about this

[snowgirl]

The attacker could send you a spam that has a image or link to blah.victim.com

I already stated... I never visit *.victim.com

So, it does no good, he's poisoned my cache, but to no effect... I will never visit the site he poisoned.

Re:Hey, I just wrote about this

[mortonda]

unless *.victim.com = *.slashdot.org ... and btw, the attack also caries glue records that can overwrite other records, including the nameservers. So by getting you to go to aaaagjghfjgf.slashdot.com, they have made all slashdot pages bad for you, and the next time you log in ( to their false page), they have your account information.

Now imagine they know where you bank...

Re:Hey, I just wrote about this

[snowgirl]

unless *.victim.com = *.slashdot.org ... and btw, the attack also caries glue records that can overwrite other records, including the nameservers. So by getting you to go to aaaagjghfjgf.slashdot.com, they have made all slashdot pages bad for you, and the next time you log in ( to their false page), they have your account information.

Now imagine they know where you bank...

Right... it requires special knowledge. Surely, that isn't that hard, and as well, they could easily set up a dredging email, just getting a few here and there.

Either way, as mentioned, you need to have special knowledge about what sites the individual is visiting. Without that knowledge it's a bunch of stabbing in the dark.

Re:I guess Microsoft have found the focus of their

whats this Vista you all speak of?

In related news..

Steve Jobs was heard murmering something about telekinesis, and how he should be able to patch every individual machine within a week from his iChamber.

After failing the task, a fresh clone was sent in.

Goes with the MobileMess...

Not surprised. Since 11/Jul, diligence, good customer relationships and even common sense seem to have left the company. Guess it's true that cellphones cause cancer: too much iPhone use has fried Jobs' brain...

They do not SEEM to understand even.

[Pfhor]

need to lay off the coffee right now.

Steve Jobs?

[st33med]

Maybe because he is sick/out of work is why they can't patch it (They fear their boss might yell at them for patching it without his consent...)

OR They are so stubborn that they believe there is and never will be anything wrong with a Mac.

OR They are still testing the patch (highly unlikely since it has little interference with how the server functions...)

Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.

Re:Steve Jobs?

[CAIMLAS]

Or, they're waiting to fix it in the next version, which you will have to pay for, but will have fuzzy little pink rabbits that come with it, free.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Right on

Well, that's what my Mac using friend whose reality is severely distorted told me - "I don't have to worry, I use Mac.". Further arguments were futile after that.

Re:Right on

[LostCluster]

Recapping our top story for those just joining us... there's a flaw in most common DNS esolving servers.

So it doesn't matter what desktop software you're running, it's what the machine that answers to the DNS server named in your IP config.

If you're using a Mac and your ISP is fixed, you're most likely fine. If your ISP isn't fixed, well, there's your problem.

Re:Right on

Exactly. And that was my point - he took it personally as if I was accusing his beloved OS to be insecure in any way while I was mentioning this for Apple servers.

Re:Right on

[mortonda]

That's not quite true. The flaw is in any system that asks a dns question. The attack is to answer that question first. Thus, a patch is needed for client systems too. Firewalls do nothing to prevent the attack, as the attack involves spoofing a legitimate and expected answer to a a question. You may note that MS had a patch for client systems a couple weeks ago... I saw the bind9-host package update in my ubuntu workstation. Even my router, DD-WRT, needed an upgrade.

The risk is minimized, however, because larger caching servers are a much more interesting target,since one hit can then reap many targets at once. My ISP hasn't patched yet, so I set up my own caching servers to bypass theirs. (and I thoroughly tested it!)

I'm a little miffed that my macbook doesn't have a patch yet, but due to my precautions, It can only be attacked from my local network right now. I only hope they get a patch out before I have to leave town. Oh nuts. There's a whole new risk - traveling onto an insecure network...the fun never stops.

Slashdot and Apple Schizophrenia

[syousef]

Remind me again, this week are we suppose to love Apple or hate them. I'm not a fan and any time I've posted comments that are less than adoring regarding me personal experiences with Apple, I've seen the moderation work like a yoyo. +5 no +2 no +4 no -1:Troll.

I mean moderation is broken and I say what I think without paying much attention, but it's annoying that it's so broken that you're not allowed to hold a consistent opinion without being punished for it.

Re:Slashdot and Apple Schizophrenia

[LostCluster]

I think this article we hate Apple because they missed a release date on a patch that /. considers critical, even if the rest of the world doesn't.

Re:Slashdot and Apple Schizophrenia

[Shados]

If all you had to do was keep a constant opinion, what would be the freagin point of posting at all? Bunch of zombies that all say the same thing, oh yeah, very constructive (though its ALMOST what it is anyhow).

Whats important is how constructive what you say is and if it adds value to the discussion (and yes, being funny does add value).

The system is broken, but not as much as one would think... Most the moderations I get on pro-Windows post get modded up (and those that get modded down, half of the time its because I was not constructive and only ranting), on such an anti-MS web site... so its not completly hopeless.

Re:Slashdot and Apple Schizophrenia

[Tim+C]

It's "supposed", not "suppose". Yes I am a grammar nazi, yes I have lost, etc.

Oh and moderation isn't so much broken as pointless. I hit the karma cap years ago - seriously, who cares?

Re:Slashdot and Apple Schizophrenia

[mrsteveman1]

You got all the karma you can get, now it's time to just start being a whore.

Re:Slashdot and Apple Schizophrenia

I hit the karma cap years ago - seriously, who cares?

What is the karma cap?

(Posted anon because I modded GP "+1 Insightful." Just doing my bit to add to the schitzophrenia.)

Re:Slashdot and Apple Schizophrenia

Never mind. My question was answered in the FAQ. I'll just content myself with adding to the mis-spellinks.

Re:Slashdot and Apple Schizophrenia

[stewbacca]

It's "supposed", not "suppose".

I supposed you are right.

really?

[pak9rabid]

when asked by the Apple community why Apple still has not issued a patch for the well known recently discovered DNS exploit, Jobs replied "we actually have OS X Server users?"

Automated Email Reply

[Stickerboy]

Dear valued Apple customer:

We received your message regarding "unpatched Mac OS X Server security hole". We appreciate your business, and we will do everything to address your concerns as soon as possible. Unfortunately, Steve is away from his desk on leave due to health concerns related to his non-lethal pancreatic cancer. He will be happy to fix the problem with "unpatched Mac OS X Server security hole" as soon as he returns to work.

Sincerely,

Apple Customer Service

Apple + patches == ohnoes

[HEMI426]

As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default. Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break Squirrelmail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.

I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went in to it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned is that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market...Which is really too bad, cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.

Now, that I've got that all that off my chest, Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market again; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else...Apple really has to get things together or get out of the "server" market.

Re:Apple + patches == ohnoes

[Pfhor]

I understand your pain. On the plus side, if you are a python / ruby developer, you have some things to look forward too, as a lot of apple's own components are being written in them, so those installs actually work most of the time. The perl one, not so much.

Of course, the biggest limitation to their serious server implementation is that there is not apple provided forum for users to be able to discuss their issues with beta release software. Let alone a publicly searchable bug tracker (right now we search by submitting bugs and waiting to see how long until the ticket is closed as either "by design" "we will get on it" or "duplicate"). So why should I bother to actually install a beta build of apples stuff to test, I can't really give any feedback, and there isn't any documentation out there floating around on how AD binding works in 10.5 vs 10.4. Which is a great example, apple's implementation of 10.5's ad plugin did not take into account that there could be multiple servers available, and that the first record returned for the ldap service may not be the same server as what was returned for the KDC. Why? probably because they only tested this with a single windows server in their test lab. So their engineers never even thought this was a problem. Of course, if we could test such things in beta, and they could see a group of folks bitching on the forums (all under NDA) about it, then they could probably even post a hot patch to the people with the issues and get faster feedback as a communication between the engineers and the people who are actually USING their code.

Re:Apple + patches == ohnoes

[Neanderthal+Ninny]

Ditto. Apple has been extremely slow to patch anything and I personally have to resort to using 3rd party and forums to patch Mac OS X Server to some secure level. I think they are concentration too much on the "eye candy" (ie iPhone, iPod, etc) and not putting any effort on the high end system like servers we have.
However, I haven't used the my XServer as a primary system (DNS or Mail) but as an file server for Apple, Windows and Linux files.
I don't know what is in the mind of the people Infinite Loop but I wish they could keep security which they tout so much in the forefront for all systems.

Re:Apple + patches == ohnoes

[catmistake]

Its really not all that hard to understand what their Server market is... "Servers for the rest of us." OS X Server is to the server market what their desktop is to the desktop market: a kinder, gentler server for those that don't really know everything they're doing. Someone who does know, perhaps like yourself, that is happy without a pretty GUI and easy to use tools shouldn't bother. Stick with CLI and FreeBSD or Linux or AIX or Solaris. Apple is targeting someone else and apparently you are just collateral damage.

Re:Apple + patches == ohnoes

[bigbadunix]

In the *real* world, where patching cycles are often monthly, and immediately patching production systems isn't an option [due to whatever managerial decision prevents it], I wonder how many real [i.e. production] systems are actually patched as I write this.

I'm not saying a patch shouldn't have been released now, I'm just saying just because a vendor-supplied patch is available doesn't mean that these systems are actually getting patched.

We all know well enough to use the right tool for the right job, and utilizing OS X Server as core infrastructure is like using a dremel when you need a belt sander. So there you go, 2 disjointed thoughts, making it my $0.04

In my NOC, nobody can hear you scream.

Re:Apple + patches == ohnoes

[HEMI426]

Oh, trust me, I wouldn't be using this thing if it weren't for my boss being a True Believer. At least I've managed to persuade him to let me run the web stuff on a FreeBSD VM (through VMWare Fusion, unfortunately, instead of a product I don't have to be logged in to use)...We needed PHP compiled with Oracle support and the FreeBSD stuff is just so much easier to manage than the Apple stuff once you get outside the box.

Re:Apple + patches == ohnoes

[catmistake]

Well, gotta admit the XServe hardware is pretty slick, at least. But style doesn't really count for much when the hardware is hidden in some cage somewhere. But it surely runs FreeBSD just fine. Also, if you like vmware and virtual servers, check out the free ESX (in another /. summary). Maybe your boss won't notice the difference... ESX sounds a lot like OS X (when pronounced wrong... which is usually).

Re:Apple + patches == ohnoes

[Sir_Real]

I'll second that, and add that their AD integration is absolutely horrifying.

I think they know they can't compete in the server market. Their hardware is too expensive, their software isn't free (and doesn't work better than the free alternative). There's no compelling reason to choose them over Dell unless you happen to have a staff of Apple admins that can't transfer their skill sets over to linux.

I don't want to call the product shit, but I don't know how to finish this sentence.

Re:Apple + patches == ohnoes

[rat_herder]

It's pretty obvious that Windows is now the dominant small business server of choice... also not free and doesn't work better than the free alternative.

People bitching about AD integration need to consider that AD is a proprietary protected setup.

Re:Apple + patches == ohnoes

[LizardKing]

Well, gotta admit the XServe hardware is pretty slick, at least.

No it isn't. On our sole Xserve (bought by my predecessor because he claimed "it's better for graphics" - essential for a headless server) there's no way to fit a second power supply, no Integrated Lights Out, no hardware RAID by default and mounting it on rack rails is a pain in the arse. Slick to look at, but shit to work with.

Re:Apple + patches == ohnoes

[catmistake]

ok, well, those problems have been addressed in the new one (pretty sure it now has redundant power supplies and lights out management, as well as up to 32gb ram and other new things), and it still looks pretty.

And if that is still hated, I have an ANS with redundant power supplies for sale (runs AIX... or NetBSD or yellow dog), raid card, extra drawers... parity memory... she's a beast

Re:Apple + patches == ohnoes

[HEMI426]

Apple has indeed caught up to most other low-end server vendors as far as hardware features goes. You can get an XServe with redundant power supplies now! They've even got a rack kit that isn't an absolute nightmare! They have LOM! You can option the machines with a RAID controller, but in our case we just reinstalled on to a software RAID mirror set up by Disk Utility. Their hardware is nowhere near anything special (although their one-piece drive sleds work decently), but it's nice to see that they're at least trying on the hardware front. If they did the same on the software front they might have something.

All of this stuff is present (and the RAID controller is available) for the Intel XServe I'm using now. It wasn't (except I think you could purchase a RAID controller) for the G4 XServe it replaced. I believe some of these features showed up in the G5 XServes.

My favorite new feature that Apple added to the XServe hardware? Link LEDs on their network interfaces.

The hardware isn't "slick." It's finally "not awful."

Re:Apple + patches == ohnoes

[amsr]

Of course, the biggest limitation to their serious server implementation is that there is not apple provided forum for users to be able to discuss their issues with beta release software. Let alone a publicly searchable bug tracker (right now we search by submitting bugs and waiting to see how long until the ticket is closed as either "by design" "we will get on it" or "duplicate"). So why should I bother to actually install a beta build of apples stuff to test, I can't really give any feedback, and there isn't any documentation out there floating around on how AD binding works in 10.5 vs 10.4. Which is a great example, apple's implementation of 10.5's ad plugin did not take into account that there could be multiple servers available, and that the first record returned for the ldap service may not be the same server as what was returned for the KDC. Why? probably because they only tested this with a single windows server in their test lab. So their engineers never even thought this was a problem. Of course, if we could test such things in beta, and they could see a group of folks bitching on the forums (all under NDA) about it, then they could probably even post a hot patch to the people with the issues and get faster feedback as a communication between the engineers and the people who are actually USING their code.

You *can* apply for the OSX Server customer seed program and get beta releases of the OS. IIRC they provide a discussion forum (under NDA) for beta testers. You can also provide feedback through your company's Apple reps/System Engineers.

Re:Apple + patches == ohnoes

[Pfhor]

I am part of the seed program, and there is no apple provided NDA only forum, for any of their products. This is the biggest issue folks are having with their NDA.

That is the problem. I can beta test apple's products, but since it is a one way feedback loop (that I am PAYING to be a part of), what good is it. I can't actively help in the development.

Re:Apple + patches == ohnoes

[amsr]

Really, we must be talking of different seed programs then, because they definately had a message board when I did it. The ADC program doesn't, but the customer seeding program does. http://appleseed.apple.com check it out...

Apple != Software || Hardware

Apple has never been good at software or hardware.

They gave up even maintaining their core operating system, switched to someone elses hardware and still cling to that stupid one button mouse.

I doubt most people working for Apple even know what bind is. Someone is fixing their operating system for free and they still don't get it.

Even microsoft had an offical patch out asap.

Where is the Slashdot Suxors guy?

Perfect headline-skewing opportunity..."Apple still has not patched the Goatse hole."

Apple not alone in leaving DNS hole unpatched

[ericferris]

I have a DSL broadband subscription with AT&T (it used to be a small local company and they got bought by whatever is now called AT&T).

I noticed that their DNS was unpatched and I used their support forms to report the problem.

The reply came only a few hours later. To quote: "We regret we cannot help you with your WorldNet dialup problem".

Huh?

So their networking department is not patching critical protocol flaws, and they programmed their answerbots to laugh at us users if we attempt to point out said flaws. Since when does Simon the BOFH work for AT&T DSL support?

AT&T network admin? It's a great job if you can get it.

Re:Apple not alone in leaving DNS hole unpatched

[duplicate-nickname]

Same here...I am on AT&T DSL service and the DNS servers are unpatched, and they haven't released patches for their 2wire DSL modems which do DNS proxying (hopefully not caching). I've switch my machines to OpenDNS, but I don't know how an ISP the size of AT&T is not taking this seriously.

Re:Apple not alone in leaving DNS hole unpatched

[jc42]

I don't know how an ISP the size of AT&T is not taking this seriously.

"We're the phone company. We don't care. We don't have to."

(Two points for getting the reference. ;-)

Re:Apple not alone in leaving DNS hole unpatched

[TooMuchToDo]

Lily Tomlin/SNL. Do I get extra credit if the skit took place 6 years before I was born (1976)? =)

3rd pty app for mouse accel adjust?

[reiisi]

Is the keyboard and mouse preferences panel in the system preferences not enough?

worried about moderation?

[reiisi]

If you're more worried about how you get moderated and what the results are than about saying what you really think, you're worried about the wrong thing.

Moderation is a gimmick to get people to come talk here. I sometimes succumb to the temptation to check how I've been moderated, too. But the only way I (think I) am letting moderation affect my posts is to motivate me to write clear, succinct, logical posts. And you can see that I don't let moderation motivate me very much. :|-

Re:worried about moderation?

[networkzombie]

I wish I had mod points so I could... Nevermind.

Re:Typical Apple Situation ... No, they want to

[davidsyes]

be CORED???

Cobblered?

Clobbered?

Never been truer

[djdavetrouble]

There is always one bad Apple (tm) that spoils the whole bunch.

Re:Never been truer

[yahadayahada]

Do apples grow in bunches? I think one bad one spoils the barrel. I guess the barrel is for cider. I don't know any more. blah

Given the issues this caused with vista...

[plasmacutter]

Given the issues this patch caused with vista, i'm not at all surprised they're putting more thorough testing through on this.

Apple does not want to lose it's "just works" reputation my slaughtering internet connections on its platforms.

Re:Given the issues this caused with vista...

[kisielk]

Apple? Doing thorough testing? You must live in some kind of alternate universe where Apple products don't break with every update...

- Frustrated user of Apple server products.

Re:Given the issues this caused with vista...

[Pfhor]

The problem really hasn't been that we are chiding Apple for(we being the OS X Server admins who support these boxes)most of us have gone and compiled our own versions of bind without issue, or being forwarding all recursion to opendns's servers, etc. (And custom installed BIND versions appear to be working fine in the server so far for most people).

It has been the total lack of response or public acknowledgement of the problem, no timeline for a fix, no patch and or updated knowledge base article on how to resolve the issue.

Apple just doesn't see it as a big enough issue to state it.

They still haven't responded to the ARDAgent.app privilege escalation exploit either.

Re:Given the issues this caused with vista...

Vista did not need a patch.

Re:Given the issues this caused with vista...

[weicco]

Given the issues this patch caused with vista

Issues? What issues? I'm not having any issues with my Vista. Oh, you must be talking about the issue with ZoneAlarm... But that's easy: no ZoneAlarm, no issues.

Apple without Jobs

You see? It starts...

I followed the links in the article . . .

And went to the source, and clicked the little "test my DNS" button, and it says my OS X is OKAY.

Are they sure Apple ain't patched it? Or is their little button broken? Or did they test it on an outdated OS X?

Lawyered up

[markdowling]

Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy

Re:Lawyered up

Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy

right:)

As a fellow Xserve admin

As a fellow Xserve admin, I have to agree with every gripe you've got up about OS X Server. For anyone who thinks otherwise, an Xserve with Samba and AFP is NOT a simple drop-in replacement for a Windows file server with AFP. I have nothing personal to add because the parent said it plain as day.

They've been plugging holes alright

as they fuck macin-fags in the ass with every dime they spend on shit that apple puts out. aids ass bitches.

Hi I'm a Mac

[Maestro485]

Hi I'm a Mac DNS server, and Windows Vista is way more secure than OSX.

*dives for cover*

Re: This is what I have done

[Douglas+Goodall]

Not being entirely happy with the DNS in Leopard Server, I run several DNS servers on the side that have been patched. What I run on the Apple Server are the Apple specific server apps. There was no particular reason to keep the DNS there.

Re: The killer server app

[Douglas+Goodall]

Mac OS X Server has a server based podcast utility that generates all your desired derivative versions of podcasts for various resolutions. You use a simple video capture client on your desktop or notebook and the video is uploaded to the server where a workflow is applied to it and a lot of stuff is done by one or more distributed machines. A very nice solution if you have more than pone podcast to do or want to support more than one resolution.

Re: The killer server app

[Bill,+Shooter+of+Bul]

I'm sure that's very easy to do, but is there really that much of a demand for the distributed rendering of podcasts? Are most of the killer features av related? That would make some sense.

Re: Maybe not the killer feature

[Douglas+Goodall]

I do Mac development here and I am messing around with podcast production. This just happens to be the first feature I came across that was a really nice touch. Multimedia mastering is big these days, and reducing drudgery is a noble goal. I am sure I will discover other fine features as I go forward, but I was impressed with that one.

Still vulnerable

If only the packages are signed, then an impostor update server could use Apple's older update packages to introduce old security holes into target systems.

The OS should use either SSL connections or signed manifests to avoid this problem.

Re:Still vulnerable

[metamatic]

If only the packages are signed, then an impostor update server could use Apple's older update packages to introduce old security holes into target systems.

...if it wasn't for the fact that the system update program won't downgrade the version of any Apple package.

PS (was Re:Mac OS X ...Server?)

Go read the Xserver mailing list archives

http://lists.apple.com/archives/Macos-x-server/2008/Jul/thrd5.html

Concerning the issue under discussion for a deeper
insight into how the Xserver community thinks.

Still Not Patched

[stewbacca]

Still not patched yet still not hacked (YMMV).

It's only a Windows problem...

[Carik]

...according to the tech support "engineers" at Apple. I spent about two hours on the phone with them Friday, trying to find out when or IF there would be a patch.

No one I talked to had ever heard of the problem.

Two people told me it was a Windows-only issue, and I shouldn't worry about it.

Neither of the two more helpful people I talked to had ever heard of bind.

One person put me on hold for just under five minutes, then told me he had made an "extensive search through Google" and wasn't able to find any information about a DNS vulnerability in Apple, so I must be mistaken.

One person had heard of bind, and told me that if there was a security problem, it would be fixed in the next security update. I asked when that would be released, and he told me "No one below Steve Jobs can tell you that -- it's proprietary information, and we don't release that sort of information."

So you can all relax -- it's not a problem that affects macs, and if it is, someone will fix it. Eventually. Maybe. But if we told you when it will be fixed, we'd have to sue you.

Re:It's only a Windows problem...

[amsr]

Did you call enterprise support? Or did you call 1-800-HALPMYIPODRBROKE? I doubt the tier one consumer support reps would know anything about this..

Re:It's only a Windows problem...

[Carik]

I called the support lines for governmental agencies (I work for a state university) and Universities -- in the past, they've been quite knowledgeable. Or, at least, not this uninformed.

"We sell a server?"

[LongestPrefix]

I had forgotten Apple even sold a server. Unfortunately, so did they.

Re:I guess Microsoft have found the focus of their

[thexile]

I heard that Microsoft has erm... (thinking..) Mojave

Diskliked MS ever since DOS 3.1

[krischik]

Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

Well I disliked Microsoft ever since Dos 3.1 (and had no contact with M$ products before). In fact I used DR-Dos if at all possible. M$ products always where something I only used if I where paid for or absolutely had to.

Of course I am not quite sure when my dislike turned into outright hate - but it must have been around the time when M$ betrayed IBM over OS/2.

Give Apple a break!

[200_success]

They're still busy developing a patch for the ARDAgent root exploit.

Re:Give Apple a break!

[shawnce]

They're still busy developing a patch for the ARDAgent [slashdot.org] root exploit.

http://lists.apple.com/archives/Security-announce/2008/Jul/msg00003.html

Open Scripting Architecture
CVE-ID: CVE-2008-2830
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: A local user may execute commands with elevated privileges
Description: A design issue exists in the Open Scripting
Architecture libraries when determining whether to load scripting
addition plugins into applications running with elevated privileges.
Sending scripting addition commands to a privileged application may
allow the execution of arbitrary code with those privileges. This
update addresses the issue by not loading scripting addition plugins
into applications running with system privileges. The recently
reported ARDAgent and SecurityAgent issues are addressed by this
update. Credit to Charles Srstka for reporting this issue. .
 
..also includes the patches to BIND...

BIND
CVE-ID: CVE-2008-1447
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact: BIND is susceptible to DNS cache poisoning and may return
forged information
Description: The Berkeley Internet Name Domain (BIND) server is
distributed with Mac OS X, and is not enabled by default. When
enabled, the BIND server provides translation between host names and
IP addresses. A weakness in the DNS protocol may allow remote
attackers to perform DNS cache poisoning attacks. As a result,
systems that rely on the BIND server for DNS may receive forged
information. This update addresses the issue by implementing source
port randomization to improve resilience against cache poisoning
attacks. For Mac OS X v10.4.11 systems, BIND is updated to version
9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version
9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this
issue.

Patch it yourself?

It's just bind, why not just build a replacement yourself?

(or use macports, which had the patched bind available the day ISC released the patch).

Very interesting story - if slightly belated.

[BuhDuh]

AN excerpt from my submission log:
2008-07-26 15:40:03 Apple Lags Patching DNS Poisoning Vulnerability (Apple,Security) (rejected)
Seems like I have to improve my karma (or something) to get noticed. Ah well, I'll continue reading, I just won't bother trying to submit.

re: Apple is in a different market-segment

[King_TJ]

I hardly think today's Apple is "following Microsoft's path 15 years later"?

Apple puts out quite a few security updates, as far as I can see. My OS X software updates has offered me several of them consistently, every month or so.

The fact is though, market share of Apple Macs running OS X is still well under 10% -- and unlike Microsoft, I don't think Apple as a company is that concerned about it either.

Steve Jobs has said repeatedly that he doesn't aim to be dominant in sales, like Microsoft. He's more comfortable having a company catering to consumers and small business customers, willing to pay a premium for a perceived "higher end" computing experience.

If Apple's business model was anything like Microsoft's - they'd be slashing prices on iMacs and Mac Minis, making sure $200-400 price point systems were out there in every single Wal-Mart and OfficeMax store, and would probably have sold OS X on store shelves for ANY generic PC by now too.

This also means Apple has the luxury of not having to stop what they're doing and immediately jump on patching every new security flaw that comes along. Only big corporate/govt. users are the ones truly paranoid and insistent on this stuff being fixed NOW. Most consumer and small office users don't even READ about such flaws, much less make their purchasing decisions based on how quickly the manufacturer addresses the flaws.

no surprise

beneath the shiny exterior, apple has always sucked tremendously from a technical and user centric focus, prefering to dedicate R & D to appealing to metrosexuals who are more interested in status than functionality.

Haven't you heard?

Apple doesn't have bugs or need patches...or don't you watch tv, read magazines, podcast.......

Only MS os's have to worry about such things the rest of us are as sound as a pound.

Inducing DNS lookups

[DragonHawk]

issues with cache poisoning can be dramatically reduced in risk by limiting requests for recursion to hosts within your own network.

I would generally expect it to be pretty easy to induce network members into doing DNS lookups. Some examples:

* Send spoofed email messages with hyperlinks to a web page you control to users inside your network. Use follow-on links or JavaScript on that web page to manipulate the user's web browser's to requesting the DNS names you want.
* Connect to a mail server that does lookups on the HELO or MAIL FROM domains (most of them, these days).

From there, it's a short trip to explotvile.

Ain't no damn hole and never were

It is a feature.

Clarification

For waht I understand of the pb, you shouldn't have any problem even if your DNS is not patched, unless you use recursion.

So basically, don't use recursion, right? And since you really don't need recursion, waht's the pb ? Misconfigured DNS?

ZoneAlarm was broken; Vista was unaffected

[DragonHawk]

Given the issues this patch caused with vista, i'm not at all surprised they're putting more thorough testing through on this.

The issue wasn't with Windows, it was with ZoneAlarm (which is not a Microsoft product). And Vista wasn't even effected, only 2000/XP, according to the ZA website:

http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html

Specifically, the ZoneAlarm firewall component assumed that DNS queries would always come from a single port. The fix for this DNS vulnerability is to intentionally randomize query source ports. ZoneAlarm simply assumed that DNS queries would only ever come from a single port, and fell apart. From an intrusion-detection standpoint, I could see that change in behavior raising some flags, but apparently ZoneAlarm's initial response was that the patch was defective, which suggests they simply didn't know what was going on.

Does Apple routinely test their OS security updates to make sure they don't break poorly-written third-party software? (I honestly have no idea; I'm not a Mac user.)

Logical Fallacy

[geekoid]

Please stop it.

"apple was never secure. It was just unused."

OSX is far more secure then Windows, always has been.

Typical Crapple

[phlegmboy]

They are a company that cares more about cutesy looks rather resonably priced products, popping out stupid adverts and suing people who have the emerity to make mention of their products before Crapple can have yet another overblowen posefest launch than that do about fixing as soon as issues are found . Once again the problems of a monopolistic structure rather than the more effective and efficient OSS model is showing it's flaws, to the detriment of the customers of that monopolistic monolith.

who cares?

[jcypher]

like who uses OSX server anyway? I've seen scads of macbooks, but OSX servers...? c'mon. I just tested a macbook and it came up just fine on doxpara's test.

hahaha

[sir+fer]

I was shown how secure the average mac is when I was able to crack into a passworded ibook by following some instructions I found using google. Yeah, great OS that MacOS, about as secure as windows.

But macs are great hardware....for running Linux ;o)

Re:hahaha

haha I can crack a linux, bsd or windows box even faster. It's insanely easy when you are at the laptop.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Well, they've patched it. Can we move on?

[argent]

Security Update 2008-005

* Open Scripting Architecture (ARDAgent etc...)
* BIND
* CarbonCore
* CoreGraphics (2)
* Data Detectors Engine
* Disk Utility
* OpenLDAP
* OpenSSL
* PHP
* QuickLook
* rsync