Slashdot Mirror


Apple Still Has Not Patched the DNS Hole

Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
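
The vulnerability the summary refers to is the Kaminsky cache-poisoning bug, and the coordinated patch it mentions was source-port randomisation in resolvers such as BIND. The following is an added example, not part of the Slashdot submission or the TidBITS article: a small model of the attack loop that shows why a 16-bit transaction ID alone is not enough and what the patch buys. The port space is an assumption (modelled as a full 16-bit range; real resolvers draw from a narrower ephemeral range, which only favours the attacker), and the per-race guess count is a constructed parameter.

```python
import random

TXID_SPACE = 1 << 16        # 16-bit DNS transaction ID
FIXED_PORT = 1              # pre-patch: one predictable source port, so the attacker need not guess it
RANDOM_PORTS = 1 << 16      # post-patch: randomised source port (assumption: modelled as a full 16-bit
                            # space; real resolvers use a narrower ephemeral range, which helps the attacker)

def success_probability(guesses_per_race, port_space):
    """Chance that one burst of `guesses_per_race` distinct forged replies wins a single race."""
    space = TXID_SPACE * port_space
    return min(1.0, guesses_per_race / space)

def races_until_poisoned(guesses_per_race, port_space, max_races, seed=0):
    """Monte Carlo of the Kaminsky-style attack loop.

    Each race: the attacker makes the resolver look up a fresh random subdomain (so a cache miss
    is guaranteed and the attacker can retry at will), the resolver sends a query with a random
    TXID (and, post-patch, a random source port), and the attacker sprays forged answers carrying
    distinct TXID guesses before the genuine reply arrives.
    Returns the 1-based race number of the first poisoning, or None if `max_races` is exhausted.
    """
    rng = random.Random(seed)
    for race in range(1, max_races + 1):
        real_txid = rng.randrange(TXID_SPACE)
        real_port = rng.randrange(port_space)
        txid_guesses = rng.sample(range(TXID_SPACE), guesses_per_race)
        # With a fixed port every guess lands on port 0; otherwise the attacker must also guess the port.
        port_guesses = [rng.randrange(port_space) for _ in txid_guesses]
        if any(t == real_txid and p == real_port for t, p in zip(txid_guesses, port_guesses)):
            return race
    return None

if __name__ == "__main__":
    g = 4000  # constructed: forged replies the attacker can get in before the real answer
    print("per-race win probability, fixed port:  %.4f" % success_probability(g, FIXED_PORT))
    print("per-race win probability, random port: %.2e" % success_probability(g, RANDOM_PORTS))
    print("fixed port: poisoned at race", races_until_poisoned(g, FIXED_PORT, 500))
    print("random port: poisoned within 100 races?", races_until_poisoned(g, RANDOM_PORTS, 100))
```

With a fixed source port the attacker expects to win in a few dozen cheap races; with a randomised port the same spray has to cover roughly 2^32 combinations, which is what makes the unpatched BIND on Mac OS X Server the odd one out among the vendors the thread compares.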

21 of 296 comments

  1. Typical Apple Situation by Anonymous Coward · · Score: 5, Funny

    Waiting for the port.

  2. The patch is undocumented by commodoresloat · · Score: 5, Funny

    The problem is that they didn't apply the patch to the OS; they applied a patch directly to the Reality Distortion Field, ensuring that this isn't a vulnerability in the first place.

  3. Re:in case you didn't get the memo by Anonymous Coward · · Score: 5, Insightful

    What are you smoking? Apple has always been evil. Extremely litigious and questionable methods.

  4. Mac OS X ...Server? by sexconker · · Score: 5, Funny

    Wait, what?

    1. Re:Mac OS X ...Server? by Anonymous Coward · · Score: 5, Funny

      Wow, sounds great, tell me more about the security, I want to use their super-slick interface for my DNS servers.

    2. Re:Mac OS X ...Server? by jc42 · · Score: 5, Informative

      Hmm ... I don't think I'd recommend a Mac OSX machine for a server, especially to a small site without technical expertise. When I tried this a couple of years ago, it took me the longest time to figure out why not only that machine, but also a lot of machines in the neighborhood, were so flakey.

      One of the issues was the "Internet Sharing" buzz phrase. If you google that now, you'll find lots of warnings that if you enable this in OSX, it silently starts up a DHCP server. If there's already a DHCP server anywhere on the local network, you now have two of them battling it out, and the symptoms aren't something I'd wish on anyone but a networking expert. Apple's CS people were supremely unhelpful, too. They just made it clear that my problem was that we were running non-Apple equipment on the network, and we would have to shut them off before they could diagnose the problem. Yeah, right. I shut the OSX box off instead, and then started learning what it took to explain why that fixed the other machines' problems. If you're a novice, you really don't need a rogue DHCP server on your network. When the other users figure out that it's on your machine, they will not be very friendly.

      I've also experimented with an OSX web server. The main problem here is that OSX does funky things with file names, starting with their "caseless" feature. This works if everything was developed on OSX. But if you're running a web server, you're probably going to be including things from other machines in the vicinity. If they're not OSX, you'll go crazy trying to figure out what's going on with the file names. And you probably won't be able to fix it.

      The conventional answer you get from the OSX folks is to run the HFS+ file system, which supports case. Well, I tried that. It turns out you have to reformat the disk for HFS+; you can't just flip a bit to turn HFS into HFS+. I did that, and reloaded from backup. Then a couple months later, we had some problems with the disk. I sent it off to Apple for diagnosis, and it came back apparently fixed. Actually, they had replaced it with a new disk, and they copied all our files over. It was formatted as HFS. Oooops! This happened a couple of times with other Macs, so it seems to be a systemic problem. Pointing out to them that you're using HFS+ has no effect.

      And even with HFS+, there are some funky file naming problems that I don't understand. I saw a lot of cases where an rsync would produce strange file names on just the OSX system. Linux, Solaris, *BSD systems, and usually even Windows could rsync back and forth, and they'd end up with the same file names (though Windows would proceed to ignore case and get the wrong files at times). But on OSX, we'd see non-ASCII chars simply garbaged with no obvious pattern.

      So unless you know that you'll never want to copy directories full of files from a non-OSX machine, I'd advise against using OSX as a serious server. It won't work, and Apple's people won't cooperate with diagnosing the problems. (And you'll just get insults if you mention it here on /. ;-). Save yourself the headaches and wasted weekends, and build a server with a real unix-type file system that accepts any bit patterns except '/' and NUL in file names without damaging them.

      (And I have occasionally wished that I could use '/' and NUL in file names. I wonder if there's a system that allows all 256 8-bit bytes in a file name... ;-)

      (And I wonder if there are linux systems that do "intelligent" things with file names. If so, should we also be warning people to avoid them as servers?)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
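
The filename problems jc42 describes come from two things a "caseless" HFS+ volume does to names it is handed: it treats names differing only in case as one entry, and it stores non-ASCII characters in decomposed form, so the bytes that come back differ from the bytes that went in. The following is an added example, not code from the comment or from Apple: it checks a directory listing from a case-sensitive system for names that would collide or be rewritten when copied onto such a volume. The NFD + casefold() key is an approximation of HFS+'s own tables (assumption; HFS+ uses Unicode-3.2-era decomposition rules and its own case map), and the listing is constructed.

```python
import unicodedata

def canonical_key(name):
    """Approximate the entry a case-insensitive, decomposing filesystem stores for `name`.

    Assumption: NFD + casefold() stands in for HFS+'s own decomposition and case tables; it is
    close enough to show the effect, not a byte-exact model of the volume format.
    """
    return unicodedata.normalize("NFD", name).casefold()

def find_collisions(names):
    """Return groups of distinct source names that would land on the same target entry."""
    buckets = {}
    for n in names:
        buckets.setdefault(canonical_key(n), []).append(n)
    return [group for group in buckets.values() if len(group) > 1]

def names_rewritten_by_decomposition(names):
    """Names whose bytes change on the way in. After the copy, any byte-exact comparison
    (rsync's file list, a checksum manifest, a web server path lookup) no longer matches."""
    return [n for n in names if unicodedata.normalize("NFD", n) != n]

# Constructed sample: a listing as it might arrive from a case-sensitive Linux box.
SAMPLE_LISTING = [
    "Makefile",
    "makefile",                   # distinct file on ext3, same entry on caseless HFS+
    "r\u00e9sum\u00e9.txt",       # precomposed (NFC) e-acute, as most Linux tools write it
    "re\u0301sume\u0301.txt",     # decomposed (NFD) e-acute, as an OS X box writes it back
    "README",
    "index.html",
]

if __name__ == "__main__":
    for group in find_collisions(SAMPLE_LISTING):
        print("collision:", [n.encode("utf-8") for n in group])
    print("rewritten on copy:", [n.encode("utf-8") for n in names_rewritten_by_decomposition(SAMPLE_LISTING)])
```

Running this before an rsync into an OSX volume tells you which files will silently merge (the last one written wins) and which will show up as "changed" on every subsequent sync even though nothing was edited.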
    3. Re:Mac OS X ...Server? by raddan · · Score: 5, Informative
      As of today, we've extricated ourselves from the hell that was Xserves. We purchased a number of these machines because it seemed like an easy and cheap way to get a fileserver going that did both AFP and SMB, was AD-integrated, and could have its file store on a SAN. Well, after much money and a year later, the answer is that Apple very much oversold their ability to integrate into a Windows environment. Here are my gripes:
      • AD-binding is not straightforward. Apple really wants you to run an OpenDirectory, as this allows you to both manage Apple desktops and do single-sign on. If you just want to allow AD authentication on your MacOS X servers, good luck. You're in for a bugfest, with partially-working GUIs and many, many quirks.
      • #1 quirk being: you can't do cross-domain authentication, even if those domains are trusted. This was a showstopper for us.
      • There is only ONE backup application for Xsan that is both a) reliable, and b) has a reasonable support contract. We tried Retrospect (total POS), Veritas (ridiculous wait times for support), and finally, BRU. BRU has a decent product, but the number of MacOS bugs that plague this application make it unreliable and frustrating to use. OSS applications don't handle the numerous HFS+ corner cases. Rsync, which we used for snapshots, routinely hemorrhaged itself on files with extended attributes, despite the fact that this was APPLE'S OWN VERSION.
      • Ever try running a shared AFP/SMB volume on an Xsan? You can't. Surprise, surprise: Xsan is not HFS+ formatted. It uses CVFS, which is a Quantum/ADIC filesystem. Why? Because Xsan is simply a rebadged version of StorNext! So your AFP daemon will spew Mac metadata everywhere which your SMB daemon will not honor, thus totally corrupting your data. Fuck you, Apple. Seriously.
      • You can't modify MacOS X Server files on the command line. Oh, well, you could on 10.4 server; then lock the file and hope you never had to use the GUI again. But on 10.5, even that does not work-- it still overwrites your file; smb.conf is a perfect example. I figured, OK, maybe I should set the immutable flag, but then I started thinking... WHY am I using Apple products again?
      • Apple's enterprise support blows. Sometimes you get an answer, but no matter what, expect a long wait while people on the other end decide whether they want to bother answering your question or not. Want to follow-up on a bug that someone else reported? Good luck. Their bug reporter is terrible. Would it be so hard to run Bugzilla?

      Apple needs to get their shit together. Unless your needs are VERY straightforward, even 10.5 does not solve them. I'll admit that 10.5 has a much nicer server admin GUI, but it does not overcome the problems with the platform.

      We've moved all of these services to CentOS machines. By contrast, getting them working reliably was a walk in the park. Equivalent hardware (hotswap RAID (SCSI, I should add), redundant PSU, fiber channel card, GigE, dual processor machines in a 3U form factor (SuperMicro chassis)) comes out to about $1k less than an Xserve, on average. And when a part dies, like a backplane, I can BUY THAT PART. With Apple, you have to buy an entire parts kit, which comes with stuff you may not want.

      We now run Samba and Netatalk on CentOS on generic server hardware, connected to our StorNext network. There may be better SAN stuff out there than StorNext (in fact, their licensing department leaves much to be desired-- do they even know how to use their own product?), but we already had a lot invested (three Xserve RAID cabinets). Things run great now, and with the Linux version of BRU, our full tape backup [inexplicably] finishes 9 hours earlier (used to take 60 hours, now takes 51).

      My advice: Apple makes some nice desktops, but their server stuff is only for novices. I went into the experience very optimistic about Apple's stuff, but now I have a very bitter taste in my mouth.

    4. Re:Mac OS X ...Server? by Whiney+Mac+Fanboy · · Score: 5, Insightful

      it's 500 dollars for an unlimited license,

      Uhhh? unlimited license? For $500, Apple gives you a 10-client license?

      and does a hell of a lot more than throw a few OSS solutions into the box.

      OSS solutions:

      * Scale up onto hardware Apple can only dream about (talk to Sun or IBM for more info)

      * Fit into your existing vmware infrastructure.

      * Don't impose bullshit per-client licensing restrictions.

      * Don't leave you with a coating of vendor lock-in slime.

      Sure, if you're a complete Apple shop (hah!), then OS X server is probably a good fit for you, but in the real world, its mixed clients (or at least looking in that direction).

      If you're going to comment, it helps if you have half a clue what you're talking about.

      Well - at least we agree on this....

      --
      There are shills on slashdot. Apparently, I'm one of them.
    5. Re:Mac OS X ...Server? by Anonymous Coward · · Score: 5, Informative

      AD-binding is not straightforward. Apple really wants you to run an OpenDirectory, as this allows you to both manage Apple desktops and do single-sign on. If you just want to allow AD authentication on your MacOS X servers, good luck. You're in for a bugfest, with partially-working GUIs and many, many quirks.

      Of course with Mac OS X Server 10.5 you can use augmented accounts and run that OD if you desperately think you need to. Depends what services you're trying to run whether you need to or not, some services just need more directory information than AD can provide.

      #1 quirk being: you can't do cross-domain authentication, even if those domains are trusted. This was a showstopper for us.

      Yes you can. That's what the pretty little checkbox labelled "Allow authentication from any domain in the forest" does. Nifty eh?

      There is only ONE backup application for Xsan that is both a) reliable, and b) has a reasonable support contract. We tried Retrospect (total POS), Veritas (ridiculous wait times for support), and finally, BRU. BRU has a decent product, but the number of MacOS bugs that plague this application make it unreliable and frustrating to use. OSS applications don't handle the numerous HFS+ corner cases. Rsync, which we used for snapshots, routinely hemorrhaged itself on files with extended attributes, despite the fact that this was APPLE'S OWN VERSION.

      There are other backup applications available, I'm not going to go into them now. Rsync can be made to work fine with Mac OS X, depends on your needs of course. Are you trying to backup HFS+ or Xsan? Or can't you make up your mind where your data is?

      If you're backing up Xsan then HFS+ corner cases are pretty much irrelevant given...

      Ever try running a shared AFP/SMB volume on an Xsan? You can't. Surprise, surprise: Xsan is not HFS+ formatted. It uses CVFS, which is a Quantum/ADIC filesystem. Why? Because Xsan is simply a rebadged version of StorNext! So your AFP daemon will spew Mac metadata everywhere which your SMB daemon will not honor, thus totally corrupting your data. Fuck you, Apple. Seriously.

      That's right, it's not HFS+. Uhm, duh? A cluster file system needs to be, well, a cluster file system. Fortunately for you, you've just discovered that this creates the magic of a "._" file (AppleDouble extra data).

      Now I've currently got an Xsan cluster running that seems to serve out the same data via AFP and SMB and I haven't had any data eaten. Ever consider that maybe you're doing something wrong?

      You can't modify MacOS X Server files on the command line. Oh, well, you could on 10.4 server; then lock the file and hope you never had to use the GUI again. But on 10.5, even that does not work-- it still overwrites your file; smb.conf is a perfect example. I figured, OK, maybe I should set the immutable flag, but then I started thinking... WHY am I using Apple products again?

      Right, smb.conf. Maybe you could just read the file and look for the big comment noting:

      ; Site-specific parameters can be added below this comment.

      Maybe you could add your customisations below there like you're told to and be amazed that they don't get overwritten. Reading the documentation, that'd be a novel idea.

      Apple's enterprise support blows. Sometimes you get an answer, but no matter what, expect a long wait while people on the other end decide whether they want to bother answering your question or not.

      I've had great enterprise support including contact with engineering teams to fix specific issues I've had. Maybe you should be nice to your reps instead of abusing them in public forums.

      Want to follow-up on a bug that someone else reported? Good luck. Their bug reporter is terrible. Would it be so hard to run Bugzilla?

      Because I know that I want all my confidential data supplied to Apple so they can fix an issue to be public. This just isn't reasonable for any large company. Nor does it make much sense.

      If you're having a bug yourse
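
The smb.conf exchange above boils down to one rule: only the lines below the "; Site-specific parameters can be added below this comment." marker survive the admin tools rewriting the file. The following is an added example, not code from either commenter or from Apple: a helper that puts settings in exactly that block, replaces a value if the key is already there, leaves the Apple-managed lines above the marker alone, and refuses to proceed when the marker is missing (the case where edits would be overwritten). The sample smb.conf is constructed; the parameter names are ordinary Samba options used only as illustration.

```python
MARKER = "; Site-specific parameters can be added below this comment."

def _section_bounds(lines):
    """Return (start, end) such that lines[start:end] is the site-specific block:
    everything after the marker up to the next [section] header or end of file."""
    for i, line in enumerate(lines):
        if line.strip() == MARKER:
            start = i + 1
            break
    else:
        raise ValueError("marker comment not found; settings placed anywhere else "
                         "are liable to be rewritten by the server admin tools")
    end = start
    while end < len(lines) and not lines[end].strip().startswith("["):
        end += 1
    return start, end

def site_parameters(conf_text):
    """Parse the key = value pairs that live in the site-specific block."""
    lines = conf_text.splitlines()
    start, end = _section_bounds(lines)
    params = {}
    for line in lines[start:end]:
        stripped = line.strip()
        if not stripped or stripped[0] in ";#" or "=" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split("=", 1))
        params[key] = value
    return params

def apply_site_parameters(conf_text, params):
    """Set each key in `params` below the marker, replacing an existing site value or appending.
    Idempotent: applying the same params twice yields the same text."""
    lines = conf_text.splitlines()
    start, end = _section_bounds(lines)
    remaining = dict(params)
    block = []
    for line in lines[start:end]:
        stripped = line.strip()
        key = None
        if "=" in stripped and stripped[0] not in ";#":
            key = stripped.split("=", 1)[0].strip()
        if key in remaining:
            block.append("  %s = %s" % (key, remaining.pop(key)))
        else:
            block.append(line)
    # keep new keys inside the block, ahead of any blank lines that precede the next section
    trailing = []
    while block and not block[-1].strip():
        trailing.insert(0, block.pop())
    block.extend("  %s = %s" % kv for kv in remaining.items())
    block.extend(trailing)
    return "\n".join(lines[:start] + block + lines[end:]) + "\n"

# Constructed sample, shaped like a vendor-managed smb.conf with one site override already present.
SAMPLE_SMB_CONF = """[global]
  workgroup = WORKGROUP
  server string = Mac OS X
  log level = 1
; Site-specific parameters can be added below this comment.
  log level = 2

[homes]
  browseable = no
"""

if __name__ == "__main__":
    print(apply_site_parameters(SAMPLE_SMB_CONF, {"log level": "3", "unix extensions": "no"}))
```

Because the helper never touches lines above the marker, the managed "log level = 1" stays put and Samba's last-value-wins rule gives the site block the final say; a missing marker raises instead of quietly placing a setting where the GUI will clobber it.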

  5. Steve Jobs? by st33med · · Score: 5, Insightful

    Maybe the reason they can't patch it is that he is sick/out of work (they fear their boss might yell at them for patching it without his consent...)

    OR They are so stubborn that they believe there is and never will be anything wrong with a Mac.

    OR They are still testing the patch (highly unlikely since it has little interference with how the server functions...)

    Sure, they can get away with a whole lot of stuff since they aren't a monopoly like MS, but, this is just wrong.

  6. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  7. Re:t3h horror! by Annymouse+Cowherd · · Score: 5, Funny

    I would bet it's about as many as are being used as servers, which is not many.

  8. Right on by Anonymous Coward · · Score: 5, Insightful

    Well, that's what my Mac using friend whose reality is severely distorted told me - "I don't have to worry, I use Mac.". Further arguments were futile after that.

  9. Re:Hey, I just wrote about this by Pfhor · · Score: 5, Insightful

    this is related to Apple's OS X Server product, which runs DNS (bind in fact), and many mac businesses do in fact use it, if even as a local DNS cache (for which a simple fix now would be to configure their boxes to use OpenDNS).

    The bigger issue is this is a pretty big deal on the security front, all of the businesses that apple has to compete with in the server space (especially in the eyes of enterprise IT), have had a fix and a public statement about it out the door. Apple is the big unix vendor missing off the list, and has not even made a public statement as such to inform its users about the issue. Not exactly the best way to talk about how secure their products are (client and server).

    Of course, they still haven't gotten around to fixing the ARDAgent.app vulnerability from a few weeks back either.

  10. Re:t3h horror! by Anonymous Coward · · Score: 5, Funny

    I'm not sure. But what I do know is that the patch is going to require a hardware upgrade; Apple would have it no other way.

    [runs and hides]

  11. Re:Apple meet real world by sxeraverx · · Score: 5, Interesting

    apple was never secure. It was just unused. The exact same thing is going on ATM with their X server. Not so much a security flaw (though it might be) as much as a major bug. If you send too many events at once (not insane amounts, just a lot) it simply crashes, bringing down all the X apps with it. Upstream was fixed over a year ago, they just refuse to roll out an update. I guess it's an attempt to make devs port to coco/carbon/whatever-it's-called, but for some of us, that's just not an option. More specifically, it's a program developed by part of a university bioinformatics lab, and we just don't have the manpower or the grant support to do it. So we're either stuck with only supporting Linux, trying to find a workaround, or just ignoring it and hoping it doesn't happen too often. The last option is what we ended up choosing.

  12. Apple + patches == ohnoes by HEMI426 · · Score: 5, Interesting

    As someone that's cursed to administer an OS X Server machine, I have nothing good to say about Apple in general and OS X Server in particular. Apple's history of patching---or, in this case, not patching---stuff has been lukewarm at best and downright abysmal at worst. The Server 10.5.3 update introduced something that causes ClamAV to crash/reboot a Server machine when mail is turned on (since ClamAV is on by default). Nice one. They've had other stellar examples of their extreme lack of QA for their Server software, such as updating their included PHP to a version that was known to break Squirrelmail (the default webmail that comes with OS X Server), even though a fix had been available for months from the PHP maintainers.

    I'm a huge fan of FreeBSD. I have been doing this OS X Server thing for more than two years now. I went into it with an open mind, hoping that Apple wouldn't screw things up too badly. I was disappointed. The only things I've learned are that their Server QA is awful, they don't actually use their own Server software internally, their customer service is horrible when it comes to their Server stuff and their Server documentation is awful. I could rant about that for several pages. All of this leads me to believe that Apple really doesn't want to do well in the "server" segment of the market...Which is really too bad, 'cause they've finally got the hardware side of it to the point where there's not much separating them from most other low-end server vendors.

    Now that I've got all that off my chest, Apple's dropped the ball on the BIND update. This is not surprising. Anyone that's administered OS X Server for any length of time probably feels the same way. It's so bad that I will suppress my OS X experience next time I am in the job market again; I hope to never work with OS X (particularly as a server) again and will do everything in my power to avoid doing so. I'm batting a thousand on persuading people interested in using OS X Server to use anything else...Apple really has to get things together or get out of the "server" market.

  13. Re:t3h horror! by JanneM · · Score: 5, Funny

    Either that, or a $20 charge for "new features"...

    Come now, give Apple some credit. This isn't just some run-of-the-mill bug, this is a serious security issue that could cause their customers some serious harm if not fixed.

    I'd expect $100 at least; or perhaps they'll introduce the innovative "iLease", with a "lease to own" path for the fixed bug where it's patched permanently on your server after only three years of monthly bug fix rental.

    --
    Trust the Computer. The Computer is your friend.
  14. Re:Is it really so hard? by MrNaz · · Score: 5, Insightful

    Personally, the brazen "stomp everywhere and expect the world to bow to their whims" attitude reminded me of Microsoft in the mid 90s.

    Now, complacency with regards to security confirms it: Apple are following Microsoft's path 15 years after them.

    It's just a matter of time until geeks wake up and start hating them. Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie. Everyone wanted to be Bill Gates back then, he was the noble knight/geek taking on the world and bringing down empires like IBM and DEC with his accessible to all consumer computers. It was only after Linux came on the scene that geeks turned on him like the fickle fashionistas that they claim they aren't.

    Face it, Apple, like Microsoft before them, are just the flavor of the month.

    --
    I hate printers.
  15. Lawyered up by markdowling · · Score: 5, Funny

    Why patch when you can tell your lawyers to issue cease and desist letters to everybody - starting with that Kaminsky guy

  16. Re:Is it really so hard? by ktappe · · Score: 5, Insightful

    Oh, and don't claim you hated Microsoft prior to 1995, you know it's a lie.

    Fail. I was a vocal opponent of Windows 3.1, calling it the abomination it was. Also, you seem to think there are no geeks hating on Apple now. I'm not sure what blogs/newsgroups/boards you read, but if you can't find plenty of anti-Mac/Apple hate, you must have some pretty good filters.

    --
    "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007