The Wayback Machine - https://web.archive.org/web/20040305061552/http://developer.apple.com:80/internet/security/securityintro.html
Apple Developer Connection

An Introduction to Mac OS X Security

As a web developer, information is your lifeblood, the tool and the substance of your trade. Keeping your information secure requires that your systems be protected from those looking to alter pages, steal data, or simply make sites unavailable. When using Mac OS X for web development, there are concepts you should understand and precautions you should take to make sure your development environment is secure.

This article presents topics that will help you make Mac OS X secure. If you are familiar with UNIX systems, you may want to skip the following section, which discusses some basic UNIX concepts, and move to the later portion of the article, which looks at the specifics of Mac OS X security. If, however, you come to Mac OS X from OS 9.x and would like some UNIX background information, be sure to read what follows.

A Quick Primer in UNIX/BSD

Mac OS X is new, but it has a long family history. It is a descendant of the BSD UNIX family and the original AT&T UNIX, which have been around more than 30 years. (See this Salon article for some interesting background.) This history provides Mac OS X with excellent power and stability, as well as a great deal more flexibility than earlier versions of Mac OS. This is especially true if you’re willing to take a look under the hood and work with the BSD subsystem directly.

As you start working with the UNIX system, you should be familiar with a few key concepts. These include:

  • The multi-user nature of UNIX systems.
  • The UNIX file system and associated permissions model.
  • The way UNIX provides network services.

UNIX’s Multi-user Nature

There are multiple user accounts in every UNIX system. Most of these accounts are associated with actual, human users. For example, you created an account when you supplied a username and password upon installing Mac OS X. Every process and application is associated with a user. So when you start an application after logging in, that application will be associated with your username.

UNIX systems also have accounts that are not associated with any person logging into the system; rather, they are built into the system. Five accounts are installed by default in Mac OS X: daemon, nobody, root, unknown, and www. To understand the full significance of these accounts, you’ll need to understand UNIX permissions, which will be discussed shortly. For now, keep in mind that www is the account used by the built-in web server, unknown and nobody provide minimal permissions, and daemon runs system services that need some permissions.

The root account is very special — it has no restrictions. Any application or process running with the privileges of the root user can read, write, or delete any file on the system; stop or start any application on the system; or do anything else it pleases. There is nothing the root user cannot do. Consequently, guarding access to the root account is very, very important.

In addition to users, UNIX has a concept of groups. A UNIX group is a collection of individual accounts. In the UNIX file permission scheme, which will be discussed shortly, you can grant permissions to a group. This provides a way of allowing a selected set of users to have identical access to files, directories, and applications, while denying access to other users. Individual user accounts belong to a default group and may be given membership in other groups.

UNIX Filesystem and Associated Permissions Model

If you’ve worked with file sharing in previous versions of the Mac OS, what you’ve read so far about users and groups should be familiar. Like the older versions of Mac OS, each object in UNIX systems (a file or folder) is owned by a user and is associated with a group. For each object, specific permissions can be granted to the owner, to the group, and to everyone else.

There are three basic permissions: read, write, and execute. The meanings of read and write are fairly straightforward; execute, however, has different meanings depending on whether the object is a file or a directory. For a file, execute means the file is executable (that is, it’s an application or a script), but if the object is a directory, execute means that the class (owner, group, or everyone) has permission to search the directory.

You can view the permissions associated with any file by opening up the Terminal application and using the ls command.

G4-OSX 1% ls -Fla
total 32
drwx------   9 eric  users   512 Mar  1 15:01 ./
drwxr-xr-x  16 eric  users  2048 Mar 11 18:06 ../
drwxr-x---   3 eric  users   512 Jan 12 13:02 Apple/
drwxr-xr-x   2 eric  users   512 Feb 19 15:15 OpenBSD/
-rw-r--r--   1 eric  users  2525 Mar  1 15:01 file_listings
-rw-r--r--   1 eric  users  2408 Mar  1 15:00 file_listings.2
lrwxr-xr-x   1 eric  users    15 Jan 12 12:54 symbolic_link_example@ -> Apple
drwxr-xr-x   3 eric  users   512 Feb  4 11:22 foobar/
drwxr-xr-x   2 eric  users   512 Jan 18 18:02 honeynet/
drwxr-xr-x   3 eric  users   512 Feb  2 13:56 ipf_howto/
drwxr-xr-x   3 eric  users   512 Feb 16 23:20 upgrades/
G4-OSX 2%

The collection of letters and hyphens furthest to the left indicates exactly what each element is and the permissions for that element. The first column of each line indicates the element’s type: d for directory, - for a regular file, and l for a symbolic link, which is essentially the same as an alias in Mac OS 9.x. The next three columns (rwx) show the permissions for the owner, the next three for the group associated with the file, and the last three for everyone. A - in any position indicates a lack of that permission. For example, rw- indicates read and write permissions, but no execute permission, and r-x indicates read and execute permission, but no write access.

For the third listing above (Apple/), you can look at the permissions (drwxr-x---) and know that this is a directory (the first letter is d) that has read, write, and execute permissions for the owner (rwx), read and execute permissions for the group (r-x) and no permissions for everyone (---).

The owner (eric) and the group (users) are both shown here, as well as the file size in bytes, the last modified date, and the filename. Also shown are the current directory (symbolized by a single dot) and the parent directory (symbolized by two dots).
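The decoding just described can be automated. The following script is an added example, not part of the original article: decode_mode splits a mode string from ls -l into type and per-class permissions, and world_writable scans a listing for entries that everyone may write to (the risk the article later notes for Classic Mac OS files). The sample listing is constructed from the article's example plus two deliberately world-writable entries.

```sh
#!/bin/sh
# Added example (not from the original article): decode the mode column
# of an `ls -l` line and flag entries that the "everyone" class can write.

# decode_mode MODE -> e.g. "directory owner=rwx group=r-x other=---"
decode_mode() {
    mode=$1
    case $(printf '%s' "$mode" | cut -c1) in      # column 1: object type
        d) kind=directory ;;
        -) kind=file ;;
        l) kind=symlink ;;
        *) kind=unknown ;;
    esac
    # columns 2-4 owner, 5-7 group, 8-10 everyone else
    printf '%s owner=%s group=%s other=%s\n' "$kind" \
        "$(printf '%s' "$mode" | cut -c2-4)" \
        "$(printf '%s' "$mode" | cut -c5-7)" \
        "$(printf '%s' "$mode" | cut -c8-10)"
}

# world_writable LISTING -> names of entries whose "everyone" class has w
# (column 9 of the mode string); `ls -l` prints the name in field 9.
world_writable() {
    printf '%s\n' "$1" | awk '$1 ~ /^........w/ { print $9 }'
}

# Constructed sample: lines from the article's listing plus two risky entries.
SAMPLE_LISTING='drwx------   9 eric  users   512 Mar  1 15:01 ./
drwxr-x---   3 eric  users   512 Jan 12 13:02 Apple/
-rw-r--r--   1 eric  users  2525 Mar  1 15:01 file_listings
-rw-rw-rw-   1 eric  users   100 Mar  2 09:00 shared_notes
drwxrwxrwx   2 eric  users   512 Mar  2 09:01 drop_box/'

decode_mode drwxr-x---
world_writable "$SAMPLE_LISTING"
```

On a live system, replace the sample with the output of ls -la for the directory you want to audit.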

UNIX Networking

UNIX systems are designed to be used in network environments. Frequently, UNIX systems host network services, such as Web servers, file sharing, and database servers. Although there’s no need to run these services on your Mac OS X box, you do have the option. You can run, for example, the Apache Web server with PHP and Perl and the MySQL database server in your development environment.

UNIX systems natively speak the various protocols of what is commonly referred to as the TCP/IP suite. Each network service will be associated with the IP address assigned to your machine. Additionally, each service will be associated with a TCP or UDP port. Ports are a feature of TCP and UDP that allow many processes on a single host access to TCP and UDP services simultaneously. Ports are numeric in the range of 1 to 65535, some of which are, by convention, assigned to specific services. For example, the HTTP service is commonly assigned to TCP port 80. There are a number of such assigned ports, but there are a far greater number of unassigned ports — that is, ports that are not commonly bound to a service or application.

The combination of an IP address and a port makes a socket, and a pair of sockets define a connection. Applications that provide network services listen for connections on a socket. For example, a secure web server commonly listens on the socket formed by the IP address of the server and TCP port 443.

The more sockets that are active on your machine, the greater the opportunity for an intruder to break into your box. More on this later.

Additional Reading

This has been a very quick introduction to a few important UNIX topics. Further information and details about UNIX, BSD, and UNIX networking can be found at the following sites:

Mac OS X Security Out of the Box

Following the initial install, Mac OS X is fairly secure. A few simple tweaks make it even more secure. But before we get to those changes, there are a few things you should notice during the install process.

Administrative Accounts

The first account created on a Mac OS X system is an administrative account. If possible, this account should not be the account you commonly use; it should be reserved for making changes to the system and installing system-wide applications. After installing Mac OS X, go into the Users item in System Preferences and create a new account without administrative access. For your common tasks, log in as that user.

The root account has been disabled, although it can be re-enabled if need be. This means that all administrative tasks, such as turning on and off various types of sharing and adding or deleting users, must be done by one of the administrator accounts.

The GUI tools for administrative tasks provide additional restrictions in that they do not allow direct software installs or other edits to the core portions of the OS. These restrictions prevent users from accidentally breaking their systems. Any time you launch an administrative tool, you will have to authenticate yourself by entering the username and password of an administrative account to make changes.

Active Network Services

After the initial install, Mac OS X provides only a few network services: automounter, syslog, sunrpc, and NetInfo, each of which will be described in a moment. Having few network services available is a good way to start off — the fewer services available over the network, the harder it is to break into your system. As an analogy, think of how scaling a smooth wall is much harder than climbing one with good finger- and foot-holds.

The automounter service is used for automatically mounting network volumes; syslog is both a process and a protocol for recording system logs. The sunrpc service maps Remote Procedure Call (RPC) application information into TCP/IP (a.k.a. Internet protocols). RPC is used for services like Network File System (NFS) — the standard method of file sharing in UNIX. You can read more about sunrpc from this W3C description and the RFC.

The NetInfo service is thoroughly described in Apple’s Knowledge Base.

Other Network Services

A variety of other services are available for activation. File sharing (AFP) over both TCP/IP and AppleTalk is available, as is Web sharing. Starting up either of these services opens additional network services and thereby introduces some risk; however, that doesn’t mean these services are insecure.

In-bound SSH and FTP services are also available in the Sharing System Preferences panel but are best left turned off unless you have a specific need for them to be active. SSH does provide for host-to-host and individual account authentication. It does this while encrypting all network traffic between the hosts. However, it is still an open service that may provide an attacker leverage into your system.

Simple Changes to Enhance the Security of Mac OS X

Once Mac OS X is installed, three quick steps will enhance your machine’s security:

  • Create an additional, non-administrative account and use that for all of your day-to-day work. Using a non-administrative account will make it harder to damage your system because you won’t have the privileges to commit a serious mistake.
  • Use the Mac OS X screen saver (Screen Effects). Not only is it cool to look at, but it can also help protect your machine from others who come by when you’re not around. Turn on the screen saver from within System Preferences (it has its own panel) via the Activation tab — 10 or 15 minutes for a startup time is a good default. Be sure to make the screen saver ask for your password before releasing the machine.
  • Turn on Network Time Synchronization. This is a good idea, particularly if you have a constant connection to either a local NTP (Network Time Protocol) server or the Internet. Ask your local systems or network administrator if you have a local NTP server. Keeping your clock synchronized to official time is helpful in coordinating forensics of an attack and detecting alterations to the system.

On-the-box Firewalling

You can minimize the risk of a network service being used to attack your machine by using the firewall built into Mac OS X. Called ipfw, it can prevent potential attackers from reaching these services. As of Mac OS X 10.2, Apple has included a simple GUI for configuring ipfw. The GUI is good for adding simple rules to your machine; more complex rules will require you to use either the command line tools for manipulating the firewall, or a third-party GUI that has more features. Building a comprehensive firewall requires a detailed understanding of what the firewall rules do and a certain amount of skill. Understanding TCP/IP networking is also important. Note that building firewall rulesets can cause your network connection to stop working, so be sure to invoke ruleset additions and changes directly on your machine and not from a remote location.

VPNs

Mac OS X 10.2 includes support for two types of Virtual Private Networks (VPNs), PPTP and IPsec. Using PPTP as a client is fairly easy: the “Internet Connect” application has an easy GUI for accessing PPTP servers. IPsec support is also built into Mac OS X 10.2, but there isn’t a built-in GUI for it. Again, either the command line tools or a third-party GUI tool can be helpful.

Logging

Recording events through system logging and reviewing these logs is a key element of good security. Good logging provides information as to what happened, when it happened, and (usually) who did it. By default, Mac OS X logs a fair bit of information to several files in the /var/log directory. One of these is system.log, which records general information from various subsystems. Examples of the types of events recorded in the logs are:

  • Firewall (ipfw) blocked packets.
  • Web server access and error messages.
  • Use of privilege escalation tools.
  • Informational messages, such as subsystem status messages.

Going Further

If you’re willing to take a look under the hood, you can get direct access to the UNIX command line. As a non-administrative user, you can navigate through a lot of the underpinnings of Mac OS X without worrying about altering the Mac OS X system. You can still cause yourself some problems; for example, you can overwrite your own documents, and alter Classic Mac OS files or volumes, as they default to world-writable directories and files.

Several command-line utilities allow your administrative account to do just about anything. The best of these is sudo, an application that allows specified users to do tasks with (potentially) no restrictions. Tasks are carried out as if they were called by the root user. By default, anyone in the group admin is allowed to use sudo. The good part about sudo is that it logs all usage along with the user who executed the command, which makes for good accountability and good debugging (you can see what you did to cause problems). If you find a need to do any administrative tasks from the command line, use the sudo command.
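Reviewing system.log for the two event types the Logging section lists (ipfw blocked packets and privilege escalation through sudo) can be scripted. The following is an added example, not code from the article: sudo_audit reports who ran what through sudo and whether it was allowed, and ipfw_denies lists packets the firewall dropped. The sample log lines are constructed to resemble Mac OS X 10.2 syslog output and are not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the original article): summarise sudo use and
# ipfw-blocked packets from system.log lines.

# Constructed sample resembling /var/log/system.log; not real captured data.
SAMPLE_LOG='Mar  5 10:12:01 G4-OSX ipfw: 65000 Deny TCP 10.0.0.5:4123 10.0.0.9:22 in via en0
Mar  5 10:12:04 G4-OSX ipfw: 65000 Deny TCP 10.0.0.5:4124 10.0.0.9:80 in via en0
Mar  5 10:13:22 G4-OSX sudo:     eric : TTY=ttyp1 ; PWD=/Users/eric ; USER=root ; COMMAND=/sbin/ipfw list
Mar  5 10:14:05 G4-OSX sudo:     eric : TTY=ttyp1 ; PWD=/Users/eric ; USER=root ; COMMAND=/usr/bin/vi /etc/hostconfig
Mar  5 10:15:40 G4-OSX sudo:    guest : command not allowed ; TTY=ttyp2 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/sh
Mar  5 10:16:00 G4-OSX ntpd[212]: time reset 0.3 s'

# sudo_audit LOG -> "user<TAB>OK|DENIED<TAB>command" for every sudo line.
# Fields: 1-3 timestamp, 4 host, 5 "sudo:", 6 invoking user.
sudo_audit() {
    printf '%s\n' "$1" | awk '
        $5 == "sudo:" {
            status = ($0 ~ /command not allowed/) ? "DENIED" : "OK"
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            print $6 "\t" status "\t" cmd
        }'
}

# ipfw_denies LOG -> "proto src dst" for each packet a logging deny rule hit.
# Fields: 5 "ipfw:", 6 rule number, 7 action, 8 protocol, 9 source, 10 dest.
ipfw_denies() {
    printf '%s\n' "$1" | awk '$5 == "ipfw:" && $7 == "Deny" { print $8, $9, $10 }'
}

sudo_audit "$SAMPLE_LOG"
ipfw_denies "$SAMPLE_LOG"
```

To run it against the real log, pass "$(cat /var/log/system.log)" instead of the sample; a DENIED line for a user who should never need sudo is worth following up.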

Working at the UNIX command line level, you can install and access a wide variety of UNIX-based security tools. Some of these tools will need a little programming work to get them to install. The additional resources links below are great places to look for these types of tools and packages.

Additional Resources:

Mention of non-Apple products or services is for informational purposes only. Apple assumes no responsibility with regard to the selection, performance, or use of these products.