[Ti] Protecting your Data [was: TiBook 1GHz/SuperDrive US Mac OS ROM file?]

Robert Nicholson robert at elastica.com
Tue Dec 31 02:07:14 PST 2002


What prevents me from booting from an external OS X disk that I have root access on, copying over the user files from this disk and "recreating" that user on the other machine? Now I have the password to that user's account, as I've created it. The only difference is that I've replaced the user's home directory. As the password is stored in the user's keychain, and I assume keychains allow themselves to be copied around like any other file, what stops me from then logging in as that user and gaining access to this encrypted image?

On Monday, December 30, 2002, at 10:40  PM, Neil Cadsawan wrote:

> This was posted on Slashdot the other day and I thought that some  
> people here might find it interesting:
>
> http://apple.slashdot.org/article.pl?sid=02/12/29/1353252&mode=thread&tid=179
>
> This is actually something that is covered in the new Mac OS X  
> Administration and Integration sysadmin technical training course from  
> Apple that will be going live in January. As the author of that  
> section of the course, let me give you a bare bones outline here.
>
>
>    1. Log in as the user whose files you want to secure.
>    2. Create an encrypted disk image using Disk Copy at the top level  
> of the user's home directory. When it asks for the disk image  
> password, be sure that the "remember password" option is checked --  
> this saves the disk image's password on the user's default keychain.
>    3. Use ditto to copy over the following directories from the user's  
> home folder onto the encrypted disk image:
>       ~/Desktop
>       ~/Documents
>       ~/Library/Mail
>       ~/Application Support/Addresses
>       ~/.ssh These are the important ones; you can copy over other  
> items as well, but definitely don't do the entire ~/Library folder,  
> and don't do the ~/Library/Keychains or ~/Library/Preferences folders.
>    4. Set the disk image to automount on login by dragging it into the  
> Login Items preferences pane.
>    5. Use mv to shift the directories aside (e.g. mv ~/Documents  
> ~/Documents.save) and set up symlinks onto the disk image (e.g. ln -s  
> /Volumes/Secure/Documents ~/Documents).
>    6. Log out and log back in again. The disk image will be  
> automounted at login, using the password stored on the default  
> keychain which also unlocks on login. Everything should just work! :-D
>    7. Now for the housekeeping: delete the .save directories you  
> created earlier, and be sure to turn off automatic login in the  
> Accounts preferences pane.
>
> Why do it this way instead of the way that Joshua Gitlin wrote up?  
> First, you don't need admin access to a machine to make it work. You  
> may not have admin access on a company machine, or as a sysadmin you  
> may not want to give admin access to most of your users.
> Second, using Joshua's method, once the disk image is mounted it's  
> open to anyone who has admin access on that machine, whether or not  
> you are logged in at the console. By using an automounted image with  
> the password stored on the keychain everything is secure until you  
> actually log in, and everything is secured once you log out.
> Third, this way is a lot more convenient. If you make security too  
> inconvenient, users will circumvent it. Instead of two logins, you  
> only have to do one. Technically unsophisticated users (secretaries,  
> lawyers, vice-presidents, etc.) don't need to do anything different.
>
> <BLATANT PLUG>
> Go to Apple Training [apple.com] and sign up for a course or two.  
> They're well worth the money and help me keep my job. :-D
> </BLATANT PLUG>
>
> --Paul
> psuh at apple dot com
> Curriculum Developer
> Technical Training and Certification
> Apple Computer
>
>
> -Neil
>
> -------
> http://rainer3.com
>
>
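Steps 3 and 5 of Paul's outline (copy the directories onto the image, move the originals aside, symlink back), written up as a small POSIX shell script. This is an added example, not code from the original post or from Apple's course; the home directory and the mounted image path are parameters rather than the real ~ and /Volumes/Secure, `cp -a` stands in for ditto so it runs on any Unix, and the script refuses the Keychains and Preferences folders the post says to leave alone and refuses to do anything if the image volume is not mounted.

```shell
#!/bin/sh
# relocate HOME VOLUME RELPATH
#   copies HOME/RELPATH onto VOLUME/RELPATH, moves the original to
#   HOME/RELPATH.save and leaves a symlink HOME/RELPATH -> VOLUME/RELPATH.
# Example (hypothetical paths): relocate "$HOME" /Volumes/Secure Documents

# The keychain holds the image password and Preferences reference the
# image; moving either onto the image would lock you out of it.
is_forbidden() {
    case "$1" in
        Library/Keychains|Library/Keychains/*|Library/Preferences|Library/Preferences/*) return 0 ;;
        *) return 1 ;;
    esac
}

relocate() {
    home=$1; vol=$2; rel=$3
    if is_forbidden "$rel"; then
        echo "refusing to move $rel: keychains and preferences stay in the real home" >&2
        return 2
    fi
    # An unmounted image would turn the symlink into a dangling link.
    [ -d "$vol" ] || { echo "image volume $vol is not mounted" >&2; return 3; }
    src="$home/$rel"; dst="$vol/$rel"
    if [ -L "$src" ]; then
        # Already relocated: no-op if it points at the image, refuse otherwise.
        [ "$(readlink "$src")" = "$dst" ] && return 0
        echo "$src is a symlink to somewhere else; not touching it" >&2
        return 4
    fi
    [ -d "$src" ] || { echo "$src is not a directory" >&2; return 5; }
    mkdir -p "$(dirname "$dst")"
    cp -a "$src" "$dst"      # ditto "$src" "$dst" on Mac OS X
    mv "$src" "$src.save"    # step 5: shift the original aside
    ln -s "$dst" "$src"      # step 5: symlink onto the image
}

# verify_link HOME VOLUME RELPATH: true only if the link exists, points at the
# image and resolves (i.e. the image is mounted), which is what a login must see.
verify_link() {
    [ -L "$1/$3" ] && [ "$(readlink "$1/$3")" = "$2/$3" ] && [ -d "$1/$3/" ]
}
```

Run the housekeeping of step 7 (removing the .save copies) only after verify_link succeeds for every relocated directory.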