Test User Approval Kernel Extension Loading on mac (TN2459) - macos-high-sierra

TN2459 (https://developer.apple.com/library/content/technotes/tn2459/_index.html) explains that under macOS High Sierra user approval is required for loading new third-party kernel extensions.
The kext that I would like to test was loaded before the upgrade to High Sierra, so loading the same kext after the upgrade does not trigger the user approval flow that I would like to test.
The kernel extension user consent is enabled:
$ spctl kext-consent status
Kernel Extension User Consent: ENABLED
I deleted the entry that corresponds to the kext in the kext_policy table in /private/var/db/SystemPolicyConfiguration/KextPolicy under recovery mode and restarted several times. But the user approval flow is still not triggered when I load the kext.
I wonder if the policy info is cached somewhere else and if I need to clear NVRAM for my machine or tell syspolicyd to clear its cache? Or are there other things that I need to do?

In short, you have to boot in recovery mode (Mac+R) and edit the sqlite table /private/var/db/SystemPolicyConfiguration/KextPolicy.
This table is accessible in read-only mode in normal boot:
sqlite3 /private/var/db/SystemPolicyConfiguration/KextPolicy
sqlite> SELECT * FROM kext_policy;
sqlite> SELECT * FROM kext_load_history_v3;
You have to remove your entries (recovery mode) and reboot, like this (Replace 'G43BCU2T37' with your team_id):
sqlite> DELETE FROM kext_policy WHERE team_id = 'G43BCU2T37';
sqlite> DELETE FROM kext_load_history_v3 WHERE team_id = 'G43BCU2T37';
sqlite> .exit
To avoid the reboot every time, you could alter the "System Integrity Protection" configuration (in recovery mode): csrutil enable --without fs --no-internal. Now kext_policy is changeable from normal boot.
The whole procedure is described here: https://forums.developer.apple.com/thread/79172#248518.

Was able to test it using a high sierra vm. The full step of installing the vm is: https://www.howtogeek.com/289594/how-to-install-macos-sierra-in-virtualbox-on-windows-10/

Related

"Agent History Clean Up: Distribution" and "Distribution Clean Up: Distribution" Missing when Creating Merge Replication Instance

I've noticed recently that my distribution db is massive, and while searching for solutions, I keep coming across articles mentioning that these 2 jobs should be running:
"Agent History Clean Up: Distribution" and
"Distribution Clean Up: Distribution"
Other users have reported that these seem to be disabled by default, but I do not see them at all (under SQL Server Agent > Jobs). To ensure that it wasn't something to do with my specific instance of replication, I created a dummy instance and the jobs were still not created.
How do I ensure that these are properly created?
I ended up having to completely disable distribution on the server, and re-configure it, from scratch (I used the GUI).

how can i know user allowed kernel extension from security&privacy in high sierra

I created kernel extension for mac high sierra.
When i load kernel extension file in high sierra user should allow from security & privacy.
How can i verify that user allowed my kernel extension from security & privacy?
Is there any file in which user allowed kernel extension detail are stored.
The information about approvals is stored in sqlite3 database:
/var/db/SystemPolicyConfiguration/KextPolicy
The table is kext_policy. E.g.
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
select * from kext_policy;
BTW, I have no idea how much you can rely on this, i.e. whether Apple will decide to change this in Mojave or any future MacOS release.
There is also spctl kext-consent <action> command, but it does not work properly on my 10.13.6 system. Maybe this will be the "correct" approach in the future.
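As an added example serving both the first answer on this page and this one (it is not code from either post): a small Python helper that queries a KextPolicy-style SQLite database to check whether a kext has been user-approved, lists approved kexts, and, for the reset procedure, drops one team's rows. It assumes the 10.13 kext_policy schema (team_id, bundle_id, allowed, developer_name, flags) and builds an in-memory copy seeded with constructed rows, since the real file is root-only.

```python
import sqlite3

KEXT_POLICY_DB = "/var/db/SystemPolicyConfiguration/KextPolicy"

# Constructed sample rows (team_id, bundle_id, allowed, developer_name, flags)
# standing in for real table contents; the team ID is the one from the answer.
SAMPLE_ROWS = [
    ("G43BCU2T37", "com.example.mykext", 1, "Example Corp", 1),
    ("ABCDE12345", "com.vendor.filter", 0, "Vendor Inc", 1),
    ("ABCDE12345", "com.vendor.driver", 1, "Vendor Inc", 1),
]


def open_policy_db(path=KEXT_POLICY_DB):
    """Open the live database read-only (URI mode) so a query can never modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory stand-in using the assumed kext_policy schema, seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, allowed BOOLEAN, "
        "developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id))"
    )
    conn.executemany("INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def is_approved(conn, team_id, bundle_id):
    """True only for an explicit allowed=1 row; a missing row means 'never approved'."""
    row = conn.execute(
        "SELECT allowed FROM kext_policy WHERE team_id = ? AND bundle_id = ?",
        (team_id, bundle_id),
    ).fetchone()
    return row is not None and bool(row[0])


def approved_kexts(conn):
    """All (team_id, bundle_id) pairs a user has approved, in a stable order."""
    return conn.execute(
        "SELECT team_id, bundle_id FROM kext_policy WHERE allowed = 1 "
        "ORDER BY team_id, bundle_id"
    ).fetchall()


def forget_team(conn, team_id):
    """The first answer's DELETE for one team_id; returns how many rows were dropped."""
    cur = conn.execute("DELETE FROM kext_policy WHERE team_id = ?", (team_id,))
    conn.commit()
    return cur.rowcount
```

Point open_policy_db at the live file only as root; rows there can only be deleted from Recovery, or after the SIP change the first answer mentions.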

Could not update .ICEauthority file

Recently I changed the permissions of the file system and gave myself all the rights. I logged out of the system and I couldn't log back in. I got the error message
Could not update ICEauthority file /home/marundu/.ICEauthority
I did a live boot with a Fed 17 disc and replaced my .ICEauthority file with the live-user version and it worked for a time, until I logged out again. Now, the login progress screen is all that shows. I can log into command mode (Ctrl-Alt-F2) but I can't sudo - I get the error messages:
sudo:/usr/libexec/sudoers.so must be only writable by owner and sudo: fatal error. Unable to load plugins.
I just found a good link on Ubuntu:
Ask Ubuntu: ICEauthority permissions problem
Some things to note:
I tried the obvious things like changing file permissions, but found my whole home directory was somehow owned by root. I believe this was due to a failed package update.
I used a recovery disk (Knoppix ISO) for ease of use: Better UI
When mounting the bad home partition, I used the most common Linux file type (Ext4)
I used 'sudo mount -o rw -t ext4 /dev/sda1 /mnt'
When changing ownership, I used the numeric user:group specification, since the recovery disk doesn't have the symbolic users and groups: 'sudo chown -R 1000:1000 /mnt/home/userdir'
I verified that /home/userdir had rwx for owner, r-x for group / other. This is noted as a valid set of permissions for ICEauthority; others can work. See the linked discussion.
Hope that helps someone...
I got the “Could not update ICEauthority file” error and found that my home partition was in "Read-Only" mode. Thus, this error made sense.
The real question was what caused the "Read-Only" attribute on the partition. I ran "dmesg | grep read-only" and found that there were serious errors with the file system on my home partition, which the kernel had set to "read-only" during the boot process.
I then booted from a USB key (CDROM would do as well) and ran "sudo fsck /dev/sdXY" where /dev/sdXY is the partition containing my home directory. fsck corrected a number of file system errors on my home partition.
I then rebooted after removing the USB key/CDROM and the problem went away.
Bottom line: Check if your home partition has file system errors. They might be the cause of this error. If so, run fsck from an external device on the partition containing your home directory.

VirtualBox revert to snapshot from inside guest

Is there any way to restore a snapshot from inside a VBox guest machine?
I have a Windows machine that hosts numerous machines. Currently we are working with something using an Ubuntu guest and it is really painful to have to keep switching machines just to revert a snapshot.
What I had in mind is setting the machine to a "base" state and every time I want to go to that I just type some command like:
revertbase
Then the machine would restart in the previous snapshot and I would just need to restart ssh to continue.
You cannot snapshot a running machine, you have to freeze it before, so my guess is that the host itself cannot do that.
In the host machine, from command line you can do this using VBoxManage.
The file is located in
Program Files/Oracle/VirtualBox/VBoxManage.exe
and is used as a command-line interface with VirtualBox.
Using the command:
VBoxManage snapshot "MachineName" take SnapShotName
Then after that:
VBoxManage snapshot "MachineName" discardcurrent -state
to return to the last state. For more, read the text below; to have easy access to VBoxManage, add it to your path:
PATH=%PATH%;c:\Program Files\Oracle\VirtualBox
Taken from: http://www.linux.com/news/enterprise/systems-management/8224-secrets-for-controlling-virtualbox-from-the-command-line
Managing snapshots
One of the most useful features of virtualization software is its ability to take snapshots of VMs. It's always a good idea to take a snapshot of a VM before making changes to it. Snapshots help on the hardware level to recover a system that has been rendered unusable due to changes to the hardware configuration, and on the software level they protect against data loss due to accidental deletion or viruses.
Taking a snapshot from the VirtualBox CLI is child's play. VBoxManage snapshot "Fedora" take snap1-stable-system takes the snapshot of a stable Fedora VM when everything is working perfectly. Saving a snapshot might take some time, depending on the VM and the resources on the host. To make sure you don't make changes to a system while a snapshot is being taken, VirtualBox grays out the whole VM interface, and you cannot use it until the snapshot has been saved.
With a stable snapshot in hand, go ahead and play with the system. If you get in trouble and your machine won't boot or starts behaving abnormally, you can revert to the snapshot of the stable machine. To do this, first power off the VM with VBoxManage controlvm "Fedora" poweroff, then revert to last snapshot with VBoxManage snapshot "Fedora" discardcurrent -state. If you have multiple snapshots, you can revert to the last but one snapshot with the -all switch instead of -state.
Of course when you revert to an older state, all the changes you made since that snapshot was taken are lost, including all configuration changes and changes to old and new files. You can work around this by specifying that your data should be stored on a "writethrough" disk, which behaves like a normal disk but isn't affected by snapshots. Put another way, when you take a snapshot, VirtualBox ignores the writethrough disk. You can store all your important data and files or your complete /home directory on that disk.
 
To add a writethrough disk, use the -type writethrough option when creating a new disk with createvdi. You can also change a disk you created earlier and make it writethrough. To do so, first unattach it from the VM with VBoxManage modifyvm "Fedora" -hdb none, and then unregister it with VBoxManage unregisterimage disk fourgig (using the name of the disk on your system in place of fourgig). Now register it back again but as a writethrough disk with VBoxManage registerimage disk "fourgig" -type writethrough. Finally, attach it back to the VM using VBoxManage modifyvm "Fedora" -hdb fourgig.
Now you can safely save data on this disk, and no matter what state the VM is in, the data will always be safe. But remember not to revert back to a state that was saved before this disk was created; if you do, VirtualBox will simply delete the disk, because it didn't exist in that state. Also, VirtualBox doesn't currently let you take a snapshot of a VM that has a writethrough disk attached, so you have to unattach a writethrough disk before saving the state of the VM and then reattach it. I hope in upcoming VirtualBox versions the presence of a writethrough disk will have no influence on the snapshot process.
An updated answer. You still can't do it from the guest directly.
You could trigger the host to restart the guest by means of a shared drive/folder and a script running on the host which will reload the guest when a shared file is updated.
Included is my windows script to restart the guest. The commands as given by Canesin did not work for me. I have the following in a CMD file.
PATH=%PATH%;c:\Program Files\Oracle\VirtualBox
vboxmanage controlvm "DEMO" poweroff
timeout /t 10
vboxmanage snapshot "DEMO" restorecurrent
timeout /t 10
vboxmanage startvm "DEMO"
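A host-side watcher implementing the shared-folder trigger this answer describes, added here as an example (not from the original post). It assumes VBoxManage is on PATH, uses a placeholder VM name and trigger path, and keeps the VBoxManage arguments fixed so the guest can only request this one action and nothing it writes into the shared folder reaches the host command line.

```python
import os
import subprocess
import time

VM_NAME = "DEMO"                                # VM name used in the answer's CMD file
TRIGGER = r"C:\vbox-shared\revertbase.request"  # placeholder: file the guest touches
POLL_SECONDS = 5


def revert_commands(vm_name):
    """The fixed VBoxManage sequence from the answer; guest input never gets in here."""
    return [
        ["VBoxManage", "controlvm", vm_name, "poweroff"],
        ["VBoxManage", "snapshot", vm_name, "restorecurrent"],
        ["VBoxManage", "startvm", vm_name],
    ]


def revert_vm(vm_name, run=subprocess.run, pause=time.sleep):
    """Run the sequence, pausing like the CMD file; stop at the first failure."""
    for argv in revert_commands(vm_name):
        if run(argv, check=False).returncode != 0:
            return False
        pause(10)
    return True


def trigger_fired(path, last_mtime):
    """Return (fired, new_mtime): fired when the file exists and its mtime changed."""
    try:
        mtime = os.stat(path).st_mtime
    except FileNotFoundError:
        return False, last_mtime
    return mtime != last_mtime, mtime


def watch(vm_name=VM_NAME, trigger=TRIGGER, poll=POLL_SECONDS):
    """Poll the shared folder; baseline first so an old request file is not replayed."""
    _, last = trigger_fired(trigger, None)
    while True:
        fired, last = trigger_fired(trigger, last)
        if fired:
            revert_vm(vm_name)
        time.sleep(poll)


if __name__ == "__main__":
    watch()
```

Inside the guest, "revertbase" then reduces to touching the trigger file in the shared folder.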

No admin button in Trac

I've installed Trac .10.5, configured the trac.htpasswd file, and am able to log in and view/create tickets.
The problem is that I am currently unable to administer ticket components such as the versions that appear in the drop list on New Ticket.
From command line, I issued the following command:
trac-admin /foo/bar/trac/ permission add myusername TRAC_ADMIN
User "myusername" is listed in /foo/bar/trac/conf/trac.htpasswd, and I am able to successfully log in with that account.
Is there another step I'm missing in order to get access to a system configuration area? (for instance, setting up version numbers)
EDIT:
I discovered that version .10.* and below do not have web admin capabilities installed by default. http://trac.edgewall.org/wiki/WebAdmin
I downloaded the plugin source:
svn export http://svn.edgewall.com/repos/trac/plugins/0.10/webadmin/
Then ran setup.py, which generated a dist/TracWebAdmin-0.1.2dev-py2.6.egg file.
I then issued
easy_install TracWebAdmin-0.1.2dev-py2.6.egg.
Here's the output:
Processing TracWebAdmin-0.1.2dev-py2.6.egg
removing '/usr/lib/python2.6/site-packages/TracWebAdmin-0.1.2dev-py2.6.egg' (and everything under it)
creating /usr/lib/python2.6/site-packages/TracWebAdmin-0.1.2dev-py2.6.egg
Extracting TracWebAdmin-0.1.2dev-py2.6.egg to /usr/lib/python2.6/site-packages
TracWebAdmin 0.1.2dev is already the active version in easy-install.pth
Installed /usr/lib/python2.6/site-packages/TracWebAdmin-0.1.2dev-py2.6.egg
Processing dependencies for TracWebAdmin==0.1.2dev
Finished processing dependencies for TracWebAdmin==0.1.2dev
My trac/conf/trac.ini file has this section:
[components]
webadmin.* = enabled
I restarted the httpd server (trac uses Apache), and still have no Admin button.
Help greatly appreciated.
You're a bit too hastily seeking advice. Quoting my recent replies to trac-users mailing-list here:
This is most probably a permission issue and will continue with any more recent Trac environment. Do something like
trac-admin permission add TRAC_ADMIN
to grant full permission to an admin user account, that is usable for administration tasks. As known elsewhere, you should create a less privileged account for your regular work to just use Trac.
But please note: Because you've got Python2.6, go for Trac-1.0, don't dare to use anything before this current stable version for a new project, really. Trac-0.10 has been abandoned long ago and 0.11 is unchanged since 2010 too.
You'll have no luck on almost any issue you may encounter, and you miss a truck-load of great features that have been introduced. Trac 0.11 had major API changes in many respects, 0.12 went for full i18n support, if you care for that, and 1.0 is just on the edge, supporting the new db access API as well as retaining compatibility code for not-yet-updated plugins (quite a lot to be honest).
I had a similar issue with 0.11.x (minus the plug-in installation), and it turned out that the user account I was logging into via the shell was not the user account that owned the installation. This meant that the changes I was making did not have the right permissions - it is a requirement that all trac-admin changes are made by the installation owner.
Let's say the user that installed Trac was "jim", and I'd logged in as "bob" to use trac-admin in interactive mode. Reapplying a pre-existing permission will cause Python to throw an error and kick you off trac-admin. You have to remove the permission first, then reapply it as the other shell user.
The solution was to:
log back in as "bob" via the shell (e.g. "ssh -l bob trac.url.com")
trac-admin path/to/my/project
permission remove TRAC_ADMIN
exit (trac-admin)
exit (ssh)
log in as "jim" via the shell (e.g. "ssh -l jim trac.url.com")
trac-admin path/to/my/project
permission add TRAC_ADMIN
exit (trac-admin)
exit (ssh)
Now when you log into Trac via a web browser, hopefully you should see the Admin button top right.