Mac OS X offers a wide range of choices for network management and system administration. You can continue to point and click, of course, but to get the most mileage out of Apple's OS, it's best to know as much about Unix as you can. Learn how and when to use Unix-based commands like 'sudo' and 'su' in this Managing Mac Networks article.
The Macintosh OS first rose to fame on the back of its slick graphical user interface (GUI). While the familiar graphical tools still greet users, Apple's most recent Mac operating system, the Unix-based OS X, also features a command line interface (CLI). As a result, many Mac network managers and systems administrators are eager to learn how to take advantage of Unix commands.
For complete and effective OS X management, administrators really "must know Unix," contends Schoun P. Regan, CEO of The Mac Trainers. In a packed classroom at the recent MacWorld Creative Pro Conference in New York City, Regan led a two-day OS X tutorial heavy on instruction in Unix commands, root setup, and "the sticky bit."
When it debuted two years ago, OS X was the first release in the history of the Mac to have Unix at its core. Apple's custom Unix system, Darwin, is based on BSD Unix and the Mach kernel. Advantages of Darwin include the CLI as well as protected memory, dynamic memory allocation, preemptive multi-tasking, application multi-threading, symmetric multi-processing, and open standards networking.
"Literally thousands of BSD commands and applications are supported. Most users will access these commands through the Terminal Application utility. Basically, when using commands you bypass graphical elements and 'talk' directly to the operating system," Regan said.
Some Mac managers have vehemently opposed inclusion of the Unix command line in OS X. "Has Apple gotten away from what people like most about the Mac OS? Let's see, if your Mac is acting funny, just go to a command line and enter a few totally unintuitive commands and you will be all set," wrote one administrator, in an Internet newsgroup.
Many administrators, though, disagree. "The only real difference is that now, the system is a lot more open for users who really want to get under the hood," responded another.
'Commanding Presence' for Unix
Like Rhapsody, an early development edition of OS X, the commercial OS X includes Terminal Application, a CLI that supports a variety of Unix command shells. Apple has also included tcsh as the default command shell.
For some time prior to the release of the original OS X, however, it was unclear whether the commercial product would follow in Rhapsody's footsteps. The possible omission of a command line did not sit well with some administrators, particularly those managing large crossplatform environments.
"Why is Apple willing to ignore nearly 30 years of Unix admin experience built up in the marketplace?" asked one admin. "One of the great virtues of Rhapsody (and potentially of Mac OS X) is that Unix people in IT organizations could start pulling Macs in as fully participating members of the infrastructure, amenable to the same administrative procedures that applied to the other Unix boxes they already had."
Command Line Offers Speed and Power
Many built-in and third-party GUI administration tools are available for OS X, yet despite the graphical nature of the OS X environment, administrators should also know how to use Unix commands.
The Unix command line is widely regarded as faster to use than a GUI — once you know what you're doing, that is. The CLI makes it possible to perform a wide range of functions, all from the same place.
For certain functions, the command line is still the only choice, according to Regan. Apple's earlier MacOS 9, for instance, came with unsupported extensions for setting Ethernet ports manually. "In Mac OS X, you need to do this from the command line," by using the ifconfig command, Regan said.
Before demoing sudo, su, and other Unix commands in the "Mac OS X – Advanced Concepts and Administration" session, Regan noted that many of these commands are merely abbreviations. For instance, pwd stands for "print working directory."
"Freeware ManOpen will list commands and open manual pages in the GUI," he added. You can search commands by keyword with man -k <keyword>, and to learn more about a specific command, simply use the manual command, man pwd, for example. You can leave most paged output, manual pages included, by typing q, and Command-K clears the Terminal screen.
The Mac Trainers also advised admins to "back up your NetInfo database regularly using command line utilities," and "learn some command line tools if you wish to fiddle with your NetInfo database." Useful commands for these purposes include nicl, niload, and nidump: nidump writes a NetInfo domain out in flat-file form (the same layouts as /etc/passwd and /etc/group, or a raw dump with -r), niload reads such a file back in, and nicl reads and edits individual entries. "Don't delete things unless you are SURE you know where they are," warns Regan.
Getting to the Root of Unix
"Mac OS X must have an administrator," Regan emphasized. The first user account, established during OS X setup, is an admin account. The initial admin, though, can be deleted later.
By default, administrators have all the same access privileges as users. Administrators, though, also get perks such as the capability to change any system preference, plus "write" access to the Library folder, the Applications folder, and the root of the drive.
"The administrator is known as the root user in Unix," Regan said. The root user has "unlimited access to everything." Root access, though, "should only be used when necessary, and otherwise avoided." The downside to working in a root shell directly is that nothing done in that session is recorded command by command, so there is no trail of what was changed.
This 'Sudo' Is for Real
A wiser approach is to disable root access, and then use "sudo" (super user do) when you need to execute other commands as root, Regan said. The sudo configuration file is /private/etc/sudoers (/etc is a symbolic link to /private/etc on OS X). Edit it with visudo rather than a plain editor: visudo locks the file and checks its syntax before saving, and a syntax error in sudoers locks every administrator out of sudo.
Any command preceded by "sudo" will execute with root privileges, provided the sudoers file grants the invoking user the right to run it; on OS X, members of the admin group are granted all commands by default. Every "sudo" invocation, whether permitted or refused, is logged in the system log along with the user, the working directory, and the command run.
"This is trackable, so it's safer," said Kevin White, Mac OS X training specialist at The Mac Trainers.
Additionally, administrators must authenticate with their own password to use sudo, and the authentication is cached for only five minutes: after that long without another sudo command, sudo asks for the password again.
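The audit trail is what makes the sudo recommendation worth following, so here is an added example, written for this page rather than taken from the article or The Mac Trainers, that reads the entries sudo writes to the system log and flags the cases where that trail goes dark. The log lines are constructed for the demonstration (the user names, hostname and timestamps are invented); the field layout assumed is the one sudo itself logs, a user name followed by TTY, PWD, USER and COMMAND fields, with "command not allowed" inserted for refused requests.

```shell
#!/bin/sh
# Added example: reviewing sudo's system log entries.
# Constructed sample lines in the layout sudo logs through syslog:
#   "<date> <host> sudo: <user> : TTY=... ; PWD=... ; USER=root ; COMMAND=<program> <args>"
# Refused requests carry "<user> : command not allowed ; ..." instead.
SAMPLE_LOG='Jul 23 10:15:02 labmac sudo:   alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/sbin/ifconfig en0 media 100baseTX mediaopt full-duplex
Jul 23 10:16:40 labmac sudo:     bob : TTY=ttyp2 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/nidump passwd .
Jul 23 10:17:05 labmac sudo:   alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/sh
Jul 23 10:18:33 labmac sudo:   carol : command not allowed ; TTY=ttyp3 ; PWD=/Users/carol ; USER=root ; COMMAND=/usr/bin/passwd root
Jul 23 10:19:01 labmac sudo:   alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/su -'

# Reduce each sudo entry read on stdin to "user command", dropping the TTY/PWD noise.
sudo_commands() {
    awk '/ sudo: / {
        u = $0; sub(/^.* sudo: +/, "", u); sub(/ : .*$/, "", u)
        c = $0; sub(/^.*COMMAND=/, "", c)
        print u " " c
    }'
}

# Entries whose command is itself a shell or su. Whatever happens inside that root
# shell is no longer logged command by command, so the audit trail stops there.
flag_shell_escapes() {
    sudo_commands | awk '{
        n = split($2, p, "/"); base = p[n]          # basename of the executed program
        if (base ~ /^(sh|bash|csh|tcsh|zsh|su|sudo)$/) print
    }'
}

# Requests sudo refused: a user asked for something sudoers does not grant them.
denied_attempts() {
    awk '/ sudo: / && /command not allowed/' | sudo_commands
}

# Stand-alone run over the constructed sample. On a real machine, feed the system log
# instead, e.g.  sudo_commands < /var/log/system.log  (or wherever syslog.conf sends it).
printf '%s\n' "$SAMPLE_LOG" | flag_shell_escapes
printf '%s\n' "$SAMPLE_LOG" | denied_attempts
```

The flagged lines are the point: sudo -s, sudo sh or sudo su hand the administrator an interactive root shell, and nothing typed into it is logged by sudo, which is exactly the unlogged-session problem sudo was adopted to avoid. Trying to forbid that with negated sudoers rules (a "!/bin/sh" and the like) is easily defeated by copying the shell to another path, so regular review of these entries is the control that actually holds.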
By default, the root user is not enabled on the OS X client. Administrators, though, can use NetInfo Manager to enable the root account and set its password.
To do so, you must first authenticate, then choose "enable root," and finally enter the new root password twice. Further changes will require you to reauthenticate.
A Command Named 'Su'
Not to be confused with sudo, the "su" command stands for "substitute user." It lets you quickly become any other user within Terminal Application. With the "su" command you can "go in" as one of your end users, for instance. To use this command, type in "su," followed by the user's name (with no name, su tries to become root, which fails while the root account is disabled). Hit enter and type in the user's password.
"You really do need the user's password, though. So, this isn't a security hole," says White. To get back to the original account, enter "exit" at the prompt.
Modifying File Ownership and Permissions
Changes in file and folder ownership and permissions can be made either in the Finder, using the Get Info tool, or in Terminal Application. "Ownership and permissions define access to file and folder content. File permissions are defined separately for owner, group, or others. 'Others' are anyone that can somehow access your computer," according to The Mac Trainers.
Furthermore, "every file and folder belongs to one owner and one group. An owner is any user on the system. A group is simply a list of users." Changing who owns a file is restricted: on OS X, as on other BSD systems, only root can give a file to another user, while the owner can change its group to any group the owner belongs to.
If you're using Terminal App, the "chown" command is employed for changing ownership, and the "chmod" command is used for changing permissions.
First, though, you should type ls -l to view ownerships and permissions, according to Regan. You'll see separate columns for permissions, link count (the number of names, or hard links, the file has), owner, group, size in bytes, modification date and time, and name. In the permissions column, the first character indicates type: "d" for directory, "l" for link, and "-" for file. The remaining nine characters come in three groups of three, for owner, group, and others, with "r" for read, "w" for write, and "x" for execute (on a directory, "x" is the right to enter and search it).
If the character "t" appears at the end of a permissions string, the sticky bit has been set on that directory. This does not make the folder append only: anyone with write access can still add files, but renaming or deleting an entry is restricted to the entry's owner, the directory's owner, and root. (An uppercase "T" means the sticky bit is set but others lack execute permission on the directory.) The sticky bit is typically used for the Shared folder, in which anyone can add files, but renaming or deleting a file is restricted to the user who added it.
Other common Unix commands Mac network administrators should be familiar with include the following:
Move file – mv <original> <destination>
Copy file – cp <original> <destination>
Erase file – rm <filename>
Erase directory – rm -R <directory> (recursive, and there is no undo)
Also in Unix, the cd command is for navigating directories, whereas the ls command is for listing file names. Unix utilizes the standard forward slash, /, to delineate directory hierarchies.
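To make the permissions column and the sticky bit concrete, here is an added example (not from the article or The Mac Trainers) that turns an ls -l mode string into the octal number chmod takes, then builds a drop folder set up the way the Shared folder is and reads the mode back. It runs in a scratch directory; the folder names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: reading the ls -l mode column and setting a sticky, world-writable folder.

# Turn a 10-character mode string such as drwxrwxrwt into the four-digit octal form chmod
# takes. Columns 2-4 are the owner bits, 5-7 the group bits, 8-10 everyone else; an "s" or
# "t" in an execute column means setuid/setgid or the sticky bit is set as well (lowercase
# when the execute bit is also set, uppercase when it is not).
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        special = 0; bits = ""
        for (t = 0; t < 3; t++) {
            v = 0
            r = substr($0, 2 + t * 3, 1)
            w = substr($0, 3 + t * 3, 1)
            x = substr($0, 4 + t * 3, 1)
            if (r == "r") v += 4
            if (w == "w") v += 2
            if (x == "x" || x == "s" || x == "t") v += 1
            if (x == "s" || x == "S") special += (t == 0) ? 4 : 2   # setuid / setgid
            if (x == "t" || x == "T") special += 1                    # sticky bit
            bits = bits v
        }
        print special bits
    }'
}

# Just the mode column for a path, stripped of the "@" or "+" ls appends when extended
# attributes or ACLs are present.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# A drop folder: everyone may read, write and search it, but the sticky bit (the leading 1)
# means only a file's owner, the folder's owner or root may delete or rename what is in it.
make_shared_dir() {
    mkdir -p "$1"
    chmod 1777 "$1"            # symbolic equivalent: chmod a=rwx,+t "$1"
    mode_of "$1"
}

# Stand-alone demonstration in a scratch directory (hypothetical folder name "Shared").
scratch=$(mktemp -d)
make_shared_dir "$scratch/Shared"                   # prints drwxrwxrwt
mode_to_octal "$(mode_of "$scratch/Shared")"        # prints 1777
rm -rf "$scratch"
```

Changing the owner would be the one step this cannot show without root: chown alice:staff <file> works only under sudo, while chgrp to a group you belong to works as the owner.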
Sticking with GUI
Graphical interfaces and applications in OS X allow you, for the most part, to avoid going through the CLI.
NetInfo Manager, for example, allows administration of users, groups, and other computer information stored in the NetInfo database. A reset password utility is also available, for "any password in OS X," but it runs only from the installer CD. That rescues a locked-out admin, but it also means anyone who can boot the machine from that CD can reset the admin password, so a Mac that has to resist physical access needs an Open Firmware password set so that booting from other media requires it.
Other network administration tools include the Network preference pane, for setting up locations, interface order, and protocol settings; Network Port Configurations, for enabling and ordering ports; and Network Locations, for switching between named sets of network settings ("Louisville, Airport Only, and Bluetooth," for example).
"Networking works as a tiered system based on location first. Each location can have several different interfaces structures. Interfaces must be set up with proper protocol information," Regan said.
A tool called Network Utility, on the other hand, is designed to let individual end users gather networking information about their Macs. It provides a tabbed interface for several Unix commands.
Classic, Carbon, Cocoa, and Java
Also included in OS X is Classic Startup, for running many older Mac apps and services in Mac OS 9.2.2 on top of the newer OS. The Classic Environment stays running until shut down or put to sleep.
Mac OS X also runs Carbon applications such as Office X and iTunes 3, which have roots in classic Mac but are updated for OS X; Java 2 applications, such as LimeWire and ColdFusion; and Cocoa applications like Mail and OmniWeb, which are designed only to work with OS X.
Classic, however, is not fully compatible with everything supported by OS 9, Regan said. "Hardware support is particularly tricky. Start troubleshooting by using startup options in the Classic System Preference. Also troubleshoot by booting in Mac OS 9 using the Startup Disk Preference Pane."
Some graphical tools, interfaces, and apps were added in OS X version 10.2. Workgroup Manager, for example, is an LDAP-based replacement for the old Macintosh Manager. Accounts System Preference is for managing user and admin accounts.
OS X 10.2 also added support for the Common Unix Printing System (CUPS). CUPS can be administered through either Print Center, Terminal App, or a web browser.
Another addition as of the 10.2 release is the capability to connect to both LDAP version 2 and LDAP version 3 servers. "Preconfigured settings are available for various types of LDAPv3 servers," according to Regan. With LDAP version 2 servers, though, you need to use the Directory Access application for configuring key value pairs and data types.
Other graphical offerings in OS X include the following:
- Apple System Profiler, for gathering information about software and hardware configurations on the local computer
- The Utilities folder, which contains Console for viewing log files and CPU Monitor
- Disk Copy, an image and device mounting tool recently updated to support CD burning
- Internet Connect, the application used for dialing the internal modem, joining AirPort networks, and opening VPN connections
- NetInstall, for automatic software distribution to network clients
- NetBoot, a utility for storing workgroup desktop configurations in a single disk image
OS X also includes these key network services:
- Print sharing, a service in OS X 10.2 that uses Apple's Rendezvous and CUPS for finding and sharing available printers
- Web sharing, a service that uses the Apache Web server to give all OS X machines and users their own web sites
- Jaguar Internet Server, for sharing an Internet connection with others on the network
Appletalk 'On the Way Out'
Meanwhile, OS X is instituting many other adjustments for managers and administrators. For example, Apple officials have long acknowledged that AppleTalk is on the way out.
"AppleTalk support is waning," Regan echoed at this summer's MacWorld. AppleTalk is turned off by default in OS X's Network Preferences. For file sharing, OS X instead uses Apple Filing Protocol (AFP) 3.0, which supports Unicode, long file names, and file level permissions. Mac OS 9 machines connecting to Mac OS X must use the older AFP 2.x instead.
"Broadcast for discovery is made by AppleTalk, but actual data transfer is over TCP/IP," according to The Mac Trainers. OS X also supports a number of other networking standards, including Internet Protocol (IP) version 6, FTP, SMB, Point-to-Point Protocol (PPP), Point-to-Point Protocol over Ethernet (PPPoE), and Point-to-Point Tunneling Protocol (PPTP) (for virtual private networking). Supported security protocols include IPSec, Secure Sockets Layer (SSL), and Secure Shell 2 (SSH2).
Time to Learn More About Unix?
OS X offers a wide range of choices for network management and system administration. You can continue to point and click, of course. To get the most mileage out of Apple's OS, though, it's best to know as much about Unix as you can. The bottom line is that if you're managing Macs much of the time, you might want to give some serious thought to learning more about the Unix command line interface.
See All Articles by Columnist Jacqueline Emigh