locked
Generic Client Silent App on MAC

  • Question

  • Created one for a particular server on port 80.  Works beautifully on Windows.  The SSL wrapper drops the hostname in the hosts file at 127.0.0.xxx, and starts a listener on 127.0.0.xxx port 80.

    However on MAC not as sweet... 

    First problem is that it won't start the port 80 listener unless I log into the Mac as root.  When I log in as the "main" user, who I'm told is the original user the macOS was set up for, it won't start the listener on port 80 and instead picks some random high-numbered port, which makes the app unusable as I can't control the port used in the client app.  This user is listed as "Admin" in Mac preferences.  OK, so the workaround here is to log in as root.  Hopefully when I can get on another Mac I'll find this is client specific, but has anyone else seen this?

    Secondly, when I do log in as root, when the SSL wrapper goes to drop an entry in the hosts file it prompts me for the administrator password, TWICE.  And since I am actually starting 4 of these generic silent apps, I get asked for the password 8 TIMES!  Has anyone seen this problem, and if so, have a suggestion on a solution?

    BTW-  I also noticed the hosts file does not get cleaned up when I log off from the IAG session on the Mac.  Doesn't pose a problem when I'm always external, but if this Mac was brought to the corporate LAN and plugged in, none of these apps would work directly due to these hosts entries. Guess this is problem #3.

    Also note that I've tried with the "generic carbon hosts required" app and all the above still applies.



    Thanks,
    Mark

    Friday, July 24, 2009 7:00 PM

Answers

  • Mark,

    In the Unix world the root user is equivalent to the administrator account in Windows. Your Mac user needs to be a member of the root users group. This is accomplished by editing the sudoers file. Yes, you are going to need to be the root user in order to edit this file. Yes, it's a per-endpoint change.

    The chmod 777 on the hosts file only corrects one of the issues. It also opens the file perms for modification by the user, group, and world, a security issue. The second credential prompt is the application start-up. Ultimately, the user needs to be a member of the root user group and the sudoers file is the way to get this configured.

    Having the sudoers file correctly configured should eliminate the double credential challenges and get the hosts file clean-up working correctly. I know it's not pretty, but that's the resolution for this issue.

    Best Regards,

    Dan
    • Marked as answer by Erez Benari Tuesday, July 28, 2009 11:54 PM
    Tuesday, July 28, 2009 9:31 PM
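
An added example, not part of the original thread or of IAG: a read-only shell check for the two hosts-file problems discussed here, loose permissions after a `chmod 777` and loopback entries left behind when the SSL wrapper exits. The function names, the `.example` hostnames and the sample file are constructed, and it assumes the stock file maps only `localhost` into 127.0.0.0/8.

```shell
#!/bin/sh
# Added example: audit a hosts file. All names here are constructed for illustration.

# True (exit 0) if the file is writable by group or others, e.g. after chmod 777.
hosts_is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# Print "address name" for every 127.x.x.x mapping other than localhost:
# the kind of entry a tunnel client adds and may fail to remove.
stale_loopback_entries() {
    awk '
        { sub(/#.*/, "") }   # strip comments before looking at fields
        $1 ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i != "localhost") print $1, $i
        }' "$1"
}

# Report both findings; returns 1 if either check fails, 0 if the file is clean.
audit_hosts() {
    file=${1:-/etc/hosts}
    status=0
    if hosts_is_loosely_writable "$file"; then
        echo "WARN: $file is group/world-writable; expected mode 644"
        status=1
    fi
    entries=$(stale_loopback_entries "$file")
    if [ -n "$entries" ]; then
        echo "WARN: non-default loopback entries in $file:"
        echo "$entries" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Constructed sample: stock macOS lines plus two leftovers in the 127.0.0.xxx style.
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.12      appserver.corp.example   # left behind by a tunnel session
127.0.0.13      files.corp.example
EOF
}
```

On a Mac the file to check is `/private/etc/hosts`; running `audit_hosts /private/etc/hosts` after a session ends shows whether entries were left behind.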

All replies

  • UPDATE:

    Tried from another Mac client and same scenario.  Actually even worse, as I found the typical Mac client doesn't even have the root account enabled, so even a semi-knowledgeable Mac user would not be able to log in as root, and therefore no listener on port 80 is possible.  So basically I have 3 fairly serious issues trying to tunnel an application on port 80 from a Mac:

    1.  Won't start listener on port 80 unless logged in as root.  When non-root, which is the way 99.9% of Mac users would log in, it starts the listener on a random high-numbered port.  In my case this is useless as the whole point is to catch traffic from an applet that is hard coded to talk to internal name and port 80.

    2.  The very annoying request for root password 8 times as described above.  Note that even when only publishing Citrix, and not publishing the generic tunnels, it asks for root password twice when not logged in as root.  (which doesn't really make sense as Citrix doesn't utilize the hosts file, just dynamically modifies the ICA file during download)

    3.  As described above, hosts file entries are written into the hosts file when the SSL wrapper starts, but not removed when the SSL wrapper ends.


    Monday, July 27, 2009 9:03 PM
  • Hi Mark,

    Check the sudoers file in /private/etc/sudoers. You can read the man page for this file and associated elevations of privilege here: http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/sudoers.5.htm

    You must be root to use the SSLwrapper. Also, check the logs for the Java console for errors. You may see something about "Failed modifing file '/private/etc/hosts'".

    Dan 
    Monday, July 27, 2009 9:09 PM
  • From experiences with IAG/Mac I'd have thought that maybe you have to have "Admin" privilege to use the SSL wrapper on a Mac, but not root.  I've seen Citrix, and VNC and other apps work on a Mac.  And like I said, from the few I've checked and the documentation I read in the last few days, on most Macs the root account is disabled, and even if enabled, most Mac users would have no idea it exists or how to log in with that account versus their regular user account which has "Admin" privilege.   Unfortunately, editing the sudoers file, even if it solved one or more of the 3 issues, I don't think is viable.  Wouldn't the edit in this file be custom per Mac and need to be made by the Mac end user as root?   Catch-22 on the root account... and if I were going to try to take it to this level of manual client customization, I could potentially solve issue #2 by just telling users to su to root, and chmod their hosts file.

    May go through the process to open this as an official Microsoft incident if no other ideas on how to make this application work on a Mac??

    Thanks,
    Mark

    Tuesday, July 28, 2009 6:04 PM