[ http://jira.magnolia-cms.com/browse/MAGNOLIA-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21113#action_21113 ]
Philipp Bracher commented on MAGNOLIA-1959:
-------------------------------------------
Thought I'd share that with you. Quoted from: http://db.tidbits.com/article/9294
{quote}
There's one behavior that caught me completely by surprise and calls for an
immediate fix. If you have the firewall set to control applications, those
applications that don't already have their code signed are signed by Leopard
when they access the network. (Code signing is the process of affixing a
digital signature to an application, such that the operating system can tell if
the application has been modified by malware, because the application's
checksum would no longer match the checksum in the signature.) If the
application changes itself while running, as Skype does (and as some other
applications do too), it won't
{quote}
Another article saying the same:
http://www.heise-online.co.uk/security/Apple-documents-Leopard-firewall-functionality-and-holes--/news/98695
{quote}
The new firewall recognises applications by means of digital signatures. If a
rule is required for an unsigned program, the operating system generates one on
the fly. This ad-hoc code signing modifies the program file on the hard drive.
This means that programs like Skype or WoW which test their own integrity may
subsequently have problems due to a modified checksum. A problem which Apple
fails to mention are programs in interpreted languages such as Java or Perl.
Here, the user can only define rules which relate to the runtime environment
itself, and therefore to all Java or Perl programs.
{quote}
So the application might indeed be blocked by the fact that we write into the
repository or change files in the webapp. None of the articles tells clearly
how one can get rid of that behavior.
> Leopard (osx 10.5) issues
> -------------------------
>
> Key: MAGNOLIA-1959
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-1959
> Project: Magnolia
> Issue Type: Bug
> Affects Versions: 3.5
> Reporter: Gregory Joseph
> Assignee: Gregory Joseph
>
> h3. Leopard's application level firewall :
> Leopard's firewall behaves significantly differently than the firewall
> shipped with OSX 10.4. The symptoms are that Tomcat seems unreachable
> ("kCFErrorDomainCFNetwork:302"), but unfortunately no log message *clearly*
> identifies the issue.
> It seems the behavior was different prior to OSX 10.5.3, but at least in
> 10.5.4 the following seems to work:
> - "allow incoming connections" for the Magnolia and Tomcat scripts
> ({{magnolia_control.sh}}, {{startup.sh}}, {{shutdown.sh}}, {{catalina.sh}}),
> as well as the Java binary (i.e.
> {{/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Commands/java}})
> - it seems sometimes necessary to "lock" and "unlock" the firewall settings
> pane, so as to force it to take the new settings into account.
> - if Magnolia was started, you'll have to kill it (-HUP works and shuts it
> down nicely) and restart.
> h4. More comments and questions
> - somehow, setting the firewall to "allow all" does not seem to help.
> - {{sudo launchctl remove com.apple.alf}} should remove the application-level
> firewall, but for some reason, this hasn't proved very useful. Will have to
> try again.
> h4. Log files to watch:
> * {{/var/log/system.log}}
> * {{/var/log/secure.log}}
> * {{/var/log/appfirewall.log}}
> h4. Some interesting links:
> * http://securosis.com/2007/11/01/investigating-the-leopard-firewall/
> * http://documentation.magnolia.info/administration.html#Knownissues which
> links back to here but has a nice little screenshot of Leopard's firewall
> configuration gui ;)
> h3. "Max.files opened"
> There might be some "max.files opened" issues, with settings which are
> different from Tiger(10.4), although this hasn't been reported in a while.
> There is unfortunately not much we can do about this issue at the moment, as
> far as we know.
> *Feel free to comment on your own experience below and contribute tips and
> tricks !*