Tag Archives: Mac OS X

XtraFinder error message “XtraFinder Beta has expired!” fix with applescript

I was recently asked to help with XtraFinder’s annoying “XtraFinder Beta has expired!” message and make it disappear without user input. As what was suggested on the official support page did not work, I went to see what is available online. Google is your friend, right!? 🙂

Unfortunately I found only one good and interesting blog post on the subject, involving Hopper Disassembler, but that did not work for me: whatever I tried, I did not manage to produce an executable file that would actually work. The tutorial is for XtraFinder version 0.25 whereas mine was 0.25.8, and though the assembler instructions and the function looked the same, I think that matters.

As I am not an assembler guru I went back to good old AppleScript to make a few clicks on behalf of a human 🙂 Please check the script below and change it if you need to. The script app has to be in your login items and will/should work fine even after you upgrade to the latest version of XtraFinder, currently 0.25.9 /which by the way fixes the nag messages until the time for the next update; if that is not on time, the expiry message will probably start appearing again... or maybe not… :-)/.

So here we go:

 

-- Give XtraFinder time to start and show its dialogs
delay 3
tell application "XtraFinder" to activate
delay 1
tell application "System Events"
  if exists (window 1 of process "XtraFinder") then
    tell process "XtraFinder"
      set XfinderMess to the value of static text 1 of window 1 of application process "XtraFinder" of application "System Events"
      if XfinderMess = "System Integrity Protection is enabled." then
        -- Dismiss the SIP warning
        click button "OK" of window 1 of application process "XtraFinder" of application "System Events"
        delay 10
        tell application "System Events"
          if exists (window 1 of process "Finder") then
            tell process "Finder"
              set finderMess1 to the value of static text 1 of window 1 of application process "Finder" of application "System Events"
              if finderMess1 = "XtraFinder Beta has expired!" then
                -- Dismiss the expiry nag
                click button "OK" of window 1 of application process "Finder" of application "System Events"
                delay 6
                tell application "System Events"
                  if exists (window 1 of process "Finder") then
                    tell process "Finder"
                      set finderMess2 to the value of static text 1 of window 1 of application process "Finder" of application "System Events"
                      if finderMess2 = "You’re up-to-date!" then
                        -- Dismiss the update check result
                        click button "OK" of window 1 of application process "Finder" of application "System Events"
                      end if
                    end tell
                  else
                    quit
                  end if
                end tell
              end if
            end tell
          else
            quit
          end if
        end tell
      end if
    end tell
  else
    quit
  end if
end tell

 

Enjoy 🙂

 


AppleScript execution depending on system event

Some time ago I had to create a script to execute on startup, do its job and reboot the computer if needed, but how do you prevent it from going into a reboot loop? Luckily, after a bit of wandering around I managed to find a solution – the system_profiler command! It lets you track the hardware state, and any change can be used to trigger a script execution.

I do not know about your experience with Macs and multiple displays, but according to mine it can get messy, especially if you have more than two displays or /god forbid! ;-)/ Apple plus other display manufacturers.

In my case the problem was not having all the displays on after the initial boot: the main Philips display came on, but both Apple Thunderbolt displays did not. After a reboot, though, everything came back to normal. The task was to make a script that checks the state of the screens and automatically reboots if there is a problem.

So this is the script I made to solve the problem. You can tweak it the way you want and need /maybe if you use it or post it somewhere, mentioning me would be nice :-)/:

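-- Wait for the displays to settle after login
delay 15
-- grep prints any matching lines, then "echo $?" appends grep's exit status,
-- so the result is exactly "1" only when no Thunderbolt display was found
set display to (do shell script "system_profiler SPDisplaysDataType | grep Thunderbolt; echo $?")
if display = "1" then
    do shell script "open /Path/To/Your/Scripts/Reboot.app"
else
    display notification "No Need to Reboot!"
    delay 5
    quit
end if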

Reboot.app is just a script to reboot the computer, you can make your own, use my previous posts or use any other means to achieve the goal.
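The same display check with a bounded number of reboot attempts, as an added shell example that is not part of the original post: it keeps a counter so that a Thunderbolt display that is really unplugged cannot cause an endless reboot loop. The names STATE_FILE and MAX_REBOOTS, their defaults and the sample profiler output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): bound the automatic reboots so
# that an unplugged or dead display cannot cause an endless reboot loop.
# STATE_FILE and MAX_REBOOTS are assumed names and values.
STATE_FILE="${STATE_FILE:-$HOME/.display-reboot.count}"
MAX_REBOOTS="${MAX_REBOOTS:-2}"

# Constructed samples of `system_profiler SPDisplaysDataType` output.
SAMPLE_ALL_ON='Graphics/Displays:
    Displays:
        PHL 272P4:
          Resolution: 2560 x 1440
        Thunderbolt Display:
          Resolution: 2560 x 1440'
SAMPLE_MISSING='Graphics/Displays:
    Displays:
        PHL 272P4:
          Resolution: 2560 x 1440'

# has_thunderbolt TEXT: succeeds when the profiler text lists a Thunderbolt display
has_thunderbolt() {
    printf '%s\n' "$1" | grep -q 'Thunderbolt'
}

# decide TEXT: print "ok", "reboot" or "give-up" and update the attempt counter
decide() {
    count=0
    if [ -f "$STATE_FILE" ]; then count=$(cat "$STATE_FILE"); fi
    case "$count" in ''|*[!0-9]*) count=0 ;; esac  # treat a corrupt counter as 0

    if has_thunderbolt "$1"; then
        rm -f "$STATE_FILE"            # healthy boot: reset the counter
        echo ok
    elif [ "$count" -ge "$MAX_REBOOTS" ]; then
        echo give-up                   # stop rebooting, leave it to a human
    else
        echo $((count + 1)) > "$STATE_FILE"
        echo reboot
    fi
}

# On the Mac itself: decide "$(system_profiler SPDisplaysDataType)"
```

Only the "reboot" answer should launch Reboot.app; "give-up" is the point at which to show a notification instead.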

And finally – if you insist on having your application windows exactly on the screen you want and at the location you want them to be, there is one very good application called Stay, it is not free, but does the job nicely.

Enjoy!


AppleScript examples for Mac OS X El Capitan

Time is tight as usual, so let’s not waste it and get on with the already delayed El Capitan post. 🙂

As some of you already know Apple introduced a new security feature to their latest OS X called System Integrity Protection (SIP). What it basically does is to limit access to sensitive parts of the OS, prevent code injection, etc. This is all fine probably for most users, but limits the possibilities of tweaking the system as well as flexibility of manipulating certain aspects of the OS’s behaviour.

So this brings some inconvenience when you try to automate certain aspects of your daily routine. For example, the bless command will not work, you can no longer “empty trash” while a file is still engaged in a process, and if you disable SIP you can no longer repair permissions on your system files, as this feature has been removed from Disk Utility.

Simply said – if you want full control over the OS you will have to disable SIP. I am not going into details on how to do it; there are many articles on the internet about that. Here are just a few links if you are interested:

Apple’s official article – https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html

 

XtraFinder’s article on how to partially disable SIP – https://www.trankynam.com/xtrafinder/sip.html

or this one for some more customisation – https://www.reddit.com/r/osx/comments/3hv3kk/update_on_rootless_the_configuration_mechanism/

 

Below you will find two AppleScripts: one for automating the process of repairing file permissions and the other for emptying your trash.

First the script which does the permission repair. Before using it you will need to download and install the utility from here https://www.firewolf.science/2015/07/repairpermissions-v2-0-cli/

Make sure you follow the installation guidance and read the notes section – it is kind of important.

Alternatively if you do not want to use this utility you may prefer to do it differently by using repair_packages command following this tutorial: http://lifehacker.com/verify-and-repair-permissions-from-the-command-line-in-1741718667

 

And the script itself, change the necessary bits with your data or change it the way it suits you:

 

-- Ask which volume to repair; the button labels must match your volume names
display dialog "Repair Disk Permissions" buttons {"VolumeName 1", "Volume Name 2", "QUIT"} default button "QUIT"
if button returned of result = "QUIT" then
     quit
else
     set diskVol to the button returned of the result as text
     tell application "Terminal"
          activate
          set RP to do script "sudo /usr/local/bin/RepairPermissions \"/Volumes/" & diskVol & "\" "
          delay 1
          -- Types the sudo password into whichever window has keyboard focus;
          -- the password is stored in plain text inside the script
          tell application "System Events"
               keystroke "YourPassword" & return
          end tell
          set mainID to id of front window
          close (every window whose id ≠ mainID)
          -- Wait until the repair command has finished
          repeat until busy of RP is false
               delay 1
          end repeat
     end tell
end if
delay 30
tell application "Terminal" to quit

 

The second script, for emptying the trash, looks a bit bloated, but as AppleScript has no understanding of a “go to” statement /at least I could not find any reference to it, though for some reason this statement is considered bad practice/ I had no choice but to leave it as it is. Any suggestions are welcome.

As per my previous post regarding AppleScript you will have to adjust some details in the script:

 

 

do shell script "sudo nvram SystemAudioVolume=%80" password "YourPass" with administrator privileges
do shell script "defaults write com.apple.loginwindow TALLogoutSavesState -bool false" password "YourPass" with administrator privileges
-- List the trash contents; an empty string means the trash is already empty
-- (no "quoted form of" here: it would turn an empty result into '' and the test below would never match)
set trashcontents to (do shell script "ls ~/.Trash")
if trashcontents = "" then
     -- Nothing to delete: go straight to the Apple menu item and confirm
     tell application "Finder" to activate
     tell application "System Events"
          tell process "Finder"
               click menu item 13 of menu 1 of menu bar item "Apple" of menu bar 1
          end tell
     end tell
     delay 5
     tell application "System Events"
          tell process "loginwindow"
               activate
               click button 2 of window 1
          end tell
     end tell
else
     -- Force-delete the trash contents first, then do the same as above
     do shell script "sudo rm -rf ~/.Trash/*" password "YourPass" with administrator privileges
     delay 10
     tell application "Finder" to activate
     tell application "System Events"
          tell process "Finder"
               click menu item 13 of menu 1 of menu bar item "Apple" of menu bar 1
          end tell
     end tell
     delay 5
     tell application "System Events"
          tell process "loginwindow"
               activate
               click button 2 of window 1
          end tell
     end tell
end if

 

And that’s it for now, hope this helps not just me, but someone else too 🙂

 

 

 


Debian 7 Wheezy – L2TP VPN Server behind NAT with strongSwan and self-signed certificate authentication

As usual, before everything else, a few good and must-read articles on the subject: https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ – a very good tutorial on setting up strongSwan, http://www.manabii.info/2014/08/debian-wheezy-strongswan-l2tp-ipsec.html – another very good tutorial on L2TP strongSwan configuration /you will have to translate it from Japanese unless you are a ninja :-)/ and of course the very important strongSwan wiki documentation at https://wiki.strongswan.org/projects/strongswan.

Why strongSwan and L2TP? Well, after some research on the available IPsec implementations for Linux I decided to go for strongSwan because of its active development. As for L2TP, I decided that a bit of overhead, which any modern hardware can handle, is worth the hassle for the capability to use other protocols as well as IP over the VPN connection.

 

STEP 1 – GENERAL PREPARATION

The assumption is that you already have control over a DNS server, a local network in the range 192.168.0.0/24 and a server running Debian 7 Wheezy with IP address 192.168.0.10. As good practice advises – first make sure your system is up to date, just run /do not forget to be a root user or use sudo when necessary/:

#apt-get update && apt-get upgrade

Normally Debian 7 will install strongSwan 4, but I wanted version 5 because it only runs the charon daemon, which handles everything for you, and you do not have to configure NAT-T – it is triggered for you automatically if needed. To do this you will have to alter the /etc/apt/sources.list file, adding these lines to it:

deb http://ftp.debian.org/debian/ wheezy-backports main
deb-src http://ftp.debian.org/debian/ wheezy-backports main

After that you can run the set of commands which will update the sources, install the xl2tpd daemon /this is the software responsible for L2TP/ and install strongSwan:

#apt-get update
#apt-get install xl2tpd
#apt-get -t wheezy-backports install strongswan

Just to check you have the version 5 of strongSwan:

#dpkg -l | grep strong

The next important thing is to change the kernel parameters so it can route the VPN traffic /later on NAT will be configured/. To achieve this in a permanent way some parameters in /etc/sysctl.conf must be set properly; you will need to have this:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

To apply the changes run the following command:

#sysctl -p

 

STEP 2 – CERTIFICATES PREPARATION

Before generating certificates find out the fully qualified domain name of your VPN server, make sure an A record for it exists in your DNS server and use it as the CN when generating certificates. To find your FQDN run the following command:

#hostname -f

Now you are ready to generate the certificate authority key and certificate:

#cd /etc/ipsec.d/
#ipsec pki --gen --type rsa --size 4096 \
--outform pem \
> private/CA_Key.pem

#chmod 600 private/CA_Key.pem

#ipsec pki --self --ca --lifetime 3650 \
--in private/CA_Key.pem --type rsa \
--dn "C=GB, O=SomeName, CN=server.example.com" \
--outform pem \
> cacerts/CA_Cert.pem

 

Create the VPN Server Key and Certificate

#ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/VPN_Server_Key.pem

#chmod 600 private/VPN_Server_Key.pem

#ipsec pki --pub --in private/VPN_Server_Key.pem --type rsa | \
ipsec pki --issue --lifetime 3650 \
--cacert cacerts/CA_Cert.pem \
--cakey private/CA_Key.pem \
--dn "C=GB, O=SomeName, CN=server.example.com" \
--san server.example.com \
--flag serverAuth --flag ikeIntermediate \
--outform pem > certs/VPN_Server_Cert.pem

 

Create Client Certificate

#ipsec pki --gen --type rsa --size 2048 \
--outform pem \
> private/ClientKey.pem

#chmod 600 private/ClientKey.pem

#ipsec pki --pub --in private/ClientKey.pem --type rsa | \
ipsec pki --issue --lifetime 3650 \
--cacert cacerts/CA_Cert.pem \
--cakey private/CA_Key.pem \
--dn "C=GB, O=SomeName, CN=server.example.com" \
--san user@example.com \
--outform pem > certs/ClientCert.pem

 

Export Certificate for the Client as PKCS#12

#openssl pkcs12 -export -inkey private/ClientKey.pem \
-in certs/ClientCert.pem -name "Client VPN Certificate" \
-certfile cacerts/CA_Cert.pem \
-caname "server.example.com" \
-out Client.p12

 

STEP 3 – SETTING UP strongSwan

There are a few files used to configure strongSwan, all located in the /etc folder. The file /etc/strongswan.conf I left unchanged as it is probably set correctly for most users, but of course you can check its content and, if you are sure you know what you are doing, adjust it to your needs.
Next is the file /etc/ipsec.conf, which you can back up first before changing:

#cp /etc/ipsec.conf /etc/ipsec.conf.bac

Then you can create the configuration you need, mine looks like:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
#       strictcrlpolicy=yes
#       uniqueids = no
        charondebug="cfg 2, dmn 2, ike 2, net 2"

# Add connections here.
conn L2TP
        forceencaps=yes
        auto=add
        keyexchange=ikev1
        keyingtries=3
        rekey=no
        ikelifetime=8h
        lifetime=1h
        type=transport
        left=192.168.0.10
        leftsubnet=0.0.0.0/0[udp/1701]
        leftauth=pubkey
        leftcert=VPN_Server_Cert.pem
        right=%any
        rightsubnet=0.0.0.0/0[udp/%any]
        rightauth=pubkey
        rightcert=ClientCert.pem
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear

include /var/lib/strongswan/ipsec.conf.inc

And finally the file /etc/ipsec.secrets has to be set so the client can log in. Mine is set as follows:

: RSA VPN_Server_Key.pem
#user1 : EAP "BigSecret"
#user2 : XAUTH "AnotherBigSecret"

It is not a bad idea to set the permissions:

#chmod 600 /etc/ipsec.secrets

To make sure ipsec service loads on boot:

#insserv ipsec

 

STEP 4 – SETTING UP L2TP

Three files must be configured for the xl2tpd daemon to work properly. The first one is /etc/xl2tpd/xl2tpd.conf, where the global parameters are set; in my case it looks like this:

[global]
[lns default]
ip range = 192.168.111.2 - 192.168.111.254
local ip = 192.168.111.1
length bit = yes
refuse chap = yes
require authentication = yes
name = l2tp
pppoptfile = /etc/ppp/l2tpd-options

The next one is obviously the file /etc/ppp/l2tpd-options where you set some PPP options and mine are set as:

name l2tp
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
nodefaultroute
lock
nobsdcomp
mtu 1280
mru 1280

And finally you set the PPP user in the file /etc/ppp/chap-secrets:

# client    server  secret      IP addresses
vpnuser    l2tp    "aPassword"  *

 

STEP 5 – SETTING UP NAT

We are almost there now. The final bit is to set up the NAT, which is done with iptables, but before that I reckon it is not a bad idea to install the iptables-persistent package and have your rules saved and loaded properly on reboot. To do this you will have to:

#apt-get install iptables-persistent

Then you can create the rule and have it saved. To go for SNAT or Masquerading is a personal choice, but as you most likely will have a static IP address for your server probably SNAT is better:

#iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.0.10 -o eth+
#iptables-save > /etc/iptables/rules.v4

To check if your services are running you can see their status or/and network activity:

#service --status-all

or

#netstat -lnput | grep charon
#netstat -lnput | grep xl2tpd

Do not forget to forward UDP ports 500, 1701 and 4500 on your router.
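A quick audit of what Steps 1 to 4 leave on disk, as an added example that is not part of the original post: it checks that the key and secrets files (including /etc/ppp/chap-secrets, which holds the PPP password in plain text) are not accessible to group or others, and that the three sysctl.conf values are set. The function names and the optional root-prefix argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files this tutorial
# creates. Paths follow the steps above; the optional root prefix is an
# assumption that lets the check run against a copy of /etc.

# private_mode FILE: succeeds when group and others have no permission bits
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# sysctl_get FILE KEY: print the last uncommented numeric value set for KEY
sysctl_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots literally
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" |
        tail -n 1
}

# audit [ROOT]: print one line per finding; succeeds only when there are none
audit() {
    root=${1:-}
    findings=0
    # Private keys, the IPsec secrets file and the plain-text PPP password
    for f in "$root/etc/ipsec.secrets" "$root/etc/ppp/chap-secrets" \
             "$root"/etc/ipsec.d/private/*.pem; do
        [ -e "$f" ] || continue
        if ! private_mode "$f"; then
            echo "PERM $f is accessible to group/others, expected mode 600"
            findings=$((findings + 1))
        fi
    done
    # Kernel settings from Step 1
    for want in net.ipv4.ip_forward=1 \
                net.ipv4.conf.all.send_redirects=0 \
                net.ipv4.conf.all.accept_redirects=0; do
        name=${want%%=*}
        got=$(sysctl_get "$root/etc/sysctl.conf" "$name")
        if [ "$got" != "${want#*=}" ]; then
            echo "SYSCTL $name is '${got:-unset}' in sysctl.conf, expected ${want#*=}"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run `audit` as root with no argument to check the live /etc on the VPN server.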

And now the funny part… 🙂 Connecting your clients. Android devices connect effortlessly: just install your client certificate using the p12 file, enter your PPP username and password as well as the server IP address /which will be the public address of your router/ or its DNS name /which should resolve to your router’s public address/ and you are done.
I have not tried an iOS device yet, but as Mac OS X connects I would assume there will not be a problem, though it was a bit tricky with the Mac. Make sure you install the client certificate in your System keychain and then make it trusted. Make sure you have a record in your DNS server with exactly the same name for your VPN server as in the certificate, and when setting up the connection do not use the IP address, use the domain name. If you do not do it this way you will not be able to connect.
Windows… well, I could not manage to connect even a single Windows 7 client PC regardless of what I tried – switching off the firewall and antivirus software, changing the configuration of the VPN server, having the certificates properly installed with MMC, and before you ask – yes, I had AssumeUDPEncapsulationContextOnSendRule in the registry set to 2. Nothing worked. I had a brief look at third-party VPN clients for Windows, but could not find one good enough to support L2TP VPN with certificates. So if anyone has experience with this I will be happy to see what is wrong and where; I could not figure it out from the server logs.

“And that’s all I’ve got to say about that” – Forrest Gump 🙂

For now. 🙂