From: Greg N. <Gre...@di...> - 2007-12-17 22:29:57
Several weeks ago, there was a discussion here on what to put in the leopard base negative transcript. I flagged lots of filesystem items for consideration. I've discovered an issue with this item:

/private/var/db/SystemKey

After some experimenting, this appears to be the key used to unlock /Library/Keychains/System.keychain. Both files are created during the OS install, and are a matched set - if you use a /private/var/db/SystemKey file from a separate install of Leopard, you'll see messages like this in the system log on startup:

Dec 17 14:02:44 aquaman _mdnsresponder[56]: Recreating System.keychain because it cannot unlock; see /usr/libexec/security-checksystem

and you'll find that both /Library/Keychains/System.keychain and /private/var/db/SystemKey have been moved aside with a time/datestamp and replaced with freshly generated files. Unfortunately, the new /Library/Keychains/System.keychain is empty, which is probably not what you want.

I fixed this problem for myself by copying over both files from a fresh Leopard install on another machine, then merging them into my 10.5.1 transcript (and removing /private/var/db/SystemKey from the negative transcript).

So it appears that /private/var/db/SystemKey must be in a positive transcript, and both files must be captured from the same install run.

I'm guessing that this is a small security measure - if an attacker managed to unlock the System.keychain on one machine, he/she would not necessarily be able to do so on another. If you use radmind to manage both files on all your machines, they will be able to be unlocked with the same password, so be aware of this lessening of security.

This may also mean that you cannot simply put all of /private/var/db in a negative transcript unless you have an alternate way to ensure that /private/var/db/SystemKey is the correct key for your specific /Library/Keychains/System.keychain.

-Greg
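The mismatch symptom and the transcript placement rule described in the post above, as an added example that is not part of the original message or of radmind itself: a POSIX shell script that counts the "Recreating System.keychain because it cannot unlock" line in a copy of system.log, and checks that a positive transcript lists both /private/var/db/SystemKey and /Library/Keychains/System.keychain while the negative transcript lists neither. It assumes the radmind transcript layout (file type in field 1, "./"-prefixed path in field 2); the log excerpt and transcript lines are constructed samples. It does not test whether a given SystemKey actually unlocks a given System.keychain; for that the post points at /usr/libexec/security-checksystem.

```shell
#!/bin/sh
# Added example (not from the original post or from radmind).
# Two checks for the SystemKey / System.keychain pairing problem:
#   1. count the log line mdnsresponder writes when the pair does not match;
#   2. confirm a positive transcript carries BOTH files and the negative
#      transcript carries NEITHER, so radmind loads them as a matched set.
# Assumption: radmind transcript lines are whitespace-separated, with the
# file type in field 1 and the "./"-prefixed path in field 2.

KEY_PATH='./private/var/db/SystemKey'
KC_PATH='./Library/Keychains/System.keychain'

# Print the number of log lines reporting a System.keychain that could not be
# unlocked. A missing or unreadable log counts as 0.
count_keychain_recreations() {
    n=$(grep -c 'Recreating System.keychain because it cannot unlock' "$1" 2>/dev/null) || :
    printf '%s\n' "${n:-0}"
}

# Exit 0 if the transcript ($2) lists the path ($1) in its path field.
transcript_lists() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Print "ok" when both halves of the pair are in the positive transcript ($1)
# and neither is in the negative transcript ($2); otherwise list each rule
# that is broken, space-separated.
check_pair_placement() {
    problems=''
    for p in "$KEY_PATH" "$KC_PATH"; do
        if ! transcript_lists "$p" "$1"; then
            problems="$problems missing-from-positive:$p"
        fi
        if transcript_lists "$p" "$2"; then
            problems="$problems present-in-negative:$p"
        fi
    done
    if [ -z "$problems" ]; then printf 'ok\n'; else printf '%s\n' "${problems# }"; fi
}

# --- constructed sample data (not captured from a real machine) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed system.log excerpt: one unrelated line, one mismatch report.
cat > "$SAMPLE_DIR/system.log" <<'EOF'
Dec 17 14:02:43 aquaman configd[14]: setting hostname to "aquaman.local"
Dec 17 14:02:44 aquaman _mdnsresponder[56]: Recreating System.keychain because it cannot unlock; see /usr/libexec/security-checksystem
EOF

# Constructed transcripts: "type path mode uid gid mtime size checksum".
cat > "$SAMPLE_DIR/good-positive.T" <<'EOF'
f ./Library/Keychains/System.keychain 0644 0 0 1197921600 2700 constructed-sha1
f ./private/var/db/SystemKey 0600 0 0 1197921600 24 constructed-sha1
EOF
cat > "$SAMPLE_DIR/bad-positive.T" <<'EOF'
f ./private/var/db/SystemKey 0600 0 0 1197921600 24 constructed-sha1
EOF
cat > "$SAMPLE_DIR/good-negative.T" <<'EOF'
d ./private/var/log 0775 0 80
EOF
cat > "$SAMPLE_DIR/bad-negative.T" <<'EOF'
f ./private/var/db/SystemKey 0600 0 0 1197921600 24 -
EOF

echo "mismatch reports in log: $(count_keychain_recreations "$SAMPLE_DIR/system.log")"
echo "good layout: $(check_pair_placement "$SAMPLE_DIR/good-positive.T" "$SAMPLE_DIR/good-negative.T")"
echo "SystemKey left in negative: $(check_pair_placement "$SAMPLE_DIR/good-positive.T" "$SAMPLE_DIR/bad-negative.T")"
echo "keychain missing from positive: $(check_pair_placement "$SAMPLE_DIR/bad-positive.T" "$SAMPLE_DIR/good-negative.T")"
```

Run it against a real pair of transcripts by calling check_pair_placement with your own positive and negative transcript paths; the "present-in-negative" result is the configuration the post warns about, where a locally generated SystemKey is kept while System.keychain is pushed from another install.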