About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Home » Learning Curve

1st Time CLIX?

A tutorial that coincides with the upcoming CLIX release.


Buy It

Try It

The overwhelming majority of CLIX users 'get it' at first glance. Some however do not. Perhaps a slow run-through would dispel any remaining confusion.

1st Glance

Opening the CLIX download and running the app for the 1st time may prove perplexing for some.

There's nothing in the window. It's empty.

The trick here is getting people to understand this is no different from how Terminal and TextEdit greet them.

The CLIX window is a document window and you're expected to put things in it.

1st Command

The CLIX document window has four columns for data.

Title An arbitrary title for your command. You decide.
Category An arbitrary category for your command. You decide.
Description An arbitrary description for your command. You decide.
Command Line   This is not arbitrary. This is the command you wish to run.

A simple command shows it best - a command to simply list the contents of the 'default directory'.

  1. What you want is to open the CLIX command sheet so you can add your command.

  2. Highlight the 'Edit' menu on the menu bar and select 'Add'. As you can see the command is also served by the keyboard shortcut ⌥⌘↩ which is option-command-enter.

  3. Invoking the 'Add' command now opens the CLIX command sheet.

  4. Type in a suitable title in the first field such as 'List Default Directory'. Tab to the next field.

  5. Type in a suitable category such as 'List'. [You might think of something better.] Tab to the next field.

  6. Type in a description of the command. Such as 'list contents of default directory'. Tab to the next field.

  7. Type in the command itself. Which is simply 'ls'.

  8. You'll notice as you type that certain buttons along the bottom of the sheet light up. The 'Save' button becomes enabled as soon as you change anything - which for a new command means putting in anything at all.

  9. The 'Run' button becomes enabled as soon as you enter text in the 'Command Line' field - certainly you can't run a command if there's no command to run.

  10. At this point you're ready to run your command. Either click the 'Run' button or - if the button appears default - hit ⌘↩ - command enter.

What you get should be very similar to what's pictured below.

1st Questions Answered!

  • What's a 'default directory'? Easy - and this is one of a great number of safety features in CLIX.

    Your 'default directory' is the directory whence the current document came - or in the case of 'untitled' (never saved) documents your login home directory.

    This feature is essential so you don't issue the wrong commands in the wrong directories. It also helps economise the commands you use as they can rely on paths relative to this directory.

  • What's the 'Copy' button do? Easy again. It copies your command output to the clipboard (as plain text) so you can paste it in and save it if you want.

  • The little dot above the output field? That's so you can drag open the command line field more. Or less. You can also drag out the sheet more from the lower right corner if you want.

  • That 'Run' button turned quickly to 'Stop' and back again? Yes - you can stop a command whenever you like.

  • What does the 'Save' button do? That should be obvious - it saves your command to your list. From there you can save your document as a whole and give it a name.

  • What if I want to change my command? Easy again. Just invoke the 'Edit' command from the same ('Edit') menu. It's right below 'Add' and has the keyboard shortcut ⌘↩ which is command-enter.

  • Can I copy, cut, delete, drag-drop, paste my command? Of course. All commands are system standard.

Securing Your Computer

Now that you've got a basic idea of what CLIX does and how you do things it's time to stop and make sure your computer's safe to use. CLIX provides a number of safety (security) features which work well with a strengthened security policy on your computer.

The 1st thing you need to do is make sure rogues can't 'piggyback' onto your command line sessions, whether from Terminal.app or CLIX or anywhere else. The instructions are also found in a Rixstep tutorial from June 2007 but they're reprinted here for your convenience.

[If you don't feel up to this then don't fret - but promise to come back to it later. The good news is you only ever need to do this once. Ed.]

  1. You have to run visudo. From a command line. You must do this from an administrator account.
  2. Go to a command prompt (Terminal.app) and type in 'sudo visudo'. You'll be prompted for your passphrase. Give it.
  3. Use arrow down to get to the line that says '# Defaults specification'. Hit 'o' on your keyboard.
  4. Type in 'Defaults tty_tickets'. Hit Enter. Type in 'Defaults:ALL timestamp_timeout=0'. Hit <Esc>.
  5. You should now have this.
    # Defaults specification
    Defaults tty_tickets
    Defaults:ALL timestamp_timeout=0
  6. Type ':q!' if you make a mistake and want to exit without saving changes.
  7. Type ':w' followed by Enter then ':q' followed by Enter to save your changes.

What you've just done (if you've done it) is make sure rogues can't piggyback onto any session you're running with escalated privileges. By default an escalation is good for five minutes by anyone asking for it. You've just made sure only you are affected by any escalation you receive and that whoever it is asking for escalation will be required to submit the password each time.

And that's a Good Thing™!

Using Sudo

The sudo command ('substitute user and do') is what you use on Unix to change or escalate privileges. Normally this is used for privilege escalation to root (the system or superuser account) but it needn't be so.

Sooner or later you're going to want to run critical applications through CLIX. Some files (and programs) are otherwise protected and require privilege escalation. You submit your password to CLIX from the 'Edit' menu seen above - the command's right below the 'Add' command.

You won't be told immediately if you typed your password correctly. And that's the whole idea. You're only told when a command you're running requires it.

This makes it all the more difficult for (physical) interlopers to hammer away at your computer in search of your password. They get told the password is incorrect; they have to close the CLIX command sheet; they have to try again; it's a hassle.

Then again CLIX can alert you every time your command or something it invokes wants your password.

The password is never written to disk and CLIX is immediately aware when your computer is going to sleep and removes your password everywhere - from memory, from a possibly open password sheet - everywhere. And does it all again when you exit.

This is one of the reasons CLIX is so secure in practice: most people are going to balk at having to submit their password each and every time in Terminal - they'll turn those 'visudo' security settings off.

Prefab Commands

CLIX is an engine - no more no less. Just as Terminal.app is a mechanism for submitting Unix commands. Or TextEdit is an application for writing and saving text. With CLIX you write and save commands - and run them too. And everything else above and beyond that is up to you. But certainly you're not going to get very far with a single command. Particularly if you're new to Unix. You'll need to start somewhere.

Fortunately for you there are currently approximately 1,896 (one thousand eight hundred ninety six) places to start. And with the new anti-trojan file you can add 7 more.

These commands are found in the 'Command Files' directories in the 134 KB CLIX download. They've been collected over the years. Some worked on 10.2 Jaguar but not since; some on Panther or Tiger; a separate directory is provided for 10.5 Leopard and necessary changes to command syntax.

These 1,896 commands aren't part of the application proper but they're packaged along for your benefit. The idea is for you to add commands of your own.

And here's one you can start with right away - for the file 'iTrojan.clix' to help you further the fight against the 'bad guys'.

com.apple.systemloginitems

The file /Library/Preferences/com.apple.systemloginitems.plist is an especially dangerous one. This represents a gaping security hole Apple never seem to get around to fixing. It's been open for years. Rixstep have published numerous proofs of concept for this hole but nothing's ever done about it.

Basically it works like this. Any rogue running on your default account can either create this file or insert something in it so it takes over your computer. The commands in this file are run each time you log in. But they're run in single user mode which is beyond what even root can accomplish (or destroy).

The file is a property list file - a configuration file. It might be stored in a binary format and be unreadable by a text editor. It can look like this - if you've already been taken over by a rogue.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoLaunchedApplicationDictionary</key>
    <array>
        <dict>
            <key>Hide</key>
            <true/>
            <key>Path</key>
            <string>/Users/Shared/.SLIHack/ASK.app</string>
        </dict>
    </array>
</dict>
</plist>

The ASK.app in the (somewhat) hidden directory /Users/Shared/.SLIHack will run on login - in single user mode.

And you probably don't want that!

So what you can do - until Apple finally plug the hole - is check regularly to make sure nobody's tinkering with your system.

  1. Open iTrojan.clix in the Command Files directory.

  2. Use 'Add' on the 'Edit' menu to add a new command.

  3. Put 'Show System Login Items' in the title field. Tab to the next field.

  4. Put 'iTrojan' in the category field. Tab to the next field.

  5. As a description use 'show system login items'. Tab to the next field.

  6. Use the following for the command line field. Note you don't append the file extension.

    defaults read /Library/Preferences/com.apple.systemloginitems

  7. Run the command.

Note if your output is as above - if the system says the 'domain' com.apple.systemloginitems does not exist - then you're in the clear!

Help!

So where do you go from here? Assuming of course you as so many others have a thirst for knowledge? CLIX has a few things to help you there as well.

Go back to that system login items command again. Bring it up. Suppose you're wanting to know a bit more about the 'defaults' command? No problem! Just hold down (option) and double-click the word 'defaults' in the command line field.

And there you have it - the complete 'official' documentation for the defaults command. You can of course copy this out to a text editor like before.

And if you were really fast you noticed a new text field peeking out.

You can click on this area to the immediate left of the 'Close' button at any time to summon up the text field. Type in anything and hit (enter).

Hidden but Documented

Other apps have hidden settings only hackers can ferret out. The 'hidden' CLIX settings are all out in the open - they're in the bundle's Info.plist and the official documentation.

<key>RxDefaults</key>
<dict>
    <key>Construct</key>
    <false/>
    <key>OutputRGB</key>
    <array>
        <string>0 0 30</string>
        <string>153 153 255</string>
        <string>30 30 0</string>
        <string>255 255 153</string>
    </array>
    <key>RunHotKey</key>
    <true/>
    <key>SudoAlert</key>
    <false/>
</dict>

So Why Use It?

  • CLIX can do things you're going to want to do over and over again. Sooner or later you'll see how important this is.

  • CLIX is a rolodex - it's all your commands at a click. You don't have to search them out or remember them. They're already there. Don't type them in to run them - click them.

  • The CLIX 'Save' button is a virtual lock - as soon as you've tested and saved a command it's not going to fail you. Keep your eye on that 'Save' button for accidental typos - as long as it's not enabled you're OK.

  • CLIX is in many ways more secure than Terminal.app. Your precious $PATH system variable can be hijacked within Terminal.app but it can't be hijacked within CLIX.

  • The CLIX method of privilege escalation is more secure than has been found in 'system maintenance' utilities such as Cocktail and OnyX.

  • You might learn things with Terminal.app but you aren't going to learn anything with the GUI based utilities.

  • You won't ever again have to resign yourself to using an AppleScript wrapped in Cocoa that only runs the same commands anyway - after taking precious megabytes of your disk free space.

  • GUI based utilities lock you into what's currently being offered - you can't add new commands of your own.

  • It's free.

Lots More

There's a lot more to CLIX than can be covered in a brief tutorial. There are many additional security features built into CLIX that haven't been mentioned yet. There's the cool 'command share' feature which hasn't been discussed either. See the forum and check out what others are talking about.

Upcoming

The current ACP version of CLIX is also available in the Xfile Test Drive. A new standalone version incorporating many of the new features is also slated for release. Watch this site for further information.

Testimonials

Turn to the press page to see what others have said about CLIX.

Further Information

This site is ripe with information about CLIX, Unix, and computer security. The following selection might start you off.

CLIX
Defaults
Sudo Fun
ACP Text Services
Too Much Sudo Fun
CLIX: Safer than Terminal?

TTY Tickets
'If you can't type - click.'
The Zero Time Stamp Timeout

Cookie Tin Tips I
Cookie Tin Tips II
Cookie Tin Tips III
Cookie Tin Tips IV
Cookie Tin Tips V

Cool Clever Stuff with CLIX I
Cool Clever Stuff with CLIX II
Cool Clever Stuff with CLIX III

About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.