About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch

Cheat Sheet

Provided by one sole mole who naturally wishes to remain anonymous.

Get It

Try It

You'll be asked this again at the end, but for now answer this.

Do you regard yourself as an adequate 'expert' on user interfaces?

- Getting there.

Do you regard yourself as an adequate 'expert' on machine interfaces?

- Same. But there's no one in HI who knows or cares about the 'machine'.

What interfaces are you responsible for when you work with the 'man-machine' paradigm?

- Both man and machine. But the others don't accept that.

Is it acceptable to research only from your own expectations of usability, or should you also be adept at the machine's possibilities?

- The latter, of course.

Do you know what happens when you power-on a Mac? Can you give a short description of the sequence of events?

- There has to be a mechanical trigger somewhere to load a start sequence. Goes to disk ASAP.

At what point does 'on-disk' code and data take over? Can you identify this code?

- I could once upon a time. Not any longer. Suppose I could look it up again.

What user account is running the Mac before the first login? After logout? Between logout and login?

- None to all three.

How often have you run dmesg? Your impressions?

- A few times. It's mostly for troubleshooting, I suppose.

Please describe the relevance of $PATH. Where does its value come from?

- The directories searched for commands. Initially it comes from the kernel.

Is there any way to corrupt $PATH? Can this corruption be avoided? How?

- In user mode? Of course. Reset a shell variable. Avoid by using only the kernel-protected $PATH.

What effect will $PATH have on code execution?

- $PATH is easy to exploit, so it can have a great effect.

Can you describe the difference between a physical device and a logical volume?

- One is physical, the other is logical. Disk Utility shows clearly which is which. Volumes always have their own ilists (and device numbers AFAIK).

What is the name of Apple's new file system?


How many volumes does a standard Mac have under root, excluding mounts under /Volumes? Can you name them and explain what they do?

- Four? Root, /dev, /home, /net. Root is root, /dev is device files, not too up on /home and /net.

Certain volumes are marked with special flags. Can you name these flags and explain their significance?

- A few of them. MNT_AUTOMOUNTED, MNT_DONTBROWSE, MNT_JOURNALED, MNT_NOSUID. There's more. Fairly self-explanatory.

What is the meaning of the 'Hidden' file flag? The 'Restricted' file flag? What level of the system observes these flags? What does MNT_DONTBROWSE indicate? MNT_LOCAL?

- Hidden sounds like a Finder artifact. Restricted sounds spooky. Finder mostly. MNT_DONTBROWSE means it's probably best not to enumerate.

What's in /.vol? In /dev? How and when is the contents of /dev created? What does it do?

- /.vol is for conversion from CNID-type stuff to Unix inodes, /dev is device files generated on startup.

Please name the two core frameworks of the user interface. One is abstract and one is not. Can you explain why? What is their internal relationship?

- AppKit and Foundation. Foundation is abstract, for objects that have no visual interface. AppKit classes can often build on Foundation classes.

Where do you find ordinary user applications? Why? What locations are acknowledged by the system?

- In /Applications, in ~/Applications, also in the network.

As some third-party software is licensed on a per-user basis, where should this software be installed? Does this cause any conflicts?

- ~/Applications causes no conflicts if it's written properly.

Can you briefly describe the purpose and inner workings of sudo?

- sudo is marked 4511. So it can escalate you to root but it can only be run, not modified, not even read. It does a lot of error-checking and fraud-checking, then runs your command as another user (default root).

What is a sudo 'grace period'?

- Standard 5 minutes from time of last use where you don't need to authenticate again.

What are 'TTY tickets'?

- Teletype tickets. The wrong setting can lead to the system being hacked.

Please expand the acronym 'POSIX'. Who is responsible for its definition?

- 'Portable Operating System Interface - X'? The IEEC IIRC.

What is/was 'Carbon'? Does Carbon still exist on the Mac?

- Transition interface for legacy MacOS code, not intended as an active platform. Yes it still exists in Apple code.

What is the difference between 'current user' and 'effective user'?

- Current user is you, effective is who you're posing as, such as through su or sudo.

What is the standard numerical user ID of the first created user account on a Mac? What is the standard numerical user ID of the second?

- 501, 502.

What are the two most common user groups for the first user account?

- admin and staff? Or perhaps they changed? Not sure on this one.

Can the 'root account' perform everything on the Mac? Explain.

- No it cannot. Some ops require SUM.

Give the names of the user:group combination 0:0.

- root:wheel.

Describe the difference between a hard link and a symbolic link. Why are hard links traditionally not allowed on directories?

- Symlinks point to another location. Hard links are just different names for the same thing. Hard links on directories can lead to endless recursion loops.

The HFS Catalogue Node ID (CNID) and the Unix inode are bridged. What are they used for?

- They're indexes into the ilist.

Where does Unix find information on file system allocations for a specific file?

- In the file's iblock, located at an index in the ilist.

Is a directory a file or not? Explain. Does Unix have other generic file types? Can you name them?

- For Unix systems, everything is a file. Other types include pipes, char devices, block devices, symlinks, sockets.

What is a 'whiteout'?

- That's what happens when something is mounted over an existing node.

Unix on the Mac today has three paradigms for access control. Can you name them and rank them? What paradigm overrides what paradigm, and so forth.

- Not public or official, but seems to be 1) file flags 2) access control entries 3) ordinary file permissions.

Name the three types of standard Unix file permissions.

- Read, write, execute.

Name the three user groupings used in defining standard Unix file permissions.

- User, group, other.

Do text files on the Mac, by default, use a single-character or a double-character escape for line feeds? What character(s) is/are standard?

- Single-character, \n (0x0A).

How does a user enable a shell script so it can be run?

- Set the 'x' bit.

How does a user mark a file so it can't be read by anyone?

- Set mode to 000.

Is there any point in allowing a file to be written but not read?

- Of course. Other users might need to append a file but should not be allowed to read it. There are many examples.

Is there any point in allowing a directory to be written but not read? To be read but not written? Give some examples.

- To add files but not be able to list them. Of course. Not written means you can't add or rename or remove. Or course. Real world.

What happens when you lack permission to 'run' a directory?

- Then you can't enter it, or make it your working directory.

What is the 'sticky bit'? What is the 'set GID' bit? What is the 'set UID' bit?

- Sticky bit is different today, it limits the rights of users other than the owner. Set GID and set UID pave the way for privilege escalation.

How can the 'sticky bit' be used to protect directories and their contents?

- So users other than the owner can't tamper.

How can the 'set GID' bit and the 'set UID' bit be used to enhance the user experience?

- Some commands need to be run with escalated privileges. Obviously.

How must file permissions be set to avoid abuse of the above?

- Not sure what's meant here.

If system modules are owned and protected by root, what prevents a malicious player from replacing them with malware?

- The permissions on the parent directory.

User Experience
Given standard default administration tools on the Mac, how does a user:

Determine the presence of a 'sticky bit'? A 'set GID' bit? A 'set UID' bit? The 'executable' bit?

- Can't be done. You need the command line. The Mac's pretty crippled.

Determine which user-level file flags are in play for a given file, flags such as 'No Dump', 'Immutable', 'Append', 'Opaque', 'No Unlink', 'Tracked', 'Data Vault', and 'Hidden'?

- Can't be done. You need the command line. The Mac's pretty crippled.

Determine which system-level file flags are in play for a given file, flags such as 'Archived', 'Immutable', 'Append', 'Restricted', and 'No Unlink'?

- Can't be done. You need the command line. The Mac's pretty crippled.

What is the general caveat when setting system-level file flags? Explain the procedure to reset a system-level file flag.

- Can only be reset in SUM. You reboot into SUM and do it there.

Can an ordinary user set the user-level flag 'Compressed'? Explain.

- No, it's a read-only attribute. NeXT's workspace had an API for this but Apple never added back the code. A lot was lost when they migrated File Viewer and the Workspace to Finder.

What is an access control entry? What is an access control list? In the event of a conflict between a file flag and an access control entry, who wins? In the event of a conflict between either of the two above and standard file permissions, who wins?

- ACEs are grouped in an ACL. They're rules for allowing or denying various types of file access. File flags seem to win over ACLs, permissions always come last.

What happens when you 'delete' a file? Explain in detail. Be very precise.

- Delete doesn't delete, on Unix it doesn't, it only removes a path, an entry in a directory. Physical files have a link count stored in their inode data. Files are only gone when the link count reaches zero.

What does a zero inode value indicate?

- The physical file's scheduled for deletion. (The system uses 'lazy write'.)

Describe what 'spatiality' means to you personally.

- A royal pain in the arse, especially the idiots who pimped it.

A file has been written to but its inode has changed. What does that tell you?

- That it hasn't really been written to. That somebody fucked with the original code.

Can the Mac file system run out of inodes? What happens then?

- Inodes are usually used sequentially. The system should have rollover today. Still a mystery why things have to be sequential. Perhaps to help with file recovery. There were reports back in the day that that you could run out. One rocket scientist claimed this was not a problem, as all he had to do was copy out all his files to an external drive and then reformat and reinstall his entire system. (Yes, really.)

How many time stamps does a traditional Unix file have? How many time stamps are there today?

- Traditionally three, today four (holds in BSD too AFAIK).

Are any of these time stamps immutable? Explain. Can any of these time stamps be programmatically modified? Which, in such case? Can any of these time stamps not be programmatically modified? Why not, in such case? Explain.

- Create should be (must be actually) immutable. But who knows? Changed should be controlled at kernel level. HFS incorrectly allowed Changed to be programmatically modified - a security vulnerability.

What is the minimum number of entries in a standard Unix directory? Can you explain their use?

- Two. '.' and '..'. '.' is the directory itself, '..' is its parent. cd uses them. Anyone can in theory. Very important from a security POV today.

Why are the inodes of the first entries in the root directory always the same?

- Because the parent of root is root itself.

What are 'dotted' directories? How many of these directories are found default at root on a Mac? Can you name them and describe what they do?

- .DocumentRevisions-V100 is for archiving file changes, fseventsd is for FSEvents, .HFS+ Private Directory Data is for Time Machine, the PKInstall directories are for incoming updates, Spotlight-V100 is for Spotlight.

The root directory '.HFS+ Private Directory Data?' does not actually have a question mark ('?') at the end of its name. What does that question mark represent, and why?

- The carriage return ('\r'). Perhaps because the engineers are still using old Mac tools to get around in there (we don't know actually).

The root directory '.HFS+ Private Directory Data?' still carries special data attribute fields that define its horizontal and vertical coordinates at (16384, 16384). What does that mean? Why is it used to this day?

- Who knows what they're thinking. Perhaps they're paranoid that ordinary users will see the directory in their Finder. (SRSLY.)

Unix has traditionally four 'binary' directories, repositories for standard programs. Can you give the full paths for these directories? Two of those directories are primarily meant for system administration tools. Can you name them?

- /bin, /usr/bin, /sbin, /usr/sbin. The latter two are for admin tools.

What is a 'daemon'? What is the difference between a 'launch daemon' and a 'launch agent'?

- A background process. Launch daemons are system-wide, launch agents are per-user.

Can you describe the on-disk architecture of a standard Cocoa application bundle?

- Top level is a directory normally with extension 'app'. Then Contents which has only the Info.plist. Under that are MacOS and Resources. MacOS has the executable, Resources has the resources.

- What text file is absolutely essential to run a Cocoa bundle application? What data is absolutely essential in that file?

- Info.plist. NSPrincipalClass and NSMainNibFile are rather crucial.

- What is an 'lproj' directory? How does the system choose which of these directories is to be used on any one given occasion?

- Has localisation files. System uses the language order found in System Preferences.

Where is the default search location for Cocoa bundle resource files?

- The Resources directory.

What is 'designable.nib'? Is it used by a running Cocoa application?

- Used by Interface Builder to create a NIB. No, it is not used.

What is 'keyedobjects.nib'? Is it used by a running Cocoa application?

- Used by Interface Builder to create a NIB. Yes, it is used.

What are 'classes.nib' and 'info.nib'? Are they used by a running Cocoa application?

- Legacy IB helper files. No, they are not (were not) used.

The file 'keyedobjects.nib' can take on another name when a project build is complete. Can you explain the new name it assumes?

- Takes on the name of its parent directory.

Approximately how big is the current Safari application bundle? With approximately how many files?

- 25-30 MB with about 3000 files.

Approximately how big is the current Finder application bundle? With approximately how many files?

- 35-40 MB with perhaps 4000 files. (But who cares.)

Which of the above two is bigger?

Finder. Then, with all its dependencies, it's a real monster. Crash-prone too. Unbelievably enough.

Safari's 'logic' comes from the 'WebKit' module. What is the corresponding module for Finder?

There is none. That's why there's such a panic. They screwed up and they know it.

Have you ever used the NeXTSTEP OS or the OPENSTEP OS? How would you compare them with regard to file management and overall system design?

- Some use. They were on the right track but had a bit further to go. But they were definitely on the right track.

Have you ever used any of the Linux user interfaces, such as Gnome and KDE? How would you compare them with regard to file management and overall system design?

- The interfaces themselves are for shit, but functionally and in terms of usability, their file management is more complete. Programmatically they're both pretty messy with no signs of anything encouraging on the horizon.

Have you ever used an IBM Unix/Linux user interface? How would you compare it with regard to file management and overall system design?

- AIX was awesome. As it would be, coming from IBM. But IBM got heavily into OO w/o understanding what it's really all about.

Based on your personal experience on the Mac, how would you rate the system's file management capabilities? Is there anything in particular you'd like to praise? Are there any areas for improvement, in your estimation? This information will remain confidential.

- System's file management capabilities are rock-bottom. Nothing to praise. It's a mess. They need to create the counterpart to WebKit and publish the code. But they've currently backed themselves into a corner with all this SIP mania. You know how that's going to end.

See Also
Industry Watch: Thanksgiving Day Remedial
Industry Watch: Course Review, Study Questions

About Rixstep

Stockholm/London-based Rixstep are a constellation of programmers and support staff from Radsoft Laboratories who tired of Windows vulnerabilities, Linux driver issues, and cursing x86 hardware all day long. Rixstep have many years of experience behind their efforts, with teaching and consulting credentials from the likes of British Aerospace, General Electric, Lockheed Martin, Lloyds TSB, SAAB Defence Systems, British Broadcasting Corporation, Barclays Bank, IBM, Microsoft, and Sony/Ericsson.

Rixstep and Radsoft products are or have been in use by Sweden's Royal Mail, Sony/Ericsson, the US Department of Defense, the offices of the US Supreme Court, the Government of Western Australia, the German Federal Police, Verizon Wireless, Los Alamos National Laboratory, Microsoft Corporation, the New York Times, Apple Inc, Oxford University, and hundreds of research institutes around the globe. See here.

All Content and Software Copyright © Rixstep. All Rights Reserved.

John Cattelin
Media Contact
ACP/Xfile licences
About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.