Can Internet Sharing Be Permanently Disabled?

Discussion in 'Mac OS X 10.3 (Panther) Discussion' started by Makosuke, Jun 8, 2004.

  1. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #1
    I just ran into a nasty little problem on my campus network. Someone in the lab I take care of enabled Internet Sharing on his computer. This of course fired up a nice little DHCP server built into OSX and started handing out IP addresses to anybody who plugs into the campus network.

    This is bad. It does not make the IT people happy, and they cut the entire lab off the network.

    A few phone calls and I eventually found out what had happened and turned it off, but now I'm wondering if there's a way to permanently disable that feature in OSX, to prevent anybody else from accidentally turning it on.

    I could obviously just lock the System Preferences application, but that locks down Energy Saver and a couple other preferences people will want access to. They also have admin privileges on their own machines, so they could unlock it if they felt like it.

    And yes, I can of course just tell people not to check that box, but a more permanent solution is always preferable, and makes the IT guys happier--they're not huge Mac fans, despite this being a university with a reasonably large Mac presence.
     
  2. MisterMe macrumors G4

    Joined:
    Jul 17, 2002
    Location:
    USA
    #2
    If I plug any DHCP-compatible computer into most TCP/IP networks, it will be on the 'net. The only way that your "problem" could be a problem is that the Mac has a fixed IP address. Generally, computers with fixed IP addresses have higher privileges on the network than those that have their IP addresses provided by DHCP. I would bet dollars to donuts that there are numerous Wi-Fi or Wireless-G base stations on your network. If that is the case, then just about anybody can access your network. If your IT people are serious, then you have much more serious problems than one rogue Mac.
     
  3. crazzyeddie macrumors 68030

    Joined:
    Dec 7, 2002
    Location:
    Florida, USA
    #3
    I think the problem was that the Mac was handing out IP addresses instead of the main DHCP server on the network...

    I see no way to stop access to this if everyone is the admin of their own machine. Maybe you could remove the prefpane itself from the System? That would prevent any GUI access to Internet Sharing. It's located in: " /System/Library/PreferencePanes/SharingPref.prefPane ". Now, don't ask me what effect this will have on the system, and if you do this, even the root user would have no GUI access to it, since you are removing it from the entire system, but it's the only thing I can think of.
     
  4. Counterfit macrumors G3

    Joined:
    Aug 20, 2003
    Location:
    sitting on your shoulder
    #4
    That would work, but they could get around it in Terminal if they knew how.
     
  5. saabmp3 macrumors 6502a

    Joined:
    Jul 22, 2002
    Location:
    Tacoma, WA
    #5
    If a person got into the terminal to enable this and they all have their own admin accounts (that's how I read it) you could easily find out who is doing this after telling them not to and give that person a beat down. That is going beyond accidental activation as using a terminal command requires a little bit of know-how into the whole DHCP system. I second a vote for the removal of the GUI.

    BEN

    Edit: Just make sure you know how to turn it off after it has been activated through the terminal as there will be no GUI button to uncheck.
     
  6. MisterMe macrumors G4

    Joined:
    Jul 17, 2002
    Location:
    USA
    #6
    That's what Makosuke says, but it is not at all clear what he means. You seem to understand him to mean that the Mac is giving out conflicting IP addresses via DHCP. That was not my understanding, but who knows. If your interpretation is correct, it seems to me that the solution is simple. IT should warn the owner of the rogue machine to turn off the pirate DHCP server. If the pirate DHCP server is not turned off, then IT should have the institution's DHCP server deny the rogue machine an IP address.
     
  7. 7on macrumors 601

    Joined:
    Nov 9, 2003
    Location:
    Dress Rosa
    #7
    You could always move the Sharing prefpane into the admin account's home library folder so that only the admin has access.
     
  8. Makosuke thread starter macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #8
    This would be true for most TCP/IP networks, but you're wrong in this case, although my tale of woe doesn't directly relate to my actual question anyway--not like I'm the one who decided to shut down my office network.

    My University network is set up such that a computer needs to have its MAC address specifically registered with central computing before the main DHCP server will give you an IP address. This way, no unauthorized computers get access to network services--same as with some wireless networks, and the same thing you can do with a home router as well if you're paranoid.

    In this case, it was an authorized computer, but once it started running its own DHCP server (as a wireless router or little Linksys job would, which NO, there aren't any of on campus outside of a couple hotspots the Big IT Guys have installed), anybody could plug into the network and grab an IP from it, registered MAC address or not.

    And as you said, their solution is to kill the Pirate DHCP server, which (apparently due to however our local hub is set up) involved cutting this entire leg off the network and killing the whole office. They could, however, tell what MAC address was acting as the DHCP server, so they had no trouble telling me which machine to look at (confused the heck out of me at first, since at first it didn't register that OSX even had an internal DHCP server).

    But it looks like the bottom line is, admin access=access to this feature. Too bad, but that's the way it works. Not like somebody is going to bring down the whole University network with it, and I'm not locally worried about malicious users (if somebody actually was, IT would shut them down anyway), just people fiddling where they shouldn't be.

    Thanks for the suggestions, though!
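
The check the campus IT staff are described as making above (spotting which MAC address is answering DHCP when it should not be) can be sketched as follows. This is an added example, not part of the original thread: it parses DHCP replies per RFC 2131/2132 and flags any server identifier (option 54) that is not on an allowlist; all addresses and MACs are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # starts the options field (RFC 2131)
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Return (op, yiaddr, options) for a DHCP UDP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                                # truncated option
        length = payload[i + 1]
        options[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return payload[0], socket.inet_ntoa(payload[16:20]), options

def find_rogue_servers(frames, authorized):
    """frames: (source MAC, UDP payload) pairs. Lists replies from unlisted servers."""
    findings = []
    for src_mac, payload in frames:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        op, yiaddr, opts = parsed
        msg_type = (opts.get(53) or b"\x00")[0]        # option 53: message type
        server_id = opts.get(54, b"")                  # option 54: server identifier
        if op != 2 or msg_type not in SERVER_REPLIES or len(server_id) != 4:
            continue
        server_ip = socket.inet_ntoa(server_id)
        if server_ip not in authorized:
            findings.append((src_mac, server_ip, SERVER_REPLIES[msg_type], yiaddr))
    return findings

def build_reply(msg_type, yiaddr, server_ip):
    """Constructed sample data: a minimal BOOTREPLY carrying options 53 and 54."""
    sid = socket.inet_aton(server_ip)
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0,
                        b"", socket.inet_aton(yiaddr), sid, b"", b"", b"")
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4]) + sid + b"\xff"

AUTHORIZED = {"10.0.0.2"}                      # constructed: the one sanctioned server
SAMPLE = [("02:00:00:00:00:01", build_reply(2, "10.0.5.20", "10.0.0.2")),
          ("02:00:00:00:00:02", build_reply(2, "192.168.2.3", "192.168.2.1"))]
```

In practice the (source MAC, payload) pairs would come from a capture of UDP port 67/68 traffic on the affected segment; the source MAC of a flagged reply is what identifies the machine to go and look at.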
     
