Category Archives: security

Unlocking a protected PDF on Mac OS X

Recently I needed to demonstrate proof of purchasing something via my credit card statement. Easy enough, I download my most recent statement as a PDF file from American Express. Then I wanted to use Adobe Acrobat Pro’s nifty redaction features to redact all the irrelevant information from the appropriate page of the bill. Except Amex has decided that the statement should be a protected PDF, which means you can view it but cannot change it. This is of course totally bogus DRM, it’s my statement after all! I suppose they hope to curb statement forgeries, but as anyone akamai knows: if I can view it, I can edit it. I think Preview.app on Mac OS X used to ignore DRM and let you edit protected PDFs, but doesn’t seem to on Snow Leopard.

I hunted around for a tool to unlock the PDF. There are lots of tools for Windows, which didn’t interest me. One person suggested opening the PDF and “printing” it to a PDF, but Adobe has disabled those features of the Print dialog box on Mac OS X (presumably since it would allow trivial circumvention of the DRM).

PDFKey Pro looks like a reasonable option for Mac OS X, but it is $25 which seems kinda steep for a single use. They have a downloadable demo, but it will just create an unlocked version of the first page of the PDF, which wasn’t the page I wanted. And of course I can’t edit the source PDF because it is protected, so the demo wasn’t useful to me.

Then I came upon MuPDF, which is a “lightweight PDF viewer and toolkit written in portable C”. It has an X11 GUI component, as well as command line tools. One of the command line tools is “pdfclean”, which will remove the DRM from a PDF.

Unfortunately, MuPDF isn’t in MacPorts yet, so I had to compile it by hand. It uses the Perforce jam tool instead of make, and has three library dependencies: zlib, libjpeg, and freetype2. Luckily, all of these are available in MacPorts, so I was able to install them and then edit the Jamrules file to point at the MacPorts location. Here is the updated section of Jamrules:


if $(OS) = MACOSX
{
    Echo Building for MACOSX ;

    BUILD_X11APP = true ;

    CCFLAGS = -Wall -std=gnu99 -I/opt/local/include -I/opt/local/include/freetype2 ;
    LINKFLAGS = -L/usr/X11R6/lib -L/opt/local/lib ;
    LINKLIBS = -lfreetype -ljpeg -lz -lm ;
    APPLINKLIBS = -lX11 -lXext ;

    if $(BUILD) = debug   { OPTIM = -g -O0 -fno-inline ; }
    if $(BUILD) = release { OPTIM = -O3 ; }

    if $(HAVE_JBIG2DEC) { LINKLIBS += -ljbig2dec ; }
    if $(HAVE_OPENJPEG)    { LINKLIBS += -lopenjpeg ; }
}

pdfclean worked like a charm, removing the DRM from the statement. After that I was able to redact the statement without incident.

Perhaps in my copious spare time I will make a MuPDF portfile for MacPorts, but until then perhaps this will help others who want an open source way to remove bogus PDF DRM.

Sharing iPhoto and iTunes libraries between users

I was looking for a way to share iPhoto and iTunes data between two accounts on the same Mac. There are a variety of old solutions that involve adding both users to the same group (like “staff”) and then changing the group and permissions on the files to be read/write for the group. For me (using Mac OS X 10.4.10 and iPhoto 6.0.6) this mostly works, but various files get rewritten with new ownership and the wrong group on each iPhoto launch. I worry that new files will not have the proper permissions and this will hose things down the line.

I finally found this technique using Tiger ACLs that looks pretty slick. I have yet to try it, but it should work.

Update: I tried it out and it seems to work. Sweet!

Securing MySQL for development

When developing in Rails, the canonical thing to do is to have a root MySQL account with no password. While this makes the Rails configuration automagic, it leaves things somewhat open because MySQL accepts TCP/IP connections by default. Note that this is separate from the webserver hosting the Rails application on localhost. It turns out that MySQL has a nice command line option --skip-networking, which will turn off all TCP/IP networking. Database connections from the local webserver will go through a Unix socket, so they will continue to work and that’s all you need for development.

I installed MySQL using the MySQL AB official binary distribution. However, I have been starting and stopping MySQL using the conveniently supplied panel for Mac OS X System Preferences, thus preventing me from adding any command line arguments. After some fiddling, it turns out that the preference panel is just calling the shell script /usr/local/mysql/support-files/mysql.server. This file (or one of the scripts that it calls) will read ~/.my.cnf or /etc/my.cnf for MySQL configuration options. To make it work with the pref pane, I had to put the following options in /etc/my.cnf:

# MySQL options file
[mysqld]
# turn off all networking, for safety during development
skip-networking

After that, MySQL is no longer listening via TCP, as confirmed with CocoaMySQL’s Show Variables, and via netstat -a. I feel safer already. 🙂
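
The two checks described above (the option is really in the [mysqld] section, and nothing is listening on the MySQL TCP port) can be scripted. This is an added example, not part of the original post: the function names are made up for illustration, the sample inputs are constructed, and it assumes the default MySQL port 3306 and numeric `netstat -an` output rather than `netstat -a`.

```shell
# Exit 0 if the [mysqld] section of the option file on stdin has an active
# skip-networking line. '#' and ';' start comment lines, and MySQL treats
# '-' and '_' in option names alike. Only the bare form is recognised.
mysqld_skips_networking() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[mysqld]" {
            opt = tolower($0); gsub(/[ \t]/, "", opt); gsub(/_/, "-", opt)
            if (opt == "skip-networking") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print the local address of each TCP socket in LISTEN state on port $1,
# reading `netstat -an` text on stdin. Accepts BSD/macOS (*.3306) and
# Linux (0.0.0.0:3306) address forms; the port must match exactly.
tcp_listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, "[.:]")
            if (part[n] == port) print $4
        }'
}

# $1 = option-file text, $2 = netstat -an text; prints a one-line verdict.
audit_mysql_exposure() {
    if printf '%s\n' "$1" | mysqld_skips_networking; then cfg=present; else cfg=missing; fi
    hits=$(printf '%s\n' "$2" | tcp_listeners_on_port 3306)
    if [ -n "$hits" ]; then net=listening; else net=closed; fi
    echo "skip-networking=$cfg tcp3306=$net"
}

# Constructed sample inputs, not captured from a real host.
CNF_HARDENED='[mysqld]
# turn off all networking, for safety during development
skip-networking'
CNF_WEAK='[client]
skip-networking
[mysqld]
# skip_networking'
NETSTAT_OPEN='tcp4  0  0  *.3306         *.*  LISTEN
tcp4  0  0  127.0.0.1.631  *.*  LISTEN'
NETSTAT_CLOSED='tcp4  0  0  *.33060         *.*            LISTEN
tcp4  0  0  10.0.0.5.49152  10.0.0.9.3306  ESTABLISHED'

audit_mysql_exposure "$CNF_WEAK" "$NETSTAT_OPEN"
audit_mysql_exposure "$CNF_HARDENED" "$NETSTAT_CLOSED"
```

Against a real machine, call it as audit_mysql_exposure "$(cat /etc/my.cnf)" "$(netstat -an)". The weak sample shows the two easy mistakes: the option placed under the wrong section, and the option left commented out.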