Revised: 2008-11-05 james


Date:                Friday, November 21st, 2008
Time:                2:00 - 3:30 pm
Where:                Marriott Library, Multimedia Center, Classroom 1705A

It is assumed you know how to set up the services with the GUI.  I will not discuss configuring the services in depth, as that is covered thoroughly on the web, other than some very small basics.
Class will cover:
- Privilege separation
- Apache, AFP, SMB, FTP, SSH, SFTP on Mac OS X
- How services are enabled and configured w/o the GUI Prefs
- Creating shares on OS X
- ipfw again
- NAT and DHCP and "Internet Sharing"
- Firewire Networking

Class Notes from February 2008

Unix permissions for privilege separation - why apache can't show a gui.  httpd's request-handling children run as the unprivileged www user with no access to the console login session, so they cannot draw anything on screen.  The same separation limits what a compromised CGI script can read or write.

Privileged ports 0-1023: only root can bind them.  A daemon that listens on 80 or 22 therefore starts as root and drops to an unprivileged user once the socket is bound (Apache to www, sshd's unprivileged child to the sshd user).


How services are started up


This will be covered again in chapter 13 (we are currently on chp 10).





You can turn off guest login.

AFP is cleartext (except for authentication).  If you have sensitive data, you want to enable AFP over SSH.  (I'm not sure if this works in 10.5)

Or do it manually (aka "tunnel AFP through SSH"): forward a local port to port 548 (AFP) on the server over SSH, then point the Finder at the local end of the tunnel.  sudo is needed whenever the local end is a port below 1024.  On client:
sudo ssh -l username -L 22:
Finder -> Go -> Connect to Server... "" username and password is from


? who cares....


SFTP is enabled whenever SSH is, because it is a subsystem of sshd.  To disable it, edit /etc/sshd_config, comment out "Subsystem       sftp    /usr/libexec/sftp-server", and restart sshd.  An sftp client will then see:

Connecting to
Request for subsystem 'sftp' failed on channel 0
Connection closed
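A quick way to check that the edit actually took, as an added example (not part of the class notes): parse sshd_config the way sshd does, where a leading "#" disables a directive, and report whether an active "Subsystem sftp" line remains.  The two sample config files are constructed here for the demonstration; point sftp_enabled at /etc/sshd_config on a real machine.

```shell
#!/bin/sh
# Added example: does this sshd_config still enable the sftp subsystem?
# Returns 0 (yes) if an uncommented "Subsystem sftp ..." line exists, 1 otherwise.
sftp_enabled() {
    # $1 = path to an sshd_config file
    awk '
        $1 ~ /^#/ { next }                 # comment line (leading whitespace is fine): ignore
        tolower($1) == "subsystem" && tolower($2) == "sftp" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample configs: one with the subsystem active, one with it commented out.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'Port 22' \
        'Subsystem       sftp    /usr/libexec/sftp-server' > "$dir/enabled"
    printf '%s\n' 'Port 22' \
        '#Subsystem       sftp    /usr/libexec/sftp-server' > "$dir/disabled"
    echo "$dir"
}

# Usage on a real host: sftp_enabled /etc/sshd_config && echo "sftp still on"
```

The check only looks at the main body of the file; a Match block that re-enables the subsystem for some users would need a separate look.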


The password hash...


Creating shares (10.4):

NetInfo Manager: add a record for the share under /config/SharePoints with the properties below.  (This record shares /tmp to guests over AFP, FTP and SMB, which is fine for a classroom demo but not something to leave on a real machine.)


directory_path: /tmp
afp_shared: 1
afp_guestaccess: 1
afp_name: tmp
afp_use_parent_privs: 0
afp_use_parent_owner: 0
ftp_shared: 1
ftp_guestaccess: 1
ftp_name: tmp
smb_shared: 1
smb_guestaccess: 1
smb_name: tmp
smb_inherit_permissions: 0
smb_createmask: 0644
smb_directorymask: 0755
smb_oplocks: 0
smb_strictlocking: 1

Shares in 10.5 are very similar, only the records live in the local (dslocal) directory node instead of NetInfo; list them with "dscl . -list /SharePoints".
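Because every protocol in a share record has its own guest and mask settings, it is easy to leave one of them open.  The following is an added example (not from the class notes) that reads a share record in the key: value form shown above and reports each protocol that is both shared and guest-accessible, plus any SMB create/directory mask that grants world write.  The two records it audits are constructed: the first is the /tmp record from the notes, the second a tightened version.

```shell
#!/bin/sh
# Added example: audit a sharepoint record (key: value lines) for guest access
# and world-writable masks. Prints one line per finding; returns 1 if any.
audit_share() {
    # $1 = file containing the record
    awk -F': *' '
        $1 ~ /_shared$/      { p = $1; sub(/_shared$/, "", p);      shared[p] = $2 }
        $1 ~ /_guestaccess$/ { p = $1; sub(/_guestaccess$/, "", p); guest[p]  = $2 }
        $1 ~ /mask$/ {
            # last octal digit = "other" permission; 2, 3, 6 or 7 include write
            o = substr($2, length($2), 1)
            if (o ~ /[2367]/) { print $1 ": world-writable mask " $2; n++ }
        }
        END {
            for (p in guest)
                if (guest[p] == "1" && shared[p] == "1") {
                    print p ": shared with guest access"; n++
                }
            exit n ? 1 : 0
        }
    ' "$1"
}

# Constructed sample records for the demonstration.
make_share_samples() {
    dir=$(mktemp -d)
    cat > "$dir/tmp_share" <<'EOF'
directory_path: /tmp
afp_shared: 1
afp_guestaccess: 1
afp_name: tmp
ftp_shared: 1
ftp_guestaccess: 1
ftp_name: tmp
smb_shared: 1
smb_guestaccess: 1
smb_name: tmp
smb_createmask: 0644
smb_directorymask: 0755
EOF
    # Tightened: AFP only, no guests; SMB guest flag is irrelevant because SMB is off.
    cat > "$dir/tight_share" <<'EOF'
directory_path: /Users/Shared/drop
afp_shared: 1
afp_guestaccess: 0
ftp_shared: 0
ftp_guestaccess: 0
smb_shared: 0
smb_guestaccess: 1
smb_createmask: 0640
smb_directorymask: 0750
EOF
    echo "$dir"
}
```

On a 10.4 box the record can be dumped for this script with nidump or NetInfo Manager; on 10.5, dscl prints the same keys.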

Stupid default umask (022).  Files created in home directories (/Users/*) come out 644 and folders 755, and the home directory itself is 755, so any other local user, and any CGI script running as www, can read them.  Treat /Users/* as a public folder, or set a stricter umask and chmod 700 your home directory.
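To see what the umask actually does to a home directory, here is an added example (not from the class notes) that lists every regular file under a tree that is readable by "other", and a small constructed demo that creates one file under the default umask 022 and one under 077 so the difference is visible.  Paths and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: find world-readable files under a directory tree.
# -perm -004 tests the mode bits, so the result is the same whoever runs it.
world_readable() {
    # $1 = directory to audit, e.g. /Users/james
    find "$1" -type f -perm -004
}

# Constructed demo: two files created the same way, under two different umasks.
demo_umask() {
    d=$(mktemp -d)
    ( umask 022; touch "$d/default_umask" )   # mode 644: readable by everyone
    ( umask 077; touch "$d/restricted" )      # mode 600: owner only
    echo "$d"
}

# To stop new files from being public, put "umask 077" (or 027) in ~/.profile,
# and close the directory itself with: chmod 700 ~
```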


Essential Mac OS X Panther Server Administration by Michael Bartosh


apache 1.3 (10.4) - config in /etc/httpd/httpd.conf


apache 2 (10.5) - config in /etc/apache2/httpd.conf



DocumentRoot "/Library/WebServer/Documents"

<Directory "/Library/WebServer/Documents">
    AllowOverride None

    Order allow,deny
    Allow from all
    # Indexes: directory listings are shown wherever there is no index file
    Options Indexes
</Directory>

AccessFileName .htaccess

#CustomLog "/private/var/log/httpd/access_log" common
#CustomLog "/private/var/log/httpd/referer_log" referer
#CustomLog "/private/var/log/httpd/agent_log" agent
CustomLog "/private/var/log/httpd/access_log" combined

ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"

To enable a CGI script under /Library/WebServer/CGI-Executables/, make it executable (chmod 755).  It runs as the web server user (www), so it has exactly the access that user has - which, given the umask note above, includes reading everyone's home directory.
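The settings in that excerpt worth reviewing are "Options Indexes" (listings) and "AllowOverride" (which lets an .htaccess file, writable by whoever can write the directory, change server settings).  As an added example (not from the class notes), the script below walks an httpd.conf, keeps track of the current Directory block, and prints a finding for each Options flag that widens exposure and each AllowOverride other than None.  The sample config is constructed; it follows the excerpt above and adds a second Directory block.

```shell
#!/bin/sh
# Added example: report risky per-directory settings in an httpd.conf.
# Prints one line per finding, prefixed with the Directory it applies to;
# returns 1 if there were findings, 0 if the file is clean.
audit_httpd() {
    # $1 = path to httpd.conf
    awk '
        BEGIN { dir = "(global)" }
        /^[[:space:]]*#/ { next }                       # comments never count
        /^[[:space:]]*<[Dd]irectory[[:space:]>]/ {      # <Directory "/path"> opens a block
            dir = $0
            sub(/^[[:space:]]*<[Dd]irectory[[:space:]]*/, "", dir)
            sub(/>.*$/, "", dir)
            gsub(/"/, "", dir)
        }
        /^[[:space:]]*<\/[Dd]irectory>/ { dir = "(global)" }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (substr(o, 1, 1) == "-") continue    # "-Indexes" removes the option
                sub(/^\+/, "", o)                       # "+Indexes" adds it
                if (o == "indexes")  { print dir ": Indexes (directory listings)"; n++ }
                if (o == "execcgi")  { print dir ": ExecCGI (scripts run from this tree)"; n++ }
                if (o == "includes") { print dir ": Includes (server-side includes with exec)"; n++ }
            }
        }
        tolower($1) == "allowoverride" && tolower($2) != "none" {
            print dir ": AllowOverride " $2 " (.htaccess can change settings)"; n++
        }
        END { exit n ? 1 : 0 }
    ' "$1"
}

# Constructed sample httpd.conf for the demonstration.
make_sample_httpd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
DocumentRoot "/Library/WebServer/Documents"

<Directory "/Library/WebServer/Documents">
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes FollowSymLinks
</Directory>

<Directory "/Library/WebServer/Documents/private">
    #Options Indexes
    Options -Indexes
    AllowOverride AuthConfig
</Directory>
EOF
    echo "$f"
}

# Usage on a real host: audit_httpd /etc/httpd/httpd.conf   (10.4)
#                       audit_httpd /etc/apache2/httpd.conf (10.5)
```

The parser does not follow Include directives, so run it on each included file as well.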





Restricting a key in ~/.ssh/authorized_keys: from= limits which client hosts may use the key, and command= forces a single command no matter what the client asked for (the client's requested command is passed to it in SSH_ORIGINAL_COMMAND):
from="",command="/etc/" ssh-rsa  A-BIG-LONG-KEY
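The forced command is only as safe as the program it points at, because the client's original request still arrives in SSH_ORIGINAL_COMMAND.  The following is an added example (not from the class notes) of such a program: a wrapper that lets a key do exactly one thing, pull a backup with rsync, and refuses everything else.  The host 192.0.2.10, the wrapper path /usr/local/bin/backup-only and the rsync invocation it accepts are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a restricted authorized_keys entry.
# Matching entry (hypothetical host and path):
#   from="192.0.2.10",command="/usr/local/bin/backup-only" ssh-rsa AAAA... backup@client
# sshd runs this script and puts whatever the client asked for in SSH_ORIGINAL_COMMAND.

allowed_command() {
    # $1 = the client's requested command; returns 0 only for the rsync pull we expect
    case "$1" in
        "")                         return 1 ;;   # empty = interactive shell request: refuse
        *[';&|$`<>()']*)            return 1 ;;   # shell metacharacters: refuse
        *..*)                       return 1 ;;   # no path traversal out of /Users
        "rsync --server --sender "*" . /Users/"*) return 0 ;;   # rsync reading under /Users
        *)                          return 1 ;;
    esac
}

forced_command_main() {
    # Entry point when sshd invokes the wrapper.
    if allowed_command "${SSH_ORIGINAL_COMMAND-}"; then
        set -f                                  # no globbing while we word-split below
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND              # metacharacters were rejected above
    else
        echo "command rejected: ${SSH_ORIGINAL_COMMAND-}" >&2
        return 1
    fi
}

# Run only when executed by sshd, not when sourced for testing.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ] && [ "${BACKUP_ONLY_TEST-}" = "" ]; then
    forced_command_main
fi
```

Pair this with "no-pty,no-port-forwarding,no-X11-forwarding" in the same authorized_keys entry so the key cannot be used for tunnels either.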


service ssh restart   (sshd is launchd-managed; unloading and loading /System/Library/LaunchDaemons/ssh.plist with launchctl does the same. Needed after editing /etc/sshd_config, not after editing authorized_keys.)


man ipfw


"Internet Sharing" basically turns on NAT and a DHCP server.  If the computer is connected directly to a DSL or cable modem, you have to have 2 network interfaces (AirPort, FireWire, or an extra Ethernet card) so that NAT and DHCP run only on the inside interface; sharing on the same interface the modem is on puts your DHCP server on the provider's segment and breaks things.

Note: FireWire networking is supposedly slower than TCP.  However, in my tests it is actually faster than mounting a computer in Target Disk Mode.  I have no idea why that is.