Sharing

Revised: 2008-11-05 james

Sharing

Date:                Friday, November 21st, 2008
Time:                2:00 - 3:30 pm
Where:                Marriott Library, Multimedia Center, Classroom 1705A

It is assumed you know how to set up the services with the GUI.  I will not discuss configuring the services in depth, since that is already covered thoroughly on the web, other than some very small basics.
Class will cover:
- Privilege separation
- Apache, AFP, SMB, FTP, SSH, SFTP on Mac OS X
- How services are enabled and configured w/o the GUI Prefs
- Creating shares on OS X
- ipfw again
- NAT and DHCP and "Internet Sharing"
- Firewire Networking

Class Notes from February 2008

Unix permissions for privilege separation - why Apache can't show a GUI

http://en.wikipedia.org/wiki/Privilege_separation

Privileged ports 0-1023 (only root can bind to them, which is why daemons start as root and then drop privileges)

------------------

How services are started up

/System/Library/LaunchDaemons
/System/Library/StartupItems
/etc/rc
/etc/mach_init.d

This will be covered again in chapter 13 (we are currently on chapter 10).

------------------

Filesharing

---

afp

/Library/Preferences/com.apple.AppleFileServer.plist
You can turn off guest login.
/Library/Logs/AppleFileService/AppleFileServiceAccess.log

afp is cleartext (except for authentication).  If you have sensitive data, you want to enable afp over ssh.  (I'm not sure if this works in 10.5)

http://docs.info.apple.com/article.html?artnum=25758

Or do it manually (aka "tunnel afp through ssh").  On client:
sudo ssh server.example.com -l username -L 22:127.0.0.1:548
(sudo is needed because local port 22 is a privileged port; it also has to be free, i.e. Remote Login must be off on the client.)
Finder -> Go -> Connect to Server... "127.0.0.1:22"; username and password are the ones from server.example.com

---

ftp
? who cares....
/etc/ftpusers (users listed here are denied FTP login)

---

sftp
Enabled with ssh.  To disable, edit /etc/sshd_config and comment out the line "Subsystem       sftp    /usr/libexec/sftp-server"
Afterwards an sftp attempt fails like this:

sftp bla.example.com
Connecting to bla.example.com...
Password:
Request for subsystem 'sftp' failed on channel 0
Connection closed

---

smb
/etc/smb.conf
The password hash...

---

Creating shares (10.4):

NetInfo Manager

/config/SharePoints/

directory_path: /tmp
afp_shared: 1
afp_guestaccess: 1
afp_name: tmp
afp_use_parent_privs: 0
afp_use_parent_owner: 0
ftp_shared: 1
ftp_guestaccess: 1
ftp_name: tmp
smb_shared: 1
smb_guestaccess: 1
smb_name: tmp
smb_inherit_permissions: 0
smb_createmask: 0644
smb_directorymask: 0755
smb_oplocks: 0
smb_strictlocking: 1

Shares in 10.5 will be very similar, only they will use the dslocal domain.

Stupid default umask.  Files/folders created in home directories (/Users/*) are readable by every other user on the machine.  So treat /Users/* as a public folder...

---

Essential Mac OS X Panther Server Administration by Michael Bartosh

http://books.google.com/books?id=_uNPCSUO2NwC&pg=PA361&lpg=PA361&dq=smb_strictlocking+smb_directorymask+ftp_guestaccess&source=web&ots=Laa-L0cNcX&sig=xTBEy8uboMAavmDOYpZA6T8l22c&hl=en

------------------

apache 1.3 (10.4)

/etc/httpd/httpd.conf

apache 2 (10.5)

/etc/apache2/httpd.conf

---

DocumentRoot "/Library/WebServer/Documents"

<Directory "/Library/WebServer/Documents">
    AllowOverride None

    Order allow,deny
    Allow from all
    Options Indexes
</Directory>

AccessFileName .htaccess

#CustomLog "/private/var/log/httpd/access_log" common
#CustomLog "/private/var/log/httpd/referer_log" referer
#CustomLog "/private/var/log/httpd/agent_log" agent
CustomLog "/private/var/log/httpd/access_log" combined

ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"

To enable a CGI script, make it executable (755).  It will run as the www user, not as root.

------------------

sshd

http://tinyapps.org/docs/ssh_osx_and_sshfs.txt

~/.ssh/known_hosts
~/.ssh/id_dsa
~/.ssh/id_dsa.pub

---

~/.ssh/authorized_keys - a key can be restricted to one source address (from=) and one forced command (command=), e.g.:
from="10.0.1.1",command="/etc/rsync-wrapper.sh" ssh-rsa  A-BIG-LONG-KEY  root@server.example.com
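
As an added example (not from the original notes), here is what a wrapper like /etc/rsync-wrapper.sh can look like: sshd puts the command the client really asked for in SSH_ORIGINAL_COMMAND, and the wrapper only runs it if it is an rsync server invocation confined to one directory.  ALLOWED_DIR and the script name are assumptions for this example.

```shell
#!/bin/sh
# Forced-command wrapper for a key restricted with command="/etc/rsync-wrapper.sh".
# The directory below is an assumption for this example.
ALLOWED_DIR=${ALLOWED_DIR:-/srv/backup}

# Return 0 (allow) or 1 (deny) for one requested command string.
allow_command() {
    cmd=$1
    # Reject shell metacharacters and path climbing outright.
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*|*'..'*) return 1 ;;
    esac
    # rsync's server-side form is "rsync --server [--sender] <flags> . <path>";
    # accept it only when <path> is ALLOWED_DIR or something below it.
    case "$cmd" in
        "rsync --server "*" . $ALLOWED_DIR"|"rsync --server "*" . $ALLOWED_DIR/"*) return 0 ;;
    esac
    return 1
}

# Entry point used when sshd runs this script as the forced command.
main() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        logger -t rsync-wrapper "refused interactive login with restricted key"
        exit 1
    fi
    if ! allow_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t rsync-wrapper "refused: $SSH_ORIGINAL_COMMAND"
        exit 1
    fi
    set -f                       # no globbing when the validated string is split
    exec $SSH_ORIGINAL_COMMAND   # word-split on purpose; metacharacters were rejected
}

# Dispatch only when invoked under the wrapper's own name, so the
# functions above can also be sourced and checked on their own.
case "${0##*/}" in
    rsync-wrapper.sh) main ;;
esac
```

Refusals end up in the system log via logger, which is the place to look when a backup client suddenly stops working.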

---

service ssh restart

------------------

man ipfw

------------------

"Shared Internet Connection" basically turns on NAT and DHCP.  If the computer is connected directly to a DSL or cable modem, you have to have two network interfaces (either AirPort, FireWire, or an extra Ethernet card), otherwise you will screw things up (the DHCP server would answer on the modem side too).

Note: FireWire networking is supposedly slower than tcp.  However, in my tests, it is actually faster than mounting a computer in target disk mode.  I have no idea why that is.