Sharing
Revised: 2008-11-05 james
Date: Friday, November 21st, 2008
Time: 2:00 - 3:30 pm
Where: Marriott Library, Multimedia Center, Classroom 1705A
It is assumed you know how to set up the services with the GUI. I will not discuss configuring the services in depth, as that is covered thoroughly on the web, beyond a few basics.
Class will cover:
- Privilege separation
- Apache, AFP, SMB, FTP, SSH, SFTP on Mac OS X
- How services are enabled and configured w/o the GUI Prefs
- Creating shares on OS X
- ipfw again
- NAT and DHCP and "Internet Sharing"
- Firewire Networking
Class Notes from February 2008
Unix permissions for privilege separation - why apache can't show a gui
http://en.wikipedia.org/wiki/Privilege_separation
Privileged ports 0-1023
------------------
How services are started up
/System/Library/LaunchDaemons
/System/Library/StartupItems
/etc/rc
/etc/mach_init.d
This will be covered again in chapter 13 (we are currently on chp 10).
------------------
Filesharing
---
afp
/Library/Preferences/com.apple.AppleFileServer.plist
You can turn off guest login.
/Library/Logs/AppleFileService/AppleFileServiceAccess.log
afp is cleartext (except for authentication). If you have sensitive data, you want to enable afp over ssh. (I'm not sure if this works in 10.5)
http://docs.info.apple.com/article.html?artnum=25758
Or do it manually (aka "tunnel afp through ssh"). On the client:
sudo ssh server.example.com -l username -L 22:127.0.0.1:548
Finder -> Go -> Connect to Server... and enter "127.0.0.1:22"; the username and password are those of your account on server.example.com. (sudo is needed because local port 22 is privileged; the port also has to be free, so this won't work while Remote Login, the local sshd, is listening on 22.)
---
ftp
? who cares....
/etc/ftpusers
---
sftp
Enabled with ssh. To disable, edit /etc/sshd_config and comment out "Subsystem sftp /usr/libexec/sftp-server"
It will look like this:
sftp bla.example.com
Connecting to bla.example.com...
Password:
Request for subsystem 'sftp' failed on channel 0
Connection closed
---
smb
/etc/smb.conf
The password hash...
---
Creating shares (10.4):
NetInfo Manager
/config/SharePoints/
directory_path: /tmp
afp_shared: 1
afp_guestaccess: 1
afp_name: tmp
afp_use_parent_privs: 0
afp_use_parent_owner: 0
ftp_shared: 1
ftp_guestaccess: 1
ftp_name: tmp
smb_shared: 1
smb_guestaccess: 1
smb_name: tmp
smb_inherit_permissions: 0
smb_createmask: 0644
smb_directorymask: 0755
smb_oplocks: 0
smb_strictlocking: 1
Shares in 10.5 will be very similar, only they will use the dslocal domain.
Stupid default umask. Files and folders created in home directories (/Users/*) are readable by every other user on the machine, so treat /Users/* as a public folder...
---
Essential Mac OS X Panther Server Administration by Michael Bartosh
http://books.google.com/books?id=_uNPCSUO2NwC&pg=PA361&lpg=PA361&dq=smb_strictlocking+smb_directorymask+ftp_guestaccess&source=web&ots=Laa-L0cNcX&sig=xTBEy8uboMAavmDOYpZA6T8l22c&hl=en
------------------
apache 1.3 (10.4)
/etc/httpd/httpd.conf
apache 2 (10.5)
/etc/apache2/httpd.conf
---
DocumentRoot "/Library/WebServer/Documents"
<Directory "/Library/WebServer/Documents">
AllowOverride None
Order allow,deny
Allow from all
Options Indexes
</Directory>
AccessFileName .htaccess
#CustomLog "/private/var/log/httpd/access_log" common
#CustomLog "/private/var/log/httpd/referer_log" referer
#CustomLog "/private/var/log/httpd/agent_log" agent
CustomLog "/private/var/log/httpd/access_log" combined
ScriptAlias /cgi-bin/ "/Library/WebServer/CGI-Executables/"
To enable a CGI script, make it executable (755). It will run as the www user.
------------------
sshd
http://tinyapps.org/docs/ssh_osx_and_sshfs.txt
~/.ssh/known_hosts
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
---
~/.ssh/authorized_keys
from="10.0.1.1",command="/etc/rsync-wrapper.sh" ssh-rsa A-BIG-LONG-KEY root@server.example.com
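The command="..." option above makes sshd ignore whatever the client asked for and run the wrapper instead, passing the original request in SSH_ORIGINAL_COMMAND; the wrapper's job is to allow only the rsync server invocation and nothing else. An added example of such a wrapper (not the page's own /etc/rsync-wrapper.sh; the /Backups path is an assumption):

```shell
#!/bin/sh
# Forced-command wrapper for an authorized_keys entry of the form
#   from="10.0.1.1",command="/etc/rsync-wrapper.sh" ssh-rsa ... root@server.example.com
# Added example, not the page's own script. Pair it with the
# no-port-forwarding,no-pty,no-X11-forwarding options so the key can do nothing but rsync.
ALLOWED_ROOT="/Backups"   # assumed backup directory; adjust for your server

# Return 0 if "$1" is an rsync server invocation confined to ALLOWED_ROOT, else 1.
rsync_cmd_allowed() {
    cmd="$1"
    case "$cmd" in
        # rsync clients ("rsync ... host:path") start the remote side in --server mode.
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    case "$cmd" in
        # rsync never needs shell metacharacters in server mode; refuse them outright.
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'('*|*')'*|*'<'*|*'>'*) return 1 ;;
    esac
    # The last argument is the path on this server: it must be ALLOWED_ROOT or
    # something under it, and must not climb out again with "..".
    path="${cmd##* }"
    case "$path" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "$path" in
        *'/../'*|*'/..') return 1 ;;
    esac
    return 0
}

main() {
    if rsync_cmd_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word-splitting is intended here; metacharacters were rejected above.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-wrapper: rejected command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    exit 1
}

# Act as the wrapper only when installed under the name authorized_keys points at;
# an interactive login (SSH_ORIGINAL_COMMAND unset) is rejected like any other request.
if [ "${0##*/}" = "rsync-wrapper.sh" ]; then
    main
fi
```

Rejections land in /var/log/secure.log (via sshd) or wherever your syslog sends stderr of forced commands, which is the line to watch for a key being used outside its purpose.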
---
service ssh restart
------------------
man ipfw
------------------
"Shared Internet Connection" basically turns on NAT and DHCP. If the computer is connected directly to a DSL or cable modem, you need 2 network interfaces (AirPort, FireWire, or an extra Ethernet card) or you will break things.
Note: FireWire networking is supposedly slower than TCP. However, in my tests it is actually faster than mounting a computer in Target Disk Mode. I have no idea why that is.