Configuring a File Sharing server
File Sharing Control Panel
• Owner Name
• Owner password (NOT BLANK!)
• Computer Name. The IP address will be filled in automatically.
Default: Computer name will be “<name’s> Macintosh.” Change it.
Open the File Sharing Control Panel. Before you can start sharing files, you have to define an Owner Name, an Owner password (DON’T LEAVE IT BLANK!), and a Computer Name. The IP address will be filled in automatically.
By default, your computer name will be “<name’s> Macintosh.” I recommend that you change this, or don’t use your real name in the Owner box, because otherwise anyone browsing through the Chooser will be able to see that name and know it’s your Mac. Never give potential attackers more information than you must. You can name your Mac pretty much anything you want, with or without spaces, but spaces are not recommended because some network software handles names containing them badly.
Screenshot: File Sharing control panel
Security Through Obscurity
If the computer name is revealing, then the login should be different
Don’t make it easy for attackers to gather info from public information.
If your computer’s name is something revealing about you (like “Joe Smith’s House of MP3s”), then perhaps your login should NOT be “joe” or “smith” or “jsmith”, etc. If attackers can enumerate likely usernames or passwords from public information, like the computer name, then you’ve significantly decreased the amount of effort it will take for them to break in. Don’t give out clues.
Owner is Omnipotent
If FS is on, Owner can already log in and get to everything
No matter what you do with specific shared items, Owner can see it all.
Protect Owner’s login info!
Keep in mind that once you turn on File Sharing, anyone who can log in as Owner will be able to do anything to your data (including most of your system files; enough to render your Mac unbootable). This is true EVEN IF you do not explicitly share anything. If file sharing is turned on, Owner basically has remote “god” rights. Owner is a special account, the closest thing to root on Mac OS, and the rest of the sharing privileges you specify are moot for whoever logs in as Owner. Protect this login and password!
File Sharing over TCP
You can allow FS over TCP/IP
Faster, but more revealing
• AFPoverTCP will show up on a portscan
Routers and AppleTalk
• Now, more of the Internet can see your Mac
But AppleTalk is clear text. Pro, con, pro, con, etc.
Now that file sharing is turned on, you can start tweaking. You can choose to allow File Sharing over TCP/IP; this means that clients can connect to your Mac by its IP address and use TCP/IP to transfer data. This is faster than AppleTalk and gets the benefit of TCP’s reliable, ordered delivery, but keep in mind that it also pulls the curtain aside a little more than plain old AppleTalk. Your Mac will now have an AFPoverTCP service listening on TCP port 548; this will show up on a portscan, and the server information it hands out before any login (computer name and machine type) is a dead giveaway that your machine is a Mac.
Furthermore, most routers do not route AppleTalk, but they pretty much all route TCP/IP. This is a double-edged sword: a user on the other side of your network’s router could theoretically connect to your Mac (assuming the network admins don’t specifically filter AFPoverTCP, port 548, at the border). This is a nice idea for legitimate use, but it also opens you up to an even bigger pool of potential bad guys. If you use only AppleTalk, then your machine is visible only to users on Dartmouth’s local network. BUT the disadvantage of using AppleTalk is that your password will be sent clear-text.
So there’s always give-and-take with this. It depends on your configuration (do you have a firewall?) and what’s most important to you. For the sake of this example, I’m going to sacrifice password security in order to minimize my overall exposure to potential bad guys. This would not be the best choice for everyone.
Apps over the net and Program Linking
You can share apps such that a remote user can launch an app on the Mac server from another Mac. It runs over the network and displays on the remote user’s screen.
Nice idea, but… not really.
• Resource/network hog
• CRASH
Program Linking is an AppleScript thing. Scary.
If you share an application (or a folder containing an application), remote users can launch the app over the network to do stuff on their client Macs. In other words, I could be working in a lab and discover that someone deleted Microsoft Word off the computer I’m using. I need Word to write my paper, so I simply connect to my Mac and launch MY copy of Word over the net. It opens on my screen, and I can open and save files with it on my local lab Mac. This is a cute idea, but in my experience it’s such a huge resource hog that it typically causes one or both Macs to crash. It’s also pretty unkind to other users on the network. And good luck if two of your users try to launch the same program simultaneously.
Program Linking (now known as Remote Apple Events) allows one Mac to send AppleScript commands (“Apple Events”) to applications on another Mac via AppleTalk or TCP/IP. Normal users (with passwords) have to log in before their Events are accepted. But if you give Guests Program Linking privileges AND you enable Program Linking for a given app, then anyone with a Mac could send Events to that app. You might ask, why would anyone do such a thing? Well, in my experience, new users who are trying to get File Sharing to work have a tendency to think “Jeez, I just want this to work, I’m gonna check EVERY BOX until it does.” And keep in mind that the Finder is scriptable: this means that, if Program Linking is enabled for the Finder, remote users could send Apple Events to the remote machine’s Finder telling it to, say, delete some System files, or shut down the computer. Remember the LoJack story and what he was able to do with AppleScripts, then realize that someone could do all that without even loading a file onto the hard disk.
Recommended initial setup
Assume recommended initial setup:
• Computer name not too revealing
• Owner name not related to computer name
• Good strong password
• File Sharing enabled but not over TCP
• Program Linking NOT enabled
Test config from another machine.
If you are the only one who’s ever going to be using your Mac, and you trust yourself to have full privileges (i.e. Owner), then you’re done. You can test your setup by using another Mac to connect to yours; you should NOT be able to log on as “Guest” (which requires no password). Since this setup leaves File Sharing over TCP/IP off, a second check is that nothing answers at your Mac’s IP address on TCP port 548 (the AFPoverTCP port); if something does, go back and turn off the option to share over TCP/IP.
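A way to run that test from any machine on the IP side, as an added example that is not part of the original slides: the script below speaks DSI (the framing AFP uses over TCP, port 548), asks the server for its banner with DSIGetStatus, and then attempts a Guest login with DSIOpenSession and FPLogin, which is what a Mac does when you choose Guest in the login box. The banner alone shows what a portscanner learns about you before any password is typed: the computer name, the machine type, and the login methods (UAMs) the server accepts, among them “No User Authent” (Guest) and “Cleartxt Passwrd”. The host 192.0.2.10 is a placeholder, SAMPLE_REPLY is a constructed banner rather than one captured from a real Mac, and the attention-quantum value sent in DSIOpenSession is an assumption; the exact behaviour of the Mac OS 9 server (for instance whether it drops the Guest method from its list when Guest access is off) was not checked against a live machine, so the refused Guest login, not the banner, is the result to look for.

```python
# Added example, not from the original slides: an AFPoverTCP exposure check to run
# from a second machine. It speaks DSI, the TCP framing AFP uses on port 548:
# DSIGetStatus for the banner, then DSIOpenSession and an FPLogin as Guest.
import socket
import struct
import sys

AFP_PORT = 548
DSI_COMMAND, DSI_GETSTATUS, DSI_OPENSESSION = 2, 3, 4
FP_LOGIN = 18                       # AFP command code for FPLogin
GUEST_UAM = "No User Authent"       # login method (UAM) a Guest session uses
CLEARTEXT_UAM = "Cleartxt Passwrd"  # UAM that sends the password in the clear
AFP_ERRORS = {0: "kFPNoErr", -5002: "kFPBadUAM", -5003: "kFPBadVersNum", -5023: "kFPUserNotAuth"}

def dsi_packet(command, payload=b"", request_id=1):
    """16-byte DSI header: flags (0 = request), command, request ID,
    error/data offset, payload length, reserved; then the payload."""
    return struct.pack(">BBHiII", 0, command, request_id, 0, len(payload), 0) + payload

def pstr(text):
    """Pascal string as AFP uses it: one length byte, then Mac Roman bytes."""
    raw = text.encode("mac_roman")
    return bytes([len(raw)]) + raw

def read_pstr(buf, off):
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("mac_roman", "replace"), off + 1 + n

def read_pstr_list(buf, off):
    """A count byte followed by that many Pascal strings."""
    items, count, off = [], buf[off], off + 1
    for _ in range(count):
        item, off = read_pstr(buf, off)
        items.append(item)
    return items

def parse_server_info(reply):
    """FPGetSrvrInfo reply: 2-byte offsets to the machine type, AFP version list,
    UAM list and volume icon, a 2-byte flags word, then the server name at byte 10."""
    mt_off, ver_off, uam_off, _icon, flags = struct.unpack(">HHHHH", reply[:10])
    return {"server_name": read_pstr(reply, 10)[0],
            "machine_type": read_pstr(reply, mt_off)[0],
            "afp_versions": read_pstr_list(reply, ver_off),
            "uams": read_pstr_list(reply, uam_off), "flags": flags}

def assess(info):
    """Turn the banner into the exposure points the slides warn about."""
    findings = [f"platform disclosed: {info['machine_type']}",
                f"computer name disclosed: {info['server_name']!r}"]
    if GUEST_UAM in info["uams"]:
        findings.append("Guest (no password) login method advertised")
    if CLEARTEXT_UAM in info["uams"]:
        findings.append("clear-text password login method advertised")
    return findings

def guest_login_request(afp_version):
    """FPLogin body: command byte, AFP version, UAM name; Guest sends no credentials."""
    return bytes([FP_LOGIN]) + pstr(afp_version) + pstr(GUEST_UAM)

def interpret_login(err):
    """The DSI reply's error field carries the AFP result; 0 means the login succeeded."""
    return "ACCEPTED" if err == 0 else f"refused ({AFP_ERRORS.get(err, err)})"

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def dsi_exchange(sock, command, payload=b""):
    sock.sendall(dsi_packet(command, payload))
    _flags, _cmd, _rid, err, length, _res = struct.unpack(">BBHiII", recv_exact(sock, 16))
    return err, recv_exact(sock, length)

def probe(host, port=AFP_PORT, timeout=5.0):
    """Banner-grab on one connection, then try a Guest login on a fresh one."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        info = parse_server_info(dsi_exchange(sock, DSI_GETSTATUS)[1])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # OpenSession option 1 = attention quantum, 4-byte value (1024 assumed).
        dsi_exchange(sock, DSI_OPENSESSION, bytes([1, 4]) + struct.pack(">I", 1024))
        err, _ = dsi_exchange(sock, DSI_COMMAND, guest_login_request(info["afp_versions"][0]))
    return assess(info), interpret_login(err)

# Constructed sample banner (not captured from a real Mac): a default-named server that
# still advertises Guest and clear-text logins. Offsets 32/42/65 were computed by hand.
SAMPLE_REPLY = (struct.pack(">HHHHH", 32, 42, 65, 0, 0)
                + pstr("Joe Smith's Macintosh") + pstr("Macintosh")
                + b"\x02" + pstr("AFPVersion 2.1") + pstr("AFP2.2")
                + b"\x03" + pstr(GUEST_UAM) + pstr(CLEARTEXT_UAM) + pstr("Randnum Exchange"))

if __name__ == "__main__":             # e.g. python3 afpcheck.py 192.0.2.10 (placeholder)
    if len(sys.argv) > 1:
        findings, outcome = probe(sys.argv[1])
    else:
        findings, outcome = assess(parse_server_info(SAMPLE_REPLY)), "not attempted"
    print("\n".join(findings) + "\nGuest login: " + outcome)
```

Run it with no argument to see the checks against the constructed sample, or with an address from a second machine to probe a real server. A connection that is refused or times out on port 548 means the Mac is not reachable over TCP/IP at all, which is the outcome the recommended setup aims for; “Guest login: refused” (the AFP error name is printed) means the server turned the passwordless login down; “ACCEPTED” means anyone who can reach the port gets in with no password.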
Other users
If you want to have other users or guests:
• First create their accounts/enable their access
• The Guest account already exists, and cannot have a password.
So, ANYTHING you make accessible to Guest will be accessible to ANYONE.
Now, if you want to have other users or guests connecting to your Mac, you must first create their accounts (in the case of other named, passworded users) or enable their access (in the case of the Guest user). The Guest account already exists, and cannot have a password. So keep in mind that ANYTHING you make accessible to Guest will be accessible to ANYONE who can connect to your Mac (in our case, anyone with a Mac at Dartmouth) with no password required.
Creating accounts
File Sharing Control Panel -> Users and Groups
Later on, specify which volumes/folders/files users can connect to
Right now, you’re defining the basics (what accounts exist, whether or not they can connect at all, etc.)
In the File Sharing Control Panel, click on the Users and Groups tab. This is where you edit the privileges of an existing user (for example, if you wanted to enable Guests to connect, you would double-click the Guest user, choose “Sharing” from the pop-up menu, and check the appropriate boxes). Later on, you will specify which volumes/folders/files users can connect to; right now, you’re defining the basics (can Guests connect at all, what are your users’ names and passwords, can they change their passwords, what groups do they belong to, etc.).
Users and Groups
Here, I have defined two users, joeblow and joeschmoe, in addition to the built-in Owner and Guest accounts. I also have a group called my-users.
User Identity
This is the box you see when you create a new user. You must set an initial password. Notice that you can choose whether or not to allow your users to change their passwords. Another note: as an administrator, you can reset a user’s password, but you can’t see the old one.
User Sharing
From the pop-up menu in this window, select “Sharing” (instead of “Identity”); this is where you specify whether to allow the user to connect at all, and whether that user can make use of Program Linking (only applicable if you enabled Program Linking in the initial setup).
Groups
The group my-users contains both joeblow and joeschmoe. So if I want to share a folder with the two of them, but no one else, I can use this group. (This will be made clearer in a couple of slides.)