16.3. Email

16.2. Built-in Services: The Sharing Panel

Mac OS X includes many built-in services that are based on common open source servers such as Samba , Apache, and OpenSSH . Although you can enable and disable these using the Sharing preference panel (System Preferences Sharing), theres not much configuration you can do there. This section describes each of these services and what you can do to customize them to your liking.

16.2.1. Personal File Sharing

This option controls the AppleTalk Filing Protocol (AFP) service, and corresponds to the AFPSERVER enTRy in /etc/hostconfig (see Chapter 4 for more information on hostconfig). When you enable Personal File Sharing, your Mac shares your Home directory and any mounted volumes (including external drives) with the connected machine.

16.2.2. Windows File Sharing

This option turns on the Samba service, and removes the Disable key in /System/Library/LaunchDaemons/nmbd.plist (the NetBIOS name server for resolving Windows server names) and /System/Library/LaunchDaemons/smbd.plist (the server that handles Windows file sharing ).

You can add a new share by editing /etc/smb.conf, and adding an entry. For example, you could share your /Applications directory with this entry:

     [Applications]     path = /Applications     read only = yes 

Next, use the command sudo killall -HUP smbd nmbd to restart Samba networking with the new configuration file, and without closing any existing connections. Stopping and restarting Windows File Sharing terminates any existing connections. Although Windows clients will usually reconnect to shared resources without complaining, they will get an error if a file transfer is in progress when you interrupt the connection.

16.2.3. Personal Web Sharing

The Apache server is activated when you enable Personal Web Sharing in the Sharing preferences panel (it is disabled by default). This corresponds to the WEBSERVER entry in /etc/hostconfig. Apache's main configuration file is /etc/httpd/httpd.conf. Individual users' sites are configured with the files that you can find in /etc/httpd/users. Apache keeps its log files in /var/log/httpd.

The Apache server that comes with Mac OS X Tiger is based on Apache 1.3.33, and includes several optional modules , which you can enable or disable by uncommenting/commenting the corresponding LoadModule and AddModule directives in /etc/httpd/httpd.conf. These modules are described in the following sections.

After you've made any changes to these modules, you should test the changes to the configuration with the command sudo apachectl configtest, and then have Apache reload its configuration files with sudo apachectl graceful.

You can browse the source code to Apple's version of Apache, as well as the optional modules, by visiting http://developer.apple.com/darwin/projects/darwin/.

16.2.3.1. dav_module (mod_dav)

This is the WebDAV (Web-based Distributed Authoring and Versioning) module, which lets you export a web site as a filesystem (this is how Apple's iDisk is exported, for example).

If you enable this module with the LoadModule and AddModule directives as described earlier, you can turn on WebDAV sharing by including the directive DAV on within a <Directory> or <Location> element in httpd.conf or one of the user configuration files in /etc/httpd/users. You will also need to specify the lockfile that mod_dav will use. For example, you can enable WebDAV for your web server root by changing httpd.conf as shown in bold:

     DAVLockDB /tmp/DAVLock     <Directory />         Options FollowSymLinks       DAV on         AllowOverride None     </Directory> 

After you make this change and restart Apache, you'll be able to mount your web site with the following command:

     $ mkdir /mnt     $ mount_webdav http://127.0.0.1/ /mnt 

See http://www.webdav.org/mod_dav/install.html for complete information on configuring this module.

16.2.3.2. perl_module (mod_perl)

This module embeds the Perl interpreter in each Apache process, letting you run Perl web applications without the overhead of launching a CGI script. mod_perl also lets you develop Perl applications that can hook into Apache's responses at various stages. Tiger ships with mod_perl 1.29.

After you've enabled mod_perl on your server with the LoadModule and AddModule directives as described earlier, you can get up and running quickly by using the Apache::Registry module, which runs most well-behaved Perl CGI scripts under mod_perl. You can set up a virtual directory for Perl scripts by adding the following to httpd.conf and restarting Apache:

     Alias /perl/ /Library/WebServer/Perl/     PerlModule Apache::Registry     <Location /perl>       SetHandler perl-script       PerlHandler Apache::Registry       Options ExecCGI     </Location> 

Next, create the directory /Library/WebServer/Perl, save the following program into that directory in a file called HelloWorld, and set that file as executable with chmod:

     #!/usr/bin/perl -w     use strict;     # workaround for a bug in Mac OS X 10.3     tie *STDOUT, 'Apache';     # run 'perldoc CGI' for more information     use CGI qw(:standard);     print STDOUT header( );     print STDOUT start_html("Sample Script");     print "hello, world";     print end_html( ); 

If you point your browser at http://localhost/perl/HelloWorld, you should see a friendly greeting. If not, check /var/log/httpd/error_log for error messages. You can find complete documentation for mod_perl at http://perl.apache.org/docs/1.0/index.html.

16.2.3.3. ssl_module (mod_ssl)

This module allows you to serve documents securely using the HTTPS (TLS/SSL ) protocol. To properly configure HTTPS, you need to obtain a server certificate signed by a Certifying Authority (CA). However, after you've enabled mod_ssl in httpd.conf, you can whip something up pretty quickly for testing using the following steps:

1. Create and change to a working directory for creating and signing your certificates:

        $ mkdir ~/tmp     $ cd ~/tmp 

   
   

2. Create a new CA. This is an untrusted CA. You'll be able to sign things, but browsers won't trust you implicitly:

        $ /System/Library/OpenSSL/misc/CA.sh -newca     CA certificate filename (or enter to create)     Making CA certificate ...     Generating a 1024 bit RSA private key     .......................................++++++     ..++++++     writing new private key to './demoCA/private/./cakey.pem'     Enter PEM pass phrase: ********     Verifying - Enter PEM pass phrase: ********     -----     You are about to be asked to enter information that will be incorporated     into your certificate request.     What you are about to enter is what is called a Distinguished Name or a DN.     There are quite a few fields but you can leave some blank.     For some fields there will be a default value,     If you enter '.', the field will be left blank.     -----     Country Name (2 letter code) [AU]:US     State or Province Name (full name) [Some-State]:Rhode Island     Locality Name (eg, city) []:Providence     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gold and Appel Transfers     Organizational Unit Name (eg, section) []:     Common Name (eg, YOUR name) []:Hagbard Celine     Email Address []:hagbard@jepstone.net 

   
   

3. Next, create a certificate request; this generates an unsigned certificate that you'll have to sign as the CA you just created:

        $ /System/Library/OpenSSL/misc/CA.sh -newreq     Generating a 1024 bit RSA private key     ................++++++     ................................................................++++++     writing new private key to 'newreq.pem'     Enter PEM pass phrase: ********     Verifying - Enter PEM pass phrase: ********     -----     You are about to be asked to enter information that will be incorporated     into your certificate request.     What you are about to enter is what is called a Distinguished Name or a DN.     There are quite a few fields but you can leave some blank.     For some fields there will be a default value,     If you enter '.', the field will be left blank.     -----     Country Name (2 letter code) [AU]:US     State or Province Name (full name) [Some-State]:Rhode Island     Locality Name (eg, city) []:Kingston     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Jepstone     Organizational Unit Name (eg, section) []:     Common Name (eg, YOUR name) []:Brian Jepson     Email Address []:bjepson@jepstone.net     Please enter the following 'extra' attributes     to be sent with your certificate request.     A challenge password []:     An optional company name []:     Request (and private key) is in newreq.pem 

   
   

4. Now, you must sign the key. The passphrase you must enter in this step should be the passphrase you used when you created the CA:

        $ /System/Library/OpenSSL/misc/CA.sh -sign     Using configuration from /System/Library/OpenSSL/openssl.cnf     Enter pass phrase for ./demoCA/private/cakey.pem:  ********     Check that the request matches the signature     Signature ok     Certificate Details:             Serial Number: 1 (0x1)             Validity                 Not Before: Nov 11 19:34:22 2003 GMT                 Not After : Nov 10 19:34:22 2004 GMT             Subject:                 countryName               = US                 stateOrProvinceName       = Rhode Island                 localityName              = Kingston                 organizationName          = Jepstone                 commonName                = Brian Jepson                 emailAddress              = bjepson@jepstone.net             X509v3 extensions:                 X509v3 Basic Constraints:                 CA:FALSE                 Netscape Comment:                 OpenSSL Generated Certificate                 X509v3 Subject Key Identifier:                 1C:AA:2E:32:15:28:83:4B:F4:54:F1:97:87:12:11:45:7C:33:47:96                 X509v3 Authority Key Identifier:                 keyid:DC:C0:D7:A5:69:CA:EE:2B:1C:FA:1C:7A:8A:B2:90:F1:EE:                 1E:49:0C                 DirName:/C=US/ST=Rhode Island/L=Providence/O=Gold and Appel                 Transfers/CN=Hagbard Celine/emailAddress=hagbard@jepstone.                 net                 serial:00     Certificate is to be certified until Nov 10 19:34:22 2004 GMT (365 days)     Sign the certificate? [y/n]:y     1 out of 1 certificate requests certified, commit? [y/n]y     [... output truncated ...]     Signed certificate is in newcert.pem 

   
   

At this point, you have two files for use: the signed certificate (~/tmp/newcert.pem) and the request file, which also contains the server's private key (~/tmp/newreq.pem). The private key is protected by the passphrase you supplied when you generated the request. To configure your server for HTTPS support:

1. Convert the server key so it doesn't require a passphrase to unlock it (you'll need to supply the passphrase you used when you generated the request). This removes the protection of the passphrase, but is fine for testing. If you don't do this, you'll need to supply a passphrase each time Apache starts up (See http://www.modssl.org/docs/2.8/ssl_reference.html for documentation on the SSLPassPhraseDialog, which allows you to send the passphrase to Apache in a variety of ways):

        $ sudo openssl rsa -in newreq.pem -out serverkey.pem     Enter pass phrase for newreq.pem: ********     writing RSA key******** 

   
   

2. Copy these files to a location on your filesystem that's outside of the web server's document tree:

        $ mkdir /Library/WebServer/SSL     $ cp ~/tmp/serverkey.pem /Library/WebServer/SSL/     $ cp ~/tmp/newcert.pem /Library/WebServer/SSL/ 

   
   

3. Enable the LoadModule and AddModule directives for mod_ssl, and add the following lines to httpd.conf:

        <IfModule mod_ssl.c>       SSLCertificateFile    /Library/WebServer/SSL/newcert.pem       SSLCertificateKeyFile /Library/WebServer/SSL/serverkey.pem       SSLEngine on       Listen 443     </IfModule> 

   
   

4. Stop and restart the web server (it is not enough to use apachectl graceful when you install a new certificate):

        $ sudo apachectl stop     /usr/sbin/apachectl stop: httpd stopped     $ sudo apachectl start     Processing config directory: /private/etc/httpd/users/*.conf      Processing config file: /private/etc/httpd/users/bjepson.conf     /usr/sbin/apachectl start: httpd started 

   
   

Now, try visiting https://localhost in a web browser. You should get a warning that an unknown authority signed the server certificate. It's OK to continue past this point.

For more information about configuring mod_ssl for Mac OS X, see Using mod_ssl at http://developer.apple.com/internet/serverside/modssl.html. The mod_ssl FAQ includes information on getting a server certificate that's been signed by a trusted CA: http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real.

16.2.3.4. php4_module (mod_php4)

Enable this module to start serving PHP 4 documents from your Macintosh. After you turn on this module and restart Apache, you can install PHP scripts ending with .php into your document directories. For example, save the following script as hello.php in /Library/WebServer/Documents:

     <html>     <head><title>PHP Demo</title></head>     <body>     <?       foreach (array("#FF0000", "#00FF00", "#0000FF") as $color) {         echo "<font color=\"$color\">Hello, World<br /></font>";       }     ?>     </body>     </html> 

Next, open http://localhost/hello.php (use https:// if you've still got SSL enabled from the previous section) in a web browser; the phrase "Hello, World" should appear in three different colors. If it does not, consult /var/log/httpd/error_log for messages that might help diagnose what went wrong.

16.2.3.5. hfs_apple_module (mod_hfs_apple)

This module is enabled by default, and provides compatibility with the HFS+ filesystem's case insensitivity. For more information, see http://docs.info.apple.com/article.html?artnum=107310.

16.2.3.6. bonjour_module (mod_bonjour)

This module is enabled by default. However, mod_bonjour does not automatically advertise these user sites. Instead, it only advertises user sites whose index.html has been modified.

If you are using PHP as the index document (~/Sites/index.php), Apache may not register your site as changed, and thus won't advertise it over Bonjour. For mod_bonjour to notice that a file has changed, you must restart Apache (sudo apachectl restart) after a page is modified for the first time.

If you want to override the default mod_bonjour settings and advertise all user sites on your server, change the relevant section of httpd.conf. Here is the default configuration for the mod_bonjour section:

     <IfModule mod_bonjour.c>         # Only the pages of users who have edited their         # default home pages will be advertised on Bonjour.         RegisterUserSite customized-users         #RegisterUserSite all-users         # Bonjour advertising for the primary site is off by default.         #RegisterDefaultSite     </IfModule> 

To advertise all user sites, comment out the existing RegisterUserSite directive, and uncomment the one that specifies the all-users options, as shown here:

     <IfModule mod_bonjour.c>         # Only the pages of users who have edited their         # default home pages will be advertised on Bonjour.       #RegisterUserSite customized-users         RegisterUserSite all-users         # Bonjour advertising for the primary site is off by default.         #RegisterDefaultSite     </IfModule> 

You can also enable Bonjour advertising of the primary site by specifying the RegisterDefaultSite directive. Sites that are advertised on Bonjour appear automatically in Safari's Bonjour bookmark list (Safari Preferences Bookmarks Include Bonjour).

16.2.4. Remote Login

When you turn on Remote Login, the OpenSSH server is enabled. This option removes the Disable key in /System/Library/LaunchDaemons/ssh.plist. You can configure the OpenSSH server by editing /etc/sshd_config. For example, you can configure OpenSSH to allow remote users to request X11 forwarding by uncommenting the line:

     #X11Forwarding yes 

to:

     X11Forwarding yes 

After you make a change to sshd_config, restart xinetd with sudo killall -HUP xinetd.

16.2.5. FTP Access

When you turn on FTP Access in the Sharing preferences panel, the Disable key in /System/Library/LaunchDaemons/ftp.plist is removed as launchd enables the FTP server. Although Mac OS X comes with an FTP server, its capabilities are limited. We suggest bypassing the FTP server that's included with Mac OS X, and installing PureFTPd via Fink (you may need to use the unstable repositories. For more information, see Chapter 13).

To install PureFTPd, issue the command fink install pure-ftpd and follow the prompts (if any):

     $ sudo fink install pure-ftpd     Information about 4787 packages read in 3 seconds.     The following package will be installed or updated:      pure-ftpd 

To switch Mac OS X over to PureFTPd, follow these steps:

1. Make sure that FTP Access is off in System Preferences Sharing.

2. 
   

3. Next, use System Preferences Sharing to restart FTP Sharing.

You'll now need to add users to the PureFTPd password file (/sw/etc/pureftpd.passwd). To create a user, use pure-pw. Specify an ftp username as well as the uid (-u), gid (-g), and home directory (-d) of a real user to map that ftp user to. You'll be prompted for a password (we suggest you use something different from your login password):

     # pure-pw useradd bjepson -u 501 -g 501 -d /Users/bjepson/ftpfiles     Password: ********     Enter it again: ******** 

This way, the insecure FTP password can be different from the login password. Note that we used a subdirectory of the user's home directory. Used in conjunction with the -A argument (which chroot's the ftp sessions), this is an acceptable compromise given the insecurity of ftp, which passes usernames and passwords in cleartext.

After you set the user's password, you must create the password database (pureftpd.pdb) with pure-pw mkdb.

Now, when you log in, you're trapped in the ftpfiles subdirectory. As far as the remote user is concerned, it's the root of the filesystem. This way, even if an attacker obtains your ftp password, they are limited in the damage they can do.

     $ ftp jepstone.homeunix.net     Trying ::1...     Connected to localhost.     220---------- Welcome to Pure-FTPd ----------     220-Local time is now 17:33. Server port: 21.     220 You will be disconnected after 15 minutes of inactivity.     Name (localhost:bjepson):     331 User bjepson OK. Password required     Password: ********     230-User bjepson has group access to:  80       501     230 OK. Current directory is /     Remote system type is UNIX.     Using binary mode to transfer files.     ftp> ls     229 Extended Passive mode OK (|||65321|)     150 Accepted data connection     226-Options: -l     226 0 matches total     ftp> cd /     250 OK. Current directory is /     ftp> ls     229 Extended Passive mode OK (|||18080|)     150 Accepted data connection     226-Options: -l     226 0 matches total 

16.2.6. Printer Sharing

When you turn on Printer Sharing , the cups-lpd server is enabled. This option toggles the Disabled key in /System/Library/LaunchDaemons/printer.plist. For more information, see "Printer Sharing" in Chapter 6.