Monitoring and Administering a Network


In addition to the tools you need to configure and start various network services, such as file sharing or FTP, Mac OS X includes tools you can use to monitor and administer your network. Two of these are the Network Utility, which enables you to diagnose your network connections, and the NetInfo Manager, which provides comprehensive control over many aspects of a Mac OS X machine.

Using the Network Utility to Assess Your Network

The Network Utility provides a set of tools you can use to assess the condition of communication across machines on your network as well as a set of tools that enable you to get information about various sites on your network and the Internet.

When you launch the Network Utility (Applications/Utilities), you will see a window with nine tabs, one for each service the application provides (see Figure 33.13).

Figure 33.13. Ping is a useful way to test your connection to another machine (in this case, I pinged 10.0.1.4, which is another Mac on my LAN).


Table 33.2 summarizes the tabs in the Network Utility application.

Table 33.2. Tabs in the Network Utility Application

| Tab | Function |
|---|---|
| Info | Provides information about the interface selected on the pop-up menu. For example, you can get the IP address, connection speed, connection status, and hardware information. You also see the statistics about the transfers over the selected interface. |
| Netstat | Presents various statistics about the performance of the various network protocols. To access this data, select the Netstat tab, choose one of the options by selecting a radio button, and click Netstat. The data appears in the Netstat pane. |
| AppleTalk | Provides information about active AppleTalk services on the machine. |
| Ping | Contacts a specific server to assess network performance between the current Mac and a network resource. When you can't connect to a resource, ping its address to see whether your Mac can communicate with it. If the ping isn't successful, you will know that the machines are unable to communicate. |
| Lookup | Provides various information about a specific Internet address. For example, you can enter a URL and get the IP address for that site. |
| Traceroute | Traces a specific route between machines and provides statistics about that route, such as the maximum number of hops needed. |
| Whois | Enables you to look up information about a domain or an IP address, such as to whom it is registered. |
| Finger | Reports information about a specific individual based on the person's email address. |
| Port Scan | Enables you to scan for open access ports on a specific domain or IP address. |


Covering each of these services in detail is beyond the scope of this chapter, but the next couple of examples should be helpful in getting you started using this tool.

Checking Network Connections with Ping

Troubleshooting network problems can be difficult because identifying the source of the problem can be hard: for example, it might be with the machine you are using, with the machine you are accessing, with an application, and so on. Ping is a way to check on the fundamental communication between two machines. If the ping is successful, you know that a valid communication path exists between two machines. If it isn't successful, you know that a fundamental problem exists with the communication between the machines, and this helps you know where to troubleshoot.

To ping a machine, perform the following steps:

1. Open the Network Utility and click the Ping tab.

2. Enter the IP address or URL for the machine you want to ping.

3. Click "Send an unlimited number of pings" to send pings continuously, or click "Send only ___ pings" and enter the number of pings if you want to send a specific number.

4. Click Ping.

Watch the results in the lower part of the window. You will see your machine attempt to communicate with the machine whose address you entered. If they are able to successfully communicate, you see statistics about how fast the pings are (refer to Figure 33.13). If the pings are successful, you know the communication path between the machines is valid. If not, you know you have a fundamental connection problem between the two machines.

Tracing a Route with Traceroute

Sometimes looking at the specific route between two machines can help identify the source of problems you might be having:

1. Open the Network Utility and click the Traceroute tab.

2. Enter the domain name or IP address to which you want to trace a route, and click Trace. The lower pane of the window will be filled with information that shows each step of the path from your machine to the one whose information you entered (see Figure 33.14).

Figure 33.14. This Traceroute window shows the path from my machine to www.apple.com.


Understanding and Setting Permissions

Access to items on your Mac OS X machine, whether from the machine directly or over a network, is determined by the access privileges set for those items. Three levels of access privilege can be set for any item; these are the following:

  • Owner

  • Group

  • Others

The owner is the owner of the item.

The group is a set of users. By default, Mac OS X includes several groups for which various permissions are assigned to different volumes and directories. Many of these default groups look odd, and some are even nonexistent (for example, in certain places, you will see Members of group "").

Others include those users who are neither the owners nor members of a group.

Each level of access has four access options:

  • Read & Write: This is the broadest level of access and lets the user to whom it is assigned read and write to the item to which it is assigned.

  • Read only: This privilege lets a user see items in a directory but not change them. For example, if a user has read-only access to a folder, they can copy its files, but they can't change the files stored in that folder.

  • Write only (Drop Box): With this access, a user can place items in a directory but can't see the contents of that directory. By default, each user has a Drop Box folder in the Public folder in her Home folder.

  • No Access: The user can't do anything with the item.

If you open the Info window for an item and expand the Ownership & Permissions area, the current access permissions for the item will be shown. If you expand the Details area, the current permissions set for the owner, group, and others will also be displayed. For example, Figure 33.15 shows the Permissions information for the volume on which Mac OS X is installed, whereas Figure 33.16 shows similar information for a document within the logged-in user's Home directory.

Figure 33.15. This Info window for the startup Mac OS X volume shows that the current user (You can) can read and write to the selected volume; the owner (system) and anyone in the admin group has the same access while others can only read from the disk.


Figure 33.16. This Info window is for the Documents folder within a user's Home directory; its pop-up menus are active and you can use them to set access permissions for the item.


TIP

To change permissions, click the Lock icon next to the Owner pop-up menu and authenticate yourself as an administrator of the Mac. When the Lock icon is unlocked, the pop-up menus become active.


There are several things you need to know about the Ownership & Permissions information shown in the Info window.

First, unless you are logged in under the root or administrator account, you can't use the pop-up menus to change the permissions assigned to items on the Mac OS X startup volume above the current user's Home directory. However, when you open the Ownership & Permissions area of the Info window for an item on another volume or within a user's Home directory, the pop-up menus become active and you can use them to change the privileges for the items that folder contains.

Second, the groups you see in the Info window are default groups created when you install Mac OS X. The user accounts that are members of these groups can access the item with the group's privileges. You can't change the members of those groups from the Finder; you have to use the NetInfo Manager application, as you will see in the next section.

To configure access privileges for most items, you need to either be logged in as an administrator or authenticate yourself in the Info window. To do so, click the Lock icon and enter an administrator username and password.

To set the access privileges for all items, perform the following steps:

1. Log in under the account that is the owner of the items for which you want to change access permissions. For example, to change the access permissions for the items in a user's Home directory, log in under that user account. (You can see the owner for any item by opening the Details area of the Ownership & Permissions area of the Info window for that item; the current owner is shown on the Owner pop-up menu.)

NOTE

The owner for most items you will see is the original administrator account. The owner of items within the user directories is the user account for that directory, and the owner of system items is system, which is actually the root account.

To learn how to log in under the root account, see p. 253.


2. Select the item for which you want to set permissions and press Command-I.

3. Expand the Ownership & Permissions section in the Info window and then expand the Details section.

Use the access permission pop-up menus to set the access privileges for each type of user. Different pop-up menus are active depending on the specific item for which you are setting access permissions and the user account you are using. If you aren't in a position to change an aspect of the permissions, the pop-up menus for that aspect will be disabled.

4. If the Owner pop-up menu is active, use it to set the owner of the item. When you open this menu, you see each user account on the machine plus many other user accounts you probably have not seen before (see Figure 33.17). The primary ones you need to concern yourself with are system, which is the root account, and nobody, which makes no account the owner of an item. The current owner is indicated by the check mark.

Figure 33.17. You can use the Owner pop-up menu to set the owner for an item.


TIP

If you select Other on the Owner pop-up menu, you see the User Listing dialog box, which shows every user on your machine.

5. Use the Access pop-up menu under the Owner pop-up menu to configure the access the owner has to that item. Typically, the owner of an item is granted Read & Write access, which is the broadest access possible.

6. Open the Group pop-up menu and assign a group to the item. As with the Owner pop-up menu, all sorts of odd-looking groups appear on the Group pop-up menu. The staff group is selected for many items by default; you are a member of this group. The other groups you see have been created by default or by using the NetInfo Manager application. You can determine the members of the groups by using the NetInfo Manager application as well.

NOTE

The default group for an item within a user's Home folder is the user's user account.

7. Use the Group Access pop-up menu to configure the access that members of the group you selected in the previous step have to the item. Usually, you should allow Read access for a group.

8. Use the Others pop-up menu to set the access everyone else (everyone who is not the assigned owner or a member of the assigned group) has. Typically, you allow either No Access or Write only (Drop Box) to others.

9. If you want the same privileges to apply to every item contained in the item you selected, click the button labeled "Apply to enclosed items." The same set of permissions is then applied to every item contained in the current item.

10. Continue setting permissions for other items as necessary.

Under Mac OS X, you can open multiple Info windows at the same time. This is a handy way to compare and contrast the permissions provided for different items.
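The access levels and the owner, group, and others classes described above correspond to the read and write bits of the Unix mode that ls -l shows for an item. The following is an added example, not code from the book: it translates an item's mode into the Info window labels and lists items where Others have Read & Write access, which goes beyond the No Access or Write only (Drop Box) setting that step 8 suggests. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: map Unix permission triads to the access labels used in the
# Info window. Only the read and write bits decide the label; the third
# (execute/search) position is ignored.

finder_access() {
    # $1 is a three-character triad such as "rw-" or "r-x".
    case "$1" in
        rw?) echo "Read & Write" ;;
        r-?) echo "Read only" ;;
        -w?) echo "Write only (Drop Box)" ;;
        --?) echo "No Access" ;;
        *)   echo "unknown"; return 1 ;;
    esac
}

describe_item() {
    # Print the owner, group, and others access for one path, taken from
    # the mode string in the first field of "ls -ld".
    mode=$(ls -ld -- "$1" | awk '{print $1}')
    owner=$(printf '%s' "$mode" | cut -c2-4)
    group=$(printf '%s' "$mode" | cut -c5-7)
    others=$(printf '%s' "$mode" | cut -c8-10)
    printf 'owner=%s; group=%s; others=%s\n' \
        "$(finder_access "$owner")" \
        "$(finder_access "$group")" \
        "$(finder_access "$others")"
}

audit_others() {
    # List every item under $1 (symbolic links excluded) where Others have
    # both the read and the write bit set, that is, Read & Write.
    find "$1" ! -type l -perm -006 -print
}

# When run with paths as arguments, describe each one and audit directories.
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(describe_item "$p")"
    if [ -d "$p" ]; then
        audit_others "$p" | while IFS= read -r hit; do
            printf '  Others have Read & Write: %s\n' "$hit"
        done
    fi
done
```

A Drop Box folder (mode 733) is reported as Write only (Drop Box) and is not flagged by audit_others, because Others lack the read bit.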

Using the NetInfo Manager to Administer Your Network

The NetInfo Manager application (Applications/Utilities) can be used to view and change an extensive amount of configuration information for a system. The application presents information based on a selected directory; by default, this is the information for the localhost directory, which is the machine on which Mac OS X is installed.

CAUTION

Using the NetInfo Manager application is not for the faint of heart. The information it presents and the controls it provides are complicated and can be quite dangerous to your system. This section can only scratch the surface of this application, and you should be careful if you explore the application on your own.


When you open the application, click the Lock icon and enter your administrator account information to enable changes to be made. The application's two-paned window and toolbar will become active (see Figure 33.18).

Figure 33.18. This NetInfo Manager window shows information for the base level of the localhost machine.


Networks and Complexity

As you explore networking, you might find yourself thinking that Mac OS X security is complicated to set up and manage. If you have these thoughts, I agree with you.

This complexity is part of the price paid for the additional capabilities and security of Mac OS X when compared to previous versions of the OS. Mac OS X is based on Unix, and the complexity of Unix comes to the forefront more in some specific areas of the OS than in others; networking is a prime example of where Unix really moves to the foreground. Fortunately, as you have seen, using the default configuration to provide basic services, such as file sharing, websites, and so on, is relatively easy. It is only when you are doing more complex tasks, such as changing the composition of the default user groups, that you have to get face-to-face with some of the complexity of the system underlying Mac OS X.


In the upper pane is a browse window that works similarly to a Finder window in the Columns view. In the center column, you can browse the contents of an item selected in the left column. Similarly, in the far right column, you can browse the contents of an item selected in the center column.

In the lower pane are the details for the item you have selected in the upper pane. The specific details you see are related to what you have selected in the upper pane. For example, Figure 33.19 shows the details for the user account bradm (selected in the upper pane) in the lower pane of the window.

Figure 33.19. You can use the NetInfo Manager to view and change information about the items you select.


When you have selected an item, you can change its information by editing the property and value data in the lower pane of the window.

NetInfo Manager is an extremely powerful utility, and you can administer many parts of your system with it. Because of space limitations, I can't cover it in much detail. However, a sample task will show you how it works in general.

You can change which users receive the access privileges assigned to a group by changing the members of that group. For example, you can add members to the group admin to change which user accounts have administrator privileges on your machine:

1. Open the NetInfo Manager application (Applications/Utilities).

2. Authenticate yourself as an administrator by clicking the Lock icon and entering an administrator username and password.

3. In the center column of the window, click groups and then select admin in the right column. The lower pane displays the various properties and their corresponding values for the admin group.

4. Click the expansion triangle next to the users property to expand it (see Figure 33.20). Each member is listed on a separate line. If you have created only one administrator account, that account and the root account appear in the list. If you have created more than one administrator account, each administrator account and the root account will be listed.

Figure 33.20. Expanding the users property by clicking its expansion triangle reveals the members of the admin group (in this case, root and bradm).


5. Select Directory, New Value. A new line is added to the users property; the value is new_value.

6. With new_value highlighted, change it to the short name of the user account you want to make a member of the admin group; then press Return.

7. Repeat the steps to add other members to the admin group.

8. Quit the application. In the Quit dialog box, click Review Unsaved, and then click Save in the Warning dialog box.

9. In the next dialog box, click the "Update this copy" button.

TIP

If the changes you make don't appear to be reflected, restart Mac OS X to force the new values to be implemented.


NOTE

You can make copies of directories so you can make changes to one and use it without writing over the previous version. This gives you a way to recover in case you mess something up.


The users you added to the admin group now have the privileges designated for this group. Opening the Accounts pane of the System Preferences application shows that the user accounts you added to the admin group are now designated as administrator accounts.

You can change the members of other groups you encounter in the same way.

NOTE

Of course, it would be a lot faster to use the Accounts pane of the System Preferences application to edit a user account to make it part of the admin group, but this example serves to show you generally how the NetInfo Manager application works. To change the members of other groups, you have to use the NetInfo Manager application; you can do so using the same steps as those to change the members of the admin group.
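Because membership in the admin group grants administrator privileges, it is worth checking the member list against the accounts you expect. The following is an added example, not code from the book: it compares a captured membership line with an approved list and prints any member that is not approved. The function names, the sample line format ("GroupMembership: name name ..."), and the account name guestuser are assumptions made for this example; root and bradm are the members shown in Figure 33.20.

```shell
#!/bin/sh
# Added example: report admin group members that are not on an approved list.

parse_members() {
    # $1 is a captured line such as "GroupMembership: root bradm"
    # (constructed sample format). Prints one short name per line, sorted.
    printf '%s\n' "$1" \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | tr -s ' ' '\n' \
        | sed '/^$/d' \
        | sort -u
}

unexpected_admins() {
    # $1: captured membership line
    # $2: space-separated list of approved short names
    # Prints each member that is not approved, one per line.
    parse_members "$1" | while IFS= read -r name; do
        case " $2 " in
            *" $name "*) ;;                 # approved, print nothing
            *) printf '%s\n' "$name" ;;     # not approved, report it
        esac
    done
}

# On a Mac, the live value can be supplied with the dscl command-line tool
# instead of a sample line, for example:
#   unexpected_admins "$(dscl . -read /Groups/admin GroupMembership)" "root bradm"
```

An empty result means every current member is on the approved list.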




Special Edition Using Mac OS X Tiger
ISBN: 0789733919
EAN: 2147483647
Year: 2003
Pages: 317
Authors: Brad Miser
