Mac OS X includes many built-in services that are based on common open source servers such as Samba, Apache, and OpenSSH. Although you can enable and disable these using the Sharing preference panel (System Preferences → Sharing), there's not much configuration you can do there. This section describes each of these services and what you can do to customize them to your liking.

13.4.1 Personal File Sharing

This option controls the AppleTalk Filing Profile (AFP) service, and corresponds to the AFPSERVER entry in /etc/hostconfig (see Chapter 2 for more information on hostconfig). When you enable Personal File Sharing, your Mac shares your Home directory and any mounted volumes (including external drives) with the connected machine.

13.4.2 Windows File Sharing

This option turns on the Samba service, and toggles the disable entry in /etc/xinetd.d/nmbd (the NetBIOS name server, which resolves Windows server names) and /etc/xinetd.d/smbd (the server that handles Windows file sharing). On Mac OS X, Samba hooks into Open Directory for user authentication. Because of this, you don't need to use smbpasswd to set the password for someone logging into your Mac from a Windows machine; users can authenticate themselves with their login username and password.

You can add a new share by editing /etc/smb.conf and adding an entry. For example, you could share your Applications directory with this entry:

    [Applications]
    path = /Applications
    read only = yes

Next, use the command sudo killall -HUP smbd nmbd to restart Samba networking with the new configuration file, without closing any existing connections. Stopping and restarting Windows File Sharing terminates any existing connections. Although Windows clients will usually reconnect to shared resources without complaining, they will get an error if a file transfer is in progress when you interrupt the connection.
13.4.3 Personal Web Sharing

The Apache server is activated when you enable Personal Web Sharing in the Sharing preferences panel (it is disabled by default). This corresponds to the WEBSERVER entry in /etc/hostconfig. Apache's main configuration file is /etc/httpd/httpd.conf. Individual users' sites are configured with the files in /etc/httpd/users. Apache keeps its log files in /var/log/httpd.

The Apache server that comes with Mac OS X Panther is based on Apache 1.3.28, and includes several optional modules, which you can enable or disable by uncommenting or commenting the corresponding LoadModule and AddModule directives in /etc/httpd/httpd.conf. These modules are described in the following sections. After you've made any changes to these modules, test the configuration with the command sudo apachectl configtest, and then have Apache reload its configuration files with sudo apachectl graceful. You can browse the source code to Apple's version of Apache, as well as the optional modules, by visiting http://www.opensource.apple.com/darwinsource/.

13.4.3.1 dav_module (mod_dav)

This is the WebDAV (Web-based Distributed Authoring and Versioning) module, which lets you export a web site as a filesystem (this is how Apple's iDisk is exported, for example). If you enable this module, you can turn on WebDAV sharing by including the directive DAV on within a <Directory> or <Location> element in httpd.conf or one of the user configuration files in /etc/httpd/users. You will also need to specify the lock file that mod_dav will use.
For example, you can enable WebDAV for your web server root by changing httpd.conf as shown (the added lines are DAVLockDB and DAV on; the rest of the <Directory /> block is already there):

    DAVLockDB /tmp/DAVLock
    <Directory />
        Options FollowSymLinks
        DAV on
        AllowOverride None
    </Directory>

After you make this change and restart Apache, you'll be able to mount your web site with the following command:

    mount_webdav http://127.0.0.1/ /mnt

See http://www.webdav.org/mod_dav/install.html for complete information on configuring this module.

13.4.3.2 perl_module (mod_perl)

This module embeds the Perl interpreter in each Apache process, letting you run Perl web applications without the overhead of launching a CGI script. mod_perl also lets you develop Perl applications that hook into Apache's request handling at various stages. Panther ships with mod_perl 1.26.

After you've enabled mod_perl on your server, you can get up and running quickly by using the Apache::Registry module, which runs most well-behaved Perl CGI scripts under mod_perl. You can set up a virtual directory for Perl scripts by adding the following to httpd.conf and restarting Apache:

    Alias /perl/ /Library/WebServer/Perl/
    PerlModule Apache::Registry
    <Location /perl>
        SetHandler perl-script
        PerlHandler Apache::Registry
        Options ExecCGI
    </Location>

Next, create the directory /Library/WebServer/Perl, save the following program into that directory in a file called HelloWorld, and make that file executable with chmod:

    #!/usr/bin/perl -w
    use strict;

    # workaround for a bug in Mac OS X 10.3
    tie *STDOUT, 'Apache';

    # run 'perldoc CGI' for more information
    use CGI qw(:standard);

    print STDOUT header();
    print STDOUT start_html("Sample Script");
    print "hello, world";
    print end_html();

If you point your browser at http://localhost/perl/HelloWorld, you should see a friendly greeting. If not, check /var/log/httpd/error_log for error messages. You can find complete documentation for mod_perl at http://perl.apache.org/docs/1.0/index.html.
13.4.3.3 ssl_module (mod_ssl)

This module allows you to serve documents securely using the HTTPS (TLS/SSL) protocol. To configure this properly, you should obtain a server certificate signed by a Certifying Authority (CA). However, you can whip something up pretty quickly for testing using the following steps, after you've enabled mod_ssl in httpd.conf:
At this point, you have two files for use: the signed certificate (~/tmp/newcert.pem) and the request file, which also contains the server's private key (~/tmp/newreq.pem). The private key is protected by the passphrase you supplied when you generated the request. To configure your server for HTTPS support:
Now, try visiting https://localhost in a web browser. You should get a warning that an unknown authority signed the server certificate. It's OK to continue past this point. For more information about configuring mod_ssl for Mac OS X, see Using mod_ssl at http://developer.apple.com/internet/macosx/modssl.html. The mod_ssl FAQ includes information on getting a server certificate that's been signed by a trusted CA: http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real.

13.4.3.4 php4_module (mod_php4)

Enable this module to start serving PHP 4 documents from your Macintosh. After you turn on this module and restart Apache, you can install PHP scripts ending with .php into your document directories. For example, save the following script as hello.php in /Library/WebServer/Documents:

    <html>
    <head><title>PHP Demo</title></head>
    <body>
    <?
    foreach (array("#FF0000", "#00FF00", "#0000FF") as $color) {
        echo "<font color=\"$color\">Hello, World<br /></font>";
    }
    ?>
    </body>
    </html>

Next, open http://localhost/hello.php in a web browser; the phrase "Hello, World" should appear in three different colors. If it does not, consult /var/log/httpd/error_log for messages that might help diagnose what went wrong. For information on using PHP with MySQL, see Chapter 14.

13.4.3.5 hfs_apple_module (mod_hfs_apple)

This module is enabled by default, and provides compatibility with the HFS+ filesystem's case insensitivity. For more information, see http://docs.info.apple.com/article.html?artnum=107310.

13.4.3.6 rendezvous_apple_module (mod_rendezvous_apple)

This module is enabled by default. In Jaguar, it advertised the document root (files contained in /Library/WebServer/Documents) and individual user sites (files contained in ~/Sites) over Rendezvous (http://developer.apple.com/macosx/rendezvous/). As of Mac OS X Panther, mod_rendezvous does not automatically advertise these files. Instead, it only advertises user sites whose index.html has been modified.
If you are using PHP as the index document (~/Sites/index.php), Apache may not register your site as changed, and thus will not advertise it over Rendezvous. For mod_rendezvous to notice that a file has changed, you must restart Apache (sudo apachectl restart) after a page is modified for the first time. If you want to override the default mod_rendezvous settings and advertise all user sites on your server, change the relevant section of httpd.conf. Here is the default configuration for the mod_rendezvous section:

    <IfModule mod_rendezvous_apple.c>
        # Only the pages of users who have edited their
        # default home pages will be advertised on Rendezvous.
        RegisterUserSite customized-users
        #RegisterUserSite all-users

        # Rendezvous advertising for the primary site is off by default.
        #RegisterDefaultSite
    </IfModule>

To advertise all user sites, comment out the existing RegisterUserSite directive, and uncomment the one that specifies the all-users option, as shown here:

    <IfModule mod_rendezvous_apple.c>
        # Only the pages of users who have edited their
        # default home pages will be advertised on Rendezvous.
        #RegisterUserSite customized-users
        RegisterUserSite all-users

        # Rendezvous advertising for the primary site is off by default.
        #RegisterDefaultSite
    </IfModule>

You can also enable Rendezvous advertising of the primary site by specifying the RegisterDefaultSite directive. Sites that are advertised on Rendezvous will appear automatically in Safari's Rendezvous bookmarks (Safari → Preferences → Bookmarks → Include Rendezvous).

13.4.4 Remote Login

When you turn on Remote Login, the OpenSSH server is enabled. This option toggles the disable entry in /etc/xinetd.d/ssh. You can configure the OpenSSH server by editing /etc/sshd_config. For example, you can configure OpenSSH to allow remote users to request X11 forwarding by uncommenting the line:

    #X11Forwarding yes

so that it reads:

    X11Forwarding yes

After you make a change to sshd_config, restart xinetd with sudo killall -HUP xinetd.
13.4.5 FTP Access

When you turn on FTP Access in the Sharing preferences panel, the disable entry in /etc/xinetd.d/ftpd is toggled to enable the FTP server. Although Mac OS X comes with an FTP server, its capabilities are limited. We suggest bypassing the FTP server that's included with Mac OS X, and installing ProFTPd via Fink (see Chapter 11). To install ProFTPd, issue the command fink install proftpd. You will be prompted to choose which proftpd to use; we suggest selecting the default (proftpd-pam), since it integrates with Linux-PAM (see Chapter 3):

    $ fink install proftpd
    sudo /sw/bin/fink install proftpd
    Password: ********
    Information about 1593 packages read in 2 seconds.
    fink needs help picking an alternative to satisfy a virtual dependency. The candidates:
    (1)     proftpd-pam: Incredibly configurable and secure FTP daemon (Default)
    (2)     proftpd-tls: Incredibly configurable and secure FTP daemon (TLS)
    (3)     proftpd-ldap: Incredibly configurable and secure FTP daemon (LDAP)
    (4)     proftpd-mysql: Incredibly configurable and secure FTP daemon (MySQL)
    (5)     proftpd-pgsql: Incredibly configurable and secure FTP daemon (PostgreSQL)
    Pick one: [1] 1
    The following package will be installed or updated:
     proftpd
    The following 5 additional packages will be installed:
     anacron daemonic ftpfiles libxml2 proftpd-pam
    Do you want to continue? [Y/n] Y

If you haven't already installed it, you will be asked if you want to enable anacron. We suggest doing so, since it will take care of running cron jobs that your system misses. However, anacron will run only cron jobs defined in Fink's /sw/etc directory, not the Mac OS X cron jobs described in Section 2.3 of Chapter 2.

    Setting up anacron (2.3-4) ...
    This script allows you to decide whether you would like for anacron to run at startup,
    then to periodically check for system tasks that need to be run.

    Alternatively you could run anacron by hand once a day (by typing `anacron -s'),
    though this sort of defeats the purpose of installing a command scheduler in the
    first place...

    If you wish to make changes to your anacron settings in the future, you can run
    this script again with the command:

    update-anacron

    Anacron is not currently set up to be run periodically by cron.
    Would you like for anacron to be run automatically?
    In most cases, you probably want to say yes to this option. [Y/n] Y
    Added anacron to task schedule, and will run at startup

To switch Mac OS X over to ProFTPd, follow these steps:
To configure ProFTPd as an anonymous-only server, add the following lines to /sw/etc/proftpd.conf at the top level (that is, not nested in the <Directory> or <Anonymous> elements):

    <Limit LOGIN>
        DenyAll
    </Limit>

and finally, add the following to the <Anonymous> element:

    <Limit LOGIN>
        AllowAll
    </Limit>

This configuration won't prevent uninformed users from trying to log in and typing their username and password, though, and both will go across the network in plain text. As a security precaution, you should inform users that only anonymous login is allowed (ideally, an anonymous FTP server would have no remote users aside from its administrators, and they'd log in using SSH).

13.4.6 Printer Sharing

When you turn on Printer Sharing, the cups-lpd server is enabled. This option toggles the disable entry in /etc/xinetd.d/printer. For more information, see Section 4.1.4 in Chapter 4.

13.4.7 Internet Sharing and the Firewall

On Mac OS X, the default packet filter rules allow all traffic from any location to come into your computer, using the following ipfw rule (65535 is the rule number, which ipfw uses as the rule's priority, so this is the lowest priority possible):

    65535 allow ip from any to any

When you turn on Internet Sharing (System Preferences → Sharing → Internet), Mac OS X starts the Network Address Translation daemon (natd).
Mac OS X also adds an additional rule, which has a high priority (00010), and diverts any traffic coming in via the interface en1 (wired Ethernet) to port 8668, which natd listens on:

    00010 divert 8668 ip from any to any via en1

When you enable the firewall (System Preferences → Sharing → Firewall), Mac OS X sets up the following rules to keep traffic from getting into your computer:

    02000 allow ip from any to any via lo*
    02010 deny ip from 127.0.0.0/8 to any in
    02020 deny ip from any to 127.0.0.0/8 in
    02030 deny ip from 224.0.0.0/3 to any in
    02040 deny tcp from any to 224.0.0.0/3 in
    02050 allow tcp from any to any out
    02060 allow tcp from any to any established
    12190 deny tcp from any to any

In addition, the firewall sets up rules for any services you have enabled in the Sharing tab, such as this one, which allows SSH connections:

    02070 allow tcp from any to any 22 in

You can add your own packet filter rules by clicking the New button on the Firewall tab. You can also add your own firewall rules using the ipfw utility, but the Firewall tab will remain disabled until you reboot or clear the rules with sudo ipfw flush. You may also need to quit and restart the System Preferences application before it notices that you've reset the firewall to the default rules. For more information on the packet filter mechanism that Mac OS X uses, see the ipfw manpage.
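ipfw applies the lowest-numbered rule that matches a packet, so the effect of the list above is easiest to see by evaluating sample packets against it. The following Python simulator is an added example, not from the book or from ipfw itself: it parses the rules exactly as listed (only the syntax subset that appears on this page) and returns the deciding rule for a constructed packet, which shows that the deny at 12190 stops unsolicited inbound TCP while a UDP packet, which none of the tcp rules match, still falls through to the allow at 65535.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed rule set: the Firewall-tab rules listed on this page, entered out of
# order on purpose, since ipfw evaluates by rule number rather than order of entry.
PANTHER_FIREWALL = """
65535 allow ip from any to any
02070 allow tcp from any to any 22 in
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
"""

def parse_rule(line):
    """Parse one 'ipfw list' style line (only the syntax subset used on this page)."""
    t = line.split()
    rule = {"num": int(t[0]), "action": t[1], "port": None, "via": None,
            "dir": None, "established": False}
    i = 2
    if rule["action"] == "divert":          # 'divert <port>' consumes one more token
        rule["action"], i = "divert " + t[2], 3
    rule["proto"], rule["src"], rule["dst"] = t[i], t[i + 2], t[i + 4]  # proto from S to D
    for tok in t[i + 5:]:                   # optional trailing qualifiers
        if tok.isdigit(): rule["port"] = int(tok)
        elif tok in ("in", "out"): rule["dir"] = tok
        elif tok == "established": rule["established"] = True
    if "via" in t: rule["via"] = t[t.index("via") + 1]
    return rule

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(r, pkt):
    return ((r["proto"] == "ip" or r["proto"] == pkt["proto"])
            and addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])
            and (r["port"] is None or r["port"] == pkt.get("dport"))
            and (r["via"] is None or fnmatch(pkt["iface"], r["via"]))
            and (r["dir"] is None or r["dir"] == pkt["dir"])
            and (not r["established"] or pkt.get("established", False)))

def verdict(ruleset, pkt):
    """(rule number, action) of the first match in rule-number order; None if no rule matches."""
    for r in sorted(map(parse_rule, ruleset.strip().splitlines()), key=lambda r: r["num"]):
        if rule_matches(r, pkt):
            return r["num"], r["action"]
```

A packet is a dict with proto, src, dst, iface and dir keys, plus dport and established where relevant; the divert rule for Internet Sharing parses too, but the simulator reports it as the verdict rather than modelling natd re-injecting the packet.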