13.4 Built-in Services: The Sharing Panel

Mac OS X includes many built-in services that are based on common open source servers such as Samba, Apache, and OpenSSH. Although you can enable and disable these using the Sharing preference panel (System Preferences Sharing), there's not much configuration you can do there. This section describes each of these services and what you can do to customize them to your liking.

13.4.1 Personal File Sharing

This option controls the AppleTalk Filing Profile (AFP) service, and corresponds to the AFPSERVER entry in /etc/hostconfig (see Chapter 2 for more information on hostconfig ). When you enable Personal File Sharing, your Mac shares your Home directory and any mounted volumes (including external drives ) with the connected machine.

13.4.2 Windows File Sharing

This option turns on the Samba service, and toggles the disable entry in /etc/xinetd.d/nmbd (NetBIOS name server for resolving Windows server names ) and /etc/xinetd.d/smbd (the server that handles Windows file sharing).

On Mac OS X, Samba hooks into Open Directory for user authentication. Because of this, you don't need to use smbpasswd to set the password for someone logging into your Mac from a Windows machine; users can authenticate themselves by using their login username and password.

You can add a new share by editing /etc/smb.conf , and adding an entry. For example, you could share your Applications directory with this entry:

 [Applications] path = /Applications read only = yes 

Next, use the command sudo killall -HUP smbd nmbd to restart Samba networking with the new configuration file, and without closing any existing connections. Stopping and restarting Windows File Sharing terminates any existing connections. Although Windows clients will usually reconnect to shared resources without complaining, they will get an error if a file transfer is in progress when you interrupt the connection.

13.4.3 Personal Web Sharing

The Apache server is activated when you enable Personal Web Sharing in the Sharing preferences panel (it is disabled by default). This corresponds to the WEBSERVER entry in /etc/hostconfig . Apache's main configuration file is /etc/httpd/httpd.conf . Individual users' sites are configured with the files that you can find in /etc/httpd/users . Apache keeps its log files in /var/log/httpd .

The Apache server that comes with Mac OS X Panther is based on Apache 1.3.28, and includes several optional modules, which you can enable or disable by uncommenting/commenting the corresponding LoadModule and AddModule directives in /etc/httpd/httpd.conf . These modules are described in the following sections.

After you've made any changes to these modules, you should test the changes to the configuration with the command sudo apachectl configtest , and then have Apache reload its configuration files with sudo apachectl graceful .

You can browse the source code to Apple's version of Apache, as well as the optional modules, by visiting http://www.opensource.apple.com/darwinsource/. dav_module (mod_dav)

This is the WebDAV (Web-based Distributed Authoring and Versioning) module, which lets you export a web site as a filesystem (this is how Apple's iDisk is exported, for example).

If you enable this module, you can turn on WebDAV sharing by including the directive DAV on within a <Directory> or <Location> element in httpd.conf or one of the user configuration files in /etc/httpd/users . You will also need to specify the lockfile that mod_dav will use. For example, you can enable WebDAV for your web server root by changing httpd.conf as shown in bold :

  DAVLockDB /tmp/DAVLock  <Directory />     Options FollowSymLinks  DAV on  AllowOverride None </Directory> 

After you make this change and restart Apache, you'll be able to mount your web site with the following command:

 mount_webdav /mnt 

See http://www.webdav.org/mod_dav/install.html for complete information on configuring this module. perl_module (mod_perl)

This module embeds the Perl interpreter in each Apache process, letting you run Perl web applications without the overhead of launching a CGI script. mod_perl also lets you develop Perl applications that can hook into Apache's responses at various stages. Panther ships with mod_perl 1.26.

After you've enabled mod_perl on your server, you can get up and running quickly by using the Apache::Registry module, which runs most well-behaved Perl CGI scripts under mod_perl . You can set up a virtual directory for Perl scripts by adding the following to httpd.conf and restarting Apache:

 Alias /perl/ /Library/WebServer/Perl/ PerlModule Apache::Registry <Location /perl>   SetHandler perl-script   PerlHandler Apache::Registry   Options ExecCGI </Location> 

Next, create the directory /Library/WebServer/Perl , save the following program into that directory in a file called HelloWorld , and set that file as executable with chmod :

 #!/usr/bin/perl -w use strict;  # workaround for a bug in Mac OS X 10.3 tie *STDOUT, 'Apache'; # run 'perldoc CGI' for more information use CGI qw(:standard); print STDOUT header( ); print STDOUT start_html("Sample Script"); print "hello, world"; print end_html( ); 

If you point your browser at http://localhost/perl/HelloWorld , you should see a friendly greeting. If not, check /var/log/httpd/error_log for error messages. You can find complete documentation for mod_perl at http://perl.apache.org/docs/1.0/index.html. ssl_module (mod_ssl)

This module allows you to serve documents securely using the HTTPS ( TLS/SSL) protocol. To configure this properly, you should obtain a server certificate signed by a Certifying Authority (CA). However, you can whip something up pretty quickly for testing using the following steps, after you've enabled mod_ssl in httpd.conf :

  1. Create and change to a working directory for creating and signing your certificates:

     $  mkdir ~/tmp  $  cd ~/tmp  
  2. Create a new CA. This will be an untrusted CA. You'll be able to sign things, but browsers will not implicitly trust you:

     $  /System/Library/OpenSSL/misc/CA.sh -newca  CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key .......................................++++++ ..++++++ writing new private key to './demoCA/private/./cakey.pem' Enter PEM pass phrase:  ********  Verifying - Enter PEM pass phrase:  ********  ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:  US  State or Province Name (full name) [Some-State]:  Rhode Island  Locality Name (eg, city) []:  Providence  Organization Name (eg, company) [Internet Widgits Pty Ltd]:  Gold and Appel Transfers  Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:  Hagbard Celine  Email Address []:  hagbard@jepstone.net  Next, create a certificate request; this will generate an unsigned  certificate that you'll have to sign as the CA you just created: $  /System/Library/OpenSSL/misc/CA.sh -newreq  Generating a 1024 bit RSA private key ................++++++ ................................................................++++++ writing new private key to 'newreq.pem' Enter PEM pass phrase:  ********  Verifying - Enter PEM pass phrase:  ********  ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:  US  State or Province Name (full name) [Some-State]:  Rhode Island  Locality Name (eg, city) []:  Kingston  Organization Name (eg, company) [Internet Widgits Pty Ltd]:  Jepstone  Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:  Brian Jepson  Email Address []:  bjepson@jepstone.net  Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request (and private key) is in newreq.pem 
  3. Now, you must sign the key. The passphrase you must enter in this step should be the passphrase you used when you created the CA:

     $  /System/Library/OpenSSL/misc/CA.sh -sign  Using configuration from /System/Library/OpenSSL/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem:  ********  Check that the request matches the signature Signature ok Certificate Details:         Serial Number: 1 (0x1)         Validity             Not Before: Nov 11 19:34:22 2003 GMT             Not After : Nov 10 19:34:22 2004 GMT         Subject:             countryName               = US             stateOrProvinceName       = Rhode Island             localityName              = Kingston             organizationName          = Jepstone             commonName                = Brian Jepson             emailAddress              = bjepson@jepstone.net         X509v3 extensions:             X509v3 Basic Constraints:              CA:FALSE             Netscape Comment:              OpenSSL Generated Certificate             X509v3 Subject Key Identifier:              1C:AA:2E:32:15:28:83:4B:F4:54:F1:97:87:12:11:45:7C:33:47:96             X509v3 Authority Key Identifier:              keyid:DC:C0:D7:A5:69:CA:EE:2B:1C:FA:1C:7A:8A:B2:90:F1:EE:             1E:49:0C             DirName:/C=US/ST=Rhode Island/L=Providence/O=Gold and Appel             Transfers/CN=Hagbard Celine/emailAddress=hagbard@jepstone.net             serial:00 Certificate is to be certified until Nov 10 19:34:22 2004 GMT (365 days) Sign the certificate? [y/n]:  y  1 out of 1 certificate requests certified, commit? [y/n]  y  [... output truncated ...] Signed certificate is in newcert.pem 

At this point, you have two files for use: the signed certificate ( ~/tmp/newcert.pem ) and the request file, which also contains the server's private key ( ~/tmp/newreq.pem ). The private key is protected by the passphrase you supplied when you generated the request. To configure your server for HTTPS support:

  1. Convert the server key so that it doesn't need a passphrase to unlock it (you'll need to supply the passphrase you used when you generated the request). This removes the protection of the passphrase, but is fine for testing. If you don't do this, you'll need to supply a passphrase each time Apache starts up (this means you'd need to start your computer in verbose mode each time you boot up, or start Apache manually after you boot):

     $  sudo openssl rsa -in newreq.pem -out serverkey.pem  Enter pass phrase for newreq.pem:  ********  writing RSA key  ********  
  2. Copy these files to a location on your filesystem that's outside of the web server's document tree:

     $  mkdir /Library/WebServer/SSL  $  cp ~/tmp/serverkey.pem /Library/WebServer/SSL/  $  cp ~/tmp/newcert.pem /Library/WebServer/SSL/  
  3. Add the following lines to httpd.conf :

     <IfModule mod_ssl.c>   SSLCertificateFile    /Library/WebServer/SSL/newcert.pem   SSLCertificateKeyFile /Library/WebServer/SSL/serverkey.pem   SSLEngine on   Listen 443 </IfModule> 
  4. Stop and restart the web server (it is not enough to use apachectl graceful when you install a new certificate):

     $  sudo apachectl stop  /usr/sbin/apachectl stop: httpd stopped $  sudo apachectl start  Processing config directory: /private/etc/httpd/users/*.conf  Processing config file: /private/etc/httpd/users/bjepson.conf /usr/sbin/apachectl start: httpd started 

Now, try visiting https://localhost in a web browser. You should get a warning that an unknown authority signed the server certificate. It's OK to continue past this point.

For more information about configuring mod_ssl for Mac OS X, see Using mod_ssl at http://developer.apple.com/internet/macosx/modssl.html. The mod_ssl FAQ includes information on getting a server certificate that's been signed by a trusted CA: http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real. php4_module (mod_php4)

Enable this module to start serving PHP 4 documents from your Macintosh. After you turn on this module and restart Apache, you can install PHP scripts ending with .php into your document directories. For example, save the following script as hello.php in /Library/WebServer/Documents :

 <html> <head><title>PHP Demo</title></head> <body> <?   foreach (array("#FF0000", "#00FF00", "#0000FF") as $color) {     echo "<font color=\"$color\">Hello, World<br /></font>";   } ?> </body> </html> 

Next, open http://localhost/hello.php in a web browser; the phrase "Hello, World" should appear in three different colors. If it does not, consult /var/log/httpd/error_log for messages that might help diagnose what went wrong.

For information on using PHP with MySQL, see Chapter 14. hfs_apple_module (mod_hfs_apple)

This module is enabled by default, and provides compatibility with the HFS+ filesystem's case insensitivity. For more information, see http://docs. info .apple.com/article.html?artnum=107310. rendezvous_apple_module (mod_rendezvous_apple)

This module is enabled by default. In Jaguar, it advertised the document root (files contained in /Library/WebServer/Documents ) and individual user sites (files contained in ~/Sites ) over Rendezvous (http://developer.apple.com/macosx/rendezvous/). As of Mac OS X Panther, mod_rendezvous does not automatically advertise these files. Instead, it only advertises user sites whose index.html has been modified.

If you are using PHP as the index document ( ~/Sites/index.php ), Apache may not register your site as changed, and thus will not advertise it over Rendezvous. For mod_rendezvous to notice that a file has changed, you must restart Apache ( sudo apachectl restart ) after a page is modified for the first time.

If you want to override the default mod_rendezvous settings and advertise all user sites on your server, change the relevant section of httpd.conf . Here is the default configuration for the mod_rendezvous section:

 <IfModule mod_rendezvous_apple.c>     # Only the pages of users who have edited their     # default home pages will be advertised on Rendezvous.     RegisterUserSite customized-users     #RegisterUserSite all-users     # Rendezvous advertising for the primary site is off by default.     #RegisterDefaultSite </IfModule> 

To advertise all user sites, comment out the existing RegisterUserSite directive, and uncomment the one that specifies the all-users options, as shown here:

 <IfModule mod_rendezvous_apple.c>     # Only the pages of users who have edited their     # default home pages will be advertised on Rendezvous.  #RegisterUserSite customized-users   RegisterUserSite all-users  # Rendezvous advertising for the primary site is off by default.     #RegisterDefaultSite </IfModule> 

You can also enable Rendezvous advertising of the primary site by specifying the RegisterDefaultSite directive. Sites that are advertised on Rendezvous will appear automatically in Safari's Rendezvous bookmarks (Safari Preferences Bookmarks Include Rendezvous).

13.4.4 Remote Login

When you turn on Remote Login, the OpenSSH server is enabled. This option toggles the disable entry in /etc/xinetd.d/ssh . You can configure the OpenSSH server by editing /etc/sshd_config . For example, you can configure OpenSSH to allow remote users to request X11 forwarding by uncommenting the line:

 #X11Forwarding yes 


 X11Forwarding yes 

After you make a change to sshd_config , restart xinetd with sudo killall -HUP xinetd .

13.4.5 FTP Access

When you turn on FTP Access in the Sharing preferences panel, the disable entry in /etc/xinetd.d/ ftpd is toggled on to enable the FTP server. Although Mac OS X comes with an FTP server, its capabilities are limited. We suggest bypassing the FTP server that's included with Mac OS X, and installing ProFTPd via Fink (see Chapter 11).

To install ProFTP, issue the command fink install proftpd . You will be prompted to choose which proftpd to use; we suggest selecting the default ( proftpd-pam ), since it integrates with Linux-PAM (see Chapter 3):

 $  fink install proftpd  sudo /sw/bin/fink  install proftpd Password:  ********  Information about 1593 packages read in 2 seconds. fink needs help picking an alternative to satisfy a virtual dependency. The candidates: (1)      proftpd-pam: Incredibly configurable and secure FTP daemon (Default) (2)      proftpd-tls: Incredibly configurable and secure FTP daemon (TLS) (3)      proftpd-ldap: Incredibly configurable and secure FTP daemon (LDAP) (4)      proftpd-mysql: Incredibly configurable and secure FTP daemon (MySQL) (5)      proftpd-pgsql: Incredibly configurable and secure FTP daemon (PostgreSQL) Pick one: [1]  1  The following package will be installed or updated:  proftpd The following 5 additional packages will be installed:  anacron daemonic ftpfiles libxml2 proftpd-pam Do you want to continue? [Y/n]  Y  

If you haven't already installed it, you will be asked if you want to enable anacron . We suggest doing so, since it will take care of running cron jobs that your system misses. However, anacron will run only cron jobs defined in Fink's /sw/etc directory, not the Mac OS X cron jobs described in Section 2.3 of Chapter 2.

 Setting up anacron (2.3-4) ... This script allows you to decide whether you would like for anacron to run at startup, then to periodically check for system tasks that need to be run. Alternatively you could run anacron by hand once a day (by typing `anacron -s' ), though this sort of defeats the purpose of installing a command scheduler in the first place... If you wish to make changes to your anacron settings in the  future, you can run this script again with the command: update-anacron Anacron is not currently set up to be run periodically by cron. Would you like for anacron to be run automatically? In most cases, you probably want to say yes to this option. [Y/n]  Y  Added anacron to task schedule, and will run at startup 

To switch Mac OS X over to ProFTPd, follow these steps:

  1. Backup your existing /etc/xinetd.d/ftp file (be sure to set the disable option to yes if you decide to back it up to a file in the /etc/xinetd.d directory; otherwise , xinetd will activate both FTP servers) and replace its contents with the following:

     service ftp {         disable = no         socket_type     = stream         instances       = 50         wait            = no         user            = root         server          = /sw/sbin/proftpd         server_args     = -d9         groups          = yes         flags           = REUSE IPv6 } 
  2. The default configuration for Fink's ProFTPd assumes a standalone server. Edit the file /sw/etc/proftpd.conf and change the line ServerType standalone to ServerType inetd .

  3. Next, you must use NetInfo to create an ftp user and group. Follow the instructions in Chapter 3 to add a group named ftp , and a user named ftp that is a member of that group. Do not create a password for this user and be sure to use a gid and uid that are not already in use. For example:

     $  sudo dscl . create /groups/ftp gid 599  $  sudo dscl . create /groups/ftp passwd '*'  $  sudo dscl . create /users/ftp uid 599  $  sudo dscl . create /users/ftp gid 599  $  sudo dscl . create /users/ftp shell /usr/bin/false  $  sudo dscl . create /users/ftp home /Users/ftp  $  sudo dscl . create /users/ftp realname "Anonymous FTP"  $  sudo dscl . create /users/ftp passwd \*  
  4. Create a home directory for the ftp user ( sudo mkdir /Users/ftp ), and set its owner and group to ftp:ftp ( sudo chown ftp:ftp /Users/ftp ).

  5. Finally, restart xinetd with sudo killall -HUP xinetd . You can also use System Preferences Sharing to stop and restart it.

To configure ProFTPd as an anonymous-only server, add the following line to /sw/etc/proftpd.conf at the top-level (that is, not nested in the <Directory> or <Anonymous> elements):

 <Limit LOGIN>   DenyAll </Limit> 

and finally, add the following to the <Anonymous> element:

 <Limit LOGIN>   AllowAll </Limit> 

This configuration won't prevent uninformed users from trying to log in and typing their username and password, though, and both will go across the network in plain text. As a security precaution, you should inform users that only anonymous login is allowed ( ideally , an anonymous FTP server would have no remote users aside from its administrators, and they'd log in using SSH).

13.4.6 Printer Sharing

When you turn on Printer Sharing, the cups-lpd server is enabled. This option toggles the disable entry in /etc/xinetd.d/printer . For more information, see Section 4.1.4 in Chapter 4.

13.4.7 Internet Sharing and the Firewall

On Mac OS X, the default packet filter rules allow all traffic from any location to come into your computer, using the following ipfw rule (65535 is the priority level of the rule, the lowest priority possible):

 65535 allow ip from any to any 

When you turn on Internet Sharing (System Preferences Sharing Internet), Mac OS X starts the Network Address Translation daemon ( natd ). Mac OS X also adds an additional rule, which has a high priority (00010), and diverts any traffic coming in via the interface en1 (wired Ethernet) to port 8668, which natd listens on:

 00010 divert 8668 ip from any to any via en1 

When you enable the firewall (System Preferences Sharing Firewall), Mac OS X sets up the following rules to keep traffic from getting into your computer:

 02000 allow ip from any to any via lo* 02010 deny ip from to any in 02020 deny ip from any to in 02030 deny ip from to any in 02040 deny tcp from any to in 02050 allow tcp from any to any out 02060 allow tcp from any to any established 12190 deny tcp from any to any 

In addition, the firewall sets up rules for any services you have enabled in the Sharing tab, such as this one, which allows SSH connections:

 02070 allow tcp from any to any 22 in 

You can add your own packet filter rules by clicking the New button on the Firewall tab. You can also add your own firewall rules using the ipfw utility, but the Firewall tab will remain disabled until you reboot or clear the rules with sudo ipfw flush . You may also need to quit and restart the System Preferences application before it notices that you've reset the firewall to the default rules. For more information on the packet filter mechanism that Mac OS X uses, see the ipfw manpage .

Mac OS X Panther for Unix Geeks
Mac OS X Panther for Unix Geeks
ISBN: 0596006071
EAN: 2147483647
Year: 2003
Pages: 212

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net