Take Control of Sharing Files in Leopard (1.0)

by Glenn Fleishman
Table of Contents (1.0)
Read Me First
Introduction
Sharing Files Quick Start
Share Files on the Same Mac
What Is File Sharing?
Reasons for File Sharing
What You Need to Serve Files
Decide on a File-Sharing Method
Avoid File-Sharing Risks
Share Files
Share Digital Media Files
Access Shared Files
Dismount a Server
Appendix A: Sleep and Sharing Files
About This Book
READ ME FIRST
Welcome to Take Control of Sharing Files in Leopard, version 1.0.
This book helps you share documents among computers and over the
Internet safely, using the file-sharing options available in Mac OS X
10.5 Leopard. This book was written by Glenn Fleishman, edited by
Tonya Engst, and published by TidBITS Publishing Inc.
Copyright © 2007, Glenn Fleishman. All rights reserved.
The price of this ebook is $10. If you want to share it with a friend,
please do so as you would a physical book. Click here to give your
friend a discount coupon. Discounted classroom copies are also
available.
We may offer free minor updates to this book. To read new information or find out about any new versions of this book’s PDF, click
the Check for Updates link on the cover. On the resulting Web page,
you can also sign up to be notified about updates to the PDF via
email. If you own only the print version of the book, contact us at
tc-comments@tidbits.com to obtain the ebook.
In reading this book, you may get stuck if you don’t know certain
basic facts about Mac OS X or if you don’t understand Take Control
syntax for things like working with menus or finding items in the
Finder. Please note the following:
• Menus: When I describe choosing a command from a menu in
the menu bar, I use an abbreviated description. For example, the
abbreviated description for the menu command that creates a new
folder in the Finder is “File > New Folder.”
• Finding preference panes: I sometimes refer to Mac OS X
preferences that you may want to adjust. To change these system-wide settings, open System Preferences by clicking its icon in the
Dock or choosing System Preferences from the Apple menu. You
access a particular preference pane by way of its icon, or the View
menu. For example, to see “the Sharing preference pane,” you
would launch System Preferences and then click the Sharing icon
or choose View > Sharing.
• Path syntax: I occasionally use a path to show the location of a file
or folder. Path text is formatted in bold type. For example, Leopard
stores most utilities, such as Terminal, in the Utilities folder. The
path to Terminal is: /Applications/Utilities/Terminal.
The slash at the start of the path tells you to start from the root
level of the disk. You will also encounter paths that begin with
~ (tilde), which is a shortcut for any user’s home directory. For
example, if a person with the user name glenn wants to install
fonts that only he can access, he would install them in his
~/Library/Fonts folder, which is just another way of writing
/Users/glenn/Library/Fonts.
What’s Really Different in This Edition
In updating this book from Tiger to Leopard, I thought that I would
make a number of changes along with new screen captures, and that
was the case. What I didn’t expect is that Apple would fundamentally
change and dramatically improve how it handled file sharing.
That led to a large decrease in the page count of this edition, as
workarounds to avoid roadblocks placed by Apple that took 1–10
pages in the Panther and Tiger editions, and often involved editing
text configuration files, could simply be removed. Even so, you’ll find
this edition just as useful as the previous one. All the utility is still in
the book—you should simply have less frustration in achieving the
desired results.
As one small example, in previous editions of the book, I had several
pages that explained how to enable and control guest (password-free)
access to AFP and Samba (Windows-style) file service. In this edition,
there’s a brief entry on turning on file sharing for the default Guest
account that’s new in Leopard and a look at how to enable or disable
broad access to particular folders.
Perversely, Apple did make it harder to modify settings manually for
file services. Mac OS X now rewrites underlying configuration files
based on settings you choose in the Leopard interface, overwriting
any changes you make. In Tiger and earlier releases, configuration
files were generally static, and you could edit those files to make
changes. With Leopard’s new dynamic files, your options are fewer.
As a result, this book focuses on changes you make through the Mac
OS X interface instead of in underlying text files.
INTRODUCTION
In the late 1980s, when only a few million academics and governmental types had easy access to a very slow Internet and even most
business users couldn’t afford pricey Ethernet gear, we hoi polloi had
two ways to share files: sneakernet and snail mail. The algorithm for
sneakernet was to insert a floppy disk, copy files to the floppy, eject
the floppy, walk (in sneakers) across the room, insert the floppy, and
copy files from the floppy. A little tedious, but it got the job done.
For distances beyond the reach of sneakernet, the algorithm changed.
Instead of walking across the room, you inserted the floppy in a
padded envelope and walked it to the post office or called FedEx.
Even today, sneakernet and snail mail are useful for transferring huge
quantities of data—imagine the gigabits you can “transmit” when you
send a bunch of hard drives by overnight mail or walk a DVD-R
across a room—but most people share files through multiple accounts
on the same computer, over local area networks comprised of wired
Ethernet and wireless Wi-Fi links, or over the Internet using dial-up
modems, broadband connections, and high-speed dedicated lines.
In Take Control of Sharing Files in Leopard, I help you identify
the right computer setup for exchanging files among users in your
situation, with a particular emphasis on users working on networked
computers. I focus on Mac OS X 10.5 Leopard as the hub of these
activities, but the principles are the same on all platforms, and many
specifics are identical or quite similar in Mac OS X 10.4 Tiger.
I also explain how to connect to a Mac running Leopard from
Windows XP and Vista and from Mac OS X 10.2 through 10.4.
NOTE To keep this book focused on file sharing, we broke out two
related topics into full-length titles of their own:
• Take Control of Users & Accounts in Leopard examines setting
up and managing users on a Mac running Leopard.
• Take Control of Permissions in Leopard, expected to be
available in 2008, has a more technical focus.
SHARING FILES QUICK START
This book contains many details, not all of which may be relevant
to your situation. You do not need to read every word before sharing
files, but you should be familiar with the overall process first.
Prepare to share files:
• Before you think about the big world of sharing files on a network,
you may wish to review techniques for sharing files among users
on a single Macintosh. See Share Files on the Same Mac (p. 6).
• Learn how file sharing is different from using disks to copy files
from computer to computer or using email attachments to move
files around. See What Is File Sharing? (p. 8).
• Review reasons to share files, and see which match your situation.
See Reasons for File Sharing (p. 11).
• Decide on the hardware or online service that you’ll use as your file
sharing server; see What You Need to Serve Files (p. 13).
• Determine which file sharing method makes sense for your goals,
budget, and expertise. Learn about Apple Filing Protocol, FTP,
Pando, and others. See Decide on a File-Sharing Method (p. 19).
• Take steps to manage security risks by becoming informed about
what you expose when you share files over the Internet. See Avoid
File-Sharing Risks (p. 32).
Start sharing files:
• Decide which folders and volumes to share, set up accounts for
users, and choose their access privileges for viewing, storing, and
modifying items. Learn about Apple Filing Protocol, Samba, FTP,
and Web particulars for sharing files. See Share Files (p. 41).
• Start sharing photos and music from iTunes and iPhoto; see Share
Digital Media Files (p. 59).
Access shared files:
• Access shared files from Mac OS 9, Mac OS X, Windows XP, and
Windows Vista. See Access Shared Files (p. 69).
SHARE FILES ON THE SAME MAC
Although this book focuses on file sharing across a network, you can
share files among users of the same Mac. In Leopard, not all users
are created equally nor are all files meant to be equally accessible.
Leopard purposely and appropriately restricts one user from viewing
or modifying the contents of folders in another user’s directory.
Users can exchange files on the same machine in one of three ways:
• The Shared folder: Located in the Users folder on your startup
disk, the Shared folder is set up so that all users who have physical
access to the computer and an active account may read and write
any files in the Shared folder; this includes the Guest account user,
for whom all other files are deleted when they log out. Users can’t
overwrite a file created by another user unless the default permissions on the file are changed by either the file’s owner or an
administrator. Using the Shared folder is the easiest method when
you have just a few users, or all users need the same access.
• Public folders: For a little more control, use the Public folder
found in each user’s home directory. For instance, let’s say a
home iMac has two accounts for two roommates: one for Bob and
another for Stephanie. Of course, when Bob logs in to the machine,
Stephanie’s files aren’t accessible through the Finder; Bob sees a
locked icon on most folders within her home directory. Bob can,
however, copy files into Stephanie’s Public folder’s Drop Box
folder, and he can copy files out of her Public folder.
• Shared volume: To avoid issues with permissions that crop
up when using either the Shared folder or Public folders, you can
instead use a separate volume as the repository for shared files,
whether that volume is an internal or external fixed hard drive,
a removable cartridge, or a second or subsequent disk partition
on the boot drive. Starting in Leopard, volumes other than the
startup disk are automatically set for all users to have full read
and write access.
However, you can still run into problems with permissions on a
shared volume, and Apple retained a setting in Leopard that lets
you bypass any difficulties by ignoring permissions:
1. Working in the Finder, select the volume you want to share and
choose File > Get Info (Command-I) to open the Info window
for the volume.
2. If the Sharing & Permissions section is closed, click its
expansion triangle to display the volume’s permissions.
3. If the lock icon (at the lower right) is closed, click it, and then
enter an administrative password.
4. Select the Ignore Ownership on This Volume checkbox.
Mac OS X now ignores permissions and ownership for all files
placed on the volume.
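To check from Terminal which mounted volumes currently have this setting on (every account on the Mac gets full access to files on such a volume), the following shell script, an added example that is not from the book, parses the output of mount. It assumes that mount lists the option noowners for a volume whose ownership is ignored; the sample volume names are constructed.

```sh
#!/bin/sh
# Added example (not from the book): report mounted volumes on which Mac OS X
# is ignoring ownership, i.e. "Ignore Ownership on This Volume" is selected.
#
# Assumption: `mount` prints one line per volume in the form
#   <device> on <mount point> (<fs type>, <option>, <option>, ...)
# and lists the option "noowners" when ownership is ignored.

# Constructed sample of `mount` output (hypothetical volume names).
sample_mount_output() {
    cat <<'EOF'
/dev/disk0s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local)
/dev/disk1s3 on /Volumes/Family Share (hfs, local, nodev, nosuid, journaled, noowners)
/dev/disk2s1 on /Volumes/Backup (Old) (hfs, local, nodev, nosuid, journaled)
/dev/disk3s1 on /Volumes/USB STICK (msdos, local, nodev, nosuid, noowners)
EOF
}

# Reads `mount` output on stdin. For every volume mounted with "noowners",
# prints "<mount point><TAB><fs type>". Mount points may contain spaces and
# parentheses, so the option list is taken from the LAST "(...)" group.
volumes_ignoring_ownership() {
    while IFS= read -r line; do
        case $line in
            *" on "*" ("*")") ;;      # looks like a mount line
            *) continue ;;            # skip anything else
        esac
        opts=${line##*\(}             # text after the last "("
        opts=${opts%\)}               # drop the trailing ")"
        rest=${line#* on }            # drop "<device> on "
        mnt=${rest% \(*}              # drop the trailing " (options)"
        fstype=${opts%%,*}            # first item in the option list
        case ", $opts," in
            *", noowners,"*) printf '%s\t%s\n' "$mnt" "$fstype" ;;
        esac
    done
}

# "--live" audits this Mac; with no argument the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    mount | volumes_ignoring_ownership
else
    sample_mount_output | volumes_ignoring_ownership
fi
```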
TIP For advice and steps relating to sharing iPhoto photos or iTunes
music among users on the same Macintosh, see Share Digital
Media Files, later in this book.
For a detailed explanation of how to set up Shared, Public, and Drop
Box folders, and other tips on sharing files among users on the same
machine, consult Kirk McElhearn’s Take Control of Users & Accounts
in Leopard.
WHAT IS FILE SHARING?
File sharing means storing a set of files on a fileserver, which could
be a central computer or a network-attached storage device, and
making it possible for any number of people to retrieve those files
over any type of computer network, just as if those files were located
on their own hard disks (Figure 1).
FIGURE 1: Many different machines can access a file server, whether they’re connected directly via Ethernet, over wireless AirPort (Wi-Fi), or via the Internet.
File sharing differs from emailing a file to a person or a group. When
you email a document, the recipients are passive: they check their
email routinely, and the document arrives. The burden of distribution
falls on you.
File sharing eliminates the necessity of pushing a file to others. You
place the file on a server whenever you like, and all the people who
need to retrieve it can do so whenever they like without coordination.
The burden of distribution falls on the recipients, who choose the
time and method by which they retrieve the file.
NOTE If the word server makes you think of large computers in
closets, think again. In fact, a server is just a program running
on a computer. A server allows other computers to connect to it
for a particular task. When I talk about a server, I always mean
a server program running on any computer. Leopard has literally
dozens of server programs available, and several relate to
sharing (or serving) files.
File sharing also solves the problem of coordinating a group of people
working together on a document. If you don’t use file sharing and
simply send a draft via email, each recipient must work on her own
copy; when you receive the files back, you must merge all the comments and changes. With appropriate coordination using file sharing,
the shared file can be a single master copy, eliminating the need for
manual incorporation of changes.
A few methods of file sharing go even further to enhance collaboration, either allowing people to check files out from a repository and
locking them against other users’ modifications, or storing multiple
older copies of a document, which lets you compare the current draft
against older ones or restore an older copy.
With file sharing set up, users gain access to files in two basic ways:
• Password-protected access: In this method, a user has a
named account that is secured with a password. The user logs
in through some interface to the server program, generally a dialog
with empty fields for those two details. After authenticating, or
providing a user name and password, the user has access to the
shared files. You can set up one account (one user name and password) for an entire group of users, or you can set up multiple
accounts with one assigned for each user or purpose.
Sharing Only account: Leopard lets you set up two kinds
of password-protected user accounts: a user account, which
provides access to log in to Mac OS X; and a Sharing Only
account, which is limited to logging in to share files. Previous
versions of Mac OS X required third-party software to create
sharing-only users.
• Anonymous guest access: Users typically may log in without
providing a user name or password: no details are required, or, if
they are required, users may enter anything they want. Their identity is not confirmed. With guest access, anyone who can see your
server on the network and usually on the Internet can access the
server. In some situations, guest access may require the guest to
know just a special account name, like guest or anonymous, with
either no password, a password of guest, or an email address that
isn’t checked as to whether it’s legitimate or not.
Guest account: In Leopard, Apple added a password-free
Guest account. A user logged into the Guest account can use
the Mac and share files (separate options that can either or both
be turned on). With sharing turned on for the Guest account,
anyone can access files via AppleTalk or Samba without first
entering a password. The Guest account requires almost no
configuration, compared to the elaborate set of workarounds
needed in Tiger and earlier versions of Mac OS X.
REASONS FOR FILE SHARING
Now that you know the basics of what file sharing is and the
advantages it offers, you can start taking control of sharing files by
considering what you want to accomplish by sharing files, and with
whom you need to exchange files. In this section, I break out reasons
for file sharing into a few large categories.
NOTE Knowing what you want to accomplish may help you determine
what hardware or bandwidth you need, covered in What You
Need to Serve Files. Also, it may influence your choice of a file-sharing technique, discussed in Decide on a File-Sharing
Method.
Coordinate Group Projects
When you and at least one other person need to collaborate on a
common set of files, you can set up a central location to store the files.
Optionally, this central location can track whether a file has been
checked out for use.
NOTE Almost always, a file server helps reduce the time, cost, and
effort needed for routine exchanges. For one-off exchanges,
you might be better served by sending or receiving files via
techniques not covered in this book, such as email, iChat file
transfer, writable DVD, or USB memory drive.
Create a Central Archive
Many groups have a common set of files that grows over time, but
these files are rarely changed once they are added. In this case, many
people may need to add to the archive without needing permission to
delete or re-organize files, while many of the same or an entirely different set of people may need access to read the archive.
Avoid Relying on Email
Even if you’re just trying to exchange one file with one other person,
a file server can help you step around the problems of Internet email
in the modern age. For instance, because of viruses and worms, many
companies and some ISPs ban all or certain kinds of attachments,
even from or to Mac users who can’t be infected but can accidentally
transmit attacks by forwarding attachments.
In other cases, you or your recipient might not be able to receive
attachments larger than a certain size—typically 2 MB to 10 MB,
depending on the ISP—or might pay extra to store a mailbox with
a large attachment. And for people behind relatively slow Internet
connections, being able to choose when to start long downloads
rather than having them delay other email is a boon.
In any of these circumstances, a file server can help you and your
users bypass the hassle of email.
Distribute by Download
File sharing includes simple downloads: perhaps you need to distribute a software product, a book in electronic form, or other data to a
large group of people. That group could include users with accounts
and passwords on the file server, or anyone at all.
You have the greatest number of options for what method or service
you choose to share files when you have no restrictions on who may
obtain the file and you require no passwords.
Share Media Files
File sharing is useful even to consumers with a couple of Macs at
home. Many people want to share a collection of music or photos
among a few computers; all that’s necessary is to set up file sharing
and to configure iTunes and iPhoto properly, or—if appropriate—to
use the built-in sharing features in these programs. See Share Digital
Media Files to learn more.
WHAT YOU NEED TO SERVE FILES
Once you have a clear idea of what you want to achieve with file
sharing, it’s time to think about the hardware or hosting components
necessary for file sharing. Any Mac running Jaguar through Leopard
(or even older operating systems) can act as a file server; along with
the server, you’ll need a network connection, and the faster the better.
But you may be better off putting your files on a file-sharing network
drive or on an Internet-based host.
In this section, I first make recommendations for the best ways to
set up a Macintosh or network drive as a file server. Then, I help you
consider the best ways to network those devices to help any remote
users access files via the Internet at a comfortable speed. After that,
I look at Internet-based hosts that offer file-sharing services, since
that option may be the best one for you.
Macintosh on Your Network
File sharing imposes little computational load on a computer: dozens
of people could be transferring files actively on a Power Mac G4 from
2002 or later that you’re simultaneously using as your primary work
machine and you would hardly notice the effect on your work,
assuming you had enough RAM.
Here are some suggestions for maximizing a Mac’s performance as a
file server:
• Add more RAM: In the olden days—as recently as 2 years ago—
Macs appropriate for file serving came with inadequate amounts
of RAM. Now, all desktop Macs come with 1 gigabyte (GB) of RAM.
For best performance from an older machine, I recommend at
least a gigabyte of RAM, or the Mac’s greatest possible amount
of RAM if it can’t take a gigabyte.
• Upgrade network switches and adapters: If you’re using a
Macintosh sold in the last few years, it’s likely that the computer
includes gigabit Ethernet (1,000 Mbps) support. You have at least
100 Mbps Ethernet in any Mac sold in the last decade. Gigabit
Ethernet switches, which create effectively a separate connection
between any two connected computers, cost as little as $30.
Upgrading an old 10/100 Mbps Ethernet hub to a 10/100/1,000
Mbps Ethernet switch will dramatically increase speeds.
• Add faster drives: Once you’ve moved to 100 Mbps or gigabit
Ethernet, if you find that data transfers from the file server’s hard
drive to the network rather slowly, your weak link may be the hard
drive. Internal hard drives sold with computers may operate
at 5,400 revolutions per minute (rpm) or even slower; 7,200 is
now standard, and the speed matters when a lot of drive access is
at stake. If you’re using an external drive, you might move from
USB 2.0 or FireWire 400 up to a FireWire 800 drive; as its name
implies, it has 800 Mbps of raw transfer speed available. For
gigabit Ethernet networks, you may notice a real difference, but
other factors can intrude. Look for reviews or make sure you can
return a drive if it doesn’t improve performance.
Alternatively, you could simply buy a new Mac mini. A mini without
a monitor makes a great and cheap server, with gigabit Ethernet
thrown in for fast network access. For as little as $599 for a 1 GB
system with an 80 GB hard drive (at this writing), you have a network
powerhouse.
Hard Drive on Your Network (NAS)
In some cases, instead of using a Macintosh as a file server, you might
connect a NAS (network attached storage) device to your network via
Wi-Fi or Ethernet, so that it can handle file sharing and store files. A
NAS device has no monitor or keyboard connectors, and you configure it via special software or a Web interface.
Two examples of NAS setups are:
• As of the model released in February 2007, Apple’s AirPort
Extreme Base Station ($180) can accept one or more USB hard
drives and share them across a wireless and wired network, and
make them reachable over the Internet.
• Some NAS systems support Apple Filing Protocol (AFP), Apple’s
built-in file-sharing method (see AFP). This includes La Cie’s
Ethernet Disk Mini with gigabit Ethernet (http://www.lacie.com/,
$210 for 250 GB to $300 for 500 GB).
If you go the NAS route, I recommend that you read reviews and
check specifications first, since performance can vary significantly.
The Apple base station, for instance, can be incredibly slow when
copying hundreds or thousands of tiny files, like small HTML files
and images for a Web site. For a smaller number of files or larger
files, it’s still about one-third USB 2.0 speed.
Higher Internet Throughput
For a local file server, speeds under several megabits per second
(Mbps) will seem glacial, and I recommend a minimum of 100 Mbps.
Over the Internet, where upload speeds—outbound speeds from a
file server to someone else—tend to range from just 256 kilobits per
second (Kbps) to 768 Kbps, a slow file server’s low local network
speed will be hidden by the much lower rate available over the
Internet.
If you want to increase data transfer speeds from a Macintosh or
drive on your local network to someone at a remote location on the
Internet, you have a few options:
• Get more bandwidth: Depending on your location, a connection with upstream speeds higher than 768 Kbps can cost
from $30–$200 per month—typically higher if your ISP requires
that you have a business account in order to run a server over
your connection. As noted above, most broadband connections
have very slow upstream speeds; you almost certainly need to get
a special business-grade account to get acceptable outbound data
transfer from the file server to the Internet, even if download
speeds are several Mbps with cheaper offerings.
See the sidebar Issues with Sharing Files Out to the Internet, next
page, for more details.
Warning! Most broadband providers specifically prohibit file
sharing and all other kinds of servers unless you pay for a higher
tier of service. Turning a server on could get you booted by your
provider.
• Use Pando to distribute files: If your task is to push out files
rather than have distributed access for a workgroup or storage for
yourself, consider Pando (http://www.pando.com/). Pando lets
you send an unlimited number of collections of files to other
people at no cost, as long as the total size of each collection is
under 1 GB. It uses a distributed, peer-to-peer method that
combines its own servers with your computer and the computers
of anyone else receiving the files. This means you can have a low-speed connection and still push files out to others at high data
rates. Larger collections and other options are available with paid
service. See Pando, ahead, for more details.
• Abandon the idea of running a local file server and instead store
files at an Internet-based host, as I discuss on the next page.
Issues with Sharing Files Out to the Internet
Many consumer ISPs restrict how their customers share files
over the Internet: first, by assigning you a dynamic IP address
that can change and thus prevent users from connecting to
your server; and second, by hiding your computer or
computers behind a network address translation (NAT)
gateway. NAT provides passive firewall protection, but it also
can prevent Internet users from accessing your server.
Typically, home accounts from DSL and cable services suffer
from one or both of these limitations. (You can have problems
with NAT even if your ISP doesn’t use it: wireless and wired
broadband gateways use NAT to share an incoming connection
among several computers.)
To serve files easily and effectively, you may have to upgrade
your Internet service or purchase a business-grade Internet
connection with public, static IP addresses. If you can’t avoid
a dynamic IP address, you can work around it with dynamic
DNS; find out more at http://www.dyndns.org/services/
dyndns/.
If you use a NAT gateway, you may have to configure it to allow
pass-through port-based access to your server (also called port mapping); see the manual for your gateway to learn how to set
up this feature. If you use an AirPort Extreme Base Station sold
in 2007 or later, see Take Control of Your 802.11n AirPort
Extreme Base Station.
Internet-Based Host
If you find the rates for a high-speed upstream connection to be
too high, or you can’t get the bandwidth you need, consider using
a centrally hosted file repository on the Internet instead.
• .Mac: If you’re already a .Mac subscriber or want to pony up
$100 per year, you have access to an iDisk—nearly all of the 10 GB
allotted to each account—available on high-speed Internet lines
that you can use for sharing files via WebDAV or via the Web
(Web access is for download only). The iDisk servers can be slow
and wonky when used via WebDAV, though they’re usually fine
for downloading files via a Web browser.
For an extra $50 per year, you can increase your storage to 20 GB,
or 30 GB for $100 per year. Learn more in iDisk, ahead, or at
http://www.mac.com/.
• Amazon Simple Storage Solution: Amazon may be best
known for books, but they also operate massive worldwide data
centers (http://www.amazon.com/s3). They have made storage
available as one of several kinds of services, which currently also
includes an in-beta virtual computing cloud.
The company charges 15 cents per GB stored per month (prorated for portions of a month), 10 cents for each GB transferred
in, and 18 cents for each GB transferred out. (Rates drop at above
10 terabytes of data each month transferred out.) Although they
don’t have features designed for workgroups, it’s a relatively cheap
way to archive and pass around files while paying only for what
you use. S3 can expose files for download via a Web server, and
the Interarchy file transfer software can handle moving files in
and out of S3, too (http://nolobe.com/interarchy/).
Care who can share: Make sure that you and the people with
whom you’re sharing files have access to the right combination of
file-sharing clients and technical support for that software before
committing to a monthly service charge.
NOTE PERSONAL CASE STUDY
In 2003, I released a free version of a book on Adobe GoLive 6
that Jeff Carlson and I co-authored and nearly ran up a bill of
$15,000 when 10,000 people downloaded the 20 MB PDF file
in a matter of hours. The fee was due to the hosting company’s
rate for sustained transfers: hit a certain mark, and the price
jumped from $2,000 per month to $15,000. Fortunately, I fell
just shy.
In contrast, in 2007, Adam Engst and I released a free version
of The Wireless Networking Starter Kit, 2nd edition, our 2004
take on Wi-Fi for the home and small office. I hosted the 14 MB
file on Amazon S3 for high availability and predictable pricing.
Within a few days, about 6,000 people had downloaded the
PDF—and the cost was just over $10. (You can read the full
account at TidBITS: http://db.tidbits.com/article/9226.)
• Web host: Most Web hosts offer 1 GB to 100 GB of combined
email storage and Web for rates as low as $10 per month. They
often provide multiple logins or email addresses with the same
account. If you’re working with a trusted group, you can provide
this login information to the other members and use your Web or
other storage allotment as your file service. (This probably limits
you to FTP and possibly WebDAV for file transfer.)
• Other hosts: There are other options, such as Xdrive (5 GB at no
cost), but none are tailored to Mac users. Mac.com has emerged as
the most reasonably priced Mac-oriented choice.
TIP AROUND THE CLOCK SUPPORT
Another reason why you might decide to go with an Internet-based host is that many hosts offer support around the clock,
seven days a week. If you don’t relish the idea of going to work
at strange hours because users can’t access a crashed server,
you may prefer to outsource that activity to a large firm that
specializes in keeping servers running day and night.
DECIDE ON A FILE-SHARING METHOD
In this section I help you learn more about the file-sharing methods
and determine the one that is most appropriate for your needs. You
can divide networked file sharing into roughly four categories:
• File services built into major operating system platforms, such as
Mac OS and Windows. You can find more details about file services
in AFP, SMB or Samba, and NFS.
• FTP (File Transfer Protocol), a universally supported method of
exchanging files that dates back to the Internet’s earliest days.
• Web downloads (and uploads!).
• Proprietary methods that require a subscription or special client
and server software not included with any operating system.
Methods noted in this book are iDisk, Timbuktu Pro, and Pando.
Table 1 presents a quick overview of these file-sharing methods.
Table 1: Pros and Cons of File-Sharing Methods for Leopard Users

Method: AFP
Pros:
• Found on all Macs.
• Free.
• Works over Internet.
Cons:
• No longer any support for Windows access.

Method: SMB or Samba
Pros:
• Found on all Windows systems.
• Supported under Mac OS X.
• Best common method.
• Free.
Cons:
• Some file name limitations.
• For security reasons, not well suited for Internet-based file sharing.

Method: FTP
Pros:
• Universally supported.
• Plain, simple options.
• Free.
Cons:
• Tracking files accurately by date modified and performing certain folder organizations is tricky or impossible.
• Insecure in default setup of built-in server; strange firewall problems can occur.

Method: NFS
Pros:
• Ideal for creating a shared pool of network storage that’s always available.
• Free.
Cons:
• Limited security options.
• Requires arcane knowledge to set up.

Method: Web
Pros:
• Easy access via standard Web browsers.
• Free.
Cons:
• Can’t upload to directories without extra server programming.
• Requires effort to make a list of files available.
• Requires complex editing of text configuration files to add directories.

Method: WebDAV inside a Web server
Pros:
• Check in/out option for project management.
• Firewalls don’t interfere.
Cons:
• WebDAV software sometimes slow and funky.
• Making changes requires hand editing arcane configuration files.

Method: iDisk
Pros:
• Internet-based storage with high bandwidth.
• Mac OS X Finder, Windows 98 and later have built-in client capabilities.
• Highly integrated with the Finder in Mac OS X.
Cons:
• Requires paid yearly .Mac membership to store files.

Method: Timbuktu Pro
Pros:
• Offers file exchange, remote control, encrypted transport, intercom, and other advanced features.
Cons:
• Expensive per-user licenses.

Method: Pando
Pros:
• Simple way to distribute files to one or more people that are ephemeral in their need for availability.
• No central storage.
• Free for sets of files up to 1 GB per distribution.
Cons:
• Fees for longer persistence, large files.
• Setup baffling for new users.
• File exchange dialog reminiscent of early bad Windows releases.
• Still in beta at this writing.
• Limits on data persistence.
• No organization for listing files.
• Requires separate, free program.
File Services
The easiest way to share files is to use a file service such as AFP
or Samba. File services all require a pair of programs: a server that
makes the files available, and a client that transfers those files to and
from the server. File-service connections are persistent, usually
manifesting themselves as icons on users’ Desktops that look and
work like normal disks, as long as a user has the server mounted.
Putting a machine to sleep or switching network connections can
sever the server connection.
File services are primarily used to let people with accounts and passwords gain access to a specific set of files. However, file services can
also give access to guest users, users who haven’t been given an
account on the server machine. Typically, guest users have very little
leeway in which files they can access and where they can upload files
while registered users have many more options.
File-service types include Apple’s Apple Filing Protocol (AFP),
Microsoft’s SMB (commonly known as Samba in the wider world),
and the Unix NFS. Before 2001, each platform could mount only file
servers that used its own format, unless you used expensive or complicated add-on software. However, changes in standard versions of
Mac OS, Windows, and several Unix variants now make it much simpler for a client to mount a file server from a different platform
(Table 2).
TIP Each platform listed in Table 2 has a slightly different idea
of what characters in a filename are legal, or allowed, and how
long a name can be. Some servers will reject files that have
names they don’t like; some treat upper- and lower-case
letters in names differently; others rewrite the name, which
can break links among files.
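Table 2: File Sharing Compatibility at a Glance

Client platform: Mac OS X 10.2–10.5
• Connects to Windows XP file server: Yes (Samba)
• Connects to Mac OS 9 file server: Yes (AFP)
• Connects to Mac OS X file server: Yes (AFP)
• Connects to Unix file server*: Yes (NFS)

Client platform: Windows XP, Vista
• Connects to Windows XP file server: Yes
• Connects to Mac OS 9 file server: No
• Connects to Mac OS X file server: Yes (Samba)
• Connects to Unix file server*: Server needs Samba installed and activated.

Client platform: Linux
• Connects to Windows XP file server: Requires Samba client.
• Connects to Mac OS 9 file server: Requires netatalk.
• Connects to Mac OS X file server: Several methods; see Access Shared Files.
• Connects to Unix file server*: Various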
* Most modern Unix systems either come with Samba and the netatalk (AppleTalk/
AFP) software installed or support later installation. Both packages are free.
AFP
AFP (Apple Filing Protocol, once known as AppleShare) was
Apple’s first method of sharing files, and it dates back to their earliest
operating systems. Until Mac OS 9.0, AFP required an AppleTalk
network, Apple’s not-quite-proprietary networking standard. In
Mac OS 9, Apple began supporting AppleShare-over-IP (Internet
Protocol), making it possible to connect to AFP file servers whether
they were on a local Ethernet, across a campus or corporate network
that didn’t support AppleTalk networking, or anywhere on the
Internet. Windows and Unix systems can support AFP through
software add-ons.
AFP servers are most appropriate for a group of Macs, and AFP is the
most common method by which Mac users exchange files. However,
if you need to include a Windows computer in your file-sharing setup,
you should use Samba: because Samba is now so widely supported,
the only lingering method for connecting a Windows computer as an
AFP client to an AFP server—a commercial software package called
PC MacLAN—is no longer sold.
NOTE What’s the difference between AppleTalk and AFP? AppleTalk is
the networking protocol that exchanges data. AFP is the method
by which servers are mounted and files are exchanged. Before
AppleShare-over-IP, all AFP servers worked only on AppleTalk
networks. Now AppleTalk is rare, and AFP works over any IP
network.
Starting in Tiger, Apple no longer uses AppleTalk for sharing AFP
volumes over local networks, but you can turn AppleTalk on to
make Tiger and Leopard volumes visible to older computers.
To set up AFP: skip ahead to Set Up File Sharing. Also note that
Share with AFP discusses how to turn on AppleTalk so that Macs
running Mac OS 9 and Mac OS X up through 10.3 can connect
to your Leopard-based AFP service.
SMB or Samba
SMB (Server Message Block) is thought of as a Microsoft file-sharing
method because the company developed it and it’s still the primary
way to connect to file servers under Windows. But it’s now more
widespread: Apple built in support starting in Mac OS X 10.1, and
many Unix flavors handle Samba out of the box. SMB is called
“Samba” outside of Microsoft, and it is sometimes referred to as
CIFS (Common Internet File System), a more inclusive protocol.
Samba is the most sensible choice for a group of Windows users,
but it’s also become the lingua franca option for mixed workgroups
of Mac OS X, Windows, and Unix users since it’s the least expensive
option—free, usually—for the widest platform support.
TIP If you need a greater level of integration with a Windows-oriented network and servers than file sharing alone, turn to
Thursby Systems’ DAVE, designed to give Macs full parity with
Windows systems on such networks
(http://www.thursby.com/products/dave.html).
To set up Samba: skip ahead to Set Up File Sharing. However,
you may wish to read Share with Samba, first, in order to have a
better overview of some configuration details.
FTP
FTP (File Transfer Protocol) is an old-fashioned, bare-bones method
of transferring files over the Internet. Typically, users connect to an
FTP server with special client software that allows them to browse
directories and upload or download files, as well as delete files and
folders. The advantage of FTP is its universality, and for many purposes, especially when you have a disparate group of people who need
to retrieve files, FTP may be the simplest way to handle it.
An FTP connection can persist across several file transfers or other
operations, but it can also open and close for a single file. However,
most FTP clients quietly reconnect using the user name and password
that a user previously entered or stored in the Keychain on Mac OS X,
or within a given FTP client under Windows or Unix, as long as the
user keeps a window open or the FTP server mounted. The opening
and closing of the FTP connection is kept transparent to users, even
when many sessions are involved.
FTP provides a lot of flexibility in who gets access to what. For
instance, here are a few common FTP setups:
• Write-only directories set up as in-boxes, such that files can only
be uploaded to them—remote users can’t view the contents of that
directory or download files from it.
• Read-only directories from which files may only be downloaded.
• Password-protected accounts that give particular individuals full
read/write access to an entire computer—or just to a folder above
which they can’t navigate.
• Anonymous FTP, in which anyone can access specified files or
folders without a user name and password.
Using FTP securely
You can also enable secure access between an FTP client and server
with SFTP (Secure FTP), FTP over SSH, or FTPS (FTP over SSL/
TLS). All these methods encrypt FTP sessions so that the content
of the sessions is entirely protected from other users on the same
network, whether the content is at the client, server, or any point
in between.
The three encrypted methods work as follows:
• Secure FTP (SFTP): Using the Secure Shell (SSH) protocol,
SFTP requires an SFTP server on the other end to make a
connection from an SFTP client. Popular FTP client programs,
such as Interarchy or Fetch, can create an SFTP connection.
Although you turn on Apple’s version of SFTP in the Sharing
preference pane, you don’t use the File Sharing related controls—
the Shared Folders or Users lists in that pane—to control access.
Rather, Apple’s SFTP allows any user defined as a full account
in the Accounts preference pane to log in and access all files and
folders to which they have read access on all mounted hard
drives. However, you can restrict remote access to a subset of
users.
• FTPS-over-SSL/TLS (FTP over Secure Sockets Layer/
Transport Layer Security): With FTP-over-SSL/TLS, you
use an FTP server that has an SSL/TLS certificate installed. This
certificate validates the server’s identity, and information from
the certificate is then used to create an encrypted tunnel directly
between the client and the server. The advantage of this method
is that, unlike SFTP, the user can verify the identity of the server
through its unique certificate. (This process is nearly identical to
how a browser makes a secure SSL/TLS connection for bank and
ecommerce sites.)
FTP-over-SSL/TLS is tricky to configure and isn’t supported
in every FTP client. To decide between SFTP and FTP-SSL/TLS,
you’ll need to consider simplicity. SFTP is much simpler to set up
and more widely supported in FTP software. FTP-over-SSL/TLS
has the advantage of providing more explicit security by allowing
a clearer confirmation of the identity of the remote server. That’s
an issue for very few people.
You can’t set up this security method using the built-in options
in Leopard. However, PureFTPd Manager, described in Share with
FTP and SFTP, offers some very straightforward tools to enable
FTP-over-SSL/TLS.
• FTP over SSH: This older option uses an SSH connection to
send an FTP user name and password, but all FTP data is sent
separately in the clear. It often works when SFTP isn’t available,
and it’s better than not securing a connection at all. This method
is not available in Leopard without tweaky configuration, and I
don’t recommend using it.
Using FTP Securely with Leopard
In previous editions of the book, I suggested staying far, far away
from Apple’s built-in FTP service because it was implemented in
a weak fashion that was hard to fathom, hard to use, and hard to
configure. In Leopard, it’s much, much better.
I was more positive about Secure FTP (SFTP); SFTP is unchanged
from the previous release, and may be a better choice than FTP. FTP
and SFTP each has its own set of tradeoffs when used in Leopard.
See Table 3 for the rundown of why you might choose one or the
other to share files over FTP, or even use both for different purposes.
Table 3: Tradeoffs between FTP and Secure FTP

Feature: Security
• Plain FTP: Unencrypted
• Secure FTP (SFTP): Encrypted using SSH

Feature: Recommended connections
• Plain FTP: Local, trusted network only; remote access safe only when used in conjunction with a virtual private network (VPN) connection
• Secure FTP (SFTP): On any network, trusted or untrusted, due to strong encryption

Feature: Accounts
• Plain FTP: User accounts and Sharing Only accounts can access files via FTP
• Secure FTP (SFTP): Only user accounts can access files with SFTP

Feature: What users have access to
• Plain FTP: Only volumes defined in the Shared Folders list in Sharing preferences pane that a user account has been granted specific access to.
• Secure FTP (SFTP): All folders on all mounted drives to which a user has at least read-only access, which is typically everything but other users’ Home folders and their contents

Feature: Set permissions
• Plain FTP: Through the Shared Folders and Users lists that you can configure for File Sharing in the Sharing preferences pane
• Secure FTP (SFTP): Through the Finder’s Info window’s Permissions area or via the command line

Feature: Client limits
• Plain FTP: Any FTP client
• Secure FTP (SFTP): Most FTP clients released or updated since 2006
What to do next: Turn on FTP or SFTP by following the steps in
Set Up File Sharing, or learn more configuration details in Share
with FTP and SFTP.
NFS
The Unix way of sharing files is through NFS (Network File System).
Because Mac OS X is based on Unix, with a little prodding you can
make Leopard talk to and listen to its Unix siblings. NFS is a good
choice in very limited circumstances for sharing files persistently
among Unix systems.
NFS can also be used for stateless connections, in which the network
connection can disappear or change without the client computer
balking with an error message or an endless, spinning beach-ball
pointer.
NFS is by its nature a highly insecure protocol, as it doesn’t require a
user name and password, but instead confirms the identity of the user
trying to access it by looking at the user’s IP address and the account
name on the machine the user is connecting from. Because of this
insecurity, it’s critical that you don’t share via NFS unless you think
it’s especially worthwhile for a particular purpose, you use a firewall
to control access, and you completely understand what you’re getting
into.
Often, you use NFS when you’re in a pinch, and the Unix box you
need to move files to doesn’t have shared directories or lacks a static
IP address and Samba or netatalk support (see Access Shared Files).
Or, you use NFS when you are treating part of a hard disk of one
machine as a shared resource that another machine always needs
access to. NFS is a more reliable way to have a distributed network
file system than mounting a server through the Finder.
Warning! Because of the low-level configuration needed to set up
NFS and its lack of inherent security, I don’t recommend you use it,
nor do I explain how to set it up. It’s just too risky unless you’re a
Unix system administrator.
Web
Many people don’t think of the Web as a way to share files. But every
time you visit a Web page, you’re downloading several files: an HTML
file that contains the page, image files that the page references, and
often audio or media files. You might use the Web to make files available to others as basic downloads, or you might use WebDAV (Web-based Distributed Authoring and Versioning) technology to handle
version control for a group of shared files.
Basic downloads
It’s usually quite simple to place a file on a Web server and allow
others to download that file directly instead of relying on an often-difficult-to-configure FTP server. A Web download is most appropriate if you’re publishing files to an audience of one or more. The
Web is also a great way to share files with others without providing
them with a user account.
Turn it on: Find out how to turn on Web sharing using Leopard’s
built-in Web server in Set Up File Sharing and get more information in Share Files over the Web.
WebDAV inside a Web server
You can also upload files to a Web server that has WebDAV enabled
(http://webdav.org/). WebDAV lets a normal Web server act as a
file server with user accounts. Apple offers built-in WebDAV client
support in the Mac OS X Finder, as does Microsoft in Windows 98
through XP through its Web Folders feature, and in Windows Vista
using Add Network Location (found in the Network dialog box).
With the proper client software, WebDAV lets you lock a file on a Web
server when a user retrieves it so that, for instance, everyone working
on a single set of live files knows who has the live version and—most
importantly—two users cannot accidentally work on the same file at
the same time.
Unfortunately, locking isn’t a readily accessible feature. You can
lock and unlock files with Adobe GoLive’s WebDAV synchronization
window for Web site file management, but locks can’t be managed
in the Finder or any FTP program I’m aware of.
Mac OS X Server 10.2 through 10.5 includes WebDAV as an option
you can turn on with a checkbox.
Because many companies lock down access to Internet services on
unusual ports, WebDAV also has the advantage (and disadvantage)
of being a back door: you can often use WebDAV—which works over
the standard port 80 for Web servers—where other file services would
be unavailable. (Some companies use very smart firewalls that can
restrict the kinds of traffic allowed over a given port, which removes
this as an option.)
WebDAV is transaction-based, so users needn’t worry about entering
a password repeatedly to use WebDAV over a period of hours or days.
As long as a user leaves a server window open in a client or leaves a
WebDAV server mounted in the Finder, the reconnection happens
silently.
Proprietary and Unusual File Sharing Tools
Although the three common categories already covered—file services,
FTP, and Web—handle the main ways by which you may offer files to
others or retrieve them from servers, other techniques might be superior, depending on your circumstances.
iDisk
Apple’s iDisk, part of the .Mac service (http://www.mac.com/, $100
per year) is a hybrid offering. iDisk offers 10 GB (included) to 30 GB
(at extra cost) of Internet file storage and 100 GB to 300 GB of
monthly data transfer—inbound and outbound—that can be accessed
in three ways:
• In the Finder, choose Go > iDisk > My iDisk (Command-Shift-I)
• On the Desktop, as a WebDAV server (Mac OS X and Windows)
• Over the Web itself using a .Mac Web site
On an iDisk, you have only a single Public folder, which can be password protected and to which others with WebDAV or iDisk software
can copy files if you enable read/write access. For the purposes of file
sharing, you can think of an iDisk as a WebDAV server.
Timbuktu Pro
This software package from Motorola’s Netopia division not only
lets you exchange files among Windows and Mac OS systems, but
also allows screen sharing for remote control, dial-in access, and a
host of other tools. As I finish this manuscript in October 2007, the
latest version, Timbuktu Pro 8, includes encrypted connections and
compression using SSH, and it supports remote connections behind
network gateways using technology from Skype.
Some organizations have standardized on Timbuktu. My experience
with Timbuktu is that it does very well with exchanging large files,
but less well with exchanging large numbers of small files
(http://www.netopia.com/).
Although I am sure Netopia will release a software upgrade to
Timbuktu Pro to make it fully Leopard compatible, I experienced only
minor cosmetic problems when I tested Timbuktu Pro 8.6 with a beta
version of Leopard.
Pando
Pando is a simple way to distribute files to many people without
maintaining central storage yourself. To use Pando, you download
their program (also called Pando), which is available at no cost for
Mac OS X and Windows, so long as you want to transfer file packages
under 1 GB in size (for a fee, you can send file packages as large as
50 GB).
You can use the Pando program to upload file packages to Pando’s
central servers. You distribute an uploaded file package by having
Pando send each recipient an email message containing a link to the
package, or you copy a link provided by Pando and send the link to
each recipient.
The unique part of Pando’s system is that both you and each person
who downloads the package become part of a peer-to-peer file-server
network for that package (as long as your and their copies of Pando
are running).
Pando doesn’t let you create a directory and upload files to such a
directory, and in Pando it can be complicated to distribute or pass
around many files. Still, for large downloads, Pando could be ideal
for many users.
In collaborating on this book, I used Pando to send and receive files—
typically around 5 MB in size—from my editor and we found it
convenient, but we also found it best in some time-sensitive
situations to send an extra copy via different means, because
occasionally Pando wouldn’t work properly.
Pando will almost certainly need to be updated for Leopard.
AVOID FILE-SHARING RISKS
Before you dig into the details of how to share your files, you should
consider the risks of file sharing and possibly take action to avoid
them. And, no, I’m not talking about storm troopers of the Recording
Industry Association of America bursting into your bedroom—that’s
only a concern if you’re using peer-to-peer file-sharing networks to
share works that aren’t licensed for that kind of sharing.
Rather, you risk having unintended others accessing your files or
abusing your storage space. This can happen even if you share files
only over your local network; unless you set up a firewall or other
protection, you may unintentionally leave your files available to outsiders. It can also happen if you don’t carefully protect your passwords
while you work on insecure networks: your file servers could be
hijacked using your own accounts.
TIP The RIAA would like you to believe that sharing any music is
illegal. Not so. Some music is licensed under broad terms that
encourage sharing, such as forms of the Creative Commons
license, a standard set of copyright terms designed to make it
easy to retain rights while allowing reuse and distribution of any
creative work. Some bands also explicitly allow trading of music
recorded at live shows, or certain tracks they release online.
See http://creativecommons.org/audio/ for more details.
Problems with Open Servers
Our Windows brethren have long been aware of the problem of
accidentally running an open file server, because before Windows XP,
Microsoft’s default configuration made it easy to turn on file sharing
without any protection. On the first cable-modem networks, which
work essentially like large Ethernet networks, people could troll
through their neighbors’ unprotected files with abandon. Whoops.
The Internet is so large and so fast, and full of so many jokers, that
it has become something like a large local network. If you purposely
or accidentally expose more than you intended, it’s likely that some
automated evil—a scanning program that looks for open file-server
connections—will suck down your data. Less maliciously, however,
because search engines like Google follow all links from public Web
pages, many Word, PDF, and other files have entered Google’s maw
unintentionally from an obscure but linked location of a Web site.
Worse, if your computer is hijacked (taken over) by crackers, it could
become a depository for warez, which is the slang name for pirated
software. A number of years ago, I ran an FTP site with a few files
in it, but I misconfigured it to allow both read and write access to
anyone. A huge spike in bandwidth led me to discover hundreds of
megabytes of pirated materials uploaded by others. Even though you
probably wouldn’t face legal action for your negligence (though that’s
not a guarantee these days), you could lose time and money cleaning
up the problem, and your ISP might sever your Internet connection
for violation of their acceptable use policies.
If you think unintentionally hosting pirated software is bad, it
could be worse. Your server could also become a repository of child
pornography. Some countries, including the United States, have
presumptive guilt. Mere possession can get you thrown in jail, fined,
or otherwise sanctioned, and require a long process to clear your
name. Many reports over the last couple of years have revealed that
a large percentage of spam and pornography is served from hijacked
computers.
There’s one more scenario that stinks: if anyone can write files to
a drop box on your server (even if no one can read those files once
uploaded), a malicious jerk could upload hundreds of megabytes of
crud, saturating your available bandwidth and filling your server’s
hard disk, and making the machine unreachable until you clean up
the unwanted files. This sort of vandalism may sound unlikely, but
with all the hijacked computers in the world, it’s all too easy, and it
does happen.
Warning! Even running peer-to-peer software for legitimate
purposes distributing legal files could cause you difficulty. For
instance, a few years ago, Take Control publisher Adam Engst
downloaded legally distributed audio files of musicians performing
at the South by Southwest (SXSW) music festival via BitTorrent,
the festival’s preferred distribution method. Unfortunately, he left
BitTorrent running, became a seed node, overloaded his long-range wireless link, and was temporarily shut down by his ISP.
Recommendations for Avoiding Risks
I recommend that before you turn any type of file sharing on, you
think carefully about who needs access, and what kind of access they
need. Here are some specific recommendations:
• Set up specific accounts for users who need access: Most
of the time, you should set up an individual account for each user
or you should set up a single account to be shared by a group of
users who need access to files.
If you are sharing files from a Mac running Leopard, you can
set up a Sharing Only account that provides limited access, and a
Sharing Only account may be most appropriate for limiting users’
access to only the files they need. (Sharing Only accounts are
described thoroughly in Define users; see Take Control of Users
& Accounts in Leopard for additional details on setting up user
accounts.)
You should also restrict users’ ability to write files to the file server,
using techniques such as these:
◊ Allow write access only to those who absolutely need it. For
instance, if you are sharing files from a Mac running Leopard,
you can set the permissions for other users to Read Only. (In
the Sharing preference pane, select File Sharing, and then
choose each shared folder in turn to set the permissions in the
Users list for each user or group that has access.)
◊ Choose read-only file-sharing methods to offer up files (like
Web download).
◊ Allow read-only access through configuration options that I
describe later for each kind of file service.
TIP If you’ve never configured a file server before, you might not
know that you can control the extent to which other users (or
even yourself, when logged in as a user) can work with files
stored on the server. For instance, you can let users just read
files and browse folders; or just upload files without then seeing
what they uploaded; or read, write, delete, and otherwise totally
control a volume.
• Limit where guests or anonymous users can upload files:
You can quickly get in trouble if users who don’t need an account
to gain access to your server can write files. Generally, don’t let
guests write files. If there’s a reason for it, set up a write-only or
drop-box folder into which they can copy or upload files but cannot read the contents or copy files out.
• Make sure that iDisk HomePage users assign a password
to the HomePage area: iDisk has several ways to share files
that are risky if you don’t read Apple’s well-written instructions.
For instance, you can assign a password to your Public Folder
on iDisk that allows others to access it via WebDAV. However,
if you enable Web-based sharing through HomePage, you must
assign another password in the HomePage area. (For an existing
site, click Protect This Site at the top of the page, or select a site
and click Edit to the right below the listing.) If you don’t assign
a password, anyone can gain access to those files over the Web
if they know the URL.
• Test your setup: I typically test any file-sharing setup by using
another computer with no login privileges to see what I can get to
without a user name. Can I read and write files when I shouldn’t?
Am I gaining anonymous access when I should be asked for a password? I tweak until I get it exactly right. Have a friend test it from
outside your network, too.
• Add a firewall: If you’re even slightly concerned about who
might access files you are sharing from your network, you can
turn on a firewall. The firewall that’s part of Leopard is woefully
restrictive, however, focusing on applications and their capability
to receive data. Instead, I suggest that you install a full-featured
firewall that lets you control which IP addresses can access a
precise set of servers on your machine.
Some Wi-Fi and broadband routers include full-featured firewall
software that can protect an entire network, including network-attached storage; Apple’s AirPort Extreme does not.
For an individual Mac, four firewall packages for Mac OS X that
accomplish advanced protection tasks are:
◊ Flying Buttress: http://personalpages.tds.net/~brian_hill/flyingbuttress.html (shareware, $25)
◊ Intego NetBarrier X3: http://www.intego.com/netbarrier/ ($70)
◊ Open Door’s DoorStop X: http://www.opendoor.com/doorstop/ ($50)
◊ Sustainable Softworks IPNetSentryX: http://www.sustworks.com/site/prod_sentryx_overview.html ($60)
(When you read this, Leopard updates for the above-listed
programs may not yet be released.)
Look on the next page for more information, in Set Your Firewall for
Sharing Files.
TIP There’s such a thing as being too observant. One of my editor
friends at a publishing house was convinced her Panther system
was the victim of viruses and attacks. It wasn’t, as far as I could
determine. Instead, her discovery of a Windows-focused worm
probing her networked computers—a typical automated cracking
behavior—led her to set her firewall settings for so much logging
and rejection that it bogged down her system to an almost
unusable level.
Currently, neither I nor any of my colleagues know of any way that
someone can connect to a Leopard system that’s sharing files and
gain access to control the computer or install and execute programs
on it. This doesn’t mean it can never happen.
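
The “Test your setup” recommendation above, and the common FTP setups listed earlier (write-only in-boxes, read-only directories, password-protected accounts, anonymous FTP), can be checked from a machine with no login privileges using a short script. This is an added example, not code from the book: the names audit_guest_access, PROBE, and FakeFTP are hypothetical, and FakeFTP is a constructed stand-in so the script runs offline.

```python
import ftplib
import io

PROBE = "guest-audit-probe.txt"  # constructed name for the test upload


def audit_guest_access(ftp, user="anonymous", password="guest@example.invalid"):
    """Probe an already-connected FTP session as a guest and classify it.

    `ftp` is an ftplib.FTP instance (or any object with the same methods).
    Returns (verdict, seen), where `seen` records each capability tested.
    """
    seen = {"login": False, "list": False, "upload": False, "read_back": False}
    try:
        ftp.login(user, password)
        seen["login"] = True
    except ftplib.all_errors:
        return "closed to guests", seen  # server insists on a real account

    try:
        ftp.retrlines("LIST", lambda line: None)
        seen["list"] = True
    except ftplib.all_errors:
        pass

    try:
        ftp.storbinary("STOR " + PROBE, io.BytesIO(b"guest audit probe\n"))
        seen["upload"] = True
    except ftplib.all_errors:
        pass

    if seen["upload"]:
        try:
            ftp.retrbinary("RETR " + PROBE, lambda chunk: None)
            seen["read_back"] = True
        except ftplib.all_errors:
            pass
        try:
            ftp.delete(PROBE)  # clean up; a drop box may refuse this
        except ftplib.all_errors:
            pass

    if seen["upload"] and seen["read_back"]:
        verdict = "open read/write"  # guests can store and fetch files
    elif seen["upload"]:
        verdict = "drop box"         # guests can upload but not copy out
    elif seen["list"]:
        verdict = "read-only"
    else:
        verdict = "login only"
    return verdict, seen


class FakeFTP:
    """Constructed stand-in for a server so the example runs offline."""

    def __init__(self, guests=False, can_list=False, can_write=False, can_read=False):
        self.guests, self.can_list = guests, can_list
        self.can_write, self.can_read = can_write, can_read
        self.files = {}

    def _need(self, allowed):
        if not allowed:
            raise ftplib.error_perm("550 Permission denied.")

    def login(self, user, password):
        if not self.guests:
            raise ftplib.error_perm("530 Login incorrect.")

    def retrlines(self, cmd, callback):
        self._need(self.can_list)
        for name in self.files:
            callback(name)

    def storbinary(self, cmd, fp):
        self._need(self.can_write)
        self.files[cmd.split(" ", 1)[1]] = fp.read()

    def retrbinary(self, cmd, callback):
        name = cmd.split(" ", 1)[1]
        self._need(self.can_read and name in self.files)
        callback(self.files[name])

    def delete(self, name):
        self._need(self.can_write and self.can_read)
        del self.files[name]


def demo():
    """Audit four constructed configurations and return their verdicts."""
    servers = {
        "accounts only": FakeFTP(),
        "read-only downloads": FakeFTP(guests=True, can_list=True, can_read=True),
        "drop box": FakeFTP(guests=True, can_write=True),
        "misconfigured": FakeFTP(guests=True, can_list=True, can_write=True, can_read=True),
    }
    return {name: audit_guest_access(srv)[0] for name, srv in servers.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} -> {verdict}")
    # Against your own server (host name is a placeholder):
    #   audit_guest_access(ftplib.FTP("your-server.example", timeout=10))
```

An “open read/write” verdict is the misconfiguration described under Problems with Open Servers. On a drop box the probe file stays behind, because guests are not allowed to delete it.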
Set Your Firewall for Sharing Files
A firewall creates a virtual barricade between one part of a network
and another, preventing all kinds of data from passing in and out,
depending on how the firewall is configured. A firewall can protect an
entire network, but more typically, you install a firewall on a single
computer to prevent other computers on a local network or the Internet from accessing any services that you haven’t specifically allowed.
To turn on Leopard’s built-in firewall service, open the Firewall view
of the Security system preference pane. You have three distinct
options to choose among:
• Allow All Incoming Connections: This default option blocks
no traffic. The firewall is off.
• Block All Incoming Connections: An extreme option, this
prevents any traffic from the outside world from initiating an
unsolicited connection to any service on your computer, but allows
you to connect out as much as you want.
• Limit Incoming Connections to Specific Services and
Applications: This option lets you pick and choose what gets in
to which programs.
If you have any Sharing services enabled, they appear at the top of the
list below Limit Incoming Connections. If you have chosen to control
incoming access for specific applications—including Apple programs
like iPhoto or iTunes that add themselves to the list with your permission when you enable sharing within those programs—they appear
in this list, too. When both services and applications are shown in the
list, they’re separated by a line with services on top and applications
on the bottom.
Whenever you turn on or off any service, it is added or removed from
this list to create or remove an exception to the firewall. If you launch
a program that needs access from the outside world, Mac OS X
prompts you for permission to allow such access; if you agree, the
application is automatically added.
You can also click the button to add an application to the list. Or,
to remove an application from the firewall settings, select it from the
list and click the button.
Each application can be set to Block Incoming Connections or Allow
Incoming Connections, but the setting applies only if you chose Limit
Incoming Connections as your overall approach (Figure 2).
FIGURE 2: The Firewall view lets you control how the outside world reaches your computer’s services and applications.
The firewall for Leopard lacks the fine-grained ability that Tiger
offered to control access based on ports (see the note Ports, next
page). Port-based access control is a typical feature of a firewall, and
it’s odd that Apple changed its philosophy here.
Apple’s firewall has never offered control over which IP addresses or
ranges were allowed or banned. Most firewalls can monitor for abuse
and lock out specific addresses or networks, or make sure only
authorized parties have access by allowing access to a service from
only a few addresses.
If you need this level of control or need to control access to services
that aren’t supplied with Mac OS X, you need a third-party firewall—
such as one of those listed a few pages earlier, or a router with firewall
functions built in. These firewalls allow more elaborate rules to
permit—among other purposes—file-sharing traffic to pass if you’re
trying (wisely) to restrict who connects to your computer. See
Table 4 (next page) for the ports you must enable for each service.
NOTE PORTS
A port is to an IP address like an apartment number is to an
apartment building: ports are used to offer services, like file
sharing or a Web server, and Internet-enabled software knows
at which ports services are typically found.
Ports can handle one of two forms of IP data: TCP and UDP. You
may be familiar with the name TCP from TCP/IP, the area in the
Network preference pane for each adapter in which you set up
connectivity. But TCP is one form of wrapping up data; UDP is
the other. TCP is typically used for communications in which
every bit of data is important; UDP is often used for streaming
media where losing some data doesn’t affect overall reception.
Table 4: Ports to Enable for Different File Sharing Services

| Service | Ports | Notes |
|---|---|---|
| FTP | Incoming 20 and 21, both UDP and TCP, and incoming ports 1024 through 65535 only when queried from another machine’s ports 20 and 21 | FTP clients send requests from ports 20 and 21, but if passive FTP is enabled on the client—an option required for some firewalls—the client connects from a high-numbered port. |
| Web | 80, 443 | 80 is regular Web, 443 is the secure version |
| Samba | 136–139, 445 | Apple opens just port 139 for Samba, but other ports might be required for various Windows networking services. |
| Timbuktu | 407 | |
| AFP | 548, 427 | |
| iPhoto | 8770 | |
| iTunes | 3689 | |
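As an added example (not part of the book), the Python script below maps the listening sockets reported by netstat -an onto the services in Table 4, so you can confirm that only the services you meant to share accept connections from the network. The netstat text is a constructed sample, and the function names and the intended parameter are assumptions made for this illustration.

```python
"""Map listening sockets from `netstat -an` onto the services in Table 4."""

# Port -> service, transcribed from Table 4 (the table's own numbers).
TABLE4_PORTS = {
    20: "FTP", 21: "FTP", 80: "Web", 443: "Web",
    136: "Samba", 137: "Samba", 138: "Samba", 139: "Samba", 445: "Samba",
    407: "Timbuktu", 548: "AFP", 427: "AFP", 8770: "iPhoto", 3689: "iTunes",
}

# Local addresses that only programs on the same Mac can reach.
LOOPBACK_PREFIXES = ("127.", "::1", "fe80::1%lo0")

# Constructed sample in the BSD/Mac OS X `netstat -an` layout (not real output).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.548       192.168.1.23.49302     ESTABLISHED
tcp4       0      0  *.548                  *.*                    LISTEN
tcp6       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.139                  *.*                    LISTEN
tcp4       0      0  *.445                  *.*                    LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.3689         *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.137                  *.*
udp4       0      0  *.5353                 *.*
udp4       0      0  192.168.1.10.123       192.0.2.1.123
"""


def parse_listeners(netstat_text):
    """Return (proto, address, port) for every socket waiting for new traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, column header or blank line
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # an existing connection, not a waiting service
        if proto.startswith("udp") and foreign != "*.*":
            continue  # a connected UDP socket, not a waiting service
        # BSD netstat joins address and port with a dot: 127.0.0.1.631
        address, _, port = local.rpartition(".")
        if port.isdigit():
            listeners.append((proto[:3], address, int(port)))
    return listeners


def audit(netstat_text, intended):
    """Summarise Table 4 services that are listening.

    `intended` is the set of service names the owner meant to share.
    Returns {service: {"ports": set, "network": bool, "intended": bool}},
    where "network" is True if any socket is bound beyond the loopback.
    """
    report = {}
    for proto, address, port in parse_listeners(netstat_text):
        service = TABLE4_PORTS.get(port)
        if service is None:
            continue  # not one of the file-sharing services in Table 4
        entry = report.setdefault(
            service,
            {"ports": set(), "network": False, "intended": service in intended},
        )
        entry["ports"].add((proto, port))
        if not address.startswith(LOOPBACK_PREFIXES):
            entry["network"] = True
    return report


def exposed_unintended(report):
    """Services reachable from the network that the owner did not ask for."""
    return sorted(name for name, entry in report.items()
                  if entry["network"] and not entry["intended"])


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, intended={"AFP"})
    for name in sorted(result):
        entry = result[name]
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(entry["ports"]))
        scope = "network" if entry["network"] else "loopback only"
        print(f"{name:8} {ports:28} {scope}")
    print("Turn off or firewall:", exposed_unintended(result))
```

On a real Mac, pass the text of netstat -an in place of SAMPLE_NETSTAT; a service that shows up as reachable from the network but is missing from your intended set is one to switch off in the Sharing pane or block at the firewall.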
You can configure Leopard’s firewall with one special feature for
greater security—Stealth Mode. To access it, from the Firewall view,
click the Advanced button.
Check Enable Stealth Mode (Figure 3) to make your Macintosh
appear essentially invisible to the outside world. Your computer won’t
respond in any way to queries from the outside world that try to see if
any port has a service behind it. This is a recommended approach for
keeping a low profile. All outbound connections that your Mac
originates will still work.
FIGURE 3: The Stealth Mode option in the Firewall view lets you lock down Leopard tight as a sealed drum.
Protect Your Passwords
The last part of protecting your file-serving system is to make sure
that neither you nor any of your remote users inadvertently let slip
the passwords that are used to access it. Should a password fall into
the hands of an unauthorized person, the contents of your read-only
repositories will suddenly be available to that person. And, a read/write
server could be compromised with stolen software, as I noted in
Problems with Open Servers, earlier.
Standard AFP, Web, Samba, and FTP services that use passwords
don’t protect those passwords, nor do they scramble the data that
passes back and forth from a client to a server. So, if users connect
to your file services over a Wi-Fi hotspot in a public location such as
a coffee shop or airport, they should use either a virtual private network (VPN) that encrypts all network traffic or an encrypted version
of FTP. They should avoid Samba and non-SSL–based WebDAV.
TIP If you don’t have access to a VPN server, and most of us don’t,
you can “rent” this encrypted service from WiTopia for $40 per
year (http://witopia.net/) or publicVPN for $6 per month or $60
per year (http://publicvpn.com/). Both firms provide a simple
way to start or stop a VPN connection. (WiTopia uses a separate
application; publicVPN uses built-in Mac OS X support.)
SHARE FILES
Turning on file sharing in Leopard requires only a few clicks in the
Sharing preference pane. Although this section explains how to use
the Sharing pane, you may wish to review the details about the service
you are about to turn on first, either by flipping back to more general
information in AFP, SMB or Samba, FTP, or Web, or by skipping
ahead to more specific configuration details in Share with AFP, Share
with Samba, Share with FTP and SFTP, and Share Files over the Web.
Set Up File Sharing
Leopard has streamlined file sharing by consolidating most of the
services, and by improving its explanations. Three items in the
Sharing pane’s Service list control the major file services:
• File Sharing incorporates all three major forms of network file
serving: AFP, FTP, and SMB.
• Web Sharing turns on the local Web server.
• Remote Login enables Secure FTP (SFTP) access, as well as its
main function of remote Terminal sessions.
Other sharing options: Other options in the Service list aren’t
related to file sharing, but rather refer to sharing computing power
(Xgrid), remote management and operation, and handing out
Internet access.
An option not listed above, NFS (Network File System), requires
additional configuration, but I find the method too dangerous
to recommend to anyone who is not already an experienced system
administrator.
Turn on services
Leopard makes it a snap to set up file sharing. It’s far easier in
Leopard than in any version of Mac OS since, quite honestly, Mac
OS 9! Leopard has more options and is more sophisticated, but the
simplicity of sharing took 7 years to cycle back around.
Here’s how to turn on a service:
1. Working in the Sharing preferences pane (Figure 4), and
referring to the bulleted list on the previous page if needed, check
the box to the left of the service name that you want to turn on.
FIGURE 4: To turn a service on, click the checkbox to the left of the service. To turn the service off, uncheck the checkbox. File Sharing has further options when you click Options.
2. Now:
• In the case of File Sharing, click the Options button to enable or
disable a specific file sharing service (Figure 5).
• In the case of Web Sharing, after checking the box, skip ahead
to Share Files over the Web.
• In the case of Remote Login, which you’d be checking in order
to enable SFTP, skip ahead to Using SFTP.
FIGURE 5: Check any one, two, or all three of the file-sharing types to start them running.
The options are:
◊ AFP file sharing, listed as Share Files and Folders using AFP.
◊ FTP, a stripped-down form of transferring files, listed as Share
Files and Folders using FTP (see Share with FTP and SFTP to
learn important configuration information).
◊ SMB, also known as Windows file sharing, listed as Share Files
and Folders using SMB. (If you’re wondering about the Account
list below the SMB option, see Share with Samba. Or, keep
reading along and I’ll cover it when I reach that point in the
procedure.)
3. Click Done.
You have now turned on at least one file-sharing service. In the
procedures ahead, I’ll explain how to set which items are shared,
who can access them, and what they can do with them.
NOTE Apple’s explanation in the Services pane and Options dialog
of what each service does and how to access a service as a
network resource after you’ve turned it on is terse but cogent,
and I expand on it in Access Shared Files.
Add shared folders for file sharing
Once you’ve turned on a file sharing service, it’s time to set which
folders on your Mac can be accessed by which users through the three
File Sharing options in the Sharing preference pane, AFP, Samba and
FTP. Apple labels Mac OS X’s list of shared items Shared Folders, but
you can add the top level of anything mounted on the Desktop—hard
drives, CDs and DVDs, flash drives, and even disk images—as well as
individual folders. It’s really “Shared Folders and Volumes.”
To add a folder or mounted drive, follow these steps:
1. In the Sharing preference pane, under the Shared Folders list, click
the button.
2. Select the folder or drive that you want to share. For folders,
navigate to the item, and make sure it’s selected. For volumes,
choose the volume under the Devices list in the left sidebar.
3. Click Add.
There’s no additional “apply” button; the folder or drive is now
available for sharing, and it appears in the Shared Folders list.
NOTE In Leopard, Apple has dramatically improved the granularity
of items you can share and who may access them. Apple has
restored folder sharing, lost since Mac OS 9 days; and they’ve
added per-volume access control. Apple turns file sharing on
for Guest accounts in a clean Leopard installation, but they
provide a single checkbox to disable this access. For more about
guest access, see Define users, a page or so ahead.
Sharing terminology: While volume is a synonym for any
partition on a disk, in the context of sharing a folder or drive, it’s
also used to mean any shared item that appears as a volume when
mounted as a server.
So, what you might think of as a folder turns out to be a volume
from the perspective of those accessing the folder via file sharing.
I use the term volume often ahead to describe items in the Shared
Folders list.
You can also add folders and disks from the Desktop by dragging
their icons into the Shared Folders list; or, by selecting a folder,
choosing File > Get Info, and checking the Shared Folder box under
General. The volume immediately shows up in the Shared Folders list
in both cases, where you can set access to it.
By default, Leopard shares the volume with the users and group for a
given item, as I explain next.
Warning! The Public folder in every user account is automatically
shared by default. Turning off Public folder sharing—even when
there were no contents—was a chore in Mac OS X before Leopard.
In Leopard, you use the Get Info method noted above for a given
Public folder and uncheck the Shared Folder box. That particular
change allowed me to cut about ten pages from this edition of the
book.
How to Tell if a Folder Is Shared
If you don’t want to open the Sharing preference pane, you can
tell if a folder is shared with a glance in a Finder window: With
the contents of a shared item visible, you’ll see a dark gray box
near the top of the window reading Shared Folder (Figure 6).
A sharing badge on the folder would have been nice, too.
FIGURE 6: A gray bar with Shared Folder indicates that the folder is, indeed, shared.
Define users
Leopard adds a unique category of user account: Sharing Only.
This lets you set up an account to be used solely for transferring files
through File Sharing options, with no access to other services on the
system, or to a regular login. If you already have other users on the
system who need remote access for SFTP or more full access, you
can use their accounts for access as described two pages ahead, in
Assign users for file sharing.
Safe Samba set up: Before you set up users for Samba file
sharing, skip ahead and read about special security concerns for
Samba in Extra step due to weak passwords.
Here’s how to set up a Sharing Only account:
1. Open System Preferences.
2. Click Accounts.
3. Click the lock icon at the bottom left, and enter an administrator
password. (That’s the password for any account set to Allow This
User to Administer This Computer.)
4. Click the button below the list of accounts at left.
5. From the New Account pop-up menu, choose Sharing Only.
6. Enter a long name (a full descriptive name that AFP can use), a
short name (the login account name used by SMB and FTP, and
an option for AFP), the password, and a hint (Figure 7).
7. Click Create Account.
This account can now be assigned as a valid user for a shared folder.
FIGURE 7: A Sharing Only user can only access files, not log in to the Mac to use applications.
You can also disable the Guest account user in the Accounts
preference pane. To disable the Guest account, follow Steps 1–3 in the
previous procedure; then select Guest Account at the left of the
Accounts preference pane and uncheck Allow Guests to Connect to
Shared Folders. (To re-enable guest access, check that box.)
Guests can connect via SMB and AFP, but not via FTP; I describe a
workaround for this in Share with FTP and SFTP.
Warning! The Guest account isn’t revocable; that is, if you decide
you don’t want someone to have guest access, you can’t turn the
account off and have a way of letting other people still access the
same files through a Guest-account method. To avoid this problem,
I suggest you not use the Guest account for file sharing, but instead
create a Sharing Only account with a name that you use for guest
access, like guest1, with a simple password like guest. You can
turn that account off, change its password, or rename it to drop
people from having access.
Assign users for file sharing
For each volume shared via the File Sharing service, you must specify
a set of users who may gain access, and their level of access. Mac OS X
does have default user-access settings, and you can see them in a folder or disk’s Info window or when you select an item in the Shared
Folder list in the Sharing preference pane. (The Users list comprises
both users and groups; I’ll explain that shortly.)
Mac OS X picks up these defaults from the underlying Unix directory
permissions. These permission settings control general system and
user access to files outside of file sharing, controlling which users on
the computer can read, modify, or execute (launch) files, programs,
and folders. (See Take Control of Permissions in Leopard, by Brian
Tanaka, for more details.)
For a shared volume, you can assign permissions to three different
kinds of users (Figure 8):
• Owner: The owner is the user who created the item. For a folder
that’s within a user’s home folder, the user is typically the owner.
For a system-level folder or the volume that’s your Mac OS X
startup disk, the owner is often the special System Administrator
user.
The Owner entry is listed as a single head and chest with the full
account name following.
• Group: Folders and volumes can also have a group assigned
that allows a separate setting for permissions. This is how several
people can modify files within a volume, or have read-only access.
Many folders lack group settings. (To set up a group, open the
Accounts preference pane, and authenticate if needed using the
lock at the lower left. Click the button, choose Group and enter
a group name, and click Create Group. Then, with the new group
selected at the left, select the checkboxes for the accounts that you
want in the group.)
The Group entry shows two heads and torso with the group name
following.
• Everyone: Everyone includes all other accounts on the computer,
including the Guest account and Sharing Only users. This setting
makes it easy to allow everyone access to certain folders without
having to muck about when new users are created. The Everyone
entry shows the top of three people overlapped and the name
Everyone following.
FIGURE 8: The three kinds of users that can be assigned to a shared folder: an owner (top), group (middle), and Everyone.
Warning! The Guest account can access any folder with Everyone
set to anything but No Access over AFP and Samba, but not via
FTP. Apple put some special under-the-hood “wiring” in Leopard
that prevents this kind of guest access.
The File Sharing service lets you choose users to assign to a folder
from one of two sources: Users & Groups and Address Book.
• Users & Groups: This includes all defined users on the computer
you’re working on, including regular accounts, groups of users
(defined in the Accounts preference pane), and Sharing Only
users. Any accounts or groups already added to the Users list for
a particular shared item are grayed out. (The Guest account user
isn’t listed, as that account’s ability to access files is constrained;
see Warning, above.)
• Address Book: You can select any user in your Address Book,
and create a Sharing Only account for them on the fly by assigning
them a password when prompted. If you’ve already done this step
for a user, their Sharing Only account appears in Users & Groups.
Groups of contacts created in Address Book show up below the
Address Book icon. You can select a group, and then choose one or
more of its members to add. For any member that doesn’t already
have a Sharing Only account, you’re prompted to create that
account.
To assign users to a shared item, carry out these actions:
1. In the Sharing preference pane, select an item under Shared
Folders.
2. Under the Users list, click the button.
3. Pick a user type at the left—Users & Groups is selected by default
(Figure 9)—and then select users or groups from the right
(groups appear with a two-heads-and-torsos icon). You can select
multiple items as you would for any multiple selection: Press
Command for noncontiguous additions or removals, and press
Shift to extend a selection.
FIGURE 9: You can select users from local accounts, network accounts, and the Address Book.
4. Click Select. If you chose users from the Address Book, you are
now prompted to enter a password for each user to create their
Sharing Only account entry.
Any users or groups that you set up now appear in the Users list for
that shared volume.
Removing a user or group is as simple as selecting one entry at a time
in the Users list and clicking the button beneath the list.
Now that you’ve set which accounts can access a shared item, your
next task is to control the access.
Control access via file sharing
One of the best new features in Leopard for controlling AFP, FTP, and
Samba access is per-volume, per-user/group sharing. This allows you
to set separately who may access a given shared item and in what
fashion.
Warning! Because Leopard ties together AFP, Samba, and FTP,
you cannot restrict access by any of those methods to a given
volume for a user that has permission to access that volume. That
means that any valid user can access any permitted volume through
all enabled file-sharing methods. This shouldn’t be a problem, but
it’s worth noting.
To the right of each entry in the Users list, an access pop-up menu
lets you set one of four choices (Figure 10):
FIGURE 10: The four options for access give you highly granular control over what users have permission to do. No access appears only for the special Everyone user.
• Read & Write: This allows unlimited access to the shared item.
• Read Only: For items that you want to provide access to but
not allow modifications, additions, or deletions, Read Only is the
option of choice. Read Only is also a good mode if you want to
share a folder or volume in such a way that you can’t accidentally
write over any of its contents.
• Write Only (Drop Box): This last choice turns a folder into a
drop box. Connected users have permission only to “drop” a file
into the volume. They can’t view the contents of the folder or
access anything inside it. The Drop Box option helps when you’re
trying to collect documents but not share them.
• No Access: Use this option to disable access for users or groups
by choosing No Access, rather than deleting their entry altogether.
This option is available only for the Everyone entry.
What to do next: Now that you’ve set up users who can access
a shared volume, assigned those users to the volume, and set how
they may access the volume, it’s time to learn a little more about
your specific method of sharing files, and possibly to further configure your setup.
In the following subsections, I cover special configuration
considerations that you may wish to be aware of as you finish
setting up file sharing. As appropriate, skip ahead to Share with
AFP (below), Share with Samba, Share with FTP and SFTP, and
Share Files over the Web.
Share with AFP
AFP has just one proviso when it comes to file sharing: because it’s
the longest-established method of moving documents around under
any version of the Macintosh operating system, even before it was
called Mac OS, Macs running Mac OS 9 through Mac OS X 10.3
(Panther) can’t access Leopard and Tiger AFP servers without a
setting change.
Macs running Tiger and Leopard don’t use the old AppleTalk protocol
for AFP, relying instead on IP networking. If you need to access a
Tiger or Leopard AFP server from Mac OS 9 or Mac OS X 10.3 or
earlier, you must enable AppleTalk.
On a particular file-sharing Macintosh, running any version of Mac
OS X, AppleTalk can be active on only a single network connection
at a time—you can’t turn it on for both an Ethernet and a Wi-Fi
connection, and it’s important to turn it on for the correct connection.
(Note that Leopard Server can offer AppleTalk over all connections at
once.)
To enable AppleTalk, follow these steps:
1. Launch System Preferences and click Network.
2. Select your connection in the list at left, such as Ethernet or
AirPort.
3. Click the Advanced button.
4. Click AppleTalk.
5. Check Make AppleTalk Active. (If AppleTalk is active on another
connection, Mac OS X will warn you.)
6. Click OK.
7. Click Apply.
Warning! Apple dropped from Leopard several security-related
options, accessible from a special gear-icon Action menu, that
related to mounting AFP volumes. I’m not sure why Apple removed
these options, and it may be an oversight. First among them is the
ability to use AFP over SSH, a secure option supported by Mac
OS X Server.
NOTE To find out about connecting to your AFP server from other
computers, skip ahead to Access Shared Files.
Share with Samba
As you may recall from SMB or Samba, earlier, Samba is how
Windows shares files, and Leopard’s version works in a way that
Windows and other Samba clients are quite happy with.
There are just two issues to be concerned about: turning on Samba
accounts, and dealing with odd characters.
Extra step due to weak passwords
Leopard (and Tiger before it) likes to remind you that SMB passwords
are stored in a less-secure manner than other network and system
passwords. Both versions of Mac OS X have you go through an
additional step to enable accounts to share via Samba because if the
password is cracked for Samba, that’s the same password that could
be used for remote access to your computer or allow someone with
physical access full privileges to use your machine.
Because of this weakness, you might consider enabling Samba access
through only one Sharing Only user account that you set up especially
for Samba users. This account’s password, if cracked, would reveal
only stored files that the account was given access to.
TIP Samba is best used on a local network, not over the Internet,
because of its password weakness. Samba ports are often
blocked by network administrators and ISPs, and they are
typically disabled in default firewall configurations. If you have
another option for sharing files to remote users, try it.
In the Sharing preference pane, click Options. Now, beneath the
Samba checkbox, you need to check a box next to each account you
want to allow access to over Samba (Figure 11). Enter that account’s
password when prompted. When you finish, click Done.
FIGURE 11: Check the boxes next to accounts that are allowed to access this machine via Samba. Enter the account passwords when prompted.
Avoid file naming problems
Certain versions of Samba are more restrictive than others about
which characters they can handle. I’d like to generalize, but the documentation about various Samba servers doesn’t make it crystal clear
whether older or newer servers are more or less restrictive, or just
configured to be more or less restrictive. Let’s just say that your mileage may vary. Many characters that you can use to name a file or folder under Mac OS X will make certain versions or configurations of
Samba barf.
I can’t find a definitive list of characters that Samba clients (and
servers) don’t like, but it appears to include \/:*?"<>|[]. At one
time, the list was more restrictive; over time, Apple has improved
how Mac OS X handles mapping characters that Macs understand
and Windows doesn’t like.
If you try to copy a file that includes any or all of these characters to
a Samba file server, Leopard encodes them in a way that Samba likes.
In Vista, for instance, the unsupported characters show up as bullets
(•) in the Desktop file lists, but Vista preserves the underlying special
character codes. You can copy and paste the file names in Vista without ruining the name. This is a neat trick, and a big improvement over
even Tiger’s improved support.
Share with FTP and SFTP
Let me address just two issues worth considering: guest access in FTP
and the particulars of turning on and using SFTP.
Guest access in FTP
With Leopard, FTP access is controlled identically to AFP and Samba.
The one exception is that—at this writing—guest access does not work
with the Guest account.
To work around that, create a special Sharing Only account called
guest_ftp (or whatever you choose), give it a password like guest,
and assign it to any shared items you want to enable guest FTP access
to. Then tell your users about the account, or even publish the
account name and password on any Web page that links to the
file repository.
In a future edition of this book, I hope to provide a simpler step. For
security reasons, Apple may have chosen to hardwire their system to
not allow anonymous, password-free access at all, reserving that for
Mac OS X Server.
TIP MORE OPTIONS IN PUREFTPD MANAGER
If after you read this “Share with FTP and SFTP” subsection,
you want still more configuration options or tighter security for
your FTP-based file sharing, you should look into PureFTPd, a
donationware FTP server that should be available at some point
after Leopard’s release (http://jeanmatthieu.free.fr/pureftpd/).
PureFTPd Manager packages well-written FTP server software
that handles all forms of FTP encryption and, to boot, can enable
a more flexibly defined guest user and offers a host of subtle
options like restricting inbound bandwidth or access by time of
day. Click the Check for Updates link on the cover of this book to
look for more details.
Using SFTP
SFTP isn’t tied into File Sharing; it’s essentially a separate method
that happens to work in a similar manner, and to which none of the
File Sharing tools for managing access apply as noted above.
To enable SFTP on the server end, turn on the Remote Login service
in the Sharing preference pane. (You don’t need to turn on FTP Access
by selecting the File Sharing checkbox and clicking Options if you’re
offering only SFTP on your server: Remote Login enables SSH,
which in turn hands off SFTP traffic to a special program called sftp-server.)
As noted earlier, Apple’s SFTP relies on users defined in the Accounts
preference pane, and on the permissions attached to those users.
Access controls that you see if you select File Sharing in the Sharing
preferences pane—the Shared Folder and Users lists—don’t limit
access for users via SFTP; all users or selected users—depending on
your setup in the Remote Login service—can access anything they
have Unix-set read permissions to retrieve.
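To see what the paragraph above means in practice, the following added example (not from the book) walks a folder tree and lists the files that any account allowed to log in could retrieve over SFTP, going only by Unix permission bits. The function names and the sample tree are constructed for illustration; the mapping of the Everyone bits to the Sharing pane’s four access labels is an assumption, and ACL entries are not examined.

```python
"""Report what any login account could fetch over SFTP, judged by Unix mode bits."""
import os
import stat
import tempfile


def everyone_access(mode):
    """Name the access level that the 'other' permission bits correspond to.

    Assumption: the labels are the four choices in the Sharing pane's access
    menu. ACL entries, which can grant more or less, are not examined.
    """
    can_read = bool(mode & stat.S_IROTH)
    can_write = bool(mode & stat.S_IWOTH)
    if can_read and can_write:
        return "Read & Write"
    if can_read:
        return "Read Only"
    if can_write:
        return "Write Only (Drop Box)"
    return "No Access"


def world_retrievable(root):
    """Return [(relative_path, note)] for files any account can read under root.

    A file counts when it has the other-read bit and every directory between
    root and the file has the other-execute (traverse) bit. Directories above
    root are assumed to be traversable. Symbolic links are skipped.
    """
    found = []

    def walk(directory):
        dir_mode = os.lstat(directory).st_mode
        if not dir_mode & stat.S_IXOTH:
            return  # others cannot enter, so nothing below is reachable
        listed = bool(dir_mode & stat.S_IROTH)
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode):
                walk(path)
            elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                # Without read on the folder the file is not listed, but it
                # can still be fetched by anyone who knows its exact name.
                note = "listed" if listed else "name must be known"
                found.append((os.path.relpath(path, root), note))

    walk(root)
    return found


def demo():
    """Build a constructed home-folder-like tree and audit it."""
    layout = [  # (relative path, mode, is_directory), all constructed
        ("", 0o755, True),
        ("Documents", 0o700, True),
        ("Documents/taxes.pdf", 0o644, False),
        ("Public", 0o755, True),
        ("Public/readme.txt", 0o644, False),
        ("Public/draft.txt", 0o600, False),
        ("Public/Drop Box", 0o733, True),
        ("Public/Drop Box/upload.txt", 0o644, False),
    ]
    with tempfile.TemporaryDirectory() as home:
        for rel, mode, is_dir in layout:
            path = os.path.join(home, rel) if rel else home
            if is_dir:
                os.makedirs(path, exist_ok=True)
            else:
                with open(path, "w") as handle:
                    handle.write("constructed sample\n")
            os.chmod(path, mode)
        levels = {
            rel: everyone_access(os.lstat(os.path.join(home, rel)).st_mode)
            for rel, _, is_dir in layout if is_dir and rel
        }
        return levels, world_retrievable(home)


if __name__ == "__main__":
    folder_levels, files = demo()
    for folder, level in sorted(folder_levels.items()):
        print(f"{folder:18} Everyone: {level}")
    for rel_path, note in files:
        print(f"retrievable: {rel_path} ({note})")
```

In the sample tree, taxes.pdf is itself world-readable but stays out of reach because its parent folder denies traversal, while the file inside the drop box can be fetched by anyone who knows its name.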
From the perspective of using SFTP in an FTP client, any FTP software that supports SFTP—and all major Mac clients do—doesn’t treat
SFTP any differently than FTP. It’s seamless via the client, and just
handled differently by the server.
TIP Read FTP, earlier, to review common FTP setups.
Share Files over the Web
Leopard’s built-in Web server is a slightly modified version of
Apache 2.2 (http://httpd.apache.org/). As I discussed in Web,
by default, you can use Leopard’s Web server as a read-only method
of providing Web pages and file downloads.
Turn on Web Sharing as described in Turn on services, earlier, and
then check out the default index.html.en page that you’ve made
available. (There are many index.html files, all of which have a dot-plus-two-letter extension to define the language they are written in;
the language set in the browser tells the server which index.html
file to feed to the browser.) You can start serving Web pages or
downloadable files using the default directories. See “What’s shared
over the Web” (just ahead) and Share files and folders.
What’s shared over the Web
The first time you turn on Web Sharing, Leopard shares
/Library/WebServer/Documents as the main URL for your machine, as well
as the ~/Sites folders for all users as paths under the main URL.
Apple also makes the Apache manual available at
http://localhost/manual. The Sharing preferences pane shows the default URL at
which the Web server can be reached, and the document directory the
server is sharing.
TIP Localhost is the default name for your local machine, equivalent to the Internet loopback (or point-to-self) address of
127.0.0.1.
The Sites folders in all user directories are shared, so you may want to
configure Apache to share folders from only specific user directories.
TIP Placing aliases in the Finder for files or folders located in a folder
above Apache-shared folders doesn’t share those files or
directories. However, creating Unix symbolic links in Terminal
will work.
To view the default page (index.html.en, located in
/Library/WebServer/Documents) that comes up for your enabled Web
server at its root level, enter any one of the following in a Web
browser’s Location or URL field:
• Your machine’s IP address (e.g., http://192.168.1.10)
• Your machine’s exact domain (e.g., http://foo.example.com)
• http://localhost
• http://bonjour.name
TIP FINDING AND SHORTENING THE BONJOUR NAME
The Bonjour name, such as http://glenndual.local, is shown
in the Sharing preference pane beneath the Computer Name
field. You can change it to something shorter—the default is
rather long, like “glenn-fleishmans-power-mac-g4” in my case—
by clicking Edit, entering a new name, and then clicking OK.
If you’re wondering what the Use Dynamic Global Hostname
checkbox offers in that same Edit dialog, move along—nothing
to see here. Apple has enabled what it calls wide-area Bonjour,
but it requires support by Internet service providers and
domain-name service hosts, which isn’t yet in place. When it
is, you would be able to access services through Bonjour names
outside your local network.
If you want to see the home page for a user on your system (the
index.html file in the ~/Sites folder for that user), enter any
of the previous four options plus /~username. For example, to see
the home page found in /Users/glenn/Sites/ for a user with
the short name glenn, view http://localhost/~glenn or
http://bonjour.name/~glenn.
Share files and folders
It’s easy enough to share files via the Web. You can place files directly
in your Sites folder, preferably inside a folder you create to hold files
for download, and provide people with the exact path, like
http://foo.example.com/~glenn/files/arch.zip.
If you provide people with the precise path, you avoid the necessity of
making HTML pages. However, you can create Web pages in software
such as Bare Bones Software’s BBEdit or Macromedia Dreamweaver
that point to files to download through hyperlinks.
SHARE DIGITAL MEDIA FILES
Most of this book discusses sharing any type of files using file-sharing
services. However, no book about sharing files on a Mac would be
complete without explaining how to share iPhoto and iTunes
libraries.
Decide How to Share an iTunes Library
The first step in sharing an iTunes Library is to decide whether to
use the built-in iTunes Sharing feature or to use file sharing. I explain
each option, next.
Built-in iTunes Sharing feature
iTunes has a built-in Sharing feature, which is easy to set up. You
can use iTunes Sharing to share one iTunes Library among users on
the same Mac or with users on a network. Unfortunately, the feature
is limited in a number of ways:
• Because Apple is playing nice with the recording industry, if
another user connects to your shared library, all that user can
do with shared media is play it from within iTunes. He can’t add
a song or video or album to his own playlists, set ratings, or edit
the tags that identify each MP3 file. That’s appropriate in some
situations, but in cases where you’re sharing your own iTunes
Library among your own Macs, such as on a home network, it’s
needlessly limiting and technologically overrules U.S. law and
court decisions on fair use.
• Apple allows just five other users to connect to your iTunes Library
within a 24-hour period. Boo, Apple, boo. This restriction prevents
you from infringing on a song’s copyright, but in so doing eliminates rights that you would have with physical media, like a CD,
DVD, or VHS tape. If you have a large family or a number of computers at work and home that you use to listen to an iTunes library,
you aren’t violating anyone’s copyright and yet you could run into
problems with this restriction. Listening to music isn’t the same as
stealing music.
• When you share an iTunes Library among users on the same Mac,
the library is available to others only when Fast User Switching is
turned on. It works like this: first one user logs in and launches
iTunes. Then, if another user logs in via Fast User Switching, that
second user can listen to the first user’s music.
You’ll encounter a few additional limits when sharing over a network:
• The shared iTunes Library is available only when iTunes is running
on the machine that is sharing the library. If you turn that machine
off, it crashes, or someone needs all its processing power for
Photoshop or other tasks, you can’t access the media in the library.
• iTunes sharing relies on Bonjour, a technology for automatically
announcing network resources over a local network. But unlike
Apple’s general use of Bonjour in which any resource is available
to any other on the same physical network, iTunes restricts its
sharing to machines on the same range of IP addresses. Even
simple home networks could have two or more ranges of private
or translated addresses, which eliminates iTunes Sharing among
users of them. (A typical scenario: a wired gateway and a wireless
gateway feed out two different private network ranges.) A
general-purpose file server, as I describe next, has no such limitation,
and might be appropriate for more complicated networks.
I cover how to Set Up iTunes Sharing on the next page.
Shared iTunes Music folder
This approach involves storing your iTunes Library in a central
location. File sharing is harder to set up than iTunes Sharing, but
it is the best way to go if you want to share an iTunes Library across
a network or the Internet. In this case, you don’t actually share
an iTunes Library file; instead you share the iTunes Music folder
associated with a particular library, which you’ll use as a starting
point for what media is initially shared.
Relying on a shared iTunes Music folder has the advantage of letting
people share the same media while still creating and maintaining
their own playlists, since the playlist information stays with each
user. On the downside, every time someone adds new media by, for
instance, ripping a new CD, downloading a new podcast episode, or
purchasing something from the iTunes Store, each user must import
the files manually by dragging them into iTunes. The silver lining in
that cloud is that each user can pick and choose which of the shared
files to import.
Flip to the next page to learn how to Share an iTunes Music Folder.
TIP Sharing music over a network requires just a few hundred Kbps
of bandwidth per user, so it should work fine even on the
slowest Wi-Fi or Ethernet network.
Set Up iTunes Sharing
If you decide that the built-in iTunes Sharing feature is the way to
go, you can start sharing your iTunes Library by choosing Preferences
from the iTunes menu (Command-,), clicking the Sharing button, and
selecting Share My Library on My Local Network. As you can see in
Figure 12, you may limit the shared music to specific playlists and
set a password.
FIGURE 12
To share your iTunes Library, simply turn on Share My Library on the
Local Network in the iTunes Preferences window.
To set the name that appears in other people’s copies of iTunes when
the library is shared, enter a name in the General pane’s Shared Name
field. The name that iTunes then uses is your account’s name plus
’s Library. (There’s no good reason the Shared Name field isn’t in
the Shared pane, as far as I can tell!)
If your firewall is enabled, Leopard asks you if you want to allow
incoming access to iTunes, and admonishes you that sharing music is
for personal use only (thanks, Nanny RIAA!). If you click OK, iTunes
is added as an application to the Firewall view of the Security preference pane, set to Allow Incoming Connections.
On the playing side, there’s nothing new to do: for another user on
your Mac who logs in via Fast User Switching, and for users on your
network, shared music appears automatically in iTunes in the Shared
category at the left; they play music by double-clicking a song just
as they would normally in iTunes.
Share an iTunes Music Folder
If you’ve decided to use the shared folder approach, you’ll be happy
to know that accessing shared media in iTunes is easy because iTunes
is happy to load its files from any location. Follow these steps:
1. On the Mac that will hold the shared iTunes Music folder, in the
account for the user who will be in charge of the folder, open the
~/Music/iTunes/ folder.
2. From inside that folder, select the iTunes Music folder.
3. Choose File > Get Info.
4. In the General section, check Shared Folder. (If Leopard pops up
an alert telling you to enable File Sharing, click Enable.)
If you’re using that user account to log in over AFP from other
computers on the network, you can skip these next steps; otherwise,
set up a user and permissions for that folder:
1. Open System Preferences and click Accounts.
2. Create a new Sharing Only user named whatever you like by
clicking the + button, choosing Sharing Only as the user type, and
filling out the user name and password information. (You may
need to click the lock icon at the lower left and authenticate, before
you can click the + button.)
3. Switch to the Sharing preferences pane.
4. Select File Sharing.
5. Select the shared folder, called iTunes Music, in the Shared
Folders list.
6. Under Users, click the + button, and add the Sharing Only user
you just created, and if you don’t want other computers to modify
the contents of the folder remotely, set that user’s permission to
Read Only.
You’ve now successfully set up the folder as the shared folder. Now, it’s
time to set up iTunes for everyone else who will share the folder.
Perform these steps for each user on each Mac:
1. Launch iTunes, choose Preferences from the iTunes menu
(Command-,), and click the Advanced button.
2. In the Finder, from the Shared region of the sidebar, select the
server that contains the iTunes Music volume (use Go > Connect to
Server if you can’t see the server in the sidebar). Log in as whatever
user you chose or created just previously, and mount the iTunes
Music volume.
3. In iTunes, in the Advanced pane, next to the iTunes Music Folder
Location field, click the Change button and then navigate to and
choose the shared iTunes Music folder within the shared volume
you just mounted.
4. The user that has the original copy of the iTunes Music Folder
should be the one that handles ripping CDs and downloading
iTunes Store items. For all other users, make sure the two
checkboxes for keeping the iTunes Music Folder organized and
copying files to it are unchecked, or iTunes will try to manipulate
files unnecessarily and quite slowly.
5. Click OK to save your changes.
6. In the Finder, where you should see the iTunes Music volume
mounted, open the iTunes Music volume, select its contents, and
drag them into the iTunes window to import them.
TIP To find new items in the iTunes Music folder, open it in the
Finder, switch to List View, and sort by date so you can see the
most recently added folders. This can fail to work if music was
ripped a while ago and copied over much later, of course.
Share Photos in iPhoto
Sharing photos in iPhoto is more complex than sharing music in
iTunes because iPhoto is more particular about where its files live,
and because all users need read-and-write access for importing and
editing purposes.
You must choose between two approaches to sharing photos in
iPhoto: what I term the “shared iPhoto Library” approach, or the
iPhoto Sharing approach:
• Use the shared iPhoto Library approach to share photos when you
need to ensure that all networked users can import, view, organize,
and output the same set of photos. The shared iPhoto Library
method is best for people who want to mix all their photos and
work on them together. For info on setting up this approach, see
Share an iPhoto Library, next page.
• Use the iPhoto Sharing approach if you want multiple users on the
same Mac (with Fast User Switching enabled) or across a network
to be able to view each other’s photos and perform limited output.
In this case, the user who stores the photos in his iPhoto Library
can use the photos normally, but others who share the photos are
limited to options that don’t modify the photos. They can print
shared photos, view them in a slideshow, send them to others in
email, order prints of them from Apple, upload them to make .Mac
Web galleries, and use them as .Mac slides. However, they can’t
add a shared photo to an album, edit it in any way, use it in iPhoto
books, use it as a Desktop picture or for a screensaver, create an
iDVD slideshow with it, or burn it to CD. To accomplish any of
those tasks, the shared photo must first be copied to the secondary
user’s account (which is easy to do in iPhoto; just drag it to the
Library album), after which it’s just like any other photo in that
account.
iPhoto Sharing is ideal for situations where each person in a family
might have his or her own camera but wants to make some
pictures available to the others, without allowing the others to edit
them or mix them up.
I describe how to configure iPhoto Sharing in Share photos via
iPhoto Sharing, ahead.
TIP To use the shared iPhoto Library folder technique over a
network, you’ll want at least a 100 Mbps Ethernet network or
an AirPort Extreme with 802.11g (25 Mbps of real throughput)
or 802.11n (30–90 Mbps).
The iPhoto Sharing method of sharing photos over a network
works better over relatively slow network connections, but even
still, the faster your network, the easier it will be to work with
shared photos.
Share an iPhoto Library
The iPhoto Library package—a special kind of folder—can’t be
accessed by other users of the same computer due to permissions
issues. That means that if you have multiple people who want to edit
and share the same iPhoto Library package, that package must be
placed in a folder on a file server that all the users on the network can
access. (If multiple users want to work with the same iPhoto Library
on the same machine, you should set up a special account that has the
iPhoto images; this special account will help you to avoid complexity
and other problems.)
Warning! Mac OS X will not let you mount your computer’s AFP
file server to itself; I’m sure that struck you as a clever workaround,
but Apple doesn’t want to create nasty infinite loops, despite its
street address in Cupertino.
Follow these steps to enable full iPhoto capabilities for other users
over the network:
1. On the Mac that will host the iPhoto Library, open System
Preferences and click Accounts.
2. Create a new Sharing Only user named iphoto by clicking the +
button, choosing Sharing Only as the user type, and filling out the
user name and password information. Set the short name to
iphoto. (You may need to click the lock icon at the lower left and
authenticate, before you can click the + button.)
3. Switch to the Sharing preference pane, and select File Sharing.
4. In the Finder, open the Pictures folder from the previous step and
select the iPhoto Library.
5. Choose File > Get Info.
6. In the General section, check Shared Folder. (If Leopard pops up
an alert telling you to enable File Sharing, click Enable.)
7. From the Sharing & Permissions section at the bottom, set the
owner to iphoto: click the + button to add the iphoto user to
the Name list, and then choose Read & Write from the Privilege
pop-up menu.
8. For each remote user in turn, mount the Pictures volumes using
the iphoto user login, select the shared iPhoto Library folder
within it, press Command-Option, and drag it to that user’s
Pictures folder. When you drop the icon in the Pictures folder,
the Finder creates an alias of the shared iPhoto Library folder.
By default, iPhoto always looks for a package called “iPhoto
Library” in the Pictures folder, and it accepts an alias happily.
(Alternatively, press Option and launch iPhoto from the Dock,
click Choose Library from the dialog that appears, and navigate
to and select the shared iPhoto Library package.)
9. Verify that each user can import a photo and edit existing photos,
and that every other user can see the results of those changes.
After that, all users can use iPhoto with the shared iPhoto Library
just as they would normally.
TIP When you share an iPhoto Library over a network, multiple
copies of iPhoto can’t access the shared library at once; iPhoto
prevents access when the files are in use by another copy.
Share photos via iPhoto Sharing
You can use Bonjour network sharing with photos, just as you can
share media with iTunes. Unlike with certain types of media (like
music) in iTunes, though, everyone sharing photos presumably has
legal permission to do so, so Apple lets various users copy shared
photos to their own Photo libraries and use them in any way desired.
To start sharing photos, choose iPhoto > Preferences (Command-,),
click Sharing, and select Share My Photos. You may limit the shared
photos to specific albums, change the name that appears in the album
pane for others on your network, and set a password (Figure 13).
Warning! One password controls access to everything you share.
FIGURE 13
To share your photos in iPhoto, turn on Share My Photos in the
iPhoto Preferences window.
If you have the firewall enabled to restrict access to all or limited
programs, Leopard prompts you to agree to open a hole for iPhoto
sharing (Figure 14). iPhoto is then added to the list of applications
in the Security preference pane’s Firewall view.
FIGURE 14
To let iPhoto Sharing function on the network, click Always Allow.
Shared photos appear in iPhoto as just another album, and you can
view and output them in many of the ways you’re accustomed to with
your own photos. However, if you want to edit a photo or use it in a
way that iPhoto doesn’t allow with shared photos, you must first copy
the photo by dragging it from the shared album to your Library or one
of your albums.
ACCESS SHARED FILES
Now that you’ve had the chance to read about every conceivable way
to share files, you can learn about the complementary action: accessing those shared files. Let’s walk through mounting volumes or
browsing for files on each of the major operating system versions,
starting with Mac OS X.
Access Shared Volumes with a Mac
To mount a server from the Finder in Leopard, you can simply select
it from the sidebar’s Shared list. New in Leopard, the Shared section
of the sidebar shows all discoverable servers on the local network—
file servers that use Bonjour (all services shared by Macs) and
NetBIOS (Samba on any platform) to announce their existence.
After you select one of these servers, you can connect to it by clicking
Connect As. Once mounted, connected servers are also shown in that
list. See Mount by browsing for more details.
TIP You can prevent shared and discoverable servers from appearing
in the list: in the Finder choose Finder > Preferences, click the
Sidebar button, and uncheck Connected Servers or Bonjour
Computers.
Tiger & Panther: The following instructions for Leopard are
nearly identical for Tiger (any version) and Panther (10.3.3 and
later) except for the improvements in the network browser and the
Sidebar listing.
Alternately, to mount a server’s volumes, you can choose Go >
Connect to Server (Command-K) to bring up the Connect to Server
dialog. From that dialog, to access a server, you can:
• Choose a recently mounted server: Click the top right button
to pop up a menu to choose from.
• Select a favorite server: Select a server from the list.
• Browse for an AFP or Samba volume: Click the Browse
button, and see Mount by browsing, a few pages later, for more
info.
• Enter an exact server address: Enter a scheme (ftp://
for FTP, http:// for WebDAV, and so on) followed by a server
name or IP number. You enter the server’s address just as you
would in a Web URL. See Table 5 for examples.
• Enter a Samba name: For Samba volumes, you may enter
the Samba scheme and the Samba name of the volume, such as
smb://SHAREDPC.
You can even build a password into the URL in the form:
scheme://user:password@alpha.example.com/path.
Passwords with special characters, like an @, break this method,
however.
After you click Connect, Leopard prompts you for a password as
needed, depending on the protocol.
TIP If you stored your server password in the Keychain, you can
enter just scheme://user@alpha.example.com to mount the
server; Mac OS X will prompt you to use the Keychain password
if you haven’t opened the Keychain earlier in the current session.
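The URL forms above, as an added example that is not from the book: a shell script that finds server URLs with an embedded password in scripts or notes and prints them with the password masked, while accepting the user-only form that relies on the Keychain. It splits at the last @, which is what a password containing @ requires; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: find scheme://user:password@host URLs in files and report
# them with the password masked. Function names are assumptions.

# redact_mount_url URL
# If URL carries a password, print it with the password replaced by ***
# and return 0. Return 1 for URLs without a password, including the
# scheme://user@host form that relies on the Keychain.
redact_mount_url() {
    url=$1
    case $url in *://*) ;; *) return 1 ;; esac
    scheme=${url%%://*}
    rest=${url#*://}
    authority=${rest%%/*}             # everything before the first "/"
    case $rest in */*) path=/${rest#*/} ;; *) path= ;; esac
    case $authority in *@*) ;; *) return 1 ;; esac
    # Split at the LAST "@": a password such as p@ss contains one itself,
    # and splitting at the first would treat "ss@host" as the server name.
    # (A password containing "/" still defeats this split.)
    userinfo=${authority%@*}
    host=${authority##*@}
    case $userinfo in *:*) ;; *) return 1 ;; esac
    user=${userinfo%%:*}
    printf '%s://%s:***@%s%s\n' "$scheme" "$user" "$host" "$path"
}

# scan_for_url_passwords FILE...
# Print "file:line: redacted-url" for each URL with an embedded password,
# using the schemes this book lists for mounting servers (plus https).
# Returns 0 if none were found, 1 otherwise.
scan_for_url_passwords() {
    pat="(afp|ftp|https?|smb|nfs)://[^[:space:]\"']+"
    found=0
    for f in "$@"; do
        grep -n -o -E "$pat" "$f" | (
            hits=0
            while IFS=: read -r n url; do
                if masked=$(redact_mount_url "$url"); then
                    printf '%s:%s: %s\n' "$f" "$n" "$masked"
                    hits=1
                fi
            done
            exit "$hits"
        ) || found=1
    done
    return "$found"
}

# When run as a script, scan the files named on the command line.
[ "$#" -eq 0 ] || scan_for_url_passwords "$@"
```

Any URL it reports can be rewritten in the scheme://user@host form once the password is stored in the Keychain.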
Table 5: Schemes for Mounting Servers
Protocol Type   Scheme Name   Example
AFP             afp://        afp://officeserver.local or afp://afp.example.com
FTP             ftp://        ftp://ftp.example.com/
WebDAV          http://       http://rwgl.foo.com/pages/
Samba           smb://        smb://192.168.1.4/SharedDocs or smb://UNPUNDPC/ShareDocs
NFS             nfs://        nfs://63.211.215.7/usr/www
TIP If you type a host name, Bonjour name, or IP address into the
Server Address field without a scheme and click Connect, Mac
OS X automatically tries to mount via AFP.
TIP Mac OS X has the interesting option of mounting an FTP server in
the Finder, after which you can treat it just like another mounted
volume. In contrast, most FTP client software presents you with a
list of files in a custom window. Use a real FTP program like
Interarchy (http://www.interarchy.com/) or Fetch
(http://fetchsoftworks.com/) instead of Leopard’s built-in
support. Interarchy and Fetch have the added benefit of handling
SFTP (Secure FTP), too.
NOTE Because we’re in the Unix world, once you mount a file server in
Leopard, it has a local path: /Volumes/servername. That path is
available via Terminal and Unix programs. In the Finder, choose
Go > Go to Folder (Command-Shift-G) and enter /Volumes.
Find and use a mounted server
After you mount a volume, you would expect an icon to show up
on the Desktop to represent the volume. But Leopard confounds
our expectations by shipping in its clean installation version without
showing servers on the Desktop! In the Finder, choose Finder >
Preferences, click General, and select the Connected Servers
checkbox.
By default, mounted servers do appear in the Shared list in any
Finder window’s Sidebar. An eject icon appears next to each server
in that list.
Like any other item in the Finder, you can select either the volume
or any folder within it and copy files to and from them, and you can
navigate to items within mounted volumes through any Open or
Save dialog.
(For advice on dismounting a server, see Dismount a Server.)
Make it easy to remount
To make a server volume easily accessible in the future, drag the
server volume, or any folder inside it, to the Finder’s Sidebar under
the Devices section, into the Toolbar, or to the Dock’s right-hand
(if you view the Dock horizontally) or lower (if you view the Dock
vertically) division.
More interestingly, you can also make an alias that points to the
shared volume or a nested folder on the volume, and use the alias to
later remount the volume without re-entering any user information
(assuming you’ve stored your password in the Keychain). To make
the alias, select the volume or a folder within it, and press
Command-Option while dragging the item onto the Desktop or into a
local folder. (You can also choose File > Make Alias [Command-L], but
that creates the alias at the same level as the item instead of in a
new location you choose.)
TIP You can add aliases of server volumes to the Login Items
pane in the Accounts system preferences to mount servers
automatically at startup.
If you change your network settings or move to another network, the
alias may fail, prompting an error and giving you a chance to cancel
or delete the alias. (The third option, to fix the alias, doesn’t work
without mounting the original volume again.)
TIP Reader Hans M. Aus discovered that having an identically named
AppleTalk zone and a Samba workgroup prevented him from
seeing AFP volumes reliably. The zones would come and go for
no reason, rendering the server volumes intermittently
accessible. The problem disappeared when his system
administrator gave the zones unique names—they had
previously been identical except for capitalization.
Mount by browsing
The network browser in Leopard is enormously improved, now
appearing as the Shared list in the Sidebar. The new browser offers
a much better view into which servers are available on the network,
identifying them more clearly as Samba or AFP, and showing each
available volume. In many cases, the Tiger network browser (a
separate Network icon) showed no results, even when servers were
available on the network; in the same situation, in my testing,
Leopard displays the details correctly using the Shared list.
To see a server’s volumes, click the server’s name in the Shared list.
The publicly accessible volumes, if any, appear in the main Finder
window. To see volumes that require a password, click the Connect
As button in the window; it appears in various places depending on
the view you’ve chosen. For the column view, it’s below an icon in the
rightmost pane. In icon view, it’s in the upper right of the window.
When you choose Connect As, you’re presented with a normal login
window for that server type, and after you enter your details, you can
choose the volume from a list just as when you connect to a server via
Go > Connect to Server in the Finder (covered earlier in this section).
Stored password skips a step: When you store your password
in the Keychain for accessing a given server, the Connect As button
doesn’t appear; instead, you see a label showing your user name, a
Disconnect button, and a list of available volumes (Figure 15).
FIGURE 15
A connected file server in Leopard shows you the login name, a way
to disconnect, and the available volumes.
After you choose the volume, your Mac mounts it. (See Find and use a
mounted server.)
Connect via Terminal
Terminal offers a host of ways to connect to file servers. If you’re
a Terminal demon (or daemon), try entering man and a command
from Table 6 to read about precisely how the command works.
Table 6: Command-Line Mounting Programs
Command         Volume Type
mount_afp       AFP
mount_ftp       FTP
mount_nfs       NFS
mount_smbfs     SMB
mount_webdav    WebDAV
None of these command-line options make sense unless you spend all
your time in Terminal or are writing scripts that call file services.
If you’re desperate to have AFP volumes on your Desktop that are soft
mounted—that gracefully appear as needed and don’t cause Mac OS X
to complain when they’re not available—you can use the mount_afp
command in the Terminal with the -o automount flag, as in:
mount_afp -o automount "afp://;AUTH=No%20User%20Authent@myserver/guestVolume" /Volumes/guest
Manage passwords with Keychain Access
Any time you check the box for Remember This Password in My Keychain as you mount a file server, Mac OS X stores the password along
with the file server’s location and other attributes in a Keychain entry.
The Keychain is a secure method for keeping account information,
such as a user name and password. For instance, the Keychain can
store a password for a Web site or an AFP file server.
Keychain management takes place in Keychain Access, which you
can find in the Applications/Utilities folder. Apple organizes
the Keychain Access interface by sorting passwords into categories
by server type and allowing you to easily search for any part of a password’s associated data (Figure 16).
FIGURE 16
Keychain helps you find account information by organizing items
into categories. A Search field at the upper right lets you filter when
you have many entries.
Keychain Access provides several key types of information for managing file sharing and related passwords. You can retrieve these kinds of
information within the program:
• View basic info about a server: From the Category list, under
Passwords, select the server type, such as AFP. Then, at the right,
select the server.
• View detailed info about a server, including your password: From the Category list, under Passwords, select the server
type, such as AFP. Then, at the right, double-click the server to
open an info window (Figure 17). To view the password, check
the Show Password box. Leopard prompts you for your account
password or the Keychain password—these are identical unless
you’ve set up a separate Keychain—and then allows you to choose
to avoid entering the password again while in the program. You
can also change the password while you’re editing that field.
FIGURE 17
The Attributes pane of a Keychain Access info window shows basic
information, like the account or user name, and any comments
associated with the entry, which you can modify.
• View still more detailed info and control Keychain password
prompting: From the Category list, under Passwords, select
the server type, such as Application. Then, at the right, double-click
an entry, such as .Mac. Click the Access Control button and select
a radio button to set whether or not you are prompted for the
Keychain password when you need to access that item from the listed
applications (Figure 18). In the figure, you can see that many
different programs want access to a .Mac password!
FIGURE 18
The Access Control pane sets which programs are allowed to use this
Keychain item, and how a user is prompted for an access password when
a legitimate program tries to use the item.
• Delete a stored password: Select it in the Keychain Access
main view and press Delete or choose Edit > Delete.
NOTE You can maintain multiple Keychains, which is an interesting
feature when more than one user of the same machine may
need to access the same servers. You could create a Keychain
to which all users had access and thus avoid having to distribute
passwords.
Access Shared Volumes with Windows
Windows XP and Vista can both connect to Samba, FTP, and
WebDAV servers out of the box. All these servers show up as icons in
the My Network Places dialog. They are not mounted on the Desktop
per se, because Windows doesn’t work that way, but they are available
like any other folder or disk.
Connect via Samba
To connect to a Leopard server via Samba:
1. In any window in Windows, enter the IP address or Samba shared
name of your Leopard server preceded by backslashes, such as
\\foo.example.com\, and press Enter.
2. When prompted, enter a user name and password.
Windows presents the shared folders for that user in a window
(Figure 19).
FIGURE 19
A Leopard server shared via Samba, mounted under Windows XP (top)
and Vista (bottom), and showing available shared folders and printers.
Connect via WebDAV or FTP
To connect to a Leopard volume using WebDAV (Leopard Server
only) or FTP (any version of Leopard) from Windows:
1. If you are using…
• Windows XP: From the Start menu, click My Network Places.
In the My Network Places dialog, click the Add a Network Place
link at the top left.
• Windows Vista: Right-click the Network icon on the Desktop
and select Map Network Drive, and then click Connect to a Web
site.
The Add Network Location wizard launches.
3. Click Next.
4. Click Choose a Custom Network Location, and click Next.
5. Enter the FTP or WebDAV address (Figure 20; the screen is
essentially the same in XP and Vista). Click Next.
FIGURE 20
Enter a WebDAV server address to mount the server in Windows.
6. Uncheck Log On Anonymously, enter the login name in the User
Name field, and click Next.
7. Create a shortcut name, click Next, and click Finish.
8. You should now be prompted to enter a password in the Log On As
screen; enter that password. You can choose to store the password.
Click Log On.
The contents of the volume now appear in a window.
Warning! This is an unsecured connection when used for FTP. If
the WebDAV address starts https://, it’s secured.
If you need help dismounting a server, see the sidebar Dismounting
From Other Operating Systems, a few pages ahead.
DISMOUNT A SERVER
Now that I’ve discussed mounting servers, it’s time to discuss dismounting them. At some point, you will want to remove the server
or servers sitting on your Desktop. Servers can slow your system if
the network is slow or becomes unavailable. You may notice this on a
Mac when a server window’s list of files tries to refresh and produces
a spinning rainbow pointer.
If you dismount servers before putting your computer to sleep,
you can reduce delays at wake-up time when Mac OS X might try
to search for those servers. However, when you shut down your computer, Mac OS X automatically dismounts servers before powering
off. You can also dismount a server from Leopard or Tiger by carrying
out one of the following actions:
• Drag the volume icon on the Desktop, and notice that the Trash
icon on the Dock temporarily changes to an Eject button while you
drag. Then, drop the icon on the Eject button.
• Control-click the volume on the Desktop and choose Eject “Volume
Name” from the contextual menu.
• Select the volume and press Command-E.
• Select the volume and choose File > Eject “Volume Name”.
• In the sidebar, click the Eject button next to the server’s name to
unmount all volumes associated with a server (Leopard only; the
behavior of the Eject button and the sidebar is slightly different in
Tiger).
• Select the volume in any Finder window, and from the pop-up
Action menu (it has a gear icon) at the top of the Finder window,
choose Eject “Volume Name”.
TIP If you don’t change your Finder preferences to display connected
servers on the Desktop, you cannot dismount them using any
method that requires selecting the volume on the Desktop.
Dismounting From Other Operating Systems
Here’s how to dismount servers in a few other common
operating systems:
• Panther: Use all the methods described for Tiger and
Leopard.
• Jaguar: Use all the methods described for Tiger and
Leopard, except those that work exclusively in the sidebar.
• Mac OS 9: Dismount a server by dragging it to the Trash,
selecting it on the Desktop and pressing Command-E, or
Control-clicking it and choosing Eject from the contextual
menu.
• Windows XP: Choose Tools > Disconnect Network Drive
from any window on the Desktop. From the Disconnect
Network Drives dialog box, you can select volumes
to dismount.
• Vista: Unless you have explicitly mounted a drive using
Map Network Drive (right-click Network icon on Desktop),
you cannot unmount it! You have to reboot.
APPENDIX A: SLEEP AND SHARING FILES
In order to be reachable, any computer acting as a file server must
be turned on and not in sleep mode. Although this seems obvious
when stated this plainly, it can cause consternation if you use
ordinary machines on your network as servers, as most of us do.
Several readers of previous editions of this book wrote in with
mysterious problems about servers disappearing, and reappearing
later, which we tracked down to sleep options on the Energy Saver
preference pane.
In sleep mode on a Mac, the processor cycles down and the monitor
switches to a low-power mode. When it’s asleep, the computer will
respond to a key press or mouse click, but network access doesn’t
automatically wake the machine.
NOTE Macs can be woken out of sleep if they receive a “magic packet”
over the network—like a sleeping prince receiving the kiss from
the brave princess that wakes him. But this magic kiss has two
parts:
• First, you must open the Energy Saver preference pane, click
the Options button, and check Wake for Ethernet Network
Administrator Access.
• Second, you need a way to send the magic packet from
another Mac. Unfortunately, Apple doesn’t offer a way to
have one Mac automatically wake another by trying to
connect over the network to a shared volume. But you can
do it manually—use the free Wake550 to wake up a sleeping
remote server from another Mac (http://www.tc.umn.edu/
~olve0003/wake550.html).
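The "magic packet" mentioned in the note above has a simple fixed layout: six 0xFF bytes followed by the sleeping machine's Ethernet (MAC) address repeated 16 times. The Python sketch below is an added example, not code from this book or from Wake550; the sample MAC address, the UDP port, and the function names are assumptions chosen for illustration.

```python
import re
import socket

# Colon- or hyphen-separated pairs (one separator style throughout) or 12 bare hex digits.
_MAC_RE = re.compile(
    r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$"
)
SYNC = b"\xff" * 6   # synchronization stream that opens every magic packet
WOL_PORT = 9         # UDP discard port, a common convention (assumption)


def parse_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of an Ethernet (MAC) address, or raise ValueError."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))


def build_magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC + parse_mac(mac) * 16


def is_magic_packet_for(payload: bytes, mac: str) -> bool:
    """The pattern may sit anywhere in the payload; the sleeping NIC scans for it."""
    return build_magic_packet(mac) in payload


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = WOL_PORT) -> int:
    """Broadcast the packet on the local network; returns the bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    server_mac = "00:1b:63:aa:bb:cc"   # constructed sample address
    pkt = build_magic_packet(server_mac)
    print(len(pkt), pkt[:12].hex())
    send_magic_packet(server_mac)
```

The packet carries no password or other credential, so the only gate on the sleeping Mac is the Energy Saver checkbox described in the first bullet.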
Follow these steps to turn off automatic sleep in Jaguar through
Leopard:
1. Open the Energy Saver preference pane, which displays the Sleep
view.
2. If you are using a laptop, choose Power Adapter from the Settings
For pop-up menu. (In Mac OS X versions prior to Leopard, you
may need to click Show Details first.)
3. Drag the slider under the text “Put the computer to sleep when it
is inactive for” all the way to the right to Never. (Selecting “Put the
hard disk(s) to sleep whenever possible” is fine but will cause an
annoying delay for infrequently used file servers, which must spin
up sleeping drives when you access them.)
NOTE Leopard is the first version of Mac OS X to make the logical leap
and warn you when you enable File Sharing in the Sharing
preference that you might want to change Energy Saver settings
(Figure 21). Nice addition.
FIGURE 21: Nice warning, Apple!
If you want to put your Mac to sleep in the future, choose Sleep from
the Apple menu, or press Control-Eject and either click the Sleep button
or press S. Remember to wake it before using it on the network as a
server again.
ABOUT THIS BOOK
Thank you for purchasing this Take Control book. We hope you find
it both useful and enjoyable to read. We welcome your comments at
tc-comments@tidbits.com. Keep reading in this section to learn more
about the author, the Take Control series, and the publisher.
About the Author
Glenn Fleishman has written for hire
since 1994, starting with Aldus
Magazine. He contributes regularly
to Macworld, the Economist,
Popular Science, the New York
Times, and the Seattle Times. He’s
the Macintosh columnist for the
Seattle Times, and a contributing
editor at TidBITS.
Glenn spends much of his time
writing about wireless networking.
He edits the daily Web log Wi-Fi
Networking News
(http://www.wifinetnews.com/) and
five related wireless blogs.
Glenn lives in Seattle, Washington, with his wife and two sons. His
older boy’s first word was “book,” not “Mac.”
Author’s Acknowledgements
This book has gone through several revisions and three editions,
and I thank many contributors, readers, and colleagues. I would like
to add thanks to Tonya Engst for her almost literal tireless work in
churning through these editions and the details involved. Thanks to
Adam Engst, also, for his help with the media chapter of the book.
The virtual thinness of this edition could not have been accomplished
without Apple having listened to its customers, and fixed numerous
bugs, while filling gaping holes in sharing services. Thanks, Apple!
About the Publisher
Publishers Adam and Tonya Engst have
been publishing Mac-related content
since they first created their online
newsletter, TidBITS, about Macintosh- and Internet-related topics in 1990. TidBITS has been in continuous,
weekly production since then. At the TidBITS Web site you can read
the latest Macintosh news, check out software reviews, find out what’s
fun and interesting in the world of the Mac, and much more
(http://www.tidbits.com/).
Adam and Tonya are known in the
Macintosh world as writers, editors, and
speakers. They are also parents to Tristan,
who thinks ebooks about clipper ships and
castles would be cool.
Production Credits
Link-making AppleScript: Matt Neuburg
List macros: Sharon Zardetto
Take Control logo: Jeff Tolbert
Cover: Adam Engst, Tonya Engst, Sharon Zardetto
Editor in Chief: Tonya Engst
Publisher: Adam Engst
Credit here goes to Adam, for being patient, and to Tristan, for
running the vacuum cleaner. Thank you to Glenn for being easy
to work with, and a big thank you to Chris and Elaine for Friday
October 26th child care. Finally, thanks to Oliver and Amelia for
the promise of pumpkins.
Take Control of Sharing Files in Leopard
ISBN: 1-933671-33-5
October 2007, Version 1.0
Copyright © 2007 Glenn Fleishman. All rights reserved.
TidBITS Publishing Inc.
50 Hickory Road
Ithaca, NY 14850 USA
http://www.takecontrolbooks.com/
TAKE CONTROL books help readers regain a measure of control in an oftentimes out-of-control universe. Take Control books also streamline the publication process so that
information about quickly changing technical topics can be published while it’s still
relevant and accurate.
The electronic version of this book does not use copy protection because copy protection
makes life harder for everyone. So we ask a favor of our readers. If you want to share
your copy of this ebook with a friend, please do so as you would a physical book,
meaning that if your friend uses it regularly, he or she should buy a copy. Your support
makes it possible for future Take Control ebooks to hit the Internet long before you’d
find the same info in a printed book. Plus, if you buy the ebook, you’re entitled to any
free updates that become available.
Although the author and TidBITS Publishing Inc. have made a reasonable effort to
ensure the accuracy of the information herein, they assume no responsibility for errors
or omissions. The information in this book is distributed “As Is,” without warranty of
any kind. Neither TidBITS Publishing Inc. nor the author shall be liable to any person or
entity for any special, indirect, incidental, or consequential damages, including without
limitation lost revenues or lost profits, that may result (or that are alleged to result)
from the use of these materials. In other words, use this information at your own risk.
Many of the designations used to distinguish products and services are claimed as
trademarks or service marks. Any trademarks, service marks, product names, or named
features that appear in this title are assumed to be the property of their respective
owners. All product names and services are used in an editorial fashion only, with no
intention of infringement of the trademark. No such use, or the use of any trade name, is
meant to convey endorsement or other affiliation with this title.
This title is an independent publication, and it has not been authorized, sponsored,
or in any way otherwise approved by Apple Inc. Because of the nature of this title, it
uses terms that are trademarks or registered trademarks of Apple Inc.; to view a
complete list of the trademarks and of the registered trademarks of Apple Inc., visit
http://www.apple.com/legal/trademark/appletmlist.html.