Take Control of Sharing Files in Leopard
by Glenn Fleishman

Table of Contents (1.0)

Read Me First
Introduction
Sharing Files Quick Start
Share Files on the Same Mac
What Is File Sharing?
Reasons for File Sharing
What You Need to Serve Files
Decide on a File-Sharing Method
Avoid File-Sharing Risks
Share Files
Share Digital Media Files
Access Shared Files
Dismount a Server
Appendix A: Sleep and Sharing Files
About This Book

READ ME FIRST

Welcome to Take Control of Sharing Files in Leopard, version 1.0.

This book helps you share documents among computers and over the Internet safely, using the file-sharing options available in Mac OS X 10.5 Leopard. This book was written by Glenn Fleishman, edited by Tonya Engst, and published by TidBITS Publishing Inc.

Copyright © 2007, Glenn Fleishman. All rights reserved.

The price of this ebook is $10. If you want to share it with a friend, please do so as you would a physical book. Click here to give your friend a discount coupon. Discounted classroom copies are also available.

We may offer free minor updates to this book. To read new information or find out about any new versions of this book’s PDF, click the Check for Updates link on the cover. On the resulting Web page, you can also sign up to be notified about updates to the PDF via email. If you own only the print version of the book, contact us at email@example.com to obtain the ebook.

In reading this book, you may get stuck if you don’t know certain basic facts about Mac OS X or if you don’t understand Take Control syntax for things like working with menus or finding items in the Finder. Please note the following:

• Menus: When I describe choosing a command from a menu in the menu bar, I use an abbreviated description. For example, the abbreviated description for the menu command that creates a new folder in the Finder is “File > New Folder.”

• Finding preference panes: I sometimes refer to Mac OS X preferences that you may want to adjust. To change these systemwide settings, open System Preferences by clicking its icon in the Dock or choosing System Preferences from the Apple menu. You access a particular preference pane by way of its icon, or the View menu. For example, to see “the Sharing preference pane,” you would launch System Preferences and then click the Sharing icon or choose View > Sharing.

• Path syntax: I occasionally use a path to show the location of a file or folder. Path text is formatted in bold type. For example, Leopard stores most utilities, such as Terminal, in the Utilities folder. The path to Terminal is: /Applications/Utilities/Terminal. The slash at the start of the path tells you to start from the root level of the disk. You will also encounter paths that begin with ~ (tilde), which is a shortcut for any user’s home directory. For example, if a person with the user name glenn wants to install fonts that only he can access, he would install them in his ~/Library/Fonts folder, which is just another way of writing /Users/glenn/Library/Fonts.

What’s Really Different in This Edition

In updating this book from Tiger to Leopard, I thought that I would make a number of changes along with new screen captures, and that was the case. What I didn’t expect is that Apple would fundamentally change and dramatically improve how it handled file sharing.
That led to a large decrease in the page count of this edition, as workarounds to avoid roadblocks placed by Apple that took 1–10 pages in the Panther and Tiger editions, and often involved editing text configuration files, could simply be removed. Even so, you’ll find this edition just as useful as the previous one. All the utility is still in the book—you should simply have less frustration in achieving the desired results.

As one small example, in previous editions of the book, I had several pages that explained how to enable and control guest (password-free) access to AFP and Samba (Windows-style) file service. In this edition, there’s a brief entry on turning on file sharing for the default Guest account that’s new in Leopard and a look at how to enable or disable broad access to particular folders.

Perversely, Apple did make it harder to modify settings manually for file services. Mac OS X now rewrites underlying configuration files based on settings you choose in the Leopard interface, overwriting any changes you make. In Tiger and earlier releases, configuration files were generally static, and you could edit those files to make changes. With Leopard’s new dynamic files, your options are fewer. As a result, this book focuses on changes you make through the Mac OS X interface instead of in underlying text files.

INTRODUCTION

In the late 1980s, when only a few million academics and governmental types had easy access to a very slow Internet and even most business users couldn’t afford pricey Ethernet gear, we hoi polloi had two ways to share files: sneakernet and snail mail.

The algorithm for sneakernet was to insert a floppy disk, copy files to the floppy, eject the floppy, walk (in sneakers) across the room, insert the floppy, and copy files from the floppy. A little tedious, but it got the job done.

For distances beyond the reach of sneakernet, the algorithm changed.
Instead of walking across the room, you inserted the floppy in a padded envelope and walked it to the post office or called FedEx.

Even today, sneakernet and snail mail are useful for transferring huge quantities of data—imagine the gigabits you can “transmit” when you send a bunch of hard drives by overnight mail or walk a DVD-R across a room—but most people share files through multiple accounts on the same computer, over local area networks comprised of wired Ethernet and wireless Wi-Fi links, or over the Internet using dial-up modems, broadband connections, and high-speed dedicated lines.

In Take Control of Sharing Files in Leopard, I help you identify the right computer setup for exchanging files among users in your situation, with a particular emphasis on users working on networked computers. I focus on Mac OS X 10.5 Leopard as the hub of these activities, but the principles are the same on all platforms, and many specifics are identical or quite similar in Mac OS X 10.4 Tiger. I also explain how to connect to a Mac running Leopard from Windows XP and Vista and from Mac OS X 10.2 through 10.4.

NOTE: To keep this book focused on file sharing, we broke out two related topics into full-length titles of their own:

• Take Control of Users & Accounts in Leopard examines setting up and managing users on a Mac running Leopard.

• Take Control of Permissions in Leopard, expected to be available in 2008, has a more technical focus.

SHARING FILES QUICK START

This book contains many details, not all of which may be relevant to your situation. You do not need to read every word before sharing files, but you should be familiar with the overall process first.

Prepare to share files:

• Before you think about the big world of sharing files on a network, you may wish to review techniques for sharing files among users on a single Macintosh. See Share Files on the Same Mac (p. 6).

• Learn how file sharing is different from using disks to copy files from computer to computer or using email attachments to move files around. See What Is File Sharing? (p. 8).

• Review reasons to share files, and see which match your situation. See Reasons for File Sharing (p. 11).

• Decide on the hardware or online service that you’ll use as your file sharing server; see What You Need to Serve Files (p. 13).

• Determine which file sharing method makes sense for your goals, budget, and expertise. Learn about Apple Filing Protocol, FTP, Pando, and others. See Decide on a File-Sharing Method (p. 19).

• Take steps to manage security risks by becoming informed about what you expose when you share files over the Internet. See Avoid File-Sharing Risks (p. 32).

Start sharing files:

• Decide which folders and volumes to share, set up accounts for users, and choose their access privileges for viewing, storing, and modifying items. Learn about Apple Filing Protocol, Samba, FTP, and Web particulars for sharing files. See Share Files (p. 41).

• Start sharing photos and music from iTunes and iPhoto; see Share Digital Media Files (p. 59).

Access shared files:

• Access shared files from Mac OS 9, Mac OS X, Windows XP, and Windows Vista. See Access Shared Files (p. 69).

SHARE FILES ON THE SAME MAC

Although this book focuses on file sharing across a network, you can share files among users of the same Mac. In Leopard, not all users are created equally nor are all files meant to be equally accessible. Leopard purposely and appropriately restricts one user from viewing or modifying the contents of folders in another user’s directory.

Users can exchange files on the same machine in one of three ways:

• The Shared folder: Located in the Users folder on your startup disk, the Shared folder is set up so that all users who have physical access to the computer and an active account may read and write any files in the Shared folder; this includes the Guest account user, for whom all other files are deleted when they log out. Users can’t overwrite a file created by another user unless the default permissions on the file are changed by either the file’s owner or an administrator. Using the Shared folder is the easiest method when you have just a few users, or all users need the same access.

• Public folders: For a little more control, use the Public folder found in each user’s home directory. For instance, let’s say a home iMac has two accounts for two roommates: one for Bob and another for Stephanie. Of course, when Bob logs in to the machine, Stephanie’s files aren’t accessible through the Finder; Bob sees a locked icon on most folders within her home directory. Bob can, however, copy files into Stephanie’s Public folder’s Drop Box folder, and he can copy files out of her Public folder.

• Shared volume: To avoid issues with permissions that crop up when using either the Shared folder or Public folders, you can instead use a separate volume as the repository for shared files, whether that volume is an internal or external fixed hard drive, a removable cartridge, or a second or subsequent disk partition on the boot drive. Starting in Leopard, volumes other than the startup disk are automatically set for all users to have full read and write access.

However, you can still run into problems with permissions on a shared volume, and Apple retained a setting in Leopard that lets you bypass any difficulties by ignoring permissions:

1. Working in the Finder, select the volume you want to share and choose File > Get Info (Command-I) to open the Info window for the volume.

2. If the Sharing & Permissions section is closed, click its expansion triangle to display the volume’s permissions.

3. If the lock icon (at the lower right) is closed, click it, and then enter an administrative password.

4. Select the Ignore Ownership on This Volume checkbox.

Mac OS X now ignores permissions and ownership for all files placed on the volume.

TIP: For advice and steps relating to sharing iPhoto photos or iTunes music among users on the same Macintosh, see Share Digital Media Files, later in this book. For a detailed explanation of how to set up Shared, Public, and Drop Box folders, and other tips on sharing files among users on the same machine, consult Kirk McElhearn’s Take Control of Users & Accounts in Leopard.

WHAT IS FILE SHARING?

File sharing means storing a set of files on a fileserver, which could be a central computer or a network-attached storage device, and making it possible for any number of people to retrieve those files over any type of computer network, just as if those files were located on their own hard disks (Figure 1).

FIGURE 1: Many different machines can access a file server, whether they’re connected directly via Ethernet, over wireless AirPort (Wi-Fi), or via the Internet.

File sharing differs from emailing a file to a person or a group. When you email a document, the recipients are passive: they check their email routinely, and the document arrives. The burden of distribution falls on you.

File sharing eliminates the necessity of pushing a file to others. You place the file on a server whenever you like, and all the people who need to retrieve it can do so whenever they like without coordination. The burden of distribution falls on the recipients, who choose the time and method by which they retrieve the file.

NOTE: If the word server makes you think of large computers in closets, think again. In fact, a server is just a program running on a computer.
A server allows other computers to connect to it for a particular task. When I talk about a server, I always mean a server program running on any computer. Leopard has literally dozens of server programs available, and several relate to sharing (or serving) files.

File sharing also solves the problem of coordinating a group of people working together on a document. If you don’t use file sharing and simply send a draft via email, each recipient must work on her own copy; when you receive the files back, you must merge all the comments and changes. With appropriate coordination using file sharing, the shared file can be a single master copy, eliminating the need for manual incorporation of changes.

A few methods of file sharing go even further to enhance collaboration, either allowing people to check files out from a repository and locking them against other users’ modifications, or storing multiple older copies of a document, which lets you compare the current draft against older ones or restore an older copy.

With file sharing set up, users gain access to files in two basic ways:

• Password-protected access: In this method, a user has a named account that is secured with a password. The user logs in through some interface to the server program, generally a dialog with empty fields for those two details. After authenticating, or providing a user name and password, the user has access to the shared files. You can set up one account (one user name and password) for an entire group of users, or you can set up multiple accounts with one assigned for each user or purpose.

Sharing Only account: Leopard lets you set up two kinds of password-protected user accounts: a user account, which provides access to log in to Mac OS X; and a Sharing Only account, which is limited to logging in to share files. Previous versions of Mac OS X required third-party software to create sharing-only users.

• Anonymous guest access: Users typically may log in without providing a user name or password: no details are required, or, if they are required, users may enter anything they want. Their identity is not confirmed. With guest access, anyone who can see your server on the network and usually on the Internet can access the server. In some situations, guest access may require the guest to know just a special account name, like guest or anonymous, with either no password, a password of guest, or an email address that isn’t checked as to whether it’s legitimate or not.

Guest account: In Leopard, Apple added a password-free Guest account. A user logged into the Guest account can use the Mac and share files (separate options that can either or both be turned on). With sharing turned on for the Guest account, anyone can access files via AppleTalk or Samba without first entering a password. The Guest account requires almost no configuration, compared to the elaborate set of workarounds needed in Tiger and earlier versions of Mac OS X.

REASONS FOR FILE SHARING

Now that you know the basics of what file sharing is and the advantages it offers, you can start taking control of sharing files by considering what you want to accomplish by sharing files, and with whom you need to exchange files. In this section, I break out reasons for file sharing into a few large categories.

NOTE: Knowing what you want to accomplish may help you determine what hardware or bandwidth you need, covered in What You Need to Serve Files. Also, it may influence your choice of a file-sharing technique, discussed in Decide on a File-Sharing Method.

Coordinate Group Projects

When you and at least one other person need to collaborate on a common set of files, you can set up a central location to store the files. Optionally, this central location can track whether a file has been checked out for use.

NOTE: Almost always, a file server helps reduce the time, cost, and effort needed for routine exchanges. For one-off exchanges, you might be better served by sending or receiving files via techniques not covered in this book, such as email, iChat file transfer, writable DVD, or USB memory drive.

Create a Central Archive

Many groups have a common set of files that grows over time, but these files are rarely changed once they are added. In this case, many people may need to add to the archive without needing permission to delete or re-organize files, while many of the same or an entirely different set of people may need access to read the archive.

Avoid Relying on Email

Even if you’re just trying to exchange one file with one other person, a file server can help you step around the problems of Internet email in the modern age. For instance, because of viruses and worms, many companies and some ISPs ban all or certain kinds of attachments, even from or to Mac users who can’t be infected but can accidentally transmit attacks by forwarding attachments.

In other cases, you or your recipient might not be able to receive attachments larger than a certain size—typically 2 MB to 10 MB, depending on the ISP—or might pay extra to store a mailbox with a large attachment. And for people behind relatively slow Internet connections, being able to choose when to start long downloads rather than having them delay other email is a boon.

In any of these circumstances, a file server can help you and your users bypass the hassle of email.

Distribute by Download

File sharing includes simple downloads: perhaps you need to distribute a software product, a book in electronic form, or other data to a large group of people. That group could include users with accounts and passwords on the file server, or anyone at all.
You have the greatest number of options for what method or service you choose to share files when you have no restrictions on who may obtain the file and you require no passwords.

Share Media Files

File sharing is useful even to consumers with a couple of Macs at home. Many people want to share a collection of music or photos among a few computers; all that’s necessary is to set up file sharing and to configure iTunes and iPhoto properly, or—if appropriate—to use the built-in sharing features in these programs. See Share Digital Media Files to learn more.

WHAT YOU NEED TO SERVE FILES

Once you have a clear idea of what you want to achieve with file sharing, it’s time to think about the hardware or hosting components necessary for file sharing. Any Mac running Jaguar through Leopard (or even older operating systems) can act as a file server; along with the server, you’ll need a network connection, and the faster the better. But you may be better off putting your files on a file-sharing network drive or on an Internet-based host.

In this section, I first make recommendations for the best ways to set up a Macintosh or network drive as a file server. Then, I help you consider the best ways to network those devices to help any remote users access files via the Internet at a comfortable speed. After that, I look at Internet-based hosts that offer file-sharing services, since that option may be the best one for you.

Macintosh on Your Network

File sharing imposes little computational load on a computer: dozens of people could be transferring files actively on a Power Mac G4 from 2002 or later that you’re simultaneously using as your primary work machine and you would hardly notice the effect on your work, assuming you had enough RAM.

Here are some suggestions for maximizing a Mac’s performance as a file server:

• Add more RAM: In the olden days—as recently as 2 years ago—Macs appropriate for file serving came with inadequate amounts of RAM.
Now, all desktop Macs come with 1 gigabyte (GB) of RAM. For best performance from an older machine, I recommend at least a gigabyte of RAM, or the Mac’s greatest possible amount of RAM if it can’t take a gigabyte.

• Upgrade network switches and adapters: If you’re using a Macintosh sold in the last few years, it’s likely that the computer includes gigabit Ethernet (1,000 Mbps) support. You have at least 100 Mbps Ethernet in any Mac sold in the last decade. Gigabit Ethernet switches, which create effectively a separate connection between any two connected computers, cost as little as $30. Upgrading an old 10/100 Mbps Ethernet hub to a 10/100/1,000 Mbps Ethernet switch will dramatically increase speeds.

• Add faster drives: Once you’ve moved to 100 Mbps or gigabit Ethernet, if you find that data transfers from the file server’s hard drive to the network rather slowly, your weak link may be the hard drive. Internal hard drives sold with computers may operate at 5,400 revolutions per minute (rpm) or even slower; 7,200 is now standard, and the speed matters when a lot of drive access is at stake. If you’re using an external drive, you might move from USB 2.0 or FireWire 400 up to a FireWire 800 drive; as its name implies, it has 800 Mbps of raw transfer speed available. For gigabit Ethernet networks, you may notice a real difference, but other factors can intrude. Look for reviews or make sure you can return a drive if it doesn’t improve performance.

Alternatively, you could simply buy a new Mac mini. A mini without a monitor makes a great and cheap server, with gigabit Ethernet thrown in for fast network access. For as little as $599 for a 1 GB system with an 80 GB hard drive (at this writing), you have a network powerhouse.

Hard Drive on Your Network (NAS)

In some cases, instead of using a Macintosh as a file server, you might connect a NAS (network attached storage) device to your network via Wi-Fi or Ethernet, so that it can handle file sharing and store files. A NAS device has no monitor or keyboard connectors, and you configure it via special software or a Web interface. Two examples of NAS setups are:

• As of the model released in February 2007, Apple’s AirPort Extreme Base Station ($180) can accept one or more USB hard drives and share them across a wireless and wired network, and make them reachable over the Internet.

• Some NAS systems support Apple Filing Protocol (AFP), Apple’s built-in file-sharing method (see AFP). This includes LaCie’s Ethernet Disk Mini with gigabit Ethernet (http://www.lacie.com/, $210 for 250 GB to $300 for 500 GB).

If you go the NAS route, I recommend that you read reviews and check specifications first, since performance can vary significantly. The Apple base station, for instance, can be incredibly slow when copying hundreds or thousands of tiny files, like small HTML files and images for a Web site. For a smaller number of files or larger files, it’s still about one-third USB 2.0 speed.

Higher Internet Throughput

For a local file server, speeds under several megabits per second (Mbps) will seem glacial, and I recommend a minimum of 100 Mbps. Over the Internet, where upload speeds—outbound speeds from a file server to someone else—tend to range from just 256 kilobits per second (Kbps) to 768 Kbps, a slow file server’s low local network speed will be hidden by the much lower rate available over the Internet.

If you want to increase data transfer speeds from a Macintosh or drive on your local network to someone at a remote location on the Internet, you have a few options:

• Get more bandwidth: Depending on your location, a connection with upstream speeds higher than 768 Kbps can cost from $30–$200 per month—typically higher if your ISP requires that you have a business account in order to run a server over your connection. As noted above, most broadband connections have very slow upstream speeds; you almost certainly need to get a special business-grade account to get acceptable outbound data transfer from the file server to the Internet, even if download speeds are several Mbps with cheaper offerings. See the sidebar Issues with Sharing Files Out to the Internet, next page, for more details.

Warning! Most broadband providers specifically prohibit file sharing and all other kinds of servers unless you pay for a higher tier of service. Turning a server on could get you booted by your provider.

• Use Pando to distribute files: If your task is to push out files rather than have distributed access for a workgroup or storage for yourself, consider Pando (http://www.pando.com/). Pando lets you send an unlimited number of collections of files to other people at no cost, as long as the total size of each collection is under 1 GB. It uses a distributed, peer-to-peer method that combines its own servers with your computer and the computers of anyone else receiving the files. This means you can have a low-speed connection and still push files out to others at high data rates. Larger collections and other options are available with paid service. See Pando, ahead, for more details.

• Abandon the idea of running a local file server and instead store files at an Internet-based host, as I discuss on the next page.

Issues with Sharing Files Out to the Internet

Many consumer ISPs restrict how their customers share files over the Internet: first, by assigning you a dynamic IP address that can change and thus prevent users from connecting to your server; and second, by hiding your computer or computers behind a network address translation (NAT) gateway. NAT provides passive firewall protection, but it also can prevent Internet users from accessing your server.

Typically, home accounts from DSL and cable services suffer from one or both of these limitations. (You can have problems with NAT even if your ISP doesn’t use it: wireless and wired broadband gateways use NAT to share an incoming connection among several computers.)

To serve files easily and effectively, you may have to upgrade your Internet service or purchase a business-grade Internet connection with public, static IP addresses.

If you can’t avoid a dynamic IP address, you can work around it with dynamic DNS; find out more at http://www.dyndns.org/services/dyndns/.

If you use a NAT gateway, you may have to configure it to allow pass-through port-based access to your server (also called portmapping); see the manual for your gateway to learn how to set up this feature. If you use an AirPort Extreme Base Station sold in 2007 or later, see Take Control of Your 802.11n AirPort Extreme Base Station.

Internet-Based Host

If you find the rates for a high-speed upstream connection to be too high, or you can’t get the bandwidth you need, consider using a centrally hosted file repository on the Internet instead.

• .Mac: If you’re already a .Mac subscriber or want to pony up $100 per year, you have access to an iDisk—nearly all of the 10 GB allotted to each account—available on high-speed Internet lines that you can use for sharing files via WebDAV or via the Web (Web access is for download only).
The iDisk servers can be slow and wonky when used via WebDAV, though they’re usually fine for downloading files via a Web browser. For an extra $50 per year, you can increase your storage to 20 GB, or 30 GB for $100 per year. Learn more in iDisk, ahead, or at http://www.mac.com/.

• Amazon Simple Storage Solution: Amazon may be best known for books, but they also operate massive worldwide data centers (http://www.amazon.com/s3). They have made storage available as one of several kinds of services, which currently also includes an in-beta virtual computing cloud. The company charges 15 cents per GB stored per month (prorated for portions of a month), 10 cents for each GB transferred in, and 18 cents for each GB transferred out. (Rates drop at above 10 terabytes of data each month transferred out.) Although they don’t have features designed for workgroups, it’s a relatively cheap way to archive and pass around files while paying only for what you use. S3 can expose files for download via a Web server, and the Interarchy file transfer software can handle moving files in and out of S3, too (http://nolobe.com/interarchy/).

Care who can share: Make sure that you and the people with whom you’re sharing files have access to the right combination of file-sharing clients and technical support for that software before committing to a monthly service charge.

NOTE: PERSONAL CASE STUDY

In 2003, I released a free version of a book on Adobe GoLive 6 that Jeff Carlson and I co-authored and nearly ran up a bill of $15,000 when 10,000 people downloaded the 20 MB PDF file in a matter of hours. The fee was due to the hosting company’s rate for sustained transfers: hit a certain mark, and the price jumped from $2,000 per month to $15,000. Fortunately, I fell just shy.

In contrast, in 2007, Adam Engst and I released a free version of The Wireless Networking Starter Kit, 2nd edition, our 2004 take on Wi-Fi for the home and small office.
I hosted the 14 MB file on Amazon S3 for high availability and predictable pricing. Within a few days, about 6,000 people had downloaded the PDF—and the cost was just over $10. (You can read the full account at TidBITS: http://db.tidbits.com/article/9226.)

• Web host: Most Web hosts offer 1 GB to 100 GB of combined email storage and Web for rates as low as $10 per month. They often provide multiple logins or email addresses with the same account. If you’re working with a trusted group, you can provide this login information to the other members and use your Web or other storage allotment as your file service. (This probably limits you to FTP and possibly WebDAV for file transfer.)

• Other hosts: There are other options, such as Xdrive (5 GB at no cost), but none are tailored to Mac users. Mac.com has emerged as the most reasonably priced Mac-oriented choice.

TIP: AROUND THE CLOCK SUPPORT

Another reason why you might decide to go with an Internet-based host is that many hosts offer support around the clock, seven days a week. If you don’t relish the idea of going to work at strange hours because users can’t access a crashed server, you may prefer to outsource that activity to a large firm that specializes in keeping servers running day and night.

DECIDE ON A FILE-SHARING METHOD

In this section I help you learn more about the file-sharing methods and determine the one that is most appropriate for your needs. You can divide networked file sharing into roughly four categories:

• File services built into major operating system platforms, such as Mac OS and Windows. You can find more details about file services in AFP, SMB or Samba, and NFS.

• FTP (File Transfer Protocol), a universally supported method of exchanging files that dates back to the Internet’s earliest days.

• Web downloads (and uploads!).

• Proprietary methods that require a subscription or special client and server software not included with any operating system.
Methods noted in this book are iDisk, Timbuktu Pro, and Pando.

Table 1 presents a quick overview of these file-sharing methods.

Table 1: Pros and Cons of File-Sharing Methods for Leopard Users

Method: AFP
Pros:
• Found on all Macs.
• Free.
• Works over Internet.
Cons:
• No longer any support for Windows access.

Method: SMB or Samba
Pros:
• Found on all Windows systems.
• Supported under Mac OS X.
• Best common method.
• Free.
Cons:
• Some file name limitations.
• For security reasons, not well suited for Internet-based file sharing.

Method: FTP
Pros:
• Universally supported.
• Plain, simple options.
• Free.
Cons:
• Tracking files accurately by date modified and performing certain folder organizations is tricky or impossible.
• Insecure in default setup of built-in server; strange firewall problems can occur.

Method: NFS
Pros:
• Ideal for creating a shared pool of network storage that’s always available.
• Free.
Cons:
• Limited security options.
• Requires arcane knowledge to set up.

Method: Web
Pros:
• Easy access via standard Web browsers.
• Free.
Cons:
• Can’t upload to directories without extra server programming.
• Requires effort to make a list of files available.
• Requires complex editing of text configuration files to add directories.

Method: WebDAV inside a Web server
Pros:
• Check in/out option for project management.
• Firewalls don’t interfere.
Cons:
• WebDAV software sometimes slow and funky.
• Making changes requires hand editing arcane configuration files.

Method: iDisk
Pros:
• Internet-based storage with high bandwidth.
• Mac OS X Finder, Windows 98 and later have built-in client capabilities.
• Highly integrated with the Finder in Mac OS X.
Cons:
• Requires paid yearly .Mac membership to store files.

Method: Timbuktu Pro
Pros:
• Offers file exchange, remote control, encrypted transport, intercom, and other advanced features.
Cons:
• Expensive per-user licenses.
• Setup baffling for new users.
• File exchange dialog reminiscent of early bad Windows releases.

Method: Pando
Pros:
• Simple way to distribute files to one or more people that are ephemeral in their need for availability.
• Free for sets of files up to 1 GB per distribution.
Cons:
• No central storage.
• Fees for longer persistence, large files.
• Still in beta at this writing.
• Limits on data persistence.
• No organization for listing files.
• Requires separate, free program.

File Services

The easiest way to share files is to use a file service such as AFP or Samba. File services all require a pair of programs: a server that makes the files available, and a client that transfers those files to and from the server. File-service connections are persistent, usually manifesting themselves as icons on users’ Desktops that look and work like normal disks, as long as a user has the server mounted. Putting a machine to sleep or switching network connections can sever the server connection.

File services are primarily used to let people with accounts and passwords gain access to a specific set of files. However, file services can also give access to guest users, users who haven’t been given an account on the server machine. Typically, guest users have very little leeway in which files they can access and where they can upload files while registered users have many more options.

File-service types include Apple’s Apple Filing Protocol (AFP), Microsoft’s SMB (commonly known as Samba in the wider world), and the Unix NFS. Before 2001, each platform could mount only file servers that used its own format, unless you used expensive or complicated add-on software. However, changes in standard versions of Mac OS, Windows, and several Unix variants now make it much simpler for a client to mount a file server from a different platform (Table 2).

TIP: Each platform listed in Table 2 has a slightly different idea of what characters in a filename are legal, or allowed, and how long a name can be.
Some servers will reject files that have names they don’t like; some treat upper- and lower-case letters in names differently; others rewrite the name, which can break links among files.

Table 2: File Sharing Compatibility at a Glance

| Client Platform | Connects to Windows XP File Server | Connects to Mac OS 9 File Server | Connects to Mac OS X File Server | Connects to Unix File Server* |
|---|---|---|---|---|
| Mac OS X 10.2–10.5 | Yes (Samba) | Yes (AFP) | Yes (AFP) | Yes (NFS) |
| Windows XP, Vista | Yes | No | Yes (Samba) | Server needs Samba installed and activated. |
| Linux | Requires Samba client. | Requires netatalk. | Several methods; see Access Shared Files. | Various |

* Most modern Unix systems either come with Samba and the netatalk (AppleTalk/AFP) software installed or support later installation. Both packages are free.

AFP

AFP (Apple Filing Protocol, but once known as AppleShare) was Apple’s first method of sharing files, and it dates back to their earliest operating systems. Until Mac OS 9.0, AFP required an AppleTalk network, Apple’s not-quite-proprietary networking standard. In Mac OS 9, Apple began supporting AppleShare-over-IP (Internet Protocol), making it possible to connect to AFP file servers whether they were on a local Ethernet, across a campus or corporate network that didn’t support AppleTalk networking, or anywhere on the Internet. Windows and Unix systems can support AFP through software add-ons.

AFP servers are most appropriate for a group of Macs, and AFP is the most common method by which Mac users exchange files. However, if you need to include a Windows computer in your file-sharing setup, you should use Samba: because Samba is now so widely supported, the only lingering method for connecting a Windows computer as an AFP client to an AFP server—a commercial software package called PC MacLAN—is no longer sold.

NOTE What’s the difference between AppleTalk and AFP? AppleTalk is the networking protocol that exchanges data.
AFP is the method by which servers are mounted and files are exchanged. Before AppleShare-over-IP, all AFP servers worked only on AppleTalk networks. Now AppleTalk is rare, and AFP works over any IP network. Starting in Tiger, Apple no longer uses AppleTalk for sharing AFP volumes over local networks, but you can turn AppleTalk on to make Tiger and Leopard volumes visible to older computers.

To set up AFP: skip ahead to Set Up File Sharing. Also note that Share with AFP discusses how to turn on AppleTalk so that Macs running Mac OS 9 and Mac OS X up through 10.3 can connect to your Leopard-based AFP service.

SMB or Samba

SMB (Server Message Block) is thought of as a Microsoft file-sharing method because the company developed it and it’s still the primary way to connect to file servers under Windows. But it’s now more widespread: Apple built in support starting in Mac OS X 10.1, and many Unix flavors handle Samba out of the box. SMB is called “Samba” outside of Microsoft, and it is sometimes referred to as CIFS (Common Internet File System), a more inclusive protocol.

Samba is the most sensible choice for a group of Windows users, but it’s also become the lingua franca option for mixed workgroups of Mac OS X, Windows, and Unix users since it’s the least expensive option—free, usually—for the widest platform support.

TIP If you need a greater level of integration with a Windows-oriented network and servers than file sharing alone, turn to Thursby Systems’ DAVE, designed to give Macs full parity with Windows systems on such networks (http://www.thursby.com/products/dave.html).

To set up Samba: skip ahead to Set Up File Sharing. However, you may wish to read Share with Samba first, in order to have a better overview of some configuration details.

FTP

FTP (File Transfer Protocol) is an old-fashioned, bare-bones method of transferring files over the Internet.
Typically, users connect to an FTP server with special client software that allows them to browse directories and upload or download files, as well as delete files and folders. The advantage of FTP is its universality, and for many purposes, especially when you have a disparate group of people who need to retrieve files, FTP may be the simplest way to handle it.

An FTP connection can persist across several file transfers or other operations, but it can also open and close for a single file. However, most FTP clients quietly reconnect using the user name and password that a user previously entered or stored in the Keychain on Mac OS X, or within a given FTP client under Windows or Unix, as long as the user keeps a window open or the FTP server mounted. The opening and closing of the FTP connection is kept transparent to users, even when many sessions are involved.

FTP provides a lot of flexibility in who gets access to what. For instance, here are a few common FTP setups:

• Write-only directories set up as in-boxes, such that files can only be uploaded to them—remote users can’t view the contents of that directory or download files from it.
• Read-only directories from which files may only be downloaded.
• Password-protected accounts that give particular individuals full read/write access to an entire computer—or just to a folder above which they can’t navigate.
• Anonymous FTP, in which anyone can access specified files or folders without a user name and password.

Using FTP securely

You can also enable secure access between an FTP client and server with SFTP (Secure FTP), FTP over SSH, or FTPS (FTP over SSL/TLS). All these methods encrypt FTP sessions so that the content of the sessions is entirely protected from other users on the same network, whether the content is at the client, server, or any point in between.
The three encrypted methods work as follows:

• Secure FTP (SFTP): Using the Secure Shell (SSH) protocol, SFTP requires an SFTP server on the other end to make a connection from an SFTP client. Popular FTP client programs, such as Interarchy or Fetch, can create an SFTP connection.

Although you turn on Apple’s version of SFTP in the Sharing preference pane, you don’t use the File Sharing related controls—the Shared Folders or Users lists in that pane—to control access. Rather, Apple’s SFTP allows any user defined as a full account in the Accounts preference pane to log in and access all files and folders to which they have read access on all mounted hard drives. However, you can restrict remote access to a subset of users.

• FTPS-over-SSL/TLS (FTP over Secure Sockets Layer/Transport Layer Security): With FTP-over-SSL/TLS, you use an FTP server that has an SSL/TLS certificate installed. This certificate validates the server’s identity, and information from the certificate is then used to create an encrypted tunnel directly between the client and the server. The advantage of this method is that, unlike SFTP, the user can verify the identity of the server through its unique certificate. (This process is nearly identical to how a browser makes a secure SSL/TLS connection for bank and ecommerce sites.) FTP-over-SSL/TLS is tricky to configure and isn’t supported in every FTP client.

To decide between SFTP and FTP-SSL/TLS, you’ll need to consider simplicity. SFTP is much simpler to set up and more widely supported in FTP software. FTP-over-SSL/TLS has the advantage of providing more explicit security by allowing a clearer confirmation of the identity of the remote server. That’s an issue for very few people.

You can’t set up this security method using the built-in options in Leopard. However, PureFTPd Manager, described in Share with FTP and SFTP, offers some very straightforward tools to enable FTP-over-SSL/TLS.
• FTP over SSH: This older option uses an SSH connection to send an FTP user name and password, but all FTP data is sent separately in the clear. It often works when SFTP isn’t available, and it’s better than not securing a connection at all. This method is not available in Leopard without tweaky configuration, and I don’t recommend using it.

Using FTP Securely with Leopard

In previous editions of the book, I suggested staying far, far away from Apple’s built-in FTP service because it was implemented in a weak fashion that was hard to fathom, hard to use, and hard to configure. In Leopard, it’s much, much better.

I was more positive about Secure FTP (SFTP); SFTP is unchanged from the previous release, and may be a better choice than FTP.

FTP and SFTP each has its own set of tradeoffs when used in Leopard. See Table 3 for the rundown for why you might choose one or the other to share files over FTP, or even use both for different purposes.

Table 3: Tradeoffs between FTP and Secure FTP

| Feature | Plain FTP | Secure FTP (SFTP) |
|---|---|---|
| Security | Unencrypted | Encrypted using SSH |
| Recommended connections | Local, trusted network only; remote access safe only when used in conjunction with a virtual private network (VPN) connection | On any network, trusted or untrusted, due to strong encryption |
| Accounts | User accounts and Sharing Only accounts can access files via FTP | Only user accounts can access files with SFTP |
| What users have access to | Only volumes defined in the Shared Folders list in Sharing preferences pane that a user account has been granted specific access to. | All folders on all mounted drives to which a user has at least read-only access, which is typically everything but other users’ Home folders and their contents |
| Set permissions | Through the Shared Folders and Users lists that you can configure for File Sharing in the Sharing preferences pane | Through the Finder’s Info window’s Permissions area or via the command line |
| Client limits | Any FTP client | Most FTP clients released or updated since 2006 |

What to do next: Turn on FTP or SFTP by following the steps in Set Up File Sharing, or learn more configuration details in Share with FTP and SFTP.

NFS

The Unix way of sharing files is through NFS (Network File System). Because Mac OS X is based on Unix, with a little prodding you can make Leopard talk to and listen to its Unix siblings.

NFS is a good choice in very limited circumstances for sharing files persistently among Unix systems. NFS can also be used for stateless connections, in which the network connection can disappear or change without the client computer balking with an error message or an endless, spinning beach-ball pointer.

NFS is a highly insecure protocol in its nature, as it doesn’t require a user name and password, but instead confirms the identity of the user trying to access it by looking at the user’s IP address and the account name on the machine the user is connecting from. Because of this insecurity, it’s critical that you don’t share via NFS unless you think it’s especially worthwhile for a particular purpose, you use a firewall to control access, and you completely understand what you’re getting into.

Often, you use NFS when you’re in a pinch, and the Unix box you need to move files to doesn’t have shared directories or lacks a static IP address and Samba or netatalk support (see Access Shared Files). Or, you use NFS when you are treating part of a hard disk of one machine as a shared resource that another machine always needs access to.
NFS is a more reliable way to have a distributed network file system than mounting a server through the Finder.

Warning! Because of the low-level configuration needed to set up NFS and its lack of inherent security, I don’t recommend you use it, nor do I explain how to set it up. It’s just too risky unless you’re a Unix system administrator.

Web

Many people don’t think of the Web as a way to share files. But every time you visit a Web page, you’re downloading several files: an HTML file that contains the page, image files that the page references, and often audio or media files. You might use the Web to make files available to others as basic downloads, or you might use WebDAV (Web-based Distributed Authoring and Versioning) technology to handle version control for a group of shared files.

Basic downloads

It’s usually quite simple to place a file on a Web server and allow others to download that file directly instead of relying on an often-difficult-to-configure FTP server. A Web download is most appropriate if you’re publishing files to an audience of one or more. The Web is also a great way to share files with others without providing them with a user account.

Turn it on: Find out how to turn on Web sharing using Leopard’s built-in Web server in Set Up File Sharing and get more information in Share Files over the Web.

WebDAV inside a Web server

You can also upload files to a Web server that has WebDAV enabled (http://webdav.org/). WebDAV lets a normal Web server act as a file server with user accounts. Apple offers built-in WebDAV client support in the Mac OS X Finder, as does Microsoft in Windows 98 through XP through its Web Folders feature, and in Windows Vista using Add Network Location (found in the Network dialog box).
With the proper client software, WebDAV lets you lock a file on a Web server when a user retrieves it so that, for instance, everyone working on a single set of live files knows who has the live version and—most importantly—two users cannot accidentally work on the same file at the same time.

Unfortunately, locking isn’t a readily accessible feature. You can lock and unlock files with Adobe GoLive’s WebDAV synchronization window for Web site file management, but locks can’t be managed in the Finder or any FTP program I’m aware of. Mac OS X Server 10.2 through 10.5 includes WebDAV as an option you can turn on with a checkbox.

Because many companies lock down access to Internet services on unusual ports, WebDAV also has the advantage (and disadvantage) of being a back door: you can often use WebDAV—which works over the standard port 80 for Web servers—where other file services would be unavailable. (Some companies use very smart firewalls that can restrict the kinds of traffic allowed over a given port, which removes this as an option.)

WebDAV is transaction-based, so users needn’t worry about entering a password repeatedly to use WebDAV over a period of hours or days. As long as a user leaves a server window open in a client or leaves a WebDAV server mounted in the Finder, the reconnection happens silently.

Proprietary and Unusual File Sharing Tools

Although the three common categories already covered—file services, FTP, and Web—handle the main ways by which you may offer files to others or retrieve them from servers, other techniques might be superior, depending on your circumstances.

iDisk

Apple’s iDisk, part of the .Mac service (http://www.mac.com/, $100 per year) is a hybrid offering.
iDisk offers 10 GB (included) to 30 GB (at extra cost) of Internet file storage and 100 GB to 300 GB of monthly data transfer—inbound and outbound—that can be accessed in three ways:

• In the Finder, choose Go > iDisk > My iDisk (Command-Shift-I)
• On the Desktop, as a WebDAV server (Mac OS X and Windows)
• Over the Web itself using a .Mac Web site

On an iDisk, you have only a single Public folder, which can be password protected and to which others with WebDAV or iDisk software can copy files if you enable read/write access. For the purposes of file sharing, you can think of an iDisk as a WebDAV server.

Timbuktu Pro

This software package from Motorola’s Netopia division not only lets you exchange files among Windows and Mac OS systems, but also allows screen sharing for remote control, dial-in access, and a host of other tools. As I finish this manuscript in October 2007, the latest version, Timbuktu Pro 8, includes encrypted connections and compression using SSH, and it supports remote connections behind network gateways using technology from Skype. Some organizations have standardized on Timbuktu. My experience with Timbuktu is that it does very well with exchanging large files, but less well with exchanging large numbers of small files (http://www.netopia.com/).

Although I am sure Netopia will release a software upgrade to Timbuktu Pro to make it fully Leopard compatible, I experienced only minor cosmetic problems when I tested Timbuktu Pro 8.6 with a beta version of Leopard.

Pando

Pando is a simple way to distribute files to many people without maintaining central storage yourself. To use Pando, you download their program (also called Pando), which is available at no cost for Mac OS X and Windows, so long as you want to transfer file packages under 1 GB in size (for a fee, you can send file packages as large as 50 GB). You can use the Pando program to upload file packages to Pando’s central servers.
You distribute an uploaded file package by having Pando send each recipient an email message containing a link to the package, or you copy a link provided by Pando and send the link to each recipient. The unique part of Pando’s system is that both you and each person who downloads the package become part of a peer-to-peer file-server network for that package (as long as your and their copies of Pando are running).

Pando doesn’t let you create a directory and upload files to such a directory, and in Pando it can be complicated to distribute or pass around many files. Still, for large downloads, Pando could be ideal for many users.

In collaborating on this book, I used Pando to send and receive files—typically around 5 MB in size—from my editor and we found it convenient, but we also found it best in some time-sensitive situations to send an extra copy via different means, because occasionally Pando wouldn’t work properly. Pando will almost certainly need to be updated for Leopard.

AVOID FILE-SHARING RISKS

Before you dig into the details of how to share your files, you should consider the risks of file sharing and possibly take action to avoid them. And, no, I’m not talking about storm troopers of the Recording Industry Association of America bursting into your bedroom—that’s only a concern if you’re using peer-to-peer file-sharing networks to share works that aren’t licensed for that kind of sharing.

Rather, you risk having unintended others accessing your files or abusing your storage space. This can happen even if you share files only over your local network; unless you set up a firewall or other protection, you may unintentionally leave your files available to outsiders. It can also happen if you don’t carefully protect your passwords while you work on insecure networks: your file servers could be hijacked using your own accounts.

TIP The RIAA would like you to believe that sharing any music is illegal. Not so.
Some music is licensed under broad terms that encourage sharing, such as forms of the Creative Commons license, a standard set of copyright terms designed to make it easy to retain rights while allowing reuse and distribution of any creative work. Some bands also explicitly allow trading of music recorded at live shows, or certain tracks they release online. See http://creativecommons.org/audio/ for more details.

Problems with Open Servers

Our Windows brethren have long been aware of the problem of accidentally running an open file server, because before Windows XP, Microsoft’s default configuration made it easy to turn on file sharing without any protection. On the first cable-modem networks, which work essentially like large Ethernet networks, people could troll through their neighbors’ unprotected files with abandon. Whoops.

The Internet is so large and so fast, and full of so many jokers, that it has become something like a large local network. If you purposely or accidentally expose more than you intended, it’s likely that some automated evil—a scanning program that looks for open file-server connections—will suck down your data. Less maliciously, however, because search engines like Google follow all links from public Web pages, many Word, PDF, and other files have entered Google’s maw unintentionally from an obscure but linked location of a Web site.

Worse, if your computer is hijacked (taken over) by crackers, it could become a depository for warez, which is the slang name for pirated software. A number of years ago, I ran an FTP site with a few files in it, but I misconfigured it to allow both read and write access to anyone. A huge spike in bandwidth led me to discover hundreds of megabytes of pirated materials uploaded by others.
Even though you probably wouldn’t face legal action for your negligence (though that’s not a guarantee these days), you could lose time and money cleaning up the problem, and your ISP might sever your Internet connection for violation of their acceptable use policies.

If you think unintentionally hosting pirated software is bad, it could be worse. Your server could also become a repository of child pornography. Some countries, including the United States, have presumptive guilt. Mere possession can get you thrown in jail, fined, or otherwise sanctioned, and require a long process to clear your name. Many reports over the last couple of years have revealed that a large percentage of spam and pornography is served from hijacked computers.

There’s one more scenario that stinks: if anyone can write files to a drop box on your server (even if no one can read those files once uploaded), a malicious jerk could upload hundreds of megabytes of crud, saturating your available bandwidth and filling your server’s hard disk, and making the machine unreachable until you clean up the unwanted files. This sort of vandalism may sound unlikely, but with all the hijacked computers in the world, it’s all too easy, and it does happen.

Warning! Even running peer-to-peer software for legitimate purposes distributing legal files could cause you difficulty. For instance, a few years ago, Take Control publisher Adam Engst downloaded legally distributed audio files of musicians performing at the South by Southwest (SXSW) music festival via BitTorrent, the festival’s preferred distribution method. Unfortunately, he left BitTorrent running, became a seed node, overloaded his long-range wireless link, and was temporarily shut down by his ISP.

Recommendations for Avoiding Risks

I recommend that before you turn any type of file sharing on, you think carefully about who needs access, and what kind of access they need.
Here are some specific recommendations:

• Set up specific accounts for users who need access: Most of the time, you should set up an individual account for each user or you should set up a single account to be shared by a group of users who need access to files. If you are sharing files from a Mac running Leopard, you can set up a Sharing Only account that provides limited access, and a Sharing Only account may be most appropriate for limiting users’ access to only the files they need. (Sharing Only accounts are described thoroughly in Define users; see Take Control of Users & Accounts in Leopard for additional details on setting up user accounts.)

You should also restrict users’ ability to write files to the file server, using techniques such as these:

  ◊ Allow write access only to those who absolutely need it. For instance, if you are sharing files from a Mac running Leopard, you can set the permissions for other users to Read Only. (In the Sharing preference pane, select File Sharing, and then choose each shared folder in turn to set the permissions in the Users list for each user or group that has access.)
  ◊ Choose read-only file-sharing methods to offer up files (like Web download).
  ◊ Allow read-only access through configuration options that I describe later for each kind of file service.

TIP If you’ve never configured a file server before, you might not know that you can control the extent to which other users (or even yourself, when logged in as a user) can work with files stored on the server. For instance, you can let users just read files and browse folders; or just upload files without then seeing that they uploaded; or read, write, delete, and otherwise totally control a volume.

• Limit where guests or anonymous users can upload files: You can quickly get in trouble if users who don’t need an account to gain access to your server can write files. Generally, don’t let guests write files.
If there’s a reason for it, set up a write-only or drop-box folder into which they can copy or upload files but cannot read the contents or copy files out.

• Make sure that iDisk HomePage users assign a password to the HomePage area: iDisk has several ways to share files that are risky if you don’t read Apple’s well-written instructions. For instance, you can assign a password to your Public Folder on iDisk that allows others to access it via WebDAV. However, if you enable Web-based sharing through HomePage, you must assign another password in the HomePage area. (For an existing site, click Protect This Site at the top of the page, or select a site and click Edit to the right below the listing.) If you don’t assign a password, anyone can gain access to those files over the Web if they know the URL.

• Test your setup: I typically test any file-sharing setup by using another computer with no login privileges to see what I can get to without a user name. Can I read and write files when I shouldn’t? Am I gaining anonymous access when I should be asked for a password? I tweak until I get it exactly right. Have a friend test it from outside your network, too.

• Add a firewall: If you’re even slightly concerned about who might access files you are sharing from your network, you can turn on a firewall. The firewall that’s part of Leopard is woefully restrictive, however, focusing on applications and their capability to receive data. Instead, I suggest that you install a full-featured firewall that lets you control which IP addresses can access a precise set of servers on your machine.

Some Wi-Fi and broadband routers include full-featured firewall software that can protect an entire network, including network-attached storage; Apple’s AirPort Extreme does not.
For an individual Mac, four firewall packages for Mac OS X that accomplish advanced protection tasks are:

  ◊ Flying Buttress: http://personalpages.tds.net/~brian_hill/flyingbuttress.html (shareware, $25)
  ◊ Intego NetBarrier X3: http://www.intego.com/netbarrier/ ($70)
  ◊ Open Door’s DoorStop X: http://www.opendoor.com/doorstop/ ($50)
  ◊ Sustainable Softworks IPNetSentryX: http://www.sustworks.com/site/prod_sentryx_overview.html ($60)

(When you read this, Leopard updates for the above-listed programs may not yet be released.) Look on the next page for more information, in Set Your Firewall for Sharing Files.

TIP There’s such a thing as being too observant. One of my editor friends at a publishing house was convinced her Panther system was the victim of viruses and attacks. It wasn’t, as far as I could determine. Instead, her discovery of a Windows-focused worm probing her networked computers—a typical automated cracking behavior—led her to set her firewall settings for so much logging and rejection that it bogged down her system to an almost unusable level.

Currently, neither I nor any of my colleagues know of any way that someone can connect to a Leopard system that’s sharing files and gain access to control the computer or install and execute programs on it. This doesn’t mean it can never happen.

Set Your Firewall for Sharing Files

A firewall creates a virtual barricade between one part of a network and another, preventing all kinds of data from passing in and out, depending on how the firewall is configured. A firewall can protect an entire network, but more typically, you install a firewall on a single computer to prevent other computers on a local network or the Internet from accessing any services that you haven’t specifically allowed.

To turn on Leopard’s built-in firewall service, open the Firewall view of the Security system preference pane.
You have three distinct options to choose among:

• Allow All Incoming Connections: This default option blocks no traffic. The firewall is off.
• Block All Incoming Connections: An extreme option, this prevents any traffic from the outside world from initiating an unsolicited connection to any service on your computer, but allows you to connect out as much as you want.
• Limit Incoming Connections to Specific Services and Applications: This option lets you pick and choose what gets in to which programs.

If you have any Sharing services enabled, they appear at the top of the list below Limit Incoming Connections. If you have chosen to control incoming access for specific applications—including Apple programs like iPhoto or iTunes that add themselves to the list with your permission when you enable sharing within those programs—they appear in this list, too. When both services and applications are shown in the list, they’re separated by a line with services on top and applications on the bottom.

Whenever you turn on or off any service, it is added or removed from this list to create or remove an exception to the firewall. If you launch a program that needs access from the outside world, Mac OS X prompts you for permission to allow such access; if you agree, the application is automatically added. You can also click the button to add an application to the list. Or, to remove an application from the firewall settings, select it from the list and click the button.

Each application can be set to Block Incoming Connections or Allow Incoming Connections, but the setting applies only if you chose Limit Incoming Connections as your overall approach (Figure 2).

FIGURE 2 The Firewall view lets you control how the outside world reaches your computer’s services and applications.

The firewall for Leopard lacks the fine-grained ability that Tiger offered to control access based on ports (see the note Ports, next page).
Port-based access control is a typical feature of a firewall, and it’s odd that Apple changed its philosophy here.

Apple’s firewall has never offered control over which IP addresses or ranges were allowed or banned. Most firewalls can monitor for abuse and lock out specific addresses or networks, or make sure only authorized parties have access by allowing access to a service from only a few addresses.

If you need this level of control or need to control access to services that aren’t supplied with Mac OS X, you need a third-party firewall—such as one of those listed a few pages earlier, or a router with firewall functions built in. These firewalls allow more elaborate rules to permit—among other purposes—file-sharing traffic to pass if you’re trying (wisely) to restrict who connects to your computer. See Table 4 (next page) for the ports you must enable for each service.

NOTE PORTS
A port is to an IP address like an apartment number is to an apartment building: ports are used to offer services, like file sharing or a Web server, and Internet-enabled software knows at which ports services are typically found. Ports can handle one of two forms of IP data: TCP and UDP. You may be familiar with the name TCP from TCP/IP, the area in the Network preference pane for each adapter in which you set up connectivity. But TCP is one form of wrapping up data; UDP is the other. TCP is typically used for communications in which every bit of data is important; UDP is often used for streaming media where losing some data doesn’t affect overall reception.

Table 4: Ports to Enable for Different File Sharing Services

Service | Ports | Notes
FTP | Incoming 20 and 21, both UDP and TCP, and incoming ports 1024 through 65535 only when queried from another machine’s ports 20 and 21 | FTP clients send requests from ports 20 and 21, but if passive FTP is enabled on the client—an option required for some firewalls—the client connects from a high-numbered port.
Web | 80, 443 | 80 is regular Web, 443 is the secure version
Samba | 136–139, 445 | Apple opens just port 139 for Samba, but other ports might be required for various Windows networking services.
Timbuktu | 407 |
AFP | 548, 427 |
iPhoto | 8770 |
iTunes | 3689 |

You can configure Leopard’s firewall with one special feature for greater security—Stealth Mode. To access it, from the Firewall view, click the Advanced button.

Check Enable Stealth Mode (Figure 3) to make your Macintosh appear essentially invisible to the outside world. Your computer won’t respond in any way to queries from the outside world that try to see if any port has a service behind it. This is a recommended approach for keeping a low profile. All outbound connections that your Mac originates will still work.

FIGURE 3 The Stealth Mode option in the Firewall view lets you lock down Leopard tight as a sealed drum.

Protect Your Passwords

The last part of protecting your file-serving system is to make sure that neither you nor any of your remote users inadvertently let slip the passwords that are used to access it. Should a password fall into the hands of an unauthorized person, the contents of your read-only repositories will suddenly be available to that person. And, a read/write server could be compromised with stolen software, as I noted in Problems with Open Servers, earlier.

Standard AFP, Web, Samba, and FTP services that use passwords don’t protect those passwords, nor do they scramble the data that passes back and forth from a client to a server. So, if users connect to your file services over a Wi-Fi hotspot in a public location such as a coffee shop or airport, they should use either a virtual private network (VPN) that encrypts all network traffic or an encrypted version of FTP. They should avoid Samba and non-SSL–based WebDAV.
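To see which of the Table 4 services a Mac you administer is actually exposing, and which of those are the ones named above as leaving passwords unprotected, you can probe its TCP ports. This is an added example, not from the book; the function names, the timeout, probing TCP only, and treating Web port 443 as protected are assumptions of the example.

```python
"""Audit which Table 4 file-sharing ports answer on a host you administer."""
import socket

# TCP ports per service, as listed in Table 4 of this book (UDP is not probed).
TABLE4_TCP = {
    "FTP": [20, 21],
    "Web": [80, 443],
    "Samba": [136, 137, 138, 139, 445],
    "Timbuktu": [407],
    "AFP": [548, 427],
    "iPhoto": [8770],
    "iTunes": [3689],
}

# Services the text names as not protecting passwords or data in transit.
UNPROTECTED = {"FTP", "Web", "Samba", "AFP"}


def sends_cleartext(service, port):
    """True if the text lists this service as unprotected (443 is the secure Web port)."""
    if service == "Web":
        return port != 443
    return service in UNPROTECTED


def probe(host, port, timeout=0.5):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"      # the host answered: nothing is listening on this port
    except OSError:
        return "filtered"    # no usable answer, as with Stealth Mode or a firewall drop
    finally:
        sock.close()


def audit(host, table=TABLE4_TCP, timeout=0.5):
    """Return (service, port, state, exposed_cleartext) for every port in the table."""
    rows = []
    for service, ports in table.items():
        for port in ports:
            state = probe(host, port, timeout)
            exposed = state == "open" and sends_cleartext(service, port)
            rows.append((service, port, state, exposed))
    return rows


if __name__ == "__main__":
    for service, port, state, exposed in audit("127.0.0.1"):
        flag = "  <- passwords cross the network unprotected" if exposed else ""
        print(f"{service:9} {port:5} {state:8}{flag}")
```

Run against 127.0.0.1 it shows what is listening at all; run from a second machine of yours against the Mac’s address it shows what the firewall lets through.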
TIP If you don’t have access to a VPN server, and most of us don’t, you can “rent” this encrypted service from WiTopia for $40 per year (http://witopia.net/) or publicVPN for $6 per month or $60 per year (http://publicvpn.com/). Both firms provide a simple way to start or stop a VPN connection. (WiTopia uses a separate application; publicVPN uses built-in Mac OS X support.)

SHARE FILES

Turning on file sharing in Leopard requires only a few clicks in the Sharing preference pane. Although this section explains how to use the Sharing pane, you may wish to review the details about the service you are about to turn on first, either by flipping back to more general information in AFP, SMB or Samba, FTP, or Web, or by skipping ahead to more specific configuration details in Share with AFP, Share with Samba, Share with FTP and SFTP, and Share Files over the Web.

Set Up File Sharing

Leopard has streamlined file sharing by consolidating most of the services, and by improving its explanations. Three items in the Sharing pane’s Service list control the major file services:

• File Sharing incorporates all three major forms of network file serving: AFP, FTP, and SMB.
• Web Sharing turns on the local Web server.
• Remote Login enables Secure FTP (SFTP) access, as well as its main function of remote Terminal sessions.

Other sharing options: Other options in the Service list aren’t related to file sharing, but rather refer to sharing computing power (Xgrid), remote management and operation, and handing out Internet access. An option not listed above, NFS (Network File System), requires additional configuration, but I find the method too dangerous to recommend to anyone who is not already an experienced system administrator.

Turn on services

Leopard makes it a snap to set up file sharing. It’s far easier in Leopard than in any version of Mac OS since, quite honestly, Mac OS 9! Leopard has more options and is more sophisticated, but the simplicity of sharing took 7 years to cycle back around.

Here’s how to turn on a service:

1. Working in the Sharing preferences pane (Figure 4), and referring to the bulleted list on the previous page if needed, check the box to the left of the service name that you want to turn on.

FIGURE 4 To turn a service on, click the checkbox to the left of the service. To turn the service off, uncheck the checkbox. File Sharing has further options when you click Options.

2. Now:
• In the case of File Sharing, click the Options button to enable or disable a specific file sharing service (Figure 5).
• In the case of Web Sharing, after checking the box, skip ahead to Share Files over the Web.
• In the case of Remote Login, which you’d be checking in order to enable SFTP, skip ahead to Using SFTP.

FIGURE 5 Check any one, two, or all three of the file-sharing types to start them running.

The options are:
◊ AFP file sharing, listed as Share Files and Folders using AFP.
◊ FTP, a stripped-down form of transferring files, listed as Share Files and Folders using FTP (see Share with FTP and SFTP to learn important configuration information).
◊ SMB, also known as Windows file sharing, listed as Share Files and Folders using SMB. (If you’re wondering about the Account list below the SMB option, see Share with Samba. Or, keep reading along and I’ll cover it when I reach that point in the procedure.)

3. Click Done.

You have now turned on at least one file-sharing service. In the procedures ahead, I’ll explain how to set which items are shared, who can access them, and what they can do with them.

NOTE Apple’s explanation in the Services pane and Options dialog of what each service does and how to access a service as a network resource after you’ve turned it on is terse but cogent, and I expand on it in Access Shared Files.
Add shared folders for file sharing

Once you’ve turned on a file sharing service, it’s time to set which folders on your Mac can be accessed by which users through the three File Sharing options in the Sharing preference pane: AFP, Samba, and FTP.

Apple labels Mac OS X’s list of shared items Shared Folders, but you can add the top level of anything mounted on the Desktop—hard drives, CDs and DVDs, flash drives, and even disk images—as well as individual folders. It’s really “Shared Folders and Volumes.”

To add a folder or mounted drive, follow these steps:

1. In the Sharing preference pane, under the Shared Folders list, click the + button.
2. Select the folder or drive that you want to share. For folders, navigate to the item, and make sure it’s selected. For volumes, choose the volume under the Devices list in the left sidebar.
3. Click Add.

There’s no additional “apply” button; the folder or drive is now available for sharing, and it appears in the Shared Folders list.

NOTE In Leopard, Apple has dramatically improved the granularity of items you can share and who may access them. Apple has restored folder sharing, lost since Mac OS 9 days; and they’ve added per-volume access control. Apple turns file sharing on for Guest accounts in a clean Leopard installation, but they provide a single checkbox to disable this access. For more about guest access, see Define users, a page or so ahead.

Sharing terminology: While volume is a synonym for any partition on a disk, in the context of sharing a folder or drive, it’s also used to mean any shared item that appears as a volume when mounted as a server. So, what you might think of as a folder turns out to be a volume from the perspective of those accessing the folder via file sharing. I use the term volume often ahead to describe items in the Shared Folders list.
You can also add folders and disks from the Desktop by dragging their icons into the Shared Folders list; or, by selecting a folder, choosing File > Get Info, and checking the Shared Folder box under General. The volume immediately shows up in the Shared Folders list in both cases, where you can set access to it. By default, Leopard shares the volume with the users and group for a given item, as I explain next.

Warning! The Public folder in every user account is automatically shared by default. Turning off Public folder sharing—even when there were no contents—was a chore in Mac OS X before Leopard. In Leopard, you use the Get Info method noted above for a given Public folder and uncheck the Shared Folder box. That particular change allowed me to cut about ten pages from this edition of the book.

How to Tell if a Folder Is Shared

If you don’t want to open the Sharing preference pane, you can tell if a folder is shared with a glance in a Finder window: With the contents of a shared item visible, you’ll see a dark gray box near the top of the window reading Shared Folder (Figure 6). A sharing badge on the folder would have been nice, too.

FIGURE 6 A gray bar with Shared Folder indicates that the folder is, indeed, shared.

Define users

Leopard adds a unique category of user account: Sharing Only. This lets you set up an account to be used solely for transferring files through File Sharing options, with no access to other services on the system, or to a regular login.

If you already have other users on the system who need remote access for SFTP or more full access, you can use their accounts for access as described two pages ahead, in Assign users for file sharing.

Safe Samba set up: Before you set up users for Samba file sharing, skip ahead and read about special security concerns for Samba in Extra step due to weak passwords.

Here’s how to set up a Sharing Only account:

1. Open System Preferences.
2. Click Accounts.
3. Click the lock icon at the bottom left, and enter an administrator password. (That’s the password for any account set to Allow This User to Administer This Computer.)
4. Click the + button below the list of accounts at left.
5. From the New Account pop-up menu, choose Sharing Only.
6. Enter a long name (a full descriptive name that AFP can use), a short name (the login account name used by SMB and FTP, and an option for AFP), the password, and a hint (Figure 7).
7. Click Create Account.

This account can now be assigned as a valid user for a shared folder.

FIGURE 7 A Sharing Only user can only access files, not log in to the Mac to use applications.

You can also disable the Guest account user in the Accounts preference pane. To disable the Guest account, follow Steps 1–3 in the previous procedure; then select Guest Account at the left of the Accounts preference pane and uncheck Allow Guests to Connect to Shared Folders. (To re-enable guest access, check that box.) Guests can connect via SMB and AFP, but not via FTP; I describe a workaround for this in Share with FTP and SFTP.

Warning! The Guest account isn’t revocable; that is, if you decide you don’t want someone to have guest access, you can’t turn the account off and have a way of letting other people still access the same files through a Guest-account method. To avoid this problem, I suggest you not use the Guest account for file sharing, but instead create a Sharing Only account with a name that you use for guest access, like guest1, with a simple password like guest. You can turn that account off, change its password, or rename it to drop people from having access.

Assign users for file sharing

For each volume shared via the File Sharing service, you must specify a set of users who may gain access, and their level of access.
Mac OS X does have default user-access settings, and you can see them in a folder or disk’s Info window or when you select an item in the Shared Folder list in the Sharing preference pane. (The Users list comprises both users and groups; I’ll explain that shortly.)

Mac OS X picks up these defaults from the underlying Unix directory permissions. These permission settings control general system and user access to files outside of file sharing, controlling which users on the computer can read, modify, or execute (launch) files, programs, and folders. (See Take Control of Permissions in Leopard, by Brian Tanaka, for more details.)

For a shared volume, you can assign permissions to three different kinds of users (Figure 8):

• Owner: The owner is the user who created the item. For a folder that’s within a user’s home folder, the user is typically the owner. For a system-level folder, or for the volume that’s your Mac OS X startup disk, the owner is often the special System Administrator user. The Owner entry is listed as a single head and chest with the full account name following.

• Group: Folders and volumes can also have a group assigned that allows a separate setting for permissions. This is how several people can modify files within a volume, or have read-only access. Many folders lack group settings. (To set up a group, open the Accounts preference pane, and authenticate if needed using the lock at the lower left. Click the + button, choose Group and enter a group name, and click Create Group. Then, with the new group selected at the left, select the checkboxes for the accounts that you want in the group.) The Group entry shows two heads and torso with the group name following.

• Everyone: Everyone includes all other accounts on the computer, including the Guest account and Sharing Only users. This setting makes it easy to allow everyone access to certain folders without having to muck about when new users are created. The Everyone entry shows the top of three people overlapped and the name Everyone following.

FIGURE 8 The three kinds of users that can be assigned to a shared folder: an owner (top), group (middle), and Everyone.

Warning! The Guest account can access any folder with Everyone set to anything but No Access over AFP and Samba, but not via FTP. Apple put some special under-the-hood “wiring” in Leopard that prevents this kind of guest access.

The File Sharing service lets you choose users to assign to a folder from one of two sources: Users & Groups and Address Book.

• Users & Groups: This includes all defined users on the computer you’re working on, including regular accounts, groups of users (defined in the Accounts preference pane), and Sharing Only users. Any accounts or groups already added to the Users list for a particular shared item are grayed out. (The Guest account user isn’t listed, as that account’s ability to access files is constrained; see Warning, above.)

• Address Book: You can select any user in your Address Book, and create a Sharing Only account for them on the fly by assigning them a password when prompted. If you’ve already done this step for a user, their Sharing Only account appears in Users & Groups. Groups of contacts created in Address Book show up below the Address Book icon. You can select a group, and then choose one or more of its members to add. For any member that doesn’t already have a Sharing Only account, you’re prompted to create that account.

To assign users to a shared item, carry out these actions:

1. In the Sharing preference pane, select an item under Shared Folders.
2. Under the Users list, click the + button.
3. Pick a user type at the left—Users & Groups is selected by default (Figure 9)—and then select users or groups from the right (groups appear with a two-heads-and-torsos icon). You can select multiple items as you would for any multiple selection: Press Command for noncontiguous additions or removals, and press Shift to extend a selection.

FIGURE 9 You can select users from local accounts, network accounts, and the Address Book.

4. Click Select. If you chose users from the Address Book, you are now prompted to enter a password for each user to create their Sharing Only account entry.

Any users or groups that you set up now appear in the Users list for that shared volume. Removing a user or group is as simple as selecting one entry at a time in the Users list and clicking the - button beneath the list.

Now that you’ve set which accounts can access a shared item, your next task is to control the access.

Control access via file sharing

One of the best new features in Leopard for controlling AFP, FTP, and Samba access is per-volume, per-user/group sharing. This allows you to set separately who may access a given shared item and in what fashion.

Warning! Because Leopard ties together AFP, Samba, and FTP, you cannot restrict access by any of those methods to a given volume for a user that has permission to access that volume. That means that any valid user can access any permitted volume through all enabled file-sharing methods. This shouldn’t be a problem, but it’s worth noting.

To the right of each entry in the Users list, an access pop-up menu lets you set one of four choices (Figure 10):

FIGURE 10 The four options for access give you highly granular control over what users have permission to do. No access appears only for the special Everyone user.

• Read & Write: This allows unlimited access to the shared item.

• Read Only: For items that you want to provide access to but not allow modifications, additions, or deletions, Read Only is the option of choice. Read Only is also a good mode if you want to share a folder or volume in such a way that you can’t accidentally write over any of its contents.
• Write Only (Drop Box): This last choice turns a folder into a drop box. Connected users have permission only to “drop” a file into the volume. They can’t view the contents of the folder or access anything inside it. The Drop Box option helps when you’re trying to collect documents but not share them.

• No Access: Use this option to disable access for users or groups by choosing No Access, rather than deleting their entry altogether. This option is available only for the Everyone entry.

What to do next: Now that you’ve set up users who can access a shared volume, assigned those users to the volume, and set how they may access the volume, it’s time to learn a little more about your specific method of sharing files, and possibly to further configure your setup. In the following subsections, I cover special configuration considerations that you may wish to be aware of as you finish setting up file sharing. As appropriate, skip ahead to Share with AFP (below), Share with Samba, Share with FTP and SFTP, and Share Files over the Web.

Share with AFP

AFP has just one proviso when it comes to file sharing: because it’s the longest-established method of moving documents around under any version of the Macintosh operating system, even before it was called Mac OS, Macs running Mac OS 9 through Mac OS X 10.3 (Panther) can’t access Leopard and Tiger AFP servers without a setting change.

Macs running Tiger and Leopard don’t use the old AppleTalk protocol for AFP, relying instead on IP networking. If you need to access a Tiger or Leopard AFP server from Mac OS 9 or Mac OS X 10.3 or earlier, you must enable AppleTalk.

On a particular file-sharing Macintosh, running any version of Mac OS X, AppleTalk can be active on only a single network connection at a time—you can’t turn it on for both an Ethernet and a Wi-Fi connection, and it’s important to turn it on for the correct connection. (Note that Leopard Server can offer AppleTalk over all connections at once.)
To enable AppleTalk, follow these steps:

1. Launch System Preferences and click Network.
2. Select your connection in the list at left, such as Ethernet or AirPort.
3. Click the Advanced button.
4. Click AppleTalk.
5. Check Make AppleTalk Active. (If AppleTalk is active on another connection, Mac OS X will warn you.)
6. Click OK.
7. Click Apply.

Warning! Apple dropped from Leopard several security-related options, accessible from a special gear-icon Action menu, that related to mounting AFP volumes. I’m not sure why Apple removed these options, and it may be an oversight. First among them is the ability to use AFP over SSH, a secure option supported by Mac OS X Server.

NOTE To find out about connecting to your AFP server from other computers, skip ahead to Access Shared Files.

Share with Samba

As you may recall from SMB or Samba, earlier, Samba is how Windows shares files, and Leopard’s version works in a way that Windows and other Samba clients are quite happy with. There are just two issues to be concerned about: turning on Samba accounts, and dealing with odd characters.

Extra step due to weak passwords

Leopard (and Tiger before it) likes to remind you that SMB passwords are stored in a less-secure manner than other network and system passwords. Both versions of Mac OS X have you go through an additional step to enable accounts to share via Samba because if the password is cracked for Samba, that’s the same password that could be used for remote access to your computer or allow someone with physical access full privileges to use your machine.

Because of this weakness, you might consider enabling Samba access through only one Sharing Only user account that you set up especially for Samba users. This account’s password, if cracked, would reveal only the stored files that the account was given access to.

TIP Samba is best used on a local network, not over the Internet, because of its password weakness. Samba ports are often blocked by network administrators and ISPs, and they are typically disabled in default firewall configurations. If you have another option for sharing files to remote users, try it.

In the Sharing preference pane, click Options. Now, beneath the Samba checkbox, you need to check a box next to each account you want to allow access to over Samba (Figure 11). Enter that account’s password when prompted. When you finish, click Done.

FIGURE 11 Check the boxes next to accounts that are allowed to access this machine via Samba. Enter the account passwords when prompted.

Avoid file naming problems

Certain versions of Samba are more restrictive than others about which characters they can handle. I’d like to generalize, but the documentation about various Samba servers doesn’t make it crystal clear whether older or newer servers are more or less restrictive, or just configured to be more or less restrictive. Let’s just say that your mileage may vary.

Many characters that you can use to name a file or folder under Mac OS X will make certain versions or configurations of Samba barf. I can’t find a definitive list of characters that Samba clients (and servers) don’t like, but it appears to include \/:*?"<>|.

At one time, the list was more restrictive; over time, Apple has improved how Mac OS X handles mapping characters that Macs understand and Windows doesn’t like. If you try to copy a file that includes any or all of these characters to a Samba file server, Leopard encodes them in a way that Samba likes.

In Vista, for instance, the unsupported characters show up as bullets (•) in the Desktop file lists, but Vista preserves the underlying special character codes. You can copy and paste the file names in Vista without ruining the name. This is a neat trick, and a big improvement over even Tiger’s improved support.
Share with FTP and SFTP

Let me address just two issues worth considering: guest access in FTP and the particulars of turning on and using SFTP.

Guest access in FTP

With Leopard, FTP access is controlled identically to AFP and Samba. The one exception is that—at this writing—guest access does not work with the Guest account.

To work around that, create a special Sharing Only account called guest_ftp (or whatever you choose), give it a password like guest, and assign it to any shared items you want to enable guest FTP access to. Then, to provide a link to the file repository, tell your users about the account or even publish the account name and password on any Web page you need to provide a link to for the file repository.

In a future edition of this book, I hope to provide a simpler step. For security reasons, Apple may have chosen to hardwire their system to not allow anonymous, password-free access at all, reserving that for Mac OS X Server.

TIP MORE OPTIONS IN PUREFTPD MANAGER
If after you read this “Share with FTP and SFTP” subsection, you want still more configuration options or tighter security for your FTP-based file sharing, you should look into PureFTPd, a donationware FTP server that should be available at some point after Leopard’s release (http://jeanmatthieu.free.fr/pureftpd/). PureFTPd Manager packages well-written FTP server software that handles all forms of FTP encryption and, to boot, can enable a more flexibly defined guest user and offers a host of subtle options like restricting inbound bandwidth or access by time of day. Click the Check for Updates link on the cover of this book to look for more details.

Using SFTP

SFTP isn’t tied into File Sharing; it’s essentially a separate method that happens to work in a similar manner, and to which none of the File Sharing tools for managing access apply as noted above.

To enable SFTP on the server end, turn on the Remote Login service in the Sharing preference pane. (You don’t need to turn on FTP Access by selecting the File Sharing checkbox and clicking Options if you’re offering only SFTP on your server: Remote Access enables SSH, which in turn hands off SFTP traffic to a special program called sftp-server.)

As noted earlier, Apple’s SFTP relies on users defined in the Accounts preference pane, and on the permissions attached to those users. Access controls that you see if you select File Sharing in the Sharing preferences pane—the Shared Folder and Users lists—don’t limit access for users via SFTP; all users or selected users—depending on your setup in the Remote Login service—can access anything they have Unix-set read permissions to retrieve.

From the perspective of using SFTP in an FTP client, any FTP software that supports SFTP—and all major Mac clients do—doesn’t treat SFTP any differently than FTP. It’s seamless via the client, and just handled differently by the server.

TIP Read FTP, earlier, to review common FTP setups.

Share Files over the Web

Leopard’s built-in Web server is a slightly modified version of Apache 2.2 (http://httpd.apache.org/). As I discussed in Web, by default, you can use Leopard’s Web server as a read-only method of providing Web pages and file downloads.

Turn on Web Sharing as described in Turn on services, earlier, and then check out the default index.html.en page that you’ve made available. (There are many index.html files, all of which have a dot-plus-two-letter extension to define the language they are written in; the language set in the browser tells the server which index.html file to feed to the browser.)

You can start serving Web pages or downloadable files using the default directories. See “What’s shared over the Web” (just ahead) and Share files and folders.

What’s shared over the Web

The first time you turn on Web Sharing, Leopard shares /Library/WebServer/Documents as the main URL for your machine, as well as the ~/Sites folders for all users as paths under the main URL.
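Both points above, that SFTP ignores the Shared Folders and Users lists and that every user’s ~/Sites folder is served, come down to plain Unix read permissions. The following added example (not from the book) lists what a given account could retrieve from a folder; the function names are made up for illustration, only owner/group/other mode bits are evaluated (ACLs are ignored), and you supply the uid and group ids of the SFTP user or of the account the Web server runs as.

```python
"""List files an account can read under a folder, judged by Unix mode bits only."""
import os
import stat


def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to this uid and set of gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 0o7      # owner bits
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7      # group bits
    return st.st_mode & 0o7                 # "other" bits, i.e. Everyone


def retrievable(root, uid, gids=frozenset()):
    """Return the regular files under root that uid could list and read.

    A folder is entered only if the account has both read (list) and execute
    (search) permission on it, so a write-only drop box is skipped. Symbolic
    links are neither followed nor reported, and permissions on the folders
    above root are not checked. Run this as an administrator so the audit
    itself can see every folder.
    """
    found = []

    def walk(folder):
        if class_bits(os.lstat(folder), uid, gids) & 0o5 != 0o5:
            return
        try:
            names = sorted(os.listdir(folder))
        except PermissionError:
            return                           # the auditor lacks access; skip it
        for name in names:
            path = os.path.join(folder, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode):
                walk(path)
            elif stat.S_ISREG(st.st_mode) and class_bits(st, uid, gids) & 0o4:
                found.append(path)

    walk(root)
    return found


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    # Usage: python3 this_file.py <account short name> <folder>
    account = pwd.getpwnam(sys.argv[1])
    groups = {account.pw_gid} | {
        g.gr_gid for g in grp.getgrall() if account.pw_name in g.gr_mem
    }
    for path in retrievable(sys.argv[2], account.pw_uid, groups):
        print(path)
```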
Apple also makes the Apache manual available at http://localhost/manual. The Sharing preferences pane shows the default URL at which the Web server can be reached, and the document directory the server is sharing.

TIP Localhost is the default name for your local machine, equivalent to the Internet loopback (or point-to-self) address of 127.0.0.1.

The Sites folders in all user directories are shared, so you may want to configure Apache to share folders from only specific user directories.

TIP Placing aliases in the Finder for files or folders located in a folder above Apache-shared folders doesn’t share those files or directories. However, creating Unix symbolic links in Terminal will work.

To view the default page (index.html.en, located in /Library/WebServer/Documents) that comes up for your enabled Web server at its root level, enter any one of the following in a Web browser’s Location or URL field:

• Your machine’s IP address (e.g., http://192.168.1.10)
• Your machine’s exact domain (e.g., http://foo.example.com)
• http://localhost
• http://bonjour.name

TIP FINDING AND SHORTENING THE BONJOUR NAME
The Bonjour name, such as http://glenndual.local, is shown in the Sharing preference pane beneath the Computer Name field. You can change it to something shorter—the default is rather long, like “glenn-fleishmans-power-mac-g4” in my case—by clicking Edit, entering a new name, and then clicking OK.

If you’re wondering what the Use Dynamic Global Hostname checkbox offers in that same Edit dialog, move along—nothing to see here. Apple has enabled what it calls wide-area Bonjour, but it requires support by Internet service providers and domain-name service hosts, which isn’t yet in place. When it is, you would be able to access services through Bonjour names outside your local network.

If you want to see the home page for a user on your system (the index.html file in the ~/Sites folder for that user), enter any of the previous four options plus /~username. For example, to see the home page found in /Users/glenn/Sites/ for a user with the short name glenn, view http://localhost/~glenn or http://bonjour.name/~glenn.

Share files and folders

It’s easy enough to share files via the Web. You can place files directly in your Sites folder, preferably inside a folder you create to hold files for download, and provide people with the exact path, like http://foo.example.com/~glenn/files/arch.zip.

If you provide people with the precise path, you avoid the necessity of making HTML pages. However, you can create Web pages in software such as Bare Bones Software’s BBEdit or Macromedia Dreamweaver that point to files to download through hyperlinks.

SHARE DIGITAL MEDIA FILES

Most of this book discusses sharing any type of files using file-sharing services. However, no book about sharing files on a Mac would be complete without explaining how to share iPhoto and iTunes libraries.

Decide How to Share an iTunes Library

The first step in sharing an iTunes Library is to decide whether to use the built-in iTunes Sharing feature or to use file sharing. I explain each option, next.

Built-in iTunes Sharing feature

iTunes has a built-in Sharing feature, which is easy to set up. You can use iTunes Sharing to share one iTunes Library among users on the same Mac or with users on a network. Unfortunately, the feature is limited in a number of ways:

• Because Apple is playing nice with the recording industry, if another user connects to your shared library, all that user can do with shared media is play it from within iTunes. He can’t add a song or video or album to his own playlists, set ratings, or edit the tags that identify each MP3 file. That’s appropriate in some situations, but in cases where you’re sharing your own iTunes Library among your own Macs, such as on a home network, it’s needlessly limiting and technologically overrules U.S. law and court decisions on fair use.
• Apple allows just five other users to connect to your iTunes Library within a 24-hour period. Boo, Apple, boo. This restriction prevents you from infringing on a song’s copyright, but in so doing eliminates rights that you would have with physical media, like a CD, DVD, or VHS tape. If you have a large family or a number of computers at work and home that you use to listen to an iTunes library, you aren’t violating anyone’s copyright and yet you could run into problems with this restriction. Listening to music isn’t the same as stealing music.

• When you share an iTunes Library among users on the same Mac, the library is available to others only when Fast User Switching is turned on. It works like this: first one user logs in and launches iTunes. Then, if another user logs in via Fast User Switching, that second user can listen to the first user’s music.

You’ll encounter a few additional limits when sharing over a network:

• The shared iTunes Library is available only when iTunes is running on the machine that is sharing the library. If you turn that machine off, it crashes, or someone needs all its processing power for Photoshop or other tasks, you can’t access the media in the library.

• iTunes sharing relies on Bonjour, a technology for automatically announcing network resources over a local network. But unlike Apple’s general use of Bonjour in which any resource is available to any other on the same physical network, iTunes restricts its sharing to machines on the same range of IP addresses. Even simple home networks could have two or more ranges of private or translated addresses, which eliminates iTunes Sharing among users of them. (A typical scenario: a wired gateway and a wireless gateway feed out two different private network ranges.) A general-purpose file server, as I describe next, has no such limitation, and might be appropriate for more complicated networks.

I cover how to Set Up iTunes Sharing on the next page.
Shared iTunes Music folder

This approach involves storing your iTunes Library in a central location. File sharing is harder to set up than iTunes Sharing, but it is the best way to go if you want to share an iTunes Library across a network or the Internet. In this case, you don’t actually share an iTunes Library file; instead you share the iTunes Music folder associated with a particular library, which you’ll use as a starting point for what media is initially shared.

Relying on a shared iTunes Music folder has the advantage of letting people share the same media while still creating and maintaining their own playlists, since the playlist information stays with each user. On the downside, every time someone adds new media by, for instance, ripping a new CD, downloading a new podcast episode, or purchasing something from the iTunes Store, each user must import the files manually by dragging them into iTunes. The silver lining in that cloud is that each user can pick and choose which of the shared files to import. Flip to the next page to learn how to Share an iTunes Music Folder.

TIP: Sharing music over a network requires just a few hundred Kbps of bandwidth per user, so it should work fine even on the slowest Wi-Fi or Ethernet network.

Set Up iTunes Sharing

If you decide that the built-in iTunes Sharing feature is the way to go, you can start sharing your iTunes Library by choosing Preferences from the iTunes menu (Command-,), clicking the Sharing button, and selecting Share My Library on My Local Network. As you can see in Figure 12, you may limit the shared music to specific playlists and set a password.

FIGURE 12: To share your iTunes Library, simply turn on Share My Library on the Local Network in the iTunes Preferences window.

To set the name that appears in other people’s copies of iTunes when the library is shared, enter a name in the General pane’s Shared Name field. The name that iTunes then uses is your account’s name plus ’s Library.
(There’s no good reason the Shared Name field isn’t in the Shared pane, as far as I can tell!)

If your firewall is enabled, Leopard asks you if you want to allow incoming access to iTunes, and admonishes you that sharing music is for personal use only (thanks, Nanny RIAA!). If you click OK, iTunes is added as an application to the Firewall view of the Security preference pane, set to Allow Incoming Connections.

On the playing side, there’s nothing new to do: If another user on your Mac logs in via Fast User Switching, or for users on your network, shared music appears automatically in iTunes in the Shared category at the left; they play music by double-clicking a song just as they would normally in iTunes.

Share an iTunes Music Folder

If you’ve decided to use the shared folder approach, you’ll be happy to know that accessing shared media in iTunes is easy because iTunes is happy to load its files from any location. Follow these steps:

1. On the Mac that will hold the shared iTunes Music folder, in the account for the user who will be in charge of the folder, open the ~/Music/iTunes/ folder.
2. From inside that folder, select the iTunes Music folder.
3. Choose File > Get Info.
4. In the General section, check Shared Folder. (If Leopard pops up an alert telling you to enable File Sharing, click Enable.)

If you’re using that user account to log in over AFP from other computers on the network, you can skip these next steps; otherwise, set up a user and permissions for that folder:

1. Open System Preferences and click Accounts.
2. Create a new Sharing Only user named whatever you like by clicking the button, choosing Sharing Only as the user type, and filling out the user name and password information. (You may need to click the lock icon at the lower left and authenticate, before you can click the button.)
3. Switch to the Sharing preferences pane.
4. Select File Sharing.
5. Select the shared folder, called iTunes Music, in the Shared Folders list.
6. Under Users, click the button, and add the Sharing Only user you just created, and if you don’t want other computers to modify the contents of the folder remotely, set that user’s permission to Read Only.

You’ve now successfully set up the folder as the shared folder. Now, it’s time to set up iTunes for everyone else who will share the folder. Perform these steps for each user on each Mac:

1. Launch iTunes, choose Preferences from the iTunes menu (Command-,), and click the Advanced button.
2. In the Finder, from the Shared region of the sidebar, select the server that contains the iTunes Music volume (use Go > Connect to Server if you can’t see the server in the sidebar). Log in as whatever user you chose or created just previously, and mount the iTunes Music volume.
3. In iTunes, in the Advanced pane, next to the iTunes Music Folder Location field, click the Change button and then navigate to and choose the shared iTunes Music folder within the shared volume you just mounted.
4. The user that has the original copy of the iTunes Music Folder should be the one that handles ripping CDs and downloading iTunes Store items. For all other users, make sure the two checkboxes for keeping the iTunes Music Folder organized and copying files to it are unchecked, or iTunes will try to manipulate files unnecessarily and quite slowly.
5. Click OK to save your changes.
6. In the Finder, where you should see the iTunes Music volume mounted, open the iTunes Music volume, select its contents, and drag them into the iTunes window to import them.

TIP: To find new items in the iTunes Music folder, open it in the Finder, switch to List View, and sort by date so you can see the most recently added folders. This can fail to work if music was ripped a while ago and copied over much later, of course.
Share Photos in iPhoto

Sharing photos in iPhoto is more complex than sharing music in iTunes because iPhoto is more particular about where its files live, and because all users need read-and-write access for importing and editing purposes. You must choose between two approaches to sharing photos in iPhoto: what I term the “shared iPhoto Library” approach, or the iPhoto Sharing approach:

• Use the shared iPhoto Library approach to share photos when you need to ensure that all networked users can import, view, organize, and output the same set of photos. The shared iPhoto Library method is best for people who want to mix all their photos and work on them together. For info on setting up this approach, see Share an iPhoto Library, next page.
• Use the iPhoto Sharing approach if you want multiple users on the same Mac (with Fast User Switching enabled) or across a network to be able to view each other’s photos and perform limited output. In this case, the user who stores the photos in his iPhoto Library can use the photos normally, but others who share the photos are limited to options that don’t modify the photos. They can print shared photos, view them in a slideshow, send them to others in email, order prints of them from Apple, upload them to make .Mac Web galleries, and use them as .Mac slides. However, they can’t add a shared photo to an album, edit it in any way, use it in iPhoto books, use it as a Desktop picture or for a screensaver, create an iDVD slideshow with it, or burn it to CD. To accomplish any of those tasks, the shared photo must first be copied to the secondary user’s account (which is easy to do in iPhoto; just drag it to the Library album), after which it’s just like any other photo in that account. iPhoto Sharing is ideal for situations where each person in a family might have his or her own camera but wants to make some pictures available to the others, without allowing the others to edit them or mix them up.
I describe how to configure iPhoto Sharing in Share photos via iPhoto Sharing, ahead.

TIP: To use the shared iPhoto Library folder technique over a network, you’ll want at least a 100 Mbps Ethernet network or an AirPort Extreme with 802.11g (25 Mbps of real throughput) or 802.11n (30–90 Mbps). The iPhoto Sharing method of sharing photos over a network works better over relatively slow network connections, but even still, the faster your network, the easier it will be to work with shared photos.

Share an iPhoto Library

The iPhoto Library package—a special kind of folder—can’t be accessed by other users of the same computer due to permissions issues. That means that if you have multiple people who want to edit and share the same iPhoto Library package, that package must be placed in a folder on a file server that all the users on the network can access. (If multiple users want to work with the same iPhoto Library on the same machine, you should set up a special account that has the iPhoto images; this special account will help you to avoid complexity and other problems.)

Warning! Mac OS X will not let you mount your computer’s AFP file server to itself; I’m sure that struck you as a clever workaround, but Apple doesn’t want to create nasty infinite loops, despite its street address in Cupertino.

Follow these steps to enable full iPhoto capabilities for other users over the network:

1. On the Mac that will host the iPhoto Library, open System Preferences and click Accounts.
2. Create a new Sharing Only user named iphoto by clicking the button, choosing Sharing Only as the user type, and filling out the user name and password information. Set the short name to iphoto. (You may need to click the lock icon at the lower left and authenticate, before you can click the button.)
3. Switch to the Sharing preference pane, and select File Sharing.
4. In the Finder, open the Pictures folder from the previous step and select the iPhoto Library.
5. Choose File > Get Info.
6. In the General section, check Shared Folder. (If Leopard pops up an alert telling you to enable File Sharing, click Enable.)
7. From the Sharing & Permissions section at the bottom, set the owner to iphoto: click the button to add the iphoto user to the Name list, and then choose Read & Write from the Privilege pop-up menu.
8. For each remote user in turn, mount the Pictures volumes using the iphoto user login, select the shared iPhoto Library folder within it, press Command-Option, and drag it to that user’s Pictures folder. When you drop the icon in the Pictures folder, the Finder creates an alias of the shared iPhoto Library folder. By default, iPhoto always looks for a package called “iPhoto Library” in the Pictures folder, and it accepts an alias happily. (Alternatively, press Option and launch iPhoto from the Dock, click Choose Library from the dialog that appears, and navigate to and select the shared iPhoto Library package.)
9. Verify that each user can import a photo and edit existing photos, and that every other user can see the results of those changes.

After that, all users can use iPhoto with the shared iPhoto Library just as they would normally.

TIP: When you share an iPhoto Library over a network, multiple copies of iPhoto can’t access the shared library at once; iPhoto prevents access when the files are in use by another copy.

Share photos via iPhoto Sharing

You can use Bonjour network sharing with photos, just as you can share media with iTunes. Unlike with certain types of media (like music) in iTunes, though, everyone sharing photos presumably has legal permission to do so, so Apple lets various users copy shared photos to their own Photo libraries and use them in any way desired.

To start sharing photos, choose iPhoto > Preferences (Command-,), click Sharing, and select Share My Photos.
You may limit the shared photos to specific albums, change the name that appears in the album pane for others on your network, and set a password (Figure 13).

Warning! One password controls access to everything you share.

FIGURE 13: To share your photos in iPhoto, turn on Share My Photos in the iPhoto Preferences window.

If you have the firewall enabled to restrict access to all or limited programs, Leopard prompts you to agree to open a hole for iPhoto sharing (Figure 14). iPhoto is then added to the list of applications in the Security preference pane’s Firewall view.

FIGURE 14: To let iPhoto Sharing function on the network, click Always Allow.

Shared photos appear in iPhoto as just another album, and you can view and output them in many of the ways you’re accustomed to with your own photos. However, if you want to edit a photo or use it in a way that iPhoto doesn’t allow with shared photos, you must first copy the photo by dragging it from the shared album to your Library or one of your albums.

ACCESS SHARED FILES

Now that you’ve had the chance to read about every conceivable way to share files, you can learn about the complementary action: accessing those shared files. Let’s walk through mounting volumes or browsing for files on each of the major operating system versions, starting with Mac OS X.

Access Shared Volumes with a Mac

To mount a server from the Finder in Leopard, you can simply select it from the sidebar’s Shared list. New in Leopard, the Shared section of the sidebar shows all discoverable servers on the local network—file servers that use Bonjour (all services shared by Macs) and NetBIOS (Samba on any platform) to announce their existence. After you select one of these servers, you can connect to it by clicking Connect As. Once mounted, connected servers are also shown in that list. See Mount by browsing for more details.
TIP: You can prevent shared and discoverable servers from appearing in the list: in the Finder choose Finder > Preferences, click the Sidebar button, and uncheck Connected Servers or Bonjour Computers.

Tiger & Panther: The following instructions for Leopard are nearly identical for Tiger (any version) and Panther (10.3.3 and later) except for the improvements in the network browser and the Sidebar listing.

Alternately, to mount a server’s volumes, you can choose Go > Connect to Server (Command-K) to bring up the Connect to Server dialog. From that dialog, to access a server, you can:

• Choose a recently mounted server: Click the top right button to pop up a menu to choose from.
• Select a favorite server: Select a server from the list.
• Browse for an AFP or Samba volume: Click the Browse button, and see Mount by browsing, a few pages later, for more info.
• Enter an exact server address: Enter a scheme (ftp:// for FTP, http:// for WebDAV, and so on) followed by a server name or IP number. You enter the server’s address just as you would in a Web URL. See Table 5 for examples.
• Enter a Samba name: For Samba volumes, you may enter the Samba scheme and the Samba name of the volume, such as smb://SHAREDPC.

You can even build a password into the URL in the form: scheme://user:firstname.lastname@example.org/path. Passwords with special characters, like an @, break this method, however.

After you click Connect, Leopard prompts you for a password as needed, depending on the protocol.

TIP: If you stored your server password in the Keychain, you can enter just scheme://email@example.com to mount the server; Mac OS X will prompt you to use the Keychain password if you haven’t opened the Keychain earlier in the current session.
Table 5: Schemes for Mounting Servers

| Protocol Type | Scheme Name | Example |
|---|---|---|
| AFP | afp:// | afp://officeserver.local or afp://afp.example.com |
| FTP | ftp:// | ftp://ftp.example.com/ |
| WebDAV | http:// | http://rwgl.foo.com/pages/ |
| Samba | smb:// | smb://192.168.1.4/SharedDocs or smb://UNPUNDPC/ShareDocs |
| NFS | nfs:// | nfs://126.96.36.199/usr/www |

TIP: If you type a host name, Bonjour name, or IP address into the Server Address field without a scheme and click Connect, Mac OS X automatically tries to mount via AFP.

TIP: Mac OS X has the interesting option of mounting an FTP server in the Finder, after which you can treat it just like another mounted volume. In contrast, most FTP client software presents you with a list of files in a custom window. Use a real FTP program like Interarchy (http://www.interarchy.com/) or Fetch (http://fetchsoftworks.com/) instead of Leopard’s built-in support. Interarchy and Fetch have the added benefit of handling SFTP (Secure FTP), too.

NOTE: Because we’re in the Unix world, once you mount a file server in Leopard, it has a local path: /Volumes/servername. That path is available via Terminal and Unix programs. In the Finder, choose Go > Go to Folder (Command-Shift-G) and enter /Volumes.

Find and use a mounted server

After you mount a volume, you would expect an icon to show up on the Desktop to represent the volume. But Leopard confounds our expectations by shipping in its clean installation version without showing servers on the Desktop! In the Finder, choose Finder > Preferences, click General, and select the Connected Servers checkbox.

By default, mounted servers do appear in the Shared list in any Finder window’s Sidebar. An eject icon appears next to each server in that list.

Like any other item in the Finder, you can select either the volume or any folder within it and copy files to and from them, and you can navigate to items within mounted volumes through any Open or Save dialog. (For advice on dismounting a server, see Dismount a Server.)
Make it easy to remount

To make a server volume easily accessible in the future, drag the server volume, or any folder inside it, to the Finder’s Sidebar under the Devices section, into the Toolbar, or to the Dock’s right-hand (if you view the Dock horizontally) or lower (if you view the Dock vertically) division.

More interestingly, you can also make an alias that points to the shared volume or a nested folder on the volume, and use the alias to later remount the volume without re-entering any user information (assuming you’ve stored your password in the Keychain). To make the alias, select the volume or a folder within it, and press Command-Option while dragging the item onto the Desktop or into a local folder. (You can also choose File > Make Alias [Command-L], but that creates the alias at the same level as the item instead of in a new location you choose.)

TIP: You can add aliases of server volumes to the Login Items pane in the Accounts system preferences to mount servers automatically at startup. If you change your network settings or move to another network, the alias may fail, prompting an error and giving you a chance to cancel or delete the alias. (The third option, to fix the alias, doesn’t work without mounting the original volume again.)

TIP: Reader Hans M. Aus discovered that having an identically named AppleTalk zone and a Samba workgroup prevented him from seeing AFP volumes reliably. The zones would come and go for no reason, rendering the server volumes intermittently accessible. The problem disappeared when his system administrator gave the zones unique names—they had previously been identical except for capitalization.

Mount by browsing

The network browser in Leopard is enormously improved, now appearing as the Shared list in the Sidebar. The new browser offers a much better view into which servers are available on the network, identifying them more clearly as Samba or AFP, and showing each available volume.
In many cases, the Tiger network browser (a separate Network icon) showed no results, even when servers were available on the network; in the same situation, in my testing, Leopard displays the details correctly using the Shared list.

To see a server’s volumes, click the server’s name in the Shared list. The publicly accessible volumes, if any, appear in the main Finder window. To see volumes that require a password, click the Connect As button in the window; it appears in various places depending on the view you’ve chosen. For the column view, it’s below an icon in the rightmost pane. In icon view, it’s in the upper right of the window.

When you choose Connect As, you’re presented with a normal login window for that server type, and after you enter your details, you can choose the volume from a list just as when you connect to a server via Go > Connect to Server in the Finder (covered earlier in this section).

Stored password skips a step: When you store your password in the Keychain for accessing a given server, the Connect As button doesn’t appear; instead, you see a label showing your user name, a Disconnect button, and a list of available volumes (Figure 15).

FIGURE 15: A connected file server in Leopard shows you the login name, a way to disconnect, and the available volumes.

After you choose the volume, your Mac mounts it. (See Find and use a mounted server.)

Connect via Terminal

Terminal offers a host of ways to connect to file servers. If you’re a Terminal demon (or daemon), try entering man and a command from Table 6 to read about precisely how the command works.

Table 6: Command-Line Mounting Programs

| Command | Volume Type |
|---|---|
| mount_afp | AFP |
| mount_ftp | FTP |
| mount_nfs | NFS |
| mount_smbfs | SMB |
| mount_webdav | WebDAV |

None of these command-line options make sense unless you spend all your time in Terminal or are writing scripts that call file services.
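For scripts that call these programs, the check below is an added example (not code from the book): it joins the schemes in Table 5 to the commands in Table 6, flags a password built into a server URL and a cleartext FTP or HTTP transport, shows why a literal @ in a password is ambiguous, and returns a redacted address that is safe to log. The function names and sample addresses are constructed for illustration; percent-encoding is the general URL rule (RFC 3986), and whether a particular client decodes it is an assumption.

```python
from urllib.parse import urlsplit, quote, unquote

# Table 5 (URL schemes) joined with Table 6 (command-line mounting programs).
# https is not in Table 5; the book mentions it for secured WebDAV.
SCHEMES = {
    "afp":   ("AFP",    "mount_afp"),
    "ftp":   ("FTP",    "mount_ftp"),
    "http":  ("WebDAV", "mount_webdav"),
    "https": ("WebDAV", "mount_webdav"),
    "smb":   ("Samba",  "mount_smbfs"),
    "nfs":   ("NFS",    "mount_nfs"),
}

# True = credentials and data cross the network unencrypted, False = TLS.
# AFP, Samba and NFS stay unclassified (None): the book does not say.
CLEARTEXT = {"ftp": True, "http": True, "https": False}


def split_userinfo(netloc):
    """Split 'user:password@host' into (user, password, host).

    The host is whatever follows the LAST '@'. A client that splits at the
    first '@' instead gets the wrong host when the password contains one.
    """
    userinfo, at, host = netloc.rpartition("@")
    if not at:
        return None, None, netloc
    user, colon, password = userinfo.partition(":")
    return unquote(user), (unquote(password) if colon else None), host


def build_url(scheme, user, password, host, path="/"):
    """Assemble a server URL with user and password percent-encoded."""
    return f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}{path}"


def redact(url):
    """Return the URL with any embedded password replaced by '***'."""
    parts = urlsplit(url)
    userinfo, at, host = parts.netloc.rpartition("@")
    user, colon, _ = userinfo.partition(":")
    if not (at and colon):
        return url  # no password present, nothing to hide
    return parts._replace(netloc=f"{user}:***@{host}").geturl()


def audit(url):
    """Describe one server address without ever returning its password."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError(f"not a file-server scheme from Table 5: {scheme!r}")
    protocol, command = SCHEMES[scheme]
    user, password, host = split_userinfo(parts.netloc)
    return {
        "protocol": protocol,
        "command": command,
        "user": user,
        "host": host,
        "has_password": password is not None,
        # More than one literal '@' before the path: the case the text says breaks.
        "ambiguous_at": parts.netloc.count("@") > 1,
        "cleartext": CLEARTEXT.get(scheme),
        "redacted": redact(url),
    }


if __name__ == "__main__":
    # Constructed sample addresses (hosts borrowed from Table 5, credentials invented).
    samples = [
        "smb://glenn:s3cret@192.168.1.4/SharedDocs",
        "ftp://ftp.example.com/",
        "afp://glenn:p@ss@afp.example.com/Music",
        build_url("afp", "glenn", "p@ss", "afp.example.com", "/Music"),
    ]
    for address in samples:
        print(audit(address))
```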
If you’re desperate to have AFP volumes on your Desktop that are soft mounted—that gracefully appear as needed and don’t cause Mac OS X to complain when they’re not available—you can use the mount_afp command in the Terminal with the -o automount flag, as in:

    mount_afp -o automount "afp://;AUTH=No%20User%20Authent@myserver/guestVolume" /Volumes/guest

Manage passwords with Keychain Access

Any time you check the box for Remember This Password in My Keychain as you mount a file server, Mac OS X stores the password along with the file server’s location and other attributes in a Keychain entry. The Keychain is a secure method for keeping account information, such as a user name and password. For instance, the Keychain can store a password for a Web site or an AFP file server.

Keychain management takes place in Keychain Access, which you can find in the Applications/Utilities folder. Apple organizes the Keychain Access interface by sorting passwords into categories by server type and allowing you to easily search for any part of a password’s associated data (Figure 16).

FIGURE 16: Keychain helps you find account information by organizing items into categories. A Search field at the upper right lets you filter when you have many entries.

Keychain Access provides several key types of information for managing file sharing and related passwords. You can retrieve these kinds of information within the program:

• View basic info about a server: From the Category list, under Passwords, select the server type, such as AFP. Then, at the right, select the server.
• View detailed info about a server, including your password: From the Category list, under Passwords, select the server type, such as AFP. Then, at the right, double-click the server to open an info window (Figure 17). To view the password, check the Show Password box.
Leopard prompts you for your account password or the Keychain password—these are identical unless you’ve set up a separate Keychain—and then allows you to choose to avoid entering the password again while in the program. You can also change the password while you’re editing that field.

FIGURE 17: The Attributes pane of a Keychain Access info window shows basic information, like the account or user name, and any comments associated with the entry, which you can modify.

• View still more detailed info and control Keychain password prompting: From the Category list, under Passwords, select the server type, such as Application. Then, at the right, double-click an entry, such as .Mac. Click the Access Control button and select a radio button to set whether or not you are prompted for the Keychain password when you need to access that item from the listed applications (Figure 18). In the figure, you can see that many different programs want access to a .Mac password!

FIGURE 18: The Access Control pane sets which programs are allowed to use this Keychain item, and how a user is prompted for an access password when a legitimate program tries to use the item.

• Delete a stored password: Select it in the Keychain Access main view and press Delete or choose Edit > Delete.

NOTE: You can maintain multiple Keychains, which is an interesting feature when more than one user of the same machine may need to access the same servers. You could create a Keychain to which all users had access and thus avoid having to distribute passwords.

Access Shared Volumes with Windows

Windows XP and Vista can both connect to Samba, FTP, and WebDAV servers out of the box. All these servers show up as icons in the My Network Places dialog. They are not mounted on the Desktop per se, because Windows doesn’t work that way, but they are available like any other folder or disk.

Connect via Samba

To connect to a Leopard server via Samba:

1. In any window in Windows, enter the IP address or Samba shared name of your Leopard server preceded by backslashes, such as \\foo.example.com\, and press Enter.
2. When prompted, enter a user name and password.

Windows presents the shared folders for that user in a window (Figure 19).

FIGURE 19: A Leopard server shared via Samba, mounted under Windows XP (top) and Vista (bottom), and showing available shared folders and printers.

Connect via WebDAV or FTP

To connect to a Leopard volume using WebDAV (Leopard Server only) or FTP (any version of Leopard) from Windows:

1. If you are using…
   • Windows XP: From the Start menu, click My Network Places. In the My Network Places dialog, click the Add a Network Place link at the top left.
   • Windows Vista: Right-click the Network icon on the Desktop and select Map Network Drive, and then click Connect to a Web site.
   The Add Network Location wizard launches.
3. Click Next.
4. Click Choose a Custom Network Location, and click Next.
5. Enter the FTP or WebDAV address (Figure 20; the screen is essentially the same in XP and Vista). Click Next.

FIGURE 20: Enter a WebDAV server address to mount the server in Windows.

6. Uncheck Log On Anonymously, enter the login name in the User Name field, and click Next.
7. Create a shortcut name, click Next, and click Finish.
8. You should now be prompted to enter a password in the Log On As screen; enter that password. You can choose to store the password. Click Log On.

The contents of the volume now appear in a window.

Warning! This is an unsecured connection when used for FTP. If the WebDAV address starts https://, it’s secured.

If you need help dismounting a server, see the sidebar Dismounting From Other Operating Systems, a few pages ahead.

DISMOUNT A SERVER

Now that I’ve discussed mounting servers, it’s time to discuss dismounting them. At some point, you will want to remove the server or servers sitting on your Desktop.
Servers can slow your system if the network is slow or becomes unavailable. You may notice this on a Mac when a server window’s list of files tries to refresh and produces a spinning rainbow pointer. If you dismount servers before putting your computer to sleep, you can reduce delays at wake-up time when Mac OS X might try to search for those servers. However, when you shut down your computer, Mac OS X automatically dismounts servers before powering off.

You can also dismount a server from Leopard or Tiger by carrying out one of the following actions:

• Drag the volume icon in the Desktop, and notice that the Trash icon on the Dock temporarily changes to an Eject button while you drag. Then, drop the icon on the Eject button.
• Control-click the volume on the Desktop and choose Eject “Volume Name” from the contextual menu.
• Select the volume and press Command-E.
• Select the volume and choose File > Eject “Volume Name”.
• In the sidebar, click the Eject button next to the server’s name to unmount all volumes associated with a server (Leopard only; the behavior of the Eject button and the sidebar is slightly different in Tiger).
• Select the volume in any Finder window, and from the pop-up Action menu (it has a gear icon) at the top of the Finder window, choose Eject “Volume Name”.

TIP: If you don’t change your Finder preferences to display connected servers on the Desktop, you cannot dismount them using any method that requires selecting the volume on the Desktop.

Dismounting From Other Operating Systems

Here’s how to dismount servers in a few other common operating systems:

• Panther: Use all the methods described for Tiger and Leopard.
• Jaguar: Use all the methods described for Tiger and Leopard, except those that work exclusively in the sidebar.
• Mac OS 9: Dismount a server by dragging it to the Trash, selecting it on the Desktop and pressing Command-E, or Control-clicking it and choosing Eject from the contextual menu.
• Windows XP: Choose Tools > Disconnect Network Drive from any window on the Desktop. From the Disconnect Network Drives dialog box, you can select volumes to dismount.
• Vista: Unless you have explicitly mounted a drive using Map Network Drive (right-click Network icon on Desktop), you cannot unmount it! You have to reboot.

APPENDIX A: SLEEP AND SHARING FILES

In order to be reachable, any computer acting as a file server must be turned on and not in sleep mode. Although this seems obvious when stated this plainly, it can cause consternation if you use ordinary machines on your network as servers, as most of us do. Several readers of previous editions of this book wrote in with mysterious problems about servers disappearing, and reappearing later, which we tracked down to sleep options on the Energy Saver preference pane.

In sleep mode on a Mac, the processor cycles down and the monitor switches to a low-power mode. When it’s asleep, the computer will respond to a key press or mouse click, but network access doesn’t automatically wake the machine.

NOTE: Macs can be woken out of sleep if they receive a “magic packet” over the network—like a sleeping prince receiving the kiss from the brave princess that wakes him. But this magic kiss has two parts:

• First, you must open the Energy Saver preference pane, click the Options button, and check Wake for Ethernet Network Administrator Access.
• Second, you need a way to send the magic packet from another Mac. Unfortunately, Apple doesn’t offer a way to have one Mac automatically wake another by trying to connect over the network to a shared volume. But you can do it manually—use the free Wake550 to wake up a sleeping remote server from another Mac (http://www.tc.umn.edu/~olve0003/wake550.html).

Follow these steps to turn off automatic sleep in Jaguar through Leopard:

1. Open the Energy Saver preference pane, which displays the Sleep view.
2. If you are using a laptop, choose Power Adapter from the Settings For pop-up menu. (In Mac OS X versions prior to Leopard, you may need to click Show Details first.)
3. Drag the slider under the text “Put the computer to sleep when it is inactive for” all the way to the right to Never. (Selecting “Put the hard disk(s) to sleep whenever possible” is fine but will cause an annoying delay for infrequently used file servers, which must spin up sleeping drives when you access them.)

NOTE: Leopard is the first version of Mac OS X to make the logical leap and warn you when you enable File Sharing in the Sharing preference that you might want to change Energy Saver settings (Figure 21). Nice addition.

FIGURE 21: Nice warning, Apple!

If you want to put your Mac to sleep in the future, choose Sleep from the menu, or press Control-Eject and either click the Sleep button or press S. Remember to wake it before using it on the network as a server again.

ABOUT THIS BOOK

Thank you for purchasing this Take Control book. We hope you find it both useful and enjoyable to read. We welcome your comments at firstname.lastname@example.org. Keep reading in this section to learn more about the author, the Take Control series, and the publisher.

About the Author

Glenn Fleishman has written for hire since 1994, starting with Aldus Magazine. He contributes regularly to Macworld, the Economist, Popular Science, the New York Times, and the Seattle Times. He’s the Macintosh columnist for the Seattle Times, and a contributing editor at TidBITS. Glenn spends much of his time writing about wireless networking. He edits the daily Web log Wi-Fi Networking News (http://www.wifinetnews.com/) and five related wireless blogs.

Glenn lives in Seattle, Washington, with his wife and two sons. His older boy’s first word was “book,” not “Mac.”

Author’s Acknowledgements

This book has gone through several revisions and three editions, and I thank many contributors, readers, and colleagues.
I would like to add thanks to Tonya Engst for her almost literally tireless work in churning through these editions and the details involved. Thanks to Adam Engst, also, for his help with the media chapter of the book. The virtual thinness of this edition could not have been accomplished without Apple having listened to its customers, and fixed numerous bugs, while filling gaping holes in sharing services. Thanks, Apple!

About the Publisher

Publishers Adam and Tonya Engst have been publishing Mac-related content since they first created their online newsletter, TidBITS, about Macintosh- and Internet-related topics in 1990. TidBITS has been in continuous, weekly production since then. At the TidBITS Web site you can read the latest Macintosh news, check out software reviews, find out what’s fun and interesting in the world of the Mac, and much more (http://www.tidbits.com/).

Adam and Tonya are known in the Macintosh world as writers, editors, and speakers. They are also parents to Tristan, who thinks ebooks about clipper ships and castles would be cool.

Production Credits

Link-making AppleScript: Matt Neuburg
List macros: Sharon Zardetto
Take Control logo: Jeff Tolbert
Cover: Adam Engst, Tonya Engst, Sharon Zardetto
Editor in Chief: Tonya Engst
Publisher: Adam Engst

Credit here goes to Adam, for being patient, and to Tristan, for running the vacuum cleaner. Thank you to Glenn for being easy to work with, and a big thank you to Chris and Elaine for Friday October 26th child care. Finally, thanks to Oliver and Amelia for the promise of pumpkins.

Take Control of Sharing Files in Leopard
ISBN: 1-933671-33-5
October 2007, Version 1.0
Copyright © 2007 Glenn Fleishman. All rights reserved.

TidBITS Publishing Inc.
50 Hickory Road
Ithaca, NY 14850 USA
http://www.takecontrolbooks.com/

TAKE CONTROL books help readers regain a measure of control in an oftentimes out-of-control universe.
Take Control books also streamline the publication process so that information about quickly changing technical topics can be published while it’s still relevant and accurate.

The electronic version of this book does not use copy protection because copy protection makes life harder for everyone. So we ask a favor of our readers. If you want to share your copy of this ebook with a friend, please do so as you would a physical book, meaning that if your friend uses it regularly, he or she should buy a copy. Your support makes it possible for future Take Control ebooks to hit the Internet long before you’d find the same info in a printed book. Plus, if you buy the ebook, you’re entitled to any free updates that become available.

Although the author and TidBITS Publishing Inc. have made a reasonable effort to ensure the accuracy of the information herein, they assume no responsibility for errors or omissions. The information in this book is distributed “As Is,” without warranty of any kind. Neither TidBITS Publishing Inc. nor the author shall be liable to any person or entity for any special, indirect, incidental, or consequential damages, including without limitation lost revenues or lost profits, that may result (or that are alleged to result) from the use of these materials. In other words, use this information at your own risk.

Many of the designations used to distinguish products and services are claimed as trademarks or service marks. Any trademarks, service marks, product names, or named features that appear in this title are assumed to be the property of their respective owners. All product names and services are used in an editorial fashion only, with no intention of infringement of the trademark. No such use, or the use of any trade name, is meant to convey endorsement or other affiliation with this title.

This title is an independent publication, and it has not been authorized, sponsored, or in any way otherwise approved by Apple Inc.
Because of the nature of this title, it uses terms that are trademarks or registered trademarks of Apple Inc.; to view a complete list of the trademarks and of the registered trademarks of Apple Inc., visit http://www.apple.com/legal/trademark/appletmlist.html.