
Password protected file sharing of a single folder Network
I ran into an OS X limitation recently when trying to create a directory that both myself and another remote user could access via AppleTalk. I needed it set up where:
  1. the remote user would be able to see only that directory,
  2. the remote user would need a password to access that directory, and
  3. we both could read/write to that directory.
Although in OS X you have a shared folder and a drop box, the person logging in can't write to the shared folder, and (worst of all) you don't even need a password to access it. If I created a new user using the Users pane in the System Preferences, then we would still have the same problem of not having a common folder to read/write to, not to mention that it would create a bunch of unnecessary directories (like Desktop, Library, Music, Movies, etc).

I tried a shareware app called SharePoints, but for some reason couldn't get that to work (I'm sure it was my own fault) ... besides, sometimes I prefer to figure out the geekier ways of doing things. Read the rest of the article to see what I did to solve this problem...

First I created the directory to share (let's call it sharedir), which I put in my own user's directory. Then in the terminal I typed:
 % chmod 770 ~/sharedir
This made it so that myself and anyone in the group staff would have all access, and the rest of the world would have none.

Secondly, in NetInfo Manager I created a new user like so:
  • in the second column of the Directory Browser scroll down and select 'users'.
  • highlight 'www' and click Cmd-D to duplicate. Work on the copy from here on down.
  • delete the 'realname' line (so that the user won't show up in the login list).
  • change the value of 'name' to the username you want.
  • change the 'uid' value to one that no other user has (I used 504).
  • change the value of 'home' to the directory created earlier.
  • change the value of 'gid' to 20 (which is staff, the group that all users belong to).
  • set the value of 'password' to the encrypted password that you want (see below).
  • click on any other user or directory to get the save dialogs, and save.
To get the encrypted password, in the terminal type:
 % openssl passwd -crypt
It will ask you for the password on the next line, and then it will display the encrypted version of the password you entered.

That's it! :-)

Note that all users on the host machine will be able to access the new shared folder. If you didn't want to do this, then you'd need to create a new group and make only the users that should have access a part of the new group. Then you'd change the group ownership of the new directory to that of the new group. I didn't need to go this far, so I didn't figure out how to create and add users to groups using NetInfo Manager. Hopefully someone else can fill us in on this.

Password protected file sharing of a single folder | 17 comments
Easier way to share folders...
Authored by: Elander on Jul 24, '02 12:02:09PM

The easiest way I have found to share folders is via WebDAV.

Here is the general method:

Install webmin on your machine (http://www.webmin.org/). It takes about five minutes, including the coffee break.

Using webmin, load the module "mod_dav" in your Apache server.

Add the folder you want to use as a shared folder as a DAV folder, and set up user privileges for it in webmin. You can create as many new users as you like and also groups. They will only be web users and groups, not unix accounts on your machine.

Start Apache (if it is already running you need to stop it and then start it again for the new settings to take effect).

By using the webserver as authenticator, this saves you the trouble of creating new unix users and meddling with NetInfo Manager. It also makes it real easy to move the whole thing to a new machine if you want to.

You can even use SSL (either with a real certificate or a fake, both will work) so your users can connect via https instead of http.

If the above seems difficult, let me know (preferably by posting a reply here) and I'll write a more detailed instruction.



[ Reply to This | # ]
Easier way to share folders...
Authored by: Elander on Jul 24, '02 12:11:59PM

Oops...

I gave the wrong address for webmin, it should be the one below instead:
http://www.webmin.com/

Sorry.



[ Reply to This | # ]
Easier way to share folders...
Authored by: repro on Jul 25, '02 06:22:03AM

As someone belonging to the group of inexperienced UNIX users, I would like to see a more detailed description of the installation of the webmin method from ELANDER. I am very interested in the https (SSL) and the possibility of Windows users also having access.



[ Reply to This | # ]
Easier way to share folders...
Authored by: Elander on Jul 25, '02 03:41:15PM
Well, it turned out to become a rather lengthy document (about 10k) so I figured robg wouldn't be too pleased if I posted it as a reply.
I put it up on my iDisk instead:
homepage.mac.com/max.elander/FileSharing.html
Before you download it: it takes a while to do all the initial installing and configuring. Particularly if you want to use SSL. When you're done, you will however have a very potent admin application to handle most servers on your computer. You will also have a "remote control" so you can run shell commands from another computer if you want. You can do ANYTHING with webmin!
This means that choosing a good password is essential.
You will also have a very good reason to read the documentation on Apache, especially the part about security. You can find it here; Apache documentation
Beware also that installing webmin doesn't mean you don't have to read the manual for your server applications. You do! So there.

[ Reply to This | # ]
Screwed up the link to Apache's docs...
Authored by: Elander on Jul 25, '02 03:46:47PM
Here is the correct one: Apache documentation. Sorry.

[ Reply to This | # ]
RE:Correction
Authored by: timrob on Jul 25, '02 08:18:30PM

In the webdav.rtf file it says:

"3. Make sure that Apache (user=wheel) owns your folder."

The Apache user in OSX is "www" not "wheel". It is probably not a good idea for it to be in the "wheel" group as root is in that group also.

Tim



[ Reply to This | # ]
RE:Correction
Authored by: Elander on Jul 26, '02 01:57:44AM

Sorry. I thought I had changed that. I have now though, so the new version should be correct.



[ Reply to This | # ]
i guess easy is relative
Authored by: badrad on Jul 24, '02 03:57:40PM

I don't know Unix. That simple.

All I want to do is get as close as possible to the ability of the filesharing in OS 9, where you could easily browse all the volumes on all the computers on the network, with full read and write privileges. Our network is shielded from the outside so security is not an issue.

I installed Apache 2.0, I can't even begin to configure it because OS X likes to hide entire directories and stuff from me, and I don't know all the terminal commands.

Gah! OS X is getting closer and closer to being used on all our machines at the office. I am the only one using it now, and I had to really work hard to get that approved. I've got all the quirks worked out, and the only remaining barriers, short of a few missing drivers (damn you epson! and hurry up lacie!), the only 2 remaining barriers are a native quark (which should happen eventually) and this damn filesharing stuff!



[ Reply to This | # ]
found another hint that did it
Authored by: badrad on Jul 24, '02 04:17:49PM

http://www.macosxhints.com/article.php?story=20011108161839416

I am still working out making some extra things writable, but I was able to accomplish what I was after with this.



[ Reply to This | # ]
found another hint that did it
Authored by: badrad on Jul 24, '02 04:42:04PM

Ah, further toying with the method I described that I used shows it is not as complete as I thought. While the entire volume is readable, it is not writeable. Plus, if I set a directory to writeable, it does not set subdirectories.

I would like it so any subdirectories/files inherit the privileges, plus any new files/directories created after the setting of the privileges inherit them. Just like OS 9. Am I making sense?



[ Reply to This | # ]
WebDAV Tutorial
Authored by: timrob on Jul 26, '02 01:55:09PM

There is a good tutorial at:

http://www.goliveheaven.com/tutorials

It doesn't use Webmin.
Between this tutorial and the document listed here you should be able to put together a WebDAV server fairly easily.
Also, if you want the server to use mod_ssl, you need to start the server with:

%httpd -D SSL



[ Reply to This | # ]
WebDAV Tutorial: a warning
Authored by: Elander on Jul 27, '02 11:19:01AM

Although the tutorial mentioned above (www.goliveheaven.com) is pretty good, it contains one thing that is generally considered a "bad idea". They use ".htaccess" files to provide access control.

A ".htaccess" file sits in the directory it is intended to protect, which is generally accepted as a potential risk. Most security experts advise against using them. That's why I included a bit in my tip to place the password files outside the hierarchy of folders contained in the server's root folder. Doing so makes it more difficult for the evil doers to get at it (unless they hack webmin of course).

I know I'm being paranoid, but in this day and age that is a profitable condition. Remember, just because you're paranoid it doesn't mean that everybody else isn't trying to hurt you...

Also, my tip requires you to do a lot of "sudo" commands. You really shouldn't just take them for granted. The command "sudo" is inherently dangerous and you should figure out what those commands are doing before you try them. You don't know me, so why should you trust me?

;-)



[ Reply to This | # ]
WebDAV Tutorial: a warning
Authored by: jima on Jul 28, '02 05:33:55AM

Yes, it's a bad idea to have the password file in a publicly accessible directory, but the .htaccess has to be there to protect the directory (unless you do it in the httpd.conf).

So on OS X a safer place to put the password file is in /Library/Webserver. Just don't put it anywhere in /Library/Webserver/Documents. Use this to create a new password file called .htpasswd:
htpasswd -c /Library/Webserver/.htpasswd username
And to add new users just remove the "-c". Also it's a good idea to prepend a dot (".") to your password file name so that they are hidden.

Note that the way Elander described this part in his tutorial is much better -- not only is the password file in a non-public directory (as above), but instead of using a .htaccess file it was done in the httpd.conf. I don't know if it's more secure not using the .htaccess file, but I do know that it's MUCH faster. Still you should use hidden names for the password files.

Jima



[ Reply to This | # ]
WebDAV Tutorial: a warning
Authored by: Elander on Jul 28, '02 10:38:33AM

You hit the nail there: the .htaccess file is publicly accessible. Not only that, it has to be read by the Apache server, so every user -- or scripts uploaded by users -- can read it. The "invisibility" offers no real protection, it only hides the file from Finder view. Unless you change the file permissions to exclude the Apache server from also altering the file, your system is wide open!

Using httpd.conf, and a password file outside the server hierarchy is thus less unsafe. Unless you screw up the permissions yourself of course... ;-D

In short: don't use ".htaccess" and be careful when you choose passwords and assign privileges!



[ Reply to This | # ]
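
The httpd.conf approach that Elander and jima describe above, as an added example that is not part of the thread or of Elander's tutorial: the weak .htaccess layout is shown commented out beside a DAV folder whose authentication lives entirely in httpd.conf. The shared folder path, realm name and lock database path are assumptions, the password file path is the one jima gives, and the syntax is that of the Apache 1.3/2.2 era.

```apache
# Added example; paths other than the password file are assumptions.

# Weak layout discussed in the thread, kept commented out for contrast:
#   /Library/Webserver/Documents/shared/.htaccess
#       AuthType Basic
#       AuthName "Shared"
#       AuthUserFile /Library/Webserver/Documents/shared/.htpasswd
#       Require valid-user
# Both files sit in the tree that Apache serves and, with DAV enabled,
# can write to, so an authenticated upload could replace the access rules.

# Hardened layout: all access control in httpd.conf, nothing in the served tree.

# Lock database for mod_dav. The directory must be writable by the Apache
# user (www on OS X) and must live outside the document root.
DAVLockDB /Library/Webserver/davlocks/DAVLockDB

<Directory "/Library/Webserver/Documents/shared">
    # Ignore any .htaccess found here, including one uploaded over DAV.
    AllowOverride None

    DAV On

    AuthType Basic
    AuthName "Shared"
    # Created with: htpasswd -c /Library/Webserver/.htpasswd username
    AuthUserFile /Library/Webserver/.htpasswd
    Require valid-user
</Directory>

# Refuse to serve .htaccess/.htpasswd-style files if one ever lands in the tree.
# On Apache 2.4 the body is "Require all denied" instead of Order/Deny.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
```

Basic authentication sends the password merely base64-encoded with every request, so this configuration belongs behind the SSL setup Elander mentions. The password file should be readable by the Apache user but not writable by it.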
you mean the password file?
Authored by: jima on Jul 28, '02 05:18:32AM
Yes, it's a bad idea to have the password file in a publicly accessible directory, but the .htaccess has to be there to protect the directory (unless you do it in the httpd.conf). So on OS X a safer place to put the password file is in /Library/Webserver. Just don't put it anywhere in /Library/Webserver/Documents. Use this to create a new password file called .htpasswd:
htpasswd -c /Library/Webserver/.htpasswd username
And to add new users just remove the "-c". Also it's a good idea to prepend a dot (".") to your password file name so that they are hidden. Note that the way Elander described this part in his tutorial is much better -- not only is the password file in a non-readable directory, but instead of using a .htaccess file it was done in the httpd.conf. I don't know if it's more secure not using the .htaccess file, but I do know that it's MUCH faster. Still you should use hidden names for the password files.
Jima

[ Reply to This | # ]
Ignore above: posted in wrong place
Authored by: jima on Jul 28, '02 05:30:03AM

this was meant to be a reply to Elander's "WebDAV Tutorial: a warning"

so sorry :)



[ Reply to This | # ]
My experiences
Authored by: badrad on Jul 29, '02 03:36:35PM

I have explained the 3 best ways I have found to file share under OS X at:
http://www.abacusgraphics.com/osx/



[ Reply to This | # ]