
Another way to use personal web sharing and FileVault Network
I noticed that Personal Web Sharing was only partially functional when using FileVault. More precisely, accessing the user's web pages inside ~/Sites using a URL similar to http://localhost/~username would always fail with a permissions error. The reason for this failure is fairly simple. When the FileVault user logs in, the encrypted disk image /Users/.username/username.sparseimage is mounted as /Users/username. Apple rightly decided that a user using FileVault was trying to protect personal data, and so they set the access rights of /Users/username to 700 (rwx------), thus allowing only the user herself to access anything in her $HOME directory.

Unfortunately, this has the side effect of preventing the local Apache server from accessing the contents of /Users/username/Sites/, resulting in the aforementioned error.

A simple but unsafe solution:

A simple solution would be to change the access rights of /Users/username to 701 (rwx-----x). But that would create a fairly big hole in the otherwise good security settings Apple implemented. Read on for a better solution...

[robg adds: We've posted two previous hints (1,2) on this subject; the unsafe version above is similar to those, but read on for a new solution, based on access control lists.]

A better solution:

As of Mac OS X 10.4, Apple provided a better way to achieve the same goal: Access Control Lists (ACLs). In order to use ACLs, they must first be enabled on the given volume. Apple does this in Leopard on Time Machine backup volumes, in order to protect the backups using ACLs. But on 10.4 client, ACLs are never used by Apple to my knowledge. In our case, the tricky part is the fact that the volume in question is not / (your boot volume) but rather /Users/username -- the mounted FileVault disk image.

Use this Terminal command to enable ACLs for the FileVault user's (i.e. username) home directory:
sudo fsaclctl -p /Users/username -e
The following command grants the user www the right to look into known sub-directories, provided their permissions allow such access:
chmod +a "www allow search" /Users/username
Note: The Apache web server runs as user www on Tiger, but I believe it runs as user _www on Leopard. So on Leopard, you would probably need to change www to _www in the above command. I haven't tested this yet, though.

You can check the ACLs by using the ls command with the -e option:
ls -alske /Users
This solution is much better than the simple solution mentioned above, as it only grants the user www (_www on Leopard) any additional rights. But it is not perfect yet, because it also grants the user www the right to look into subfolders other than ~/Sites. I can think of some semi-complicated tinkering with ACLs to avoid this, but I haven't found an elegant solution yet. If you have one, feel free to comment.
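The three steps above, scripted with the checks a cautious admin would add, as an added example that is not part of the original hint. It assumes Tiger/Leopard tools (fsaclctl(1), chmod +a, ls -e, mount) and uses the hint's paths; the ls output it parses is the macOS format, where ACL entries follow the directory line as " 0: user:www allow search".

```sh
#!/bin/sh
# Added example, not from the original hint: applies fsaclctl -e and
# chmod +a to the mounted FileVault home, then verifies the result.
# Assumes macOS 10.4/10.5 tools and the hint's /Users/username layout.

# Tiger runs Apache as www, Leopard as _www: use whichever account exists.
apache_user() {
    for u in _www www; do
        if id "$u" >/dev/null 2>&1; then printf '%s\n' "$u"; return 0; fi
    done
    return 1
}

# Read the first "ls -lde" line from stdin; succeed only if the mode is
# still rwx------ (the hint's point: the ACL, not chmod 701, does the job).
mode_is_700() {
    read -r line || return 1
    case "$line" in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read "ls -lde" output from stdin; succeed only if it carries exactly the
# narrow entry the hint grants ("user:<web> allow search") for user $1.
has_search_ace() {
    grep -q "^ *[0-9][0-9]*: user:$1 allow search\$"
}

# Apply the hint to the mounted FileVault home directory given as $1.
grant_web_search() {
    home="$1"
    web=$(apache_user) || { echo "no www/_www account found" >&2; return 1; }
    # Refuse to touch the stub /Users/username if the image is not mounted.
    mount | grep -q " on $home " \
        || { echo "$home is not a mounted FileVault image" >&2; return 1; }
    sudo fsaclctl -p "$home" -e              # enable ACLs on the image volume
    chmod +a "$web allow search" "$home"     # let Apache traverse $HOME only
    ls -lde "$home" | mode_is_700 \
        || echo "warning: $home is no longer rwx------" >&2
    ls -lde "$home" | has_search_ace "$web"  # verify the ACE was recorded
}

# Usage: sh fv-websharing.sh /Users/username
if [ -n "${1-}" ]; then grant_web_search "$1"; fi
```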

Note: By using this hint, anyone with access to the web browser on the local machine can obviously access files stored in ~/Sites of the FileVault user. This may or may not expose sensitive information. To protect this data, configuring Apache to only allow access to these files using HTTPS (SSL) and requiring a password may help restore the security intended by activating FileVault in the first place.

See fsaclctl(1), chmod(1), and ls(1) for details.

Another way to use personal web sharing and FileVault | 4 comments
Another way to use personal web sharing and FileVault
Authored by: Anonymous on Dec 31, '07 08:10:38PM

This seems a rather complicated way when there's a simpler solution:
Just have your shared, public, non-private [etc] web directory outside of your encrypted home directory. Encrypting the web pages that are accessible from any browser is unnecessary.

Typical linux'y location would be /var/www/ - but a folder inside /Library/WebServer/ would make more sense, then you'd have to edit the apache config to point to your new location.

Or, if you don't feel like playing around with the apache configs, install something like XAMPP (The Apache Friends stuff), where the htdocs root is in /Applications/XAMPP/ - unaffected by the encrypted home directory.

Another way to use personal web sharing and FileVault
Authored by: Mike F. on Jan 02, '08 09:04:06AM

That's why I added the second note - to emphasise that unsecured access to the personal web pages in ~/Sites could lead to unintentional security leaks.

In my case I have some private documentation in HTML+PHP format that I want to keep private. In order to be able to view it I need a webserver. So this hint combined with SSL and password protection seems like a pretty good solution to me.

Another way to use personal web sharing and FileVault
Authored by: michelcolman on Jan 01, '08 04:43:02AM

Or, instead of using FileVault, you can just use an encrypted disk image that only stores your personal data. It sort of replaces my Documents folder, and I also replaced ~/Library/Mail with a soft link to a Mail folder on the encrypted image. Just set the image to mount automatically on login, and it all works just as transparently as FileVault. Only without the problems with disk corruption on sparse images (you can use a fixed size image instead).

Another way to use personal web sharing and FileVault
Authored by: Mike F. on Jan 02, '08 09:10:45AM

I've been using FileVault on my MacBook for a couple of months now and I have yet to see any problem.

I do agree though that a regular backup of the contents of the FileVault home directory is a very prudent idea. And of course you need to make sure that the security of the backed-up data is sufficient too.
