File sharing in Leopard

If you want to share files with other people (and who doesn’t these days?), you can always send the files via e-mail or iChat. But it’s far more efficient just to give your collaborators shared access to the files, folders, and volumes on your Mac and let them get the files themselves.

Unfortunately, OS X hasn’t always made file sharing easy. Tiger and preceding versions of Mac OS X lacked some file-sharing features—such as the ability to share folders as networked volumes—found even in Mac OS 9; plus the tools you used to configure file sharing weren’t always as straightforward as they should have been.

Sharing Preference Pane: In Leopard’s Sharing preference pane, you can specify which folders and volumes you want to share, with whom, and how.

The good news is that in Mac OS X 10.5, Apple has dramatically improved the tools you use to share all kinds of resources from your Mac across local networks and the Internet. And some of the biggest—and handiest—of these improvements are in the ways Leopard lets you share files, folders, and volumes. In the Sharing preference pane, you can now specify which folders and volumes you want to share, which users get what kind of access, and which file-sharing protocol they’ll use, all with drag-and-drop ease. Here’s how it works.

What to share

To start, launch System Preferences, select the Sharing pane, and select File Sharing in the Service list.

At that point, you’ll see two windows: Shared Folders and Users. As the name implies, you use the first one to share entire folders and volumes. You can add a folder or volume to the Shared Folders list in two ways: drag it from the Finder into the Shared Folders window, or click on the plus-sign (+) button and navigate to the folder you want to share.

You can choose to share any mounted volume—including a disk image—that isn’t itself a network volume. You can share the entire volume or any directory within it. By default, this list already includes your public folder.

Note that you can also share folders and volumes in the Finder by selecting an item, choosing File: Get Info, and selecting General: Shared Folder.

Whom to share with

In previous versions of Mac OS X, if you wanted to share files with someone, you had to set up a new account, with its own unique login and password. In Leopard, the process is much simpler.

Now you can add or remove users and groups in the Users list. To remove one or more people, you select a user or group and click on the minus (-) button. To add users, you click on the plus button; when you do so, you’ll see a list of users and groups in the Accounts preference pane. You’ll also see an entry for your Address Book; you can choose any contact, click on Select, and set a password, creating a Sharing Only account.

You can create entirely new users by clicking on the New Person button in the unlabeled dialog box that appears when you click on the plus button. Any new users you create here will also appear in the Accounts preference pane as Sharing Only users. (The Guest account isn’t listed here because it’s included as part of the special Everyone group, and is not available otherwise.)

Warning: Do not remove or modify the default users for the startup volume or for special folders like System or Library. Doing so could disable Mac OS X and require a boot from the startup DVD and a trip through Disk Utility’s Repair Permissions tool.

Leopard lets you configure file access for certain special classes of users, as well as for the people in your Address Book and Accounts lists.

Guest Accounts: You can give guests the ability to log in to your Mac or restrict them to shared folders only.

If you look at the Accounts preference pane, you will see a user named Guest. This account lets other people use your Mac without compromising the security of your own account. But it also gives them password-free access to volumes you choose to share. So if you select the Guest user in the Accounts preference pane and enable the Allow Guests To Connect To Shared Folders option, anyone with network access to your Mac will be able to access your shared folders without having to provide a password. (The Guest account can’t access files via FTP.)

You can also set up a new account type: Sharing Only. As the name implies, a Sharing Only account has remote access to shared folders and volumes on the Mac on which the account is set up, but no login privileges on that Mac.

You can create Sharing Only users in the Accounts preference pane by creating a new account and selecting Sharing Only from the New Account drop-down menu. You can also create a new Sharing Only user from the File Sharing pane by clicking on the plus button under the Users list; by default, that new user will be granted Sharing Only privileges. (Sharing Only users can access remote volumes only via Apple Filing Protocol [AFP], not FTP or Samba.)

You can select any folder or volume that you added in Shared Folders, and set specific access rights that correspond to users or groups of users. When you select a shared item, the Users list to its right fills with any existing permissions. For a folder in your home directory, you are usually listed along with the special Everyone user, which sets access for all accounts on the computer, including the Guest user.

You can specify one of four kinds of access rights—read only, read-write, write only, or no access—via the drop-down menu to the right of the user or group name. Read-write access gives users complete creative and destructive rights to all files in the shared folder. Users with read-only access can view files and folders, but they can’t change them. With write-only access, they can copy documents into the folder, but they can’t view its contents. (That’s why Apple helpfully appends the phrase Drop Box to the Write Only entry in the menu.)

Drop boxes are useful when you’re trying to let people submit information but prefer to give them no other access to the system. By default, Mac OS X sets up a shared Public folder in each user’s home directory: the folder is set to read-only status, and a Drop Box folder inside Public is set to write-only status.
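
The access levels described above can be checked from Terminal before you expose a folder to the network. The script below is an added example, not part of the original article: it assumes the Everyone entry corresponds to the POSIX "other" permission bits, and the function names and the sample folder layout (including the over-shared Projects folder) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what Everyone (which includes Guest) can do in a folder.
# Assumption: the Everyone entry maps to the POSIX "other" permission bits.

# Print one of the four Sharing-pane access levels for a folder.
everyone_access() {
    # ls -ld prints e.g. "drwxr-xr-x"; characters 8-9 are other-read, other-write.
    bits=$(ls -ld "$1" | cut -c8-9)
    case "$bits" in
        rw) echo "read-write" ;;
        r-) echo "read only" ;;
        -w) echo "write only" ;;   # the Drop Box case
        *)  echo "no access" ;;
    esac
}

# Print only the folders that Everyone can both read and change.
flag_open_shares() {
    for dir in "$@"; do
        if [ "$(everyone_access "$dir")" = "read-write" ]; then
            echo "$dir"
        fi
    done
}

# Constructed sample layout: the default Public/Drop Box pair plus two extras.
make_demo() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/shares.XXXXXX")
    mkdir -p "$root/Public/Drop Box" "$root/Projects" "$root/Private"
    chmod 755 "$root/Public"            # default: read only for Everyone
    chmod 733 "$root/Public/Drop Box"   # default: write only for Everyone
    chmod 777 "$root/Projects"          # over-shared: read-write for Everyone
    chmod 700 "$root/Private"           # no access for Everyone
    echo "$root"
}

demo=$(make_demo)
for d in "$demo/Public" "$demo/Public/Drop Box" "$demo/Projects" "$demo/Private"; do
    printf '%-11s %s\n' "$(everyone_access "$d")" "$d"
done
echo "Everyone can modify:"
flag_open_shares "$demo/Public" "$demo/Public/Drop Box" "$demo/Projects" "$demo/Private"
rm -rf "$demo"
```

Any folder printed under "Everyone can modify" is writable by a passwordless guest if guest access to shared folders is enabled.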

How to share

With permissions for access set, you now need to choose the method—and protocol—you use to share files. Leopard, like Tiger and Panther, offers built-in support for AFP, FTP, and Samba.

Leopard improves tremendously on previous versions of OS X by making all three services accessible from one central location. Unfortunately, you can’t specify what you want to share according to each sharing protocol. The permissions you grant to any given volume, folder, user, or group stay the same no matter which sharing protocol you use.

To specify how a given resource will be shared, click on the Options button in the File Sharing pane and select the protocol you want.

Typically you’ll want to use AFP when sharing among Mac users. Previous implementations of AFP used unencrypted passwords, which created a security risk, but this is no longer the case. Unfortunately, that means some older systems may not be able to connect to your Mac if you’re using AFP. Also, if systems that aren’t yet using Mac OS X try to connect to a Leopard AFP server, you’ll have to enable AppleTalk on the interface over which you’re sharing. (Go to the Network preference pane, select the appropriate adapter and then its AppleTalk tab, and turn that option on or off; note that only one adapter can have AppleTalk active at a time.)

Samba is the best option if you’re sharing files among mixed Mac, Windows, and Linux or Unix systems. Samba passwords are stored with weaker security than those used for Mac OS X. But to exploit even this weaker encryption, a malicious hacker must have access to the Samba password file; passwords in transit can’t be cracked by any known means.

FTP offers the most unrestricted access to your files, but that’s not necessarily a good thing: Leopard allows any full user account to connect via FTP without paying attention to the Shared Folders list of accessible shared volumes and folders. FTP users can traverse all mounted drives to which they have at least read-only permission.

FTP doesn’t encrypt passwords at all, so it’s unsuitable for use on any public network. You could use Secure FTP (SFTP), which uses strong encryption, but it isn’t integrated into Leopard’s File Sharing service. Instead, you enable SFTP by turning on the Remote Access service. SFTP lacks the configuration options of FTP, so all physically connected local volumes are shared.

How to access files

Once you’ve set up file sharing, other users can access your Mac by selecting it from the Shared list in the Finder. By default, Mac OS X will connect as a Guest. If you want to connect as a non-Guest user, click on the Connect As button and enter the appropriate user name and password. Resources shared in Samba, whether from another Mac, a PC, or a Unix box, show up with a Windows blue-screen-of-death icon (very witty, Apple). AFP icons correspond to the specific Mac model.

To connect to a server outside your local network, choose Go: Connect To Server from the Finder. Enter an IP address, a domain name, or even a Bonjour name to connect to AFP servers. (Not all IP addresses are publicly reachable outside the local network; see “Back To My Mac” for a solution to that problem.) For SMB or FTP, precede the name with smb:// or ftp://, respectively. For FTP, you can also use a stand-alone file-transfer program.

With both local and remote networks, Leopard no longer shows the mounted volumes on the desktop by default. Choose Finder: Preferences and click on General, and then select Connected Servers to show networked volumes on the desktop.

Screen sharing

Just as Leopard has made file sharing simpler than ever, it has made screen sharing—which lets you see and even control someone else’s Mac screen, or vice versa—possible without any third-party software.

Giving access to your system is simple: Launch System Preferences, select the Sharing pane, and select Screen Sharing in the Service list. To limit access to specific people, click on the Only These Users button, and choose which users can remotely control the screen; users must then enter their Mac OS X passwords for access.

Accessing a remote system is a bit trickier. Leopard offers five ways to do so.

The Finder: Over a local network, any computer that has Screen Sharing enabled advertises that fact via Bonjour. Open any Finder window, and select the server from the sidebar’s Shared list. If Screen Sharing is enabled, a Share Screen button should appear. Click on that and enter the appropriate user name and password for that computer.

iChat AV 4: Select a buddy, and the Screen Sharing button will (or won’t) light up, depending on whether that contact has Screen Sharing enabled.

Click on that button, and you’ll be offered the choice to Share My Screen With Buddy or Ask To Share Buddy’s Screen.

Internet: Using the Screen Sharing program in /System/Library/CoreServices, enter the IP address or domain name of the remote system, and you’ll be prompted for login information.

VNC on Tiger or Other Platforms: To access a Leopard system from Tiger, you’ll need a VNC client; Chicken of the VNC may be the best choice.

On the Leopard system, turn on VNC access by selecting the Screen Sharing service in the Sharing preference pane and clicking on the Computer Settings button. Select VNC Access and enter a password to allow VNC use.

Leopard users can access remote VNC systems directly through the Screen Sharing program or via the Finder sidebar’s Shared list using Bonjour, for those systems that support Bonjour.

In the Tiger system that you’re making accessible, go to the Sharing preference pane and select Apple Remote Desktop. Click on the Access Privileges button, and choose which users to enable by selecting their names and then selecting Control.

Back To My Mac

As the name implies, Back To My Mac lets you remotely access your Mac at the office or at home. It performs this bit of magic through the .Mac service and wide-area Bonjour. To enable Back to My Mac, you enter your .Mac account information in the .Mac preference pane, and then, in the Back To My Mac tab, click on Start.

Once you’ve done that, available Back To My Mac systems should appear in the Finder sidebar’s Shared group. The services available on that particular computer—File Sharing and/or Screen Sharing—should show up when you select the remote computer. Shared folders should appear automatically; clicking on Share Screen shouldn’t require a separate password entry.

The glitch in Back To My Mac is that it can have a hard time accessing Macs that connect to the Net through routers and Wi-Fi base stations. If the Mac you’re trying to access doesn’t have a publicly reachable IP address, you need to configure the router it’s sitting behind. If you’re using an AirPort Extreme or AirPort Express router (any version), that means enabling Network Address Translation Port Mapping Protocol (NAT-PMP). On other routers, it means turning on Universal Plug and Play (UPnP).

On routers without either feature, port mapping might allow you to create a tunnel between the router and a single computer on the gateway; Apple has a Knowledge Base article on how to make that work.

[Glenn Fleishman is the author of Take Control of Sharing Files in Leopard (TidBits Publishing, 2007).]
