What are the built-in options?
| 9:59 pm on Nov 20, 2003 (gmt 0)|
The other night, I finally turned AppleTalk on, so my boyfriend could access files on my machine at home. But now I'm freaking out, concerned that anyone standing outside my house with a laptop could get access to my more interesting data. I'm on a wireless network with a firewall, router, and NAT, with WEP turned on. The machine I'm using is a G5 with Jaguar (upgrading soon, if it matters).
My question is this: How does my Mac deal with security? Is it just like Linux security? When I look at the Info for an individual file or directory, I seem to have lots of security settings, but I don't get the interface. Does each file/directory get one owner and one group? Where do I go to find out who the listed groups represent? (I'm trying to lock out non-authenticated users.) Are security settings inherited? Can I set my basic permissions for the Hard Drive and be relatively sure I've locked out undesirables?
I'm not sure what I need, in terms of a push in the right direction, but any information anyone can share is greatly appreciated.
| 10:22 pm on Nov 20, 2003 (gmt 0)|
You have various security options with MacOSX. In your system settings you have a personal firewall that allows you to block access to any ports that are not used for a service (like web server, sharing, ssh etc.).
Just look at the System Settings > Sharing > Tab Firewall and disable everything you don't need. Normally you won't need any service unless you run a webserver. SSH is somehow exploitable so I'd disable it. But, seriously, MacOSX is pretty secure unless you run public servers without knowing what you do.
Fellow member EliteWeb might give you some more hints ...
| 6:46 am on Nov 21, 2003 (gmt 0)|
I never used AppleTalk so I'm not sure if this idea would prevent your boyfriend from accessing your files or not but it is something you can try.
What I did was set the permissions on the directories in my home directory /Users/dave to no access for "group" and "others". You should be able to do this with finder.
In finder right click on the directory that you don't want others to be able to get into. A menu will pop up and then click on "Get Info". Look for the section that says "Ownership and Permissions". Look for "Group" and right below that it will say "Access". Click on the menu for access and look for "No Access" and click it. You can also do the same for "Others". You do not have to click "Apply to enclosed items". When you're done just close that window and follow the same steps for any other directory you don't want people to get into.
If you use the terminal, you can get a look at all your directories and the permissions they have by typing: ls -l
I don't recommend changing the permissions on your Hard Drive as that may cause problems.
| 2:33 pm on Nov 21, 2003 (gmt 0)|
Not a security expert, but here's some "common wisdom"...
Don't forget to make sure your wireless network requires a hard-to-guess password. That's pretty easy to do with Airport.
From the Internet, you seem to be pretty secure. NAT helps a lot.
Probably want to make sure that under your System Preferences...Sharing that "Internet Sharing" is off.
To answer your first question, Mac OS X handles security a lot like Free BSD Unix. I hear (but don't know) that Linux is a little different.
If you're still nervous, shut your computer off when you're not using it.
You can use the finder's Get Info command to "lock down" individual files/folders. I'd suggest only doing this to things you create, which are inside your account, e.g., your "Financials" folder, not the "Documents" folder.
You might want to set up a User account for your boyfriend with his own password. Even beyond security issues, it makes it easier/more fun to share the computer.
| 4:29 pm on Nov 21, 2003 (gmt 0)|
Thanks to all of you for the info. Sounds like I'll be ok if I just lock down the folders that contain the browser caches, since everything else on that machine was explicitly created to end up on the web.
timster, when you recommend I put a password on my network, do you mean beyond the WEP key, or will that do it?
One last question: Is there a group that includes root and the system, but not guest users or any accounts I may add later?
| 6:17 pm on Nov 22, 2003 (gmt 0)|
Problem 1): Securing your wireless network from any outside intrusion.
In the following I'm assuming you have an Airport BaseStation of any kind.
In 'Applications/Utilities' you've got the 'AirPort Admin Utility'
Start this application, select your AirPort BaseStation and log into it.
(I'm on a danish system, so I don't know precisely what the options are named in english, but you ought to get my drift anyway ;) )
Select the button at bottom left (Show All ***)
In the first Pane check off all three boxes at the bottom
- Closed Network (makes sure you don't advertise the name of the network)
- Stability (improves the connection at the expense of speed)
- Encryption (no listening in - please ;) )
And set the highest possible level of security with a *very* hard to crack password. Very hard to crack passwords means:
- at least 8 characters
- mixes lower and uppercase
- at least one number and if possible at least one special character
- don't use any known dictionary words, common names, the licence number of your car, the name of your pet, etc (you get my drift, I hope ;) )
Also, use the same guidelines as described for the password to set the name of the network.
In 'Applications/Utilities' you've also got 'Network Utility'
Start this application and select the first pane (info)
In the select box choose your AirPort Card (usually EN1) and write down the Hardware Address.
Back to 'AirPort Admin Utility' and choose the fifth pane - Admittance.
Click on 'Add' and enter the Hardware Address of your Airport Card.
Save your settings, etc in 'AirPort Admin Utility'
Now, *only* your computer will be able to log into your wireless network.
Any potential cracker will have to discover the following three things before being able to do anything at all:
- the network name
- the password
- the MAC address of your computer
and then the cracker'll have to modify the MAC address of his/her network card to match yours. None of these four tasks are easily undertaken if you follow my guidelines as described above.
| 8:59 pm on Nov 22, 2003 (gmt 0)|
OK - now on the second paragraph:
Mac OS X security is based upon exactly the same principles as you'll find in any Linux distribution and any version of Unix. In fact, Mac OS X is a variant of FreeBSD Unix. So, any book dealing with Unix or Linux security is recommended reading.
Any file and folder has three entities associated with it and each entity has three levels of permissions.
Try the following: start 'Terminal' in 'Applications/Utilities' and then enter the following : ls -aloF . You'll now have a list of the files and folders in your home directory with all of the associated permissions and entities. Files and folders starting with '.' are invisible to 'Finder'. Note especially how the 'Sites' and 'Public' folders have been set up in comparison to your other folders. Then, try the following : cd Public ; ls -aloF , and compare.
As to the entities, there are three: the owner, the group, and everybody else. Each of these can have three kinds of permissions: read (r), write (w), and execute (x). There are a few other possibilities, but these cover the basics. You might wonder why a folder can be executed. That's because when it's a folder the execute flag indicates that the entity can access the folder, while when this flag is set on a file it means it ought to be an executable program.
Each file and each folder gets one and only one owner and one and only one group associated with it.
To mess around with users and groups you'll need to start 'NetInfo Manager' in 'Applications/Utilities'. But basically, you normally use the preference pane 'Accounts' to create new users and their associated home directories in a user-friendly way as well as administer users generally. If you are the only user on your computer, try creating a new user from scratch, and then use 'Finder' to navigate to that user's home directory and see just *what* you are allowed to do. That's how other users'll see your home directory.
In the 'NetInfo Manager' interface you can really mess things up, but this is the place to create new groups and associate users with these. To create a new group, select an existing one that looks somewhat like the one you want to create, and press the 'Duplicate'? button (the one with two folders at the top of the interface). Then just change the settings to your liking. If it's a normal group you want to create, my advice is to base your new group on 'staff'. You'll need to change at least the name and gid to something else that's not in use anywhere else. Take special care not to get a duplicate gid - that can really mess your security up and really confuse Mac OS X.
Users and groups come in two flavours: people and processes. Some processes like the Apache webserver, the MySQL database server, and the Sendmail daemon have their own user and group associated with them. This is for security reasons : they won't be able to access anything else but what they are supposed to access and nobody'll be able to mess around with their files.
Good places on the web are :
- [mac.oreilly.com...] and [safari.oreilly.com...]
- [osxfaq.com...] and [macosxhints.com...]
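The owner/group/others model described in the post above, and the Get Info "No Access" steps given earlier in the thread, shown as Terminal commands. This is an added example, not part of any member's post; the function names and the temporary folder names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Folder names under the temporary directory are constructed.

# Print every folder directly inside $1 that grants ANY permission
# (read, write, or execute/traverse) to "group" or "others".
# Each -perm -NNN test matches when that single bit is set.
list_exposed_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Terminal equivalent of choosing "No Access" for Group and Others in
# Get Info: clear r, w and x for both, leave the owner's bits untouched.
# Deliberately not recursive: once the folder has no x bit for group and
# others, other ordinary users cannot reach anything inside it, which is
# why "Apply to enclosed items" is not required.
lock_down() {
    chmod go-rwx "$1"
}

demo() {
    home=$(mktemp -d)                     # stand-in for a home directory
    mkdir "$home/Financials" "$home/Public" "$home/Cache"
    chmod 755 "$home/Financials" "$home/Public"   # rwxr-xr-x
    chmod 700 "$home/Cache"                       # rwx------
    echo "Exposed before:"; list_exposed_dirs "$home"
    lock_down "$home/Financials"
    echo "Exposed after:";  list_exposed_dirs "$home"
    ls -ld "$home"/*                      # compare the mode strings
    rm -rf "$home"
}
demo
```
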
| 4:53 pm on Nov 24, 2003 (gmt 0)|
BjarneDM, thanks for your hints. I've talked about limiting access by MAC address, so I probably will do that. The rest I'm waiting on, since my boyfriend's WiFi card seems to have issues joining all but the most open network.