Personal File Sharing
 

When I turn on personal file sharing does that Mean that my files can be accessed from anyone on the internet who had my ip address and my password, OR is filesharing only accesable from your LAN?

That is only available from LAN with users that are authorized.

Anyone with your IP address, a Mac, and a valid login (username/password) can connect. It's definitely not LAN based.

sweet.... so thats conflicting replys
Do you know a way I can make it LAN Based?

Heres the deal: Yellow had it right the first time. Even if you're using a private IP address, someone that is able to attain your Mac address can correlate the two and use it to access your files, which is basically how you are able to surf the web behind a router. Now if you don't have a router, then you're exposing yourself even further since there is no natural "firewall" inbetween you and the outside, that is; unless you enable port filtering, etc via your own personal firewall settings on your computer.

Now if somone one has your IP address (assuming its a private address), thats of little concern since private IPs are used everywhere, everyday. However, if they can attain your MAC as well, then you're in trouble. The best solution is to authenticate, firewall, and provide anyother means you can on top of the file sharing.

You tend to hope that no one will figure our your unique username and password, but thats why you layer protection on top of everything else.

Want another conflicting reply?
 

If you are behind a router, it is essentially lan-based because the IPs assigned by your router (assuming you use DHCP) are non-routing IPs, so only the machines behind your router can see them, since it isn't a "public" IP. If you have a range of public IPs from your ISP and use those, then it opens up your computer to a wider range of connections. Sometimes that's desirable, sometimes it isn't.

Joe VanZandt

LAN based implies that it only works within your subnet, which I can assure you, you can connect to Macs OUTSIDE your subnet. So it's not LAN based at all.

If you're behind a router (or some other firewall enabled device), then effectively you're protected from outside sources connecting unless they have port forwarding set up (or not blocking port 548).

If you want to restrict it to only computers within your subnet, you should look into learning how to use ipfw2 (the built-in firewall) to restrict port 548 traffic to your subnet, or get yourself a router.

David, it would be most helpful if you clearly framed your question. Otherwise, you'll get another collective lecture on a wide range of networking questions leaving you without a clear answer.

If you're still on that three-Macs-on-a-LAN scenario, no worries. Otherwise, explain how exactly your internet-connection is set up.

Excellent, vdn, I was just about to ask this question: are you behind a router under your control?.

now, my set up is changing frequently, Friends will bring over there computers, plug them in. I dont set a password for my computer because I dont need one at all, everyone around my computer is welcome on it.
I live in a rural area, Sometimes im on dial up, some times Im on a high speed wireless connection (depending where I am). We have a band, so we are always hauling a couple of macintosh computers around for recording. I would like to share band files with personal file sharing with other computers (via firewire), Not have a password naging me every time i log in and change users, and be able to go on the internet without my computer being completly open to anyone who has my ip address.
I messed around with my firewall but when ever its on i cant personal file share at all, if its enabled for personal file sharing or not.

and again voldenuit sorry for the terrible communication

I can't test this at the moment to see if it's still true, but in the past, if there was an account without a password available for connection over AFP, it was possible for any remote user to connect to the account, and change that password. And of course if anyone was foolish enough to leave an "admin" account without a password accessible over AFP, depending on what else was enabled (or if the computer is runnng "Panther"), it could have been possible for someone to connect, take over the whole machine, change the password and lock out the real user.

yea, I think its possible on tiger also. I know for sure they can connect to my computer, and access all the files on my hard drive though, and delete files as much as they wanted (if I left file sharing on and then went on the internet). Right now I just never go on the internet with File sharing turned on.

FWIW, a password will help curtail possible accidents from happening.

Say someone connects to your system and accitentally trashes an important system file. A window will pop up asking for authentication. This window has the name of the currently logged in user already filled in. With no password, if they simply press enter the changes will be commited, resulting in a hobbled computer.

Having a simple, easy to remember password is much better than none. Just make it the same as your login name, or the name of your band or something. This goes againts almost every "sensible password guideline"...but a little security is better than nothing.

It's good that you're enabling/disabling Personal File Sharing when needed.

That being said, in reality the odds of someone cracking into your Mac is extremely low. It would take a lot of work by someone with enough time and skill to make something like this happen (unless an exploit is uncovered, then any script kiddy would have access to your bands info).

No worries, just trying to make sure you get the best possible answers from the forums... I'm having a lot of fun when the others try to figure out what you really meant, but you're probably not ;) .

Leaving an admin account unpassworded is an extremely Bad Idea and that's a polite understatement, feel free to ask for a stronger wording if you're not convinced.

For what you really want to do, setting up a distinct account, perhaps using Sharepoints, pointing only to a directory where the files live you want to share is a much better idea. Your friends can still read and write all they want, but only in the folder(s) you allow them to. That way some drunk-out-of-his-mind drummer can no longer ditch your entire Documents folder...

Setting up joe accounts (login=password) makes no difference, unless you're trying to defend yourself against 3 year old retards.

No need to get paranoid, but some very basic common sense goes a long way.

yea thanks for the advice. I probably should set a password.
But as long as I have file sharing disabled, there is no risk in not setting a password other than someone physically getting on my computer right?

yup, with file sharing turned off the biggest (and only realistic) threat is someone sitting in front of your computer.

Not quite.

Whenever a program does something that requires you to enter your password, leaving it empty would allow the (hostile) program to bypass that step.

Leaving accounts, especially admin accounts, without a decent password (>8 chars, no dictionary word, mixed case...) is a very Bad Idea. You even get lectured by Apple that it is Bad Practice to do that when you try.

What else will it take to understand that you're probably better off to comply with recommended policies unless you completely understand what you're doing ?

In case this point needs more emphasis, let me say that I agree with voldenuit.
It is very important to have a good (i.e. hard to guess - see this thread) password for at least the user accounts that have admin privileges.
Not having a good password is analogous to leaving the door of your house unlocked when you live in a bad part of town. Any computer that is (ever) connected to the Internet, or on which you run software that you got from anywhere other than an implicitly trustworthy source, is effectively in a bad part of town.

ok guys i set a password Its long, confusing, and really annoying.
and I finally set it so all the users arent admins.... thats right....all the users were admins
I still like fat elvis's look on it though

Technically, other forms of file sharing could easilly be enabled outside of the Sharing Preferences Pane. With no password, there's nothing to prevent any ap from turning on those exploits and using them. If you're on the Internet, you should always have passwords for administrative accounts. Even a simple password is better than none.

But applications ask me for my password all the time,
And all I have to do is click OK
The apps still have to ask me dont they?

Which apps are asking you for your password? And when do they do this? What are you trying to do when they ask?
It should be relatively unusual for an app to need your password.

If an application goes through the normal APIs, a password dialog would be presented. This is how a "good" program operates. That doesn't mean that a "bad" program can't attempt to go through the back door and send a blank dummy password directly through the UNIX command line. If it fails, no harm - no foul. You'd never know it even tried. It would be extremely easy to write a bash script to open various ports into your files that would be invisible to the Sharing preference pane.