Wednesday, July 21, 2010

Not easy to use and by default not secure

I read something funny on the Mac website: "A Mac is easy to use, powerful, compatible, and highly secure." My experience setting up a Mac to connect with a network file space was not easy because its defaults are not secure.

Our pictures are located on a disk that has been shared for years by all of our machines. While investigating the Mac as a potential new machine, I asked several Apple store Specialists and Geniuses (capitalization from their website, but I like the irony) about connecting to network drives on a Linux system. Most did not even know what I was talking about, but finally the manager was able to provide some assistance. After a few button clicks there appeared a window that allowed for NFS. This was through Finder | Go | Connect to Server ... and the syntax seemed reasonable.

Unfortunately it did not work on my home system. Over the course of several months I would troubleshoot a bit here and there without success. Of course during that time the MacBook was an island unto itself concerning the shared pictures and other data.

The solution came only when I set aside several consecutive hours for research and experimentation. The first discovery was an application called Disk Utility, where I found a promising entry, File | NFS Mounts .... This utility gives a measure of control over the mount that the Connect to Server ... method does not. Finding the Advanced Mount Parameters input held promise but no help, because the root problem remained unclear.

More research revealed that Mac OS X, which is based on BSD, uses an insecure port. For an example see or for a few details. Both articles describe one potential way to get connected: change the server side to share over an insecure port. While this is probably a viable solution, I shun the idea of purposely doing something insecurely as the final solution. Of course, I hoped there might have been another solution.

The same articles also introduce the -resvport switch that worked from the command line. This solution is more to my liking because it changes the client to use a secure port. However, this did not work when used in the Disk Utility. (Note: The first article I found did not have an example of using the switch in Disk Utility, so I used the dash. However, after those attempts I found a second article that had an example in the Disk Utility that did not use the dash. It is possible that resvport may work, but I have not returned to that path.)

Since that did not work I continued the investigation and found the possibility that the -P switch might work. Indeed it did. Putting -P in the Advanced Mount Parameters of Disk Utility allows the Mac to connect to the external data.
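On a Linux NFS server, the server-side workaround described above corresponds to the `insecure` export option in /etc/exports (an assumption, since the post does not name the option). The shell function below is an added example, not from the original post. It lists the export/client pairs that carry that option, using a constructed sample file with made-up paths and client addresses.

```shell
#!/bin/sh
# Added example: find NFS exports that accept client source ports >= 1024.
# Narrowed to the common "path client(opts) ..." form; default "-opts"
# sections, quoted paths and backslash continuations are not handled.
# Client-side alternative from the post (host and paths are placeholders):
#   sudo mount -t nfs -o resvport server:/export /mount/point

# Constructed sample of an exports file; nothing here is from a real server.
sample_exports() {
cat <<'EOF'
# /etc/exports (constructed sample)
/srv/pictures  192.168.1.0/24(rw,sync,no_subtree_check)
/srv/scratch   192.168.1.50(rw,insecure,sync) 192.168.1.60(ro)
/srv/music     *(ro,insecure)   # relaxed for one laptop
EOF
}

# Reads exports text on stdin; prints "path client" for each pair whose
# option list contains the exact option "insecure".
find_insecure_exports() {
    awk '
        { sub(/#.*/, "") }          # drop comments, full-line or trailing
        NF == 0 { next }            # skip lines that are now empty
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                p = index($i, "(")
                if (p == 0) continue            # client with no option list
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)          # strip the closing paren
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "insecure") print path, client
            }
        }
    '
}

# Stand-alone run over the constructed sample.
sample_exports | find_insecure_exports
```

Against a real server, run `find_insecure_exports < /etc/exports`; no output means every listed client must still connect from a reserved port.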

It was by no means easy and the default behavior is insecure, contrary to the advertisements.
