
nagromme

macrumors G5
Original poster
May 2, 2002
I've always turned PWS off when not in use, but it would be nice to have it up and ready 24/7 so people can grab certain (yes, legal) files from me any time.

* It would be running in a non-admin account. On a vital machine, but no vital files in that particular account.

* It would be at an address posted publicly (not here :) )

* It runs OS X firewall and is behind a DSL router's firewall. Fully-patched Tiger system.

How safe is this? What ways might people exploit Apache to get at my system? It makes me nervous but it would sure be nice! Talk me into it or talk me out of it :)

TIA!

(Ultimate goal is to deliver maps and mods for a UT2004 server. But the server is my laptop, which makes it important when I travel.)
 
Why not set up some webhosting? I mean, ASO is $25 a year for 75MB space and 3GB bandwidth or $50/year for 400MB and 10GB bandwidth and they are highly recommended on MR (e uses them, and I do too but only for a short time.)
 
Good thought. In this case, it's a hobby thing and not worth any money to me :) but thanks for the link! I'll keep it in mind.

Also, it's about 15 GB of files, only a few of which are needed at any one time but the set changes and must be refreshed--which would mean a massive upload from my end every so often.
 
...

How safe is this? What ways might people exploit Apache to get at my system? It makes me nervous but it would sure be nice! Talk me into it or talk me out of it :)

...
The US Army switched to Macs running MacOS 9/MacHTTP for its webserver back in the day. Today, it runs MacOS X/4D WebSTAR. The Army had been running Windows, but switched to the Mac for security reasons. Personal Web Sharing is an implementation of open-source Apache, the most popular webserver in the world. 4D WebSTAR is the commercial version of pioneering shareware webserver MacHTTP. I am aware of no security advantage one way or the other between 4D WebSTAR and Apache. You may have more pressing security concerns, but Mac webservers work just fine for the US Army.
 
I would not worry about it at all. Regardless of what user you're logged in as when you turn it on in System Prefs, Apache runs under its own unprivileged account, so even if it could be exploited in some way, it would be very unlikely that that attack could result in root access. The version that ships with OS X (Apache 1.3) is old, stable, and well-tested. Just double-check your permissions in your web-accessible folders, give those folders and the files within them no more permissions than they need, make sure they are owned by the proper account (www:www in /Library/WebServer/Documents and you:you in ~/Sites) and you'll be fine.
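
Added example, not part of the thread: a small shell function that performs the permission and ownership check recommended in the reply above on a web-served folder. The function name `audit_webroot` and the issue labels are made up for this example, and it assumes the folder serves static downloads only (no CGI), so any owner-execute bit on a file is reported.

```shell
#!/bin/sh
# Added example, not from the thread.
# audit_webroot DIR OWNER prints one "ISSUE<TAB>path" line per finding.
# Returns 0 if the tree is clean, 1 if anything is flagged, 2 on bad usage.
# OWNER is the account expected to own the tree, e.g. www for
# /Library/WebServer/Documents or your own short name for ~/Sites.
audit_webroot() {
    root=$1
    owner=$2
    [ -d "$root" ] && [ -n "$owner" ] || {
        echo "usage: audit_webroot DIR OWNER" >&2
        return 2
    }
    findings=$(
        # Anything under the root that is not owned by the expected account.
        find "$root" ! -user "$owner" \
            -exec printf 'WRONG_OWNER\t%s\n' {} \;
        # Writable by "other": any local account could change served files.
        # Symlinks are skipped; their own mode bits are not meaningful.
        find "$root" ! -type l -perm -002 \
            -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
        # Regular files carrying setuid or setgid bits.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID\t%s\n' {} \;
        # Assumption: static content only, so served files need read
        # access and never the owner-execute bit.
        find "$root" -type f -perm -100 \
            -exec printf 'EXECUTABLE\t%s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh ~/Sites "$(id -un)"
if [ "$#" -ge 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Each reported path can then be tightened with `chmod` or `chown` until the function returns 0.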
 