Cussedness

The natural cussedness of things in general.

Securing MAMP

    MAMP is a really easy way of running recent versions of Apache, PHP and MySQL on your Mac for development purposes, something that can take quite a lot of effort if you attempt to set things up on your own.  There is one major drawback, however: the default install is really rather insecure, with Apache serving pages up to all and sundry, including the configuration sections of the install, meaning that anyone who happens to spot that port 80 is open can do things like drop databases at will, which would be somewhat irritating to say the least.  This tutorial from Eric Keil covers some techniques for securing everything, but I went about it a little differently.

    I decided that I didn’t want anyone to be able to access my development websites at all, so I restricted access to everything under the Apache document root by adding the following lines near the end of /Applications/MAMP/conf/apache/httpd.conf:

    <Location />
        Order allow,deny
        Allow from localhost
    </Location>

    This stops anyone from accessing anything on the server at all, unless they are on the same computer. <Location> directives override all the <Directory> directives that MAMP leaves wide open by default, so these lines prevent anyone from accessing MAMP-hosted sites from other computers without the need to change anything else in the configuration files.  MAMP isn’t suitable for running a production website anyway, so restricting access in this way is sensible, and I’m not really sure why Apache isn’t configured in this way by default.  Anyone who finds editing httpd.conf too intimidating really shouldn’t be running publicly accessible sites anyway.

    MAMP MySQL comes configured with an apparently pointless, anonymous and passwordless user account, which doesn’t appear to have sufficient rights to do damage to any databases, but should probably be deleted anyway just to be on the safe side.  I used MySQL Administrator to do this, available as part of the MySQL GUI toolkit, but you could also use MAMP’s install of phpMyAdmin to delete the anonymous row from the ‘user’ table in the ‘mysql’ database.  It is also sensible to change the default password for the MySQL ‘root’ user account; although that user can only be used from localhost, it’s better to be safe than sorry.  Eric Keil’s tutorial covers doing this in more detail.  Overall, the security for MAMP MySQL is much better than for Apache, as far as I can tell: the TCP port seems to be accessible only from localhost, so there’s no real need to add any further restrictions, but the above tweaks give a little more peace of mind.
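    The MySQL clean-up described above, written out as SQL rather than done through a GUI, is an added example and not part of the original post. It assumes a MySQL 5.x server of the kind MAMP bundled at the time (the `Password` column of `mysql.user` and the `PASSWORD()` function were replaced in later releases), a client already connected as root, and a placeholder for the new root password.

```sql
-- Added example: tidy up the MAMP MySQL accounts from a root session.
-- Assumes MySQL 5.x (on 5.7+ the Password column is authentication_string).

-- 1. See what is there. Rows with an empty User are the anonymous account
--    the post describes; rows with an empty Password need no password at all.
SELECT User, Host, Password FROM mysql.user ORDER BY User, Host;

-- 2. Remove every anonymous account. Deleting the row directly, as the post
--    does via phpMyAdmin, only takes effect once the grant tables are reloaded,
--    hence the FLUSH PRIVILEGES.
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;
-- Equivalent, if you know the host part of the anonymous account:
-- DROP USER ''@'localhost';

-- 3. Replace the default root password. Placeholder value: choose your own.
--    SET PASSWORD changes only the named user@host row, so repeat it for each
--    root row that step 1 listed (for example 'root'@'127.0.0.1').
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE_ME_placeholder');

-- 4. Verify: no anonymous or passwordless accounts remain, and root has no
--    entry that would allow a connection from another machine.
SELECT User, Host FROM mysql.user
 WHERE User = '' OR Password = '';                       -- expect no rows
SELECT User, Host FROM mysql.user
 WHERE User = 'root'
   AND Host NOT IN ('localhost', '127.0.0.1', '::1');   -- expect no rows
```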

    It would also be possible to completely secure MAMP by closing all the ports it opens in OS X’s firewall, using ipfw rules, but this strikes me as overkill, so I decided to leave that for another, more paranoid day.  It’s a shame that MAMP doesn’t have more secure default settings, as it seems to be pretty trivial to close up the main gaps in the defences of what is an otherwise rather splendid collection of software.

    0 comments • 2008-08-13 09:45 • Categories: Computers, Geek Stuff • Tags: Apache, Apple, MySQL, OS X, PHP, Security, Web

© Tom Ryan 2006 to 2008.