SUMMARY

| Field | Value |
|---|---|
| Protocol | AppleTalk Filing Protocol |
| Protocol suite | AppleTalk |
| Layer | Application Layer |
| Related protocols | Ethernet, Token Ring, FDDI, AppleTalk |
DESCRIPTION
The AppleTalk Filing Protocol (AFP) enables file sharing across a network. Clients can gain access to files on remote servers by using native file system commands. AFP also provides user authentication and file access control. On Macintosh computers, the AFP server is implemented as AppleShare. AFP is built on top of the AppleTalk Session Protocol (ASP), if AppleTalk is being used, or on top of the Data Stream Interface (DSI), if TCP/IP is being used.
This protocol preserves the transparency of the network by allowing users to manipulate remotely stored files in exactly the same manner as locally stored files. AFP uses the services provided by the ASP, the ATP, and the AEP.
AFP passes user commands down the protocol stack to lower-layer protocols that handle establishing connections and monitoring data flow between systems. AFP itself resides in the presentation and application layers of the AppleTalk protocol stack. It has the following features:
- AFP sets up an environment for a user that appears as if files on a remote file server are available locally.
- Access to server files is handled using the same procedures as access to local files, except that a user must initially establish a connection to the remote file server.
- AFP provides security features that can restrict user access to files.
AppleShare is Apple's client and server software that allows Mac OS (operating system) users to access shared files and printers. It is based on AFP. Macintosh users access AppleShare servers through AppleShare client software. Note that starting with the Macintosh System 7 OS, Macintosh users were able to share files on their own systems with other users.
In 1995, Apple introduced its Open Transport software, which allows the Macintosh system to support multiple protocols. This move was made primarily to add support for TCP/IP and the full suite of Internet protocols. In this scheme, AFP is tunneled across the TCP/IP network, allowing users to gain access to AppleShare servers, Web servers, FTP servers, and other services across intranets.
The protocol serves functions similar to those of SMB, the file sharing protocol in Windows environments. AppleFileServer, the process that provides AFP services, contains an integer buffer overflow. The overflow can be triggered by a specially crafted "FPLoginExt" (authentication) request that declares a negative length for the "User Authentication Method" string. An unauthenticated attacker can exploit this flaw to crash the AFP server. Code execution (with root privileges) may be possible but has not been confirmed at this time. Note that the AFP service is not enabled by default.
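The bug class described above is a length field trusted before it is checked. The C program below is an added example, not code from this page or from Apple: it parses the length-prefixed strings of a login request the hardened way, reading each length byte as unsigned and comparing it with the bytes actually remaining before any pointer into the payload is handed out. The request layout is simplified and assumed here (a 4-byte header of command code, pad byte and 2-byte flags, then the AFP version string and the UAM name string, each as one length byte plus that many bytes; the later fields of the real request are omitted), and both sample requests are constructed, not captured traffic. `afp_signed_length_bug` shows, as arithmetic only and without touching memory, what a signed read of the same byte produces when it reaches a `size_t` parameter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing a field. */
enum afp_parse_status {
    AFP_PARSE_OK = 0,
    AFP_PARSE_SHORT = 1,      /* buffer ends before the length byte itself */
    AFP_PARSE_TRUNCATED = 2   /* declared length runs past the end of the buffer */
};

/* Parsed view of the two strings checked here. The pointers alias the
 * input buffer; nothing is copied, so there is no fixed-size destination
 * for a bad length to overflow. */
struct afp_login_ext {
    const uint8_t *version; size_t version_len;
    const uint8_t *uam;     size_t uam_len;
};

/* Assumed simplified header: command code, pad byte, 2-byte flags. */
#define AFP_LOGIN_EXT_HEADER 4

/* Parse one length-prefixed ("Pascal") string at *off. The length byte is
 * read through uint8_t, so it can never be negative, and it is compared with
 * the bytes actually remaining before any payload pointer is returned. */
static enum afp_parse_status
afp_parse_pstring(const uint8_t *buf, size_t buflen, size_t *off,
                  const uint8_t **out, size_t *outlen)
{
    if (*off >= buflen)
        return AFP_PARSE_SHORT;
    size_t len = buf[*off];          /* 0..255, unsigned */
    size_t start = *off + 1;         /* start <= buflen because *off < buflen */
    if (len > buflen - start)        /* cannot underflow; rejects 0xFF on a short buffer */
        return AFP_PARSE_TRUNCATED;
    *out = buf + start;
    *outlen = len;
    *off = start + len;
    return AFP_PARSE_OK;
}

/* Parse the header plus the AFP version and UAM strings of a login request. */
static enum afp_parse_status
afp_parse_login_ext(const uint8_t *buf, size_t buflen, struct afp_login_ext *req)
{
    size_t off = AFP_LOGIN_EXT_HEADER;
    enum afp_parse_status st;

    if (buflen < AFP_LOGIN_EXT_HEADER)
        return AFP_PARSE_SHORT;
    st = afp_parse_pstring(buf, buflen, &off, &req->version, &req->version_len);
    if (st != AFP_PARSE_OK)
        return st;
    return afp_parse_pstring(buf, buflen, &off, &req->uam, &req->uam_len);
}

/* The flawed arithmetic, shown without touching memory: reading the length
 * byte through a signed type turns 0xFF into -1, and -1 converted to size_t
 * (as it would be when passed to memcpy or a bounds compare) is SIZE_MAX. */
static size_t afp_signed_length_bug(uint8_t length_byte)
{
    int len = (signed char)length_byte;   /* flawed signed interpretation */
    return (size_t)len;                   /* 0xFF -> SIZE_MAX, 0x0F -> 15 */
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t afp_good_req[] = {
    0x3F, 0x00, 0x00, 0x00,                        /* assumed header */
    0x06, 'A', 'F', 'P', '3', '.', '2',            /* version "AFP3.2" */
    0x0F, 'N', 'o', ' ', 'U', 's', 'e', 'r', ' ',  /* UAM "No User Authent" */
          'A', 'u', 't', 'h', 'e', 'n', 't'
};
static const uint8_t afp_bad_req[] = {
    0x3F, 0x00, 0x00, 0x00,
    0x06, 'A', 'F', 'P', '3', '.', '2',
    0xFF, 'N', 'o'                                 /* UAM length 255, only 2 bytes follow */
};

int main(void)
{
    struct afp_login_ext r;
    enum afp_parse_status st;

    st = afp_parse_login_ext(afp_good_req, sizeof afp_good_req, &r);
    printf("good request: status %d, UAM \"%.*s\"\n",
           (int)st, (int)r.uam_len, (const char *)r.uam);

    st = afp_parse_login_ext(afp_bad_req, sizeof afp_bad_req, &r);
    printf("bad request: status %d (2 = truncated, rejected before any read)\n", (int)st);

    printf("signed read of 0xFF seen as size_t: %zu\n", afp_signed_length_bug(0xFF));
    return 0;
}
```

The check `len > buflen - start` is the whole defence: it is evaluated on unsigned values, the subtraction cannot wrap because `start` is known to be at most `buflen`, and the payload pointer is only produced after the check passes. A server written this way answers the malformed request with an error instead of reading or copying with a length that has become SIZE_MAX.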
Frames
AFP frames can be one of the following commands:
| Command | Description |
|---|---|
| lock/unlock bytes | Locks or unlocks a specified byte range. |
| close volume | Closes the specified volume resource. |
| close directory | Closes the specified directory. |
| close fork | Closes the specified fork (file). |
| copy file | Copies the specified file. |
| create directory | Creates the specified directory. |
| create file | Creates the specified file. |
| delete file | Deletes the specified file or directory. |
| list directory | Lists the specified directory. |
| flush to disk | Writes data held in RAM to disk. |
| flush fork | Writes data to disk for the specified fork. |
| get fork params | Retrieves parameters for the specified fork. |
| get server info | Retrieves server information. |
| get server params | Retrieves server parameters. |
| get volume params | Retrieves volume parameters. |
| consumer login | Begins workstation log-in. |
| login continue | Continues workstation log-in. |
| logout | Workstation log-out. |
| map user/group ID | Gets ID associated with user/group name. |
| map user/grp name | Gets name associated with user/group ID. |
| move and rename | Moves and renames a file. |
| open volume | Opens the specified volume. |
| open directory | Opens the specified directory. |
| open fork | Opens the specified fork (file). |
| read from fork | Reads from the specified fork (file). |
| rename file/dir | Renames a file or directory. |
| set dir params | Sets directory parameters. |
| set file params | Sets file parameters. |
| set fork params | Sets fork parameters. |
| set volume params | Sets volume parameters. |
| write to fork | Writes to the specified fork (file). |
| get file/dir pars | Gets file or directory parameters. |
| set file/dir pars | Sets file or directory parameters. |
| change password | Changes user password. |
| get user info | Retrieves user information. |
| open database | Opens the desktop database. |
| close database | Closes the desktop database. |
| get icon | Retrieves an icon from the desktop database. |
| get icon info | Retrieves icon information. |
| add APPL mapping | Adds application information. |
| remove APPL | Removes application information. |
| get APPL mapping | Retrieves application information. |
| add comment | Adds a comment to a file or directory. |
| remove comment | Removes a comment from a file or directory. |
| get comment | Retrieves comment text from a file/directory. |
| add icon | Adds an icon for an application. |
Frame Parameters
Apple AFP frames can contain the following parameters:
- APPL index
Index, beginning with 1, of the first application mapping contained in the frame.
- APPL tag
Tag information associated with the application mapping contained in the frame.
- Attributes
Attributes of a file or directory are as follows:
- Directory attributes:

| Flag | Meaning |
|---|---|
| Inv | Invisible to workstation user. |
| Sys | System directory. |
| Bk | Backup is needed (directory modified). |
| RI | Rename inhibit mode set. |
| DI | Delete inhibit mode set. |

- File attributes:

| Flag | Meaning |
|---|---|
| Inv | Invisible to workstation user. |
| MU | Multi-user application. |
| RAO | File resource fork already open. |
| DAO | File data fork already open. |
| RO | Read only mode set for both forks. |
| WI | Cannot write to either fork. |
| Sys | File is system file. |
| Bk | Backup is needed (file modified). |
| RI | Rename inhibit mode set. |
| DI | Delete inhibit mode set. |
| CP | Copy protect mode set. |

- Backup date
Date of the last time the system backed up the volume or directory.
- Bitmap
Field containing bits used to indicate the parameters present in request or reply.
- Request count
Maximum number of files to return for list directory requests.
- Creation date
Date that the system created the file or directory.
- File creator
ID string of the application or device that created a file.
- Destination directory ID
Destination directory ID for a file copy or move.
- Data fork length
Length of the file data fork, in bytes.
- Destination volume ID
Destination volume ID for a file copy or move.
- Directory bitmap
Field with bits that indicate which directory parameters are present in AFP frames.
- Directory ID
Identifier associated with the specified directory.
- Desktop database reference number
Reference number used to access the desktop database.
- File bitmap
Bits that indicate which file parameters are present in AFP frames.
- Free bytes
Number of bytes free on the volume.
- Open fork reference number
Reference code used to access the open fork.
- Group ID
Group ID used for authentication.
- Group name
Group name used for authentication.
- Icon tag
Tag information associated with the specified icon.
- Icon size
Size of the specified icon, in bytes.
- Icon type
Type code identifying the specified icon.
- Long name
Long file name (maximum 31 characters).
- Machine type
Type of AFP server in use.
- Maximum reply size
Maximum number of bytes the server returns in the reply to a list directory request.
- Access mode
Open mode attributes for a fork, represented as follows:

| Mode | Meaning |
|---|---|
| R | Allows everyone read access. |
| W | Allows everyone write access. |
| Deny-R | Denies read access if the file is open. |
| Deny-W | Denies write access if the file is open. |

- Modification date
Date the system last modified the file or directory.
- New line character
Character used to indicate a new line (CR, LF) for read data.
- New line mask
Value used to mask data for comparison to the new line character.
- Offset
Starting file offset for write commands.
- Offspring count
Number of files returned for list directory requests.
- Owner ID
ID of the owner of the file or directory.
- Volume password
Password required for access to the volume.
- Parent directory ID
ID of the parent directory.
- ProDOS information
ProDOS file type and Aux type for use by ProDOS workstations.
- Resource fork length
Length of the file resource fork, in bytes.
- Source directory ID
Source directory ID for a file copy or move.
- Short name
Short file name (maximum 12 characters).
- Signature
Identifies the volume type, as follows:

| Value | Volume type |
|---|---|
| 1 | Flat, no support for directories. |
| 2 | Fixed directory ID. |
| 3 | Variable directory ID. |

- Source volume ID
Source volume ID for a file copy.
- Start index
Start index, beginning with 1, of the requested file list for list directory commands and replies.
- Total bytes
Total number of bytes on the volume.
- User authentication method
Type of user authentication in effect.
- User ID
User ID number used for authentication.
- User name
User name used for authentication.
- Version
Version number of AFP in use.
- Volume bitmap
Field with bits that indicate which volume parameters are present in AFP frames.
- Volume ID
Identifier associated with the specified volume.
- Volumes
Number of volumes contained on the server.
Apple Filing Protocol result codes
| Constant | Value | Description |
|---|---|---|
| kASPSessClosed | -1072 | ASP session closed. |
| kFPAccessDenied | -5000 | User does not have the access privileges required to use the command. |
| kFPAuthContinue | -5001 | Authentication is not yet complete. |
| kFPBadUAM | -5002 | Specified UAM is unknown. |
| kFPBadVersNum | -5003 | Server does not support the specified AFP version. |
| kFPBitmapErr | -5004 | Attempt was made to get or set a parameter that cannot be obtained or set with this command, or a required bitmap is null. |
| kFPCantMove | -5005 | Attempt was made to move a directory into one of its descendent directories. |
| kFPDenyConflict | -5006 | Specified fork cannot be opened because of a deny modes conflict. |
| kFPDirNotEmpty | -5007 | Directory is not empty. |
| kFPDiskFull | -5008 | No more space exists on the volume. |
| kFPEOFErr | -5009 | No more matches or end of fork reached. |
| kFPFileBusy | -5010 | When attempting a hard create, the file already exists and is open. |
| kFPFlatVol | -5011 | Volume is flat and does not support directories. |
| kFPItemNotFound | -5012 | Specified APPL mapping, comment, or icon was not found in the Desktop database; specified ID is unknown. |
| kFPLockErr | -5013 | Some or all of the requested range is locked by another user; a lock range conflict exists. |
| kFPMiscErr | -5014 | Non-AFP error occurred. |
| kFPNoMoreLocks | -5015 | Server's maximum lock count has been reached. |
| kFPNoServer | -5016 | Server is not responding. |
| kFPObjectExists | -5017 | File or directory already exists. |
| kFPObjectNotFound | -5018 | Input parameters do not point to an existing directory, file, or volume. |
| kFPParamErr | -5019 | Session reference number, Desktop database reference number, open fork reference number, Volume ID, Directory ID, File ID, Group ID, or subfunction is unknown; byte range starts before byte zero; pathname is invalid; pathname type is unknown; user name is null, exceeds the UAM's user name length limit, or does not exist; MaxReplySize is too small to hold a single offspring structure; ThisUser bit is not set; authentication failed for an undisclosed reason; specified user is unknown or the account has been disabled due to too many login attempts; ReqCount or Offset is negative; NewLineMask is invalid. |
| kFPRangeNotLocked | -5020 | Attempt to unlock a range that is locked by another user or that is not locked at all. |
| kFPRangeOverlap | -5021 | User tried to lock some or all of a range that the user has already locked. |
| kFPSessClosed | -5022 | Session is closed. |
| kFPUserNotAuth | -5023 | UAM failed (the specified old password doesn't match); no user is logged in yet for the specified session; authentication failed; password is incorrect. |
| kFPCallNotSupported | -5024 | Server does not support this command. |
| kFPObjectTypeErr | -5025 | Input parameters point to the wrong type of object. |
| kFPTooManyFilesOpen | -5026 | Server cannot open another fork. |
| kFPServerGoingDown | -5027 | Server is shutting down. |
| kFPCantRename | -5028 | Attempt was made to rename a volume or root directory. |
| kFPDirNotFound | -5029 | Input parameters do not point to an existing directory. |
| kFPIconTypeError | -5030 | New icon's size is different from the size of the existing icon. |
| kFPVolLocked | -5031 | Volume is read only. |
| kFPObjectLocked | -5032 | File or directory is marked DeleteInhibit; directory being moved, renamed, or moved and renamed is marked RenameInhibit; file being moved and renamed is marked RenameInhibit; attempt was made to open a file for writing that is marked WriteInhibit; attempt was made to rename a file or directory that is marked RenameInhibit. |
| kFPContainsSharedErr | -5033 | Directory contains a share point. |
| kFPIDNotFound | -5034 | File ID was not found. (No file thread exists.) |
| kFPIDExists | -5035 | File already has a File ID. |
| kFPDiffVolErr | -5036 | Wrong volume. |
| kFPCatalogChanged | -5037 | Catalog has changed. |
| kFPSameObjectErr | -5038 | Two objects that should be different are the same object. |
| kFPBadIDErr | -5039 | File ID is not valid. |
| kFPPwdSameErr | -5040 | User attempted to change his or her password to the same password that is currently set. |
| kFPPwdTooShortErr | -5041 | User password is shorter than the server's minimum password length, or user attempted to change password to a password that is shorter than the server's minimum password length. |
| kFPPwdExpiredErr | -5042 | User's password has expired. |
| kFPInsideSharedErr | -5043 | Directory being moved contains a share point and is being moved into a directory that is shared or is the descendent of a directory that is shared. |
| kFPInsideTrashErr | -5044 | Shared directory is being moved into the Trash; a directory is being moved to the trash and it contains a shared folder. |
| kFPPwdNeedsChangeErr | -5045 | User's password needs to be changed. |
| kFPPwdPolicyErr | -5046 | New password does not conform to the server's password policy. |
| kFPDiskQuotaExceeded | -5047 | Disk quota exceeded. |
Revision History
This table describes the changes to the Apple Filing Protocol Programming Guide.
| Date | Notes |
|---|---|
| 2005-06-04 | Fixed idle timer information. |
| 2005-05-12 | Updated for AFP version 3.2. |
PROTOCOL RELATIONS
■ Parent layer: TCP
■ Child layer: none listed

GLOSSARY
AEP The AppleTalk Echo Protocol (AEP) allows a node to send data to any other node on an AppleTalk internet and receive an echoed copy of that data in return. The AppleTalk Echo Protocol (AEP) provides an echo service to AppleTalk hosts. It can specify up to 585 bytes of data for an echo transaction.
ASP The AppleTalk Session Protocol (ASP) manages sessions for higher layer protocols such as AFP. ASP issues a unique session identifier for each logical connection and continuously monitors the status of each connection. It maintains idle sessions by periodically exchanging keep-alive frames in order to verify the session status.
ATP The AppleTalk Transaction Protocol (ATP) provides reliable delivery service for transaction-oriented operations. ATP uses a bitmap token to handle acknowledgement and flow control and a sequence of reserved bytes for use by higher level protocols.
AppleTalk An inexpensive local-area network (LAN) architecture built into all Apple Macintosh computers and laser printers. AppleTalk supports Apple's LocalTalk cabling scheme, as well as Ethernet and IBM Token Ring. It can connect Macintosh computers and printers, and even PCs if they are equipped with special AppleTalk hardware and software.
OS The most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.
SMB Server Message Block (SMB) is a message format used by DOS and Windows to share files, directories and devices. NetBIOS is based on the SMB format, and many network products use SMB. These SMB-based networks include LAN Manager, Windows for Workgroups, Windows NT, and LAN Server. There are also a number of products that use SMB to enable file sharing among different operating system platforms. A product called Samba, for example, enables UNIX and Windows machines to share directories and files.
TCP/IP TCP/IP (Transmission Control Protocol/Internet Protocol) is the suite of communications protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones being TCP and IP. TCP/IP is built into the UNIX operating system and is used by the Internet, making it the de facto standard for transmitting data over networks. Even network operating systems that have their own protocols, such as NetWare, also support TCP/IP.