
Sharing everything with multiple users on one machine System
For about nine months now, I have been sharing numerous portions of my "Home" directories amongst three users. These shared directories include the Desktop, Documents, Music and portions of the Library.

I have a Titanium PowerBook, and when I am in my home office, I want access to everything. But, when I set up shop in a cubicle at a client's office, I want to limit access to personal and financial (billing) information while retaining access to everything else. And, when I loan my laptop to a client (I'm very trusting), I want them to have access to a few things but not much else.

Read the rest of the article for a detailed explanation of how I created and modified users, folders and permissions to accomplish these objectives.

[robg adds: If you're interested in some unique ways of creating shared folders and users on one machine, read the rest of the article -- but please, if you're going to try any of this stuff, make sure you have a good backup first!]

The first step in my solution was to create three Users:
/Users/userathome (Admin User - access to everything)
/Users/useratwork (Admin User - access to almost everything)
/Users/guestuser (Guest User - shared preferences)


I then manually created two additional directories in the Users directory:
/Users/mystuff
/Users/openstuff


And, a variety of subdirectories:
/Users/mystuff/Desktop
/Users/mystuff/Documents
/Users/mystuff/Library
/Users/openstuff/Library
/Users/openstuff/Music


Then, logged in as root, I deleted the following directories:
/Users/userathome/Desktop
/Users/userathome/Documents
/Users/userathome/Music
/Users/useratwork/Desktop
/Users/useratwork/Documents
/Users/useratwork/Music
/Users/guestuser/Music


Still logged in as root, I created aliases:

FROM:
/Users/userathome/Desktop[ alias]
/Users/useratwork/Desktop[ alias]

TO:
/Users/mystuff/Desktop

FROM:
/Users/userathome/Documents[ alias]
/Users/useratwork/Documents[ alias]

TO:
/Users/mystuff/Documents

FROM:
/Users/userathome/Music[ alias]
/Users/useratwork/Music[ alias]
/Users/guestuser/Music[ alias]

TO:
/Users/openstuff/Music

Links are fine but aliases seem to work better with Classic apps. Be sure to remove the " alias" from the end of the alias filenames. Next, set the permissions appropriately:

Aliases (or links) are owned by the appropriate user:
/Users/userathome/Desktop[ alias]     userathome:admin   -rw-r-----
/Users/useratwork/Desktop[ alias]     useratwork:admin   -rw-r-----
/Users/userathome/Documents[ alias]   userathome:admin   -rw-r-----
/Users/useratwork/Documents[ alias]   useratwork:admin   -rw-r-----
/Users/userathome/Music[ alias]       userathome:admin   -rw-r--r--
/Users/useratwork/Music[ alias]       useratwork:admin   -rw-r--r--
/Users/guestuser/Music[ alias]         guestuser:admin   -rw-r--r--

Shared directories (and everything contained therein) are as follows:
/Users/mystuff/Desktop                userathome:admin   drwxrwx---
/Users/mystuff/Documents              userathome:admin   drwxrwx---
/Users/mystuff/Library                userathome:admin   drwxrwx---
/Users/openstuff/Library              userathome:admin   drwxrwxrwx
/Users/openstuff/Music                userathome:admin   drwxrwxrwx

At this point, when logged in as userathome OR useratwork, you will have full access to the same Desktop and Documents directories. Logged in as ANY user, you will have full access to the same Music directory. In my case, I then created two new directories in my home directory:
/Users/userathome/Finance             userathome:admin   drwx------
/Users/userathome/Personal            userathome:admin   drwx------

The next step is to selectively move preferences from the users' ~/Library to the appropriate shared/Library and replace the local preferences with aliases (or links). For example, my DragThing preferences are here:
/Users/openstuff/Library/Preferences/DragThing Preferences

These preferences are shared via aliases by all users. DragThing is now the same no matter who is logged in. Any changes made when logged in as one user are applicable to all users. I do the same thing with FruitMenu and my FruitMenu Items. A more complex example would be Entourage. My business email identity is in:
/Users/mystuff/Documents/Microsoft User Data/Office X Identities/Designr

This identity is accessible when I'm logged in as userathome or useratwork but not guestuser. And, my personal email identity is linked via an alias at:
/Users/mystuff/Documents/Microsoft User Data/Office X Identities/Brian

This alias points back to:
/Users/userathome/Personal/Microsoft User Data/Office X Identities/Brian

This is only accessible when I am logged in as userathome.

Don't laugh...it works. Sure, someone could boot OS 9 or in Firewire disk target mode, but the casual user can't just walk up to my cubicle and get into my billings or personal files. With an OS X only machine or with a firmware password, you can increase your protection a little more.

I have given you a simple example. From this starting point, you can create a variety of directories and configurations for shared and private data that quickly and easily link kids and spouses. It helps to give each user a different desktop picture so you know who you are.

BTW: Back up EVERYTHING before trying this at home!

After about six months of using the above configurations, the only irritation I ran into was in saving over previously created files. For example, say I am logged in as userathome and create a Quark document called mynewsletter that I save in ~/mystuff/Documents. If I then log in as useratwork, I can open mynewsletter but not save it over the original until I change the Owner or give the admin group write permission.

This is the same irritation many have experienced with the OS X Server. I tried a variety of the umask solutions that worked for the server but found they did not help when applied in OS X Client.

The solution I found was to create an AppleScript application, customized for each user. Each customized AppleScript was then added to the appropriate user's login items:

-- Login item for userathome: resets owner, group and mode on the shared trees.
-- The administrator password is supplied inline, so no dialog appears at login.
-- Each statement continues onto the next line with the ¬ continuation character.
try
  do shell script "chown -R userathome /Users/mystuff" ¬
    password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chgrp -R admin /Users/mystuff" ¬
    password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chmod -R u=rwx,g=rwx,o=-rwx /Users/mystuff" ¬
    password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chgrp staff /Users/mystuff" ¬
    password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chown -R userathome /Users/openstuff" ¬
    password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chgrp -R staff /Users/openstuff" ¬
    password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chmod -R u=rwx,g=rwx,o=rwx /Users/openstuff" ¬
    password "yourpasswordathome" with administrator privileges
end try

Replace "userathome" with "useratwork" and replace "yourpasswordathome" with "yourpasswordatwork" in the AppleScript that runs when you log in as useratwork. Wrapping each step in a "try" command prevents "file locked" errors from being returned (which stops the script). I considered a cron job but could not figure out a way to execute it at login.

Also, because administrator privileges are required, the above AppleScript will not run when you are logged in as guestuser (i.e., as a non-admin user). The permission issues don't seem to bother iTunes though, so I haven't bothered to try to find another solution.
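
An added example, not part of the original hint: the group and mode repair that the login AppleScript performs, written as a POSIX shell script that root could run on a schedule, relying on group write access instead of changing the owner at each login. The function names are assumptions, and the usage lines reuse the hint's /Users/mystuff path and admin group.

```shell
#!/bin/sh
# Added example, not from the original hint. Function names are assumptions.
# Audits and repairs a shared tree such as /Users/mystuff so that every member
# of one group can overwrite files and nobody else can read them.

# List entries that break sharing: wrong group, group lacking read/write,
# a directory the group cannot enter, or any access left open to "other".
audit_shared() {
    dir=$1; grp=$2
    find "$dir" ! -type l \( \
        ! -group "$grp" -o ! -perm -060 \
        -o -perm -004 -o -perm -002 -o -perm -001 \
        -o \( -type d ! -perm -010 \) \) -print
}

# Repair the tree. Symbolic links are never followed, so a link from the
# shared tree into a private folder leaves that folder untouched.
repair_shared() {
    dir=$1; grp=$2
    # -h changes the group of a link itself, never of the file it points to.
    find "$dir" ! -group "$grp" -exec chgrp -h "$grp" {} +
    # Directories need the search (x) bit; plain files keep their x bits as-is.
    find "$dir" -type d -exec chmod u+rwx,g+rwx,o-rwx {} +
    find "$dir" -type f -exec chmod u+rw,g+rw,o-rwx {} +
}

# Example use as root (path and group are taken from the hint):
#   repair_shared /Users/mystuff admin
#   audit_shared  /Users/mystuff admin    # prints nothing when the tree is clean
```
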

You will also want to consider adding additional lines to customize permissions further. I found that my Quark XTension PDFFilter kept crashing Quark. The problem was that PDFFilter stores its preference file in the Quark XTensions folder, and then assigns read only access to the group, i.e.:

-- Backslashes are doubled so that AppleScript passes a single backslash to the shell.
try
  do shell script ¬
    "chown userathome /Applications\\ \\(Mac\\ OS\\ 9\\)/QuarkXPress/XTension/PDF\\ Filter.prf" ¬
    password "yourpasswordathome" with administrator privileges
end try

BTW: Again, back up EVERYTHING before trying this at home!

Sharing everything with multiple users on one machine
Authored by: digito on Mar 08, '03 06:56:54PM

Have you tried the group 'stickiness'?
It sets the active group in that folder
try
> sudo chmod g+s foldername



Is a false sense of security better than nothing?
Authored by: noworryz on Mar 13, '03 01:45:57AM

Obviously, a lot of work went into this hint. Trouble is, there must be 50 ways to bypass Unix privileges, including starting up in single-user mode, booting OS 9, booting from a CD, and connecting (via FireWire) to another machine.

If you want any real security, you have to use encrypted disk images. These are files, made by Disk Copy or hdiutil, which request a passphrase when opened. If the correct passphrase is given, a disk volume appears on the desktop. You use the volume normally but once the volume is ejected, there is no way to read what you put on it without the passphrase. (Memorize the passphrase and avoid the Keychain if you value your privacy.)

If you eject your encrypted volumes before walking away from your machine, your personal information is secure even if the machine is stolen. Also, after a disk volume is ejected, you can back up its image file to CD or other media, without worrying about someone stealing the backup.

You can even implement multiple levels of security by nesting encrypted image files within other encrypted image files (using a different passphrase, of course). For example, with no images mounted, there is basic access to your machine. Mount your outer image to provide more file access. Mount an image file within it to access your really private stuff. You won't notice much, if any, delay due to the multiple layers of encryption and decryption going on.

There have been several OSXHints about encrypted disk images: making sparse images, moving info onto encrypted images, and keeping your mail on encrypted images.


Another method...
Authored by: robg on Mar 27, '03 09:51:16AM
Anonymous commented via a hint submission:
I found it easier to use NetInfoManager to create a new user group (I called mine 'staff') and set permissions on directories to share (within our own homes) to be read/write to 'staff' group members. My girlfriend and I now have access to each other's desktops and music directories, while still being secure from the outside. Most importantly, we both still 'own' our files and directories so neither of us has to mess around with permissions.
Just thought I'd add it here so it's documented in the same place...

-rob.

Sharing mail amongst users?
Authored by: pobs on Feb 09, '04 08:14:51PM

I tried this hint and it seems to work fine for folders like documents and desktops... but I couldn't get it to work for things like mail and iCal.

I have multiple users on my machine for various different things I do (classes, work, personal). All of the "users" are me but I want to keep documents and weblinks separate.

I want to share iCal calendars and Mail, making them mutually editable from all parties. Is there a way to do this?

I tried linking the "Mail" library folder and prefs, but upon starting up Mail.app it wouldn't use the alias...

Am I doing something wrong?

Any help would be much appreciated.

_POBS



Sharing everything with multiple users on one machine
Authored by: rvamerongen on Mar 23, '04 06:49:29AM
Hi, I just have a question.
I did use,

-- Confirmation dialog; ¬ continues a statement onto the next line.
display dialog "This script resets the Development Volume Folders back to their default settings. " ¬
  & return & return & "Sure, You want to run this Script!" ¬
  & return & " " default button "Cancel" with icon stop

-- Owner and group are set in a single chown call (owner:group).
try
    do shell script "chown -R administrator:admin /Volumes/Development/" password "passw" with ¬
    administrator privileges
end try

instead of two tries, one for the new owner and one for the tmp group.
Is there any problem with doing it this way? It saves time!
René

Sharing everything with multiple users on one machine
Authored by: cpragman on Mar 23, '04 09:00:04AM
My wife and I share most documents, Music, and iPhoto library in a similar way. This works for us in 10.2.8 (where all users are members of the "staff" group by default, not sure if 10.3 uses "staff" as the default group). Make a new folder called /Users/shared/staff. Move your ~/iPhoto and ~/iTunes folders there. Put symlinks in your home folder that point to them. Do the same in your spouse/partner's Home folder. Also make a folder for shared documents, such as /Users/shared/staff/documents. Create a shell script (ex., sharenice.sh), to periodically ensure that files are being shared nicely between users. Execute this shellscript hourly using CRON.

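# Give everything in the shared folder to the staff group.
chgrp -R staff /Users/shared/staff/*
# X keeps folders searchable; g=rw alone would remove the group's x bit from them.
chmod -R g=rwX /Users/shared/staff/*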


Sharing everything with multiple users on one machine
Authored by: tobyknows on Dec 17, '11 07:33:15AM

I have read a lot of complex ways to share on Macs between users. What I did is went to my docs folder, went to Get Info and selected everyone and read only. Now if another user goes into the HD and clicks docs they can see everything in it. Is this a bad way to share? The other ways just seemed a bit complex.


