Mar 07, '03 08:24:00AM • Contributed by: designr
I have a Titanium PowerBook, and when I am in my home office, I want access to everything. But, when I set up shop in a cubicle at a client's office, I want to limit access to personal and financial (billing) information while retaining access to everything else. And, when I loan my laptop to a client (I'm very trusting), I want them to have access to a few things but not much else.
Read the rest of the article for a detailed explanation of how I created and modified users, folders and permissions to accomplish these objectives.
[robg adds: If you're interested in some unique ways of creating shared folders and users on one machine, read the rest of the article -- but please, if you're going to try any of this stuff, make sure you have a good backup first!]
The first step in my solution was to create three Users:
/Users/userathome (Admin User - access to everything)
/Users/useratwork (Admin User - access to almost everything)
/Users/guestuser (Guest User - shared preferences)
I then manually created two additional directories in the Users directory:
/Users/mystuff
/Users/openstuff
And, a variety of subdirectories:
/Users/mystuff/Desktop
/Users/mystuff/Documents
/Users/mystuff/Library
/Users/openstuff/Library
/Users/openstuff/Music
Then, logged in as root, I deleted the following directories:
/Users/userathome/Desktop
/Users/userathome/Documents
/Users/userathome/Music
/Users/useratwork/Desktop
/Users/useratwork/Documents
/Users/useratwork/Music
/Users/guestuser/Music
Still logged in as root, I created aliases:
FROM:
/Users/userathome/Desktop[ alias]
/Users/useratwork/Desktop[ alias]
TO:
/Users/mystuff/Desktop
FROM:
/Users/userathome/Documents[ alias]
/Users/useratwork/Documents[ alias]
TO:
/Users/mystuff/Documents
FROM:
/Users/userathome/Music[ alias]
/Users/useratwork/Music[ alias]
/Users/guestuser/Music[ alias]
TO:
/Users/openstuff/Music
Links are fine, but aliases seem to work better with Classic apps. Be sure to remove the " alias" suffix from the end of the alias filenames. Next, set the permissions appropriately:
Aliases (or links) are owned by the appropriate user:
/Users/userathome/Desktop[ alias] userathome:admin -rw-r-----
/Users/useratwork/Desktop[ alias] useratwork:admin -rw-r-----
/Users/userathome/Documents[ alias] userathome:admin -rw-r-----
/Users/useratwork/Documents[ alias] useratwork:admin -rw-r-----
/Users/userathome/Music[ alias] userathome:admin -rw-r--r--
/Users/useratwork/Music[ alias] useratwork:admin -rw-r--r--
/Users/guestuser/Music[ alias] guestuser:admin -rw-r--r--
Shared directories (and everything contained therein) are as follows:
/Users/mystuff/Desktop userathome:admin drwxrwx---
/Users/mystuff/Documents userathome:admin drwxrwx---
/Users/mystuff/Library userathome:admin drwxrwx---
/Users/openstuff/Library userathome:admin drwxrwxrwx
/Users/openstuff/Music userathome:admin drwxrwxrwx
At this point, when logged in as userathome OR useratwork, you will have full access to the same Desktop and Documents directories. Logged in as ANY user, you will have full access to the same Music directory. In my case, I then created two new directories in my home directory:
/Users/userathome/Finance userathome:admin drwx------
/Users/userathome/Personal userathome:admin drwx------
The next step is to selectively move preferences from the users' ~/Library to the appropriate shared Library and replace the local preferences with aliases (or links). For example, my DragThing preferences are here:
/Users/openstuff/Library/Preferences/DragThing Preferences
These preferences are shared via aliases by all users, so DragThing behaves the same no matter who is logged in: any changes made while logged in as one user apply to all users. I do the same thing with FruitMenu and my FruitMenu Items. A more complex example is Entourage. My business email identity is in:
/Users/mystuff/Documents/Microsoft User Data/Office X Identities/Designr
This identity is accessible when I'm logged in as userathome or useratwork, but not as guestuser. And my personal email identity is linked via an alias at:
/Users/mystuff/Documents/Microsoft User Data/Office X Identities/Brian
This alias points back to:
/Users/userathome/Personal/Microsoft User Data/Office X Identities/Brian
This is only accessible when I am logged in as userathome.
Don't laugh...it works. Sure, someone could boot into OS 9 or into FireWire Target Disk Mode, but a casual user can't just walk up to my cubicle and get into my billings or personal files. With an OS X-only machine, or with a firmware password, you can increase your protection a little more.
I have given you a simple example. From this starting point, you can create a variety of directories and configurations for shared and private data; the same approach works just as quickly and easily for sharing between kids and spouses. It helps to give each user a different desktop picture so you know who you are.
BTW: Back up EVERYTHING before trying this at home!
After about six months of using the above configurations, the only irritation I ran into was in saving over previously created files. For example, say I am logged in as userathome and create a Quark document called mynewsletter that I save in /Users/mystuff/Documents. If I then log in as useratwork, I can open mynewsletter but not save it over the original until I change the owner or give the admin group write permission.
This is the same irritation many have experienced with Mac OS X Server. I tried a variety of the umask solutions that worked for the server but found they did not help when applied to OS X Client.
The solution I found was to create an AppleScript application, customized for each user. Each customized AppleScript was then added to the appropriate user's login items:
-- Login item for userathome: reassert owner, group and modes on both shared trees.
-- Each "do shell script" is one statement, so the continuation character (¬, option-L)
-- joins the password clause to it. Each step is wrapped in "try" so a locked file
-- does not abort the remaining steps.
try
    do shell script "chown -R userathome /Users/mystuff" ¬
        password "yourpasswordathome" with administrator privileges
end try
try
    do shell script "chgrp -R admin /Users/mystuff" ¬
        password "yourpasswordathome" with administrator privileges
end try
try
    -- o= clears all access for others (same effect as o=-rwx)
    do shell script "chmod -R u=rwx,g=rwx,o= /Users/mystuff" ¬
        password "yourpasswordathome" with administrator privileges
end try
try
    -- not recursive: only the top-level mystuff directory is put in group staff
    do shell script "chgrp staff /Users/mystuff" ¬
        password "yourpasswordathome" with administrator privileges
end try
try
    do shell script "chown -R userathome /Users/openstuff" ¬
        password "yourpasswordathome" with administrator privileges
end try
try
    do shell script "chgrp -R staff /Users/openstuff" ¬
        password "yourpasswordathome" with administrator privileges
end try
try
    -- the open tree is readable and writable by everyone
    do shell script "chmod -R u=rwx,g=rwx,o=rwx /Users/openstuff" ¬
        password "yourpasswordathome" with administrator privileges
end try
Replace "userathome" with "useratwork" and "yourpasswordathome" with "yourpasswordatwork" in the AppleScript that runs when you log in as useratwork. Wrapping each step in a "try" block prevents "file locked" errors from being returned (which would stop the script). I considered a cron job but could not figure out a way to execute it at login.
Also, because administrator privileges are required, the above AppleScript will not run when you are logged in as guestuser (i.e., as a non-admin user). The permission issues don't seem to bother iTunes though, so I haven't bothered to try to find another solution.
You will also want to consider adding lines to customize permissions further. I found that my Quark XTension PDFFilter kept crashing Quark. The problem was that PDFFilter stores its preference file in the Quark XTensions folder and then assigns read-only access to the group, i.e.:
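The same layout and the same login-time fix, written as a plain sh script rather than an AppleScript. This is an added example, not the hint author's code: it uses symlinks instead of Finder aliases (aliases cannot be created from sh), builds everything under a scratch root that stands in for /Users (assumption: the $ROOT variable), and adds an audit that lists the files a second admin user could open but not save over, which is the symptom described above. Because it only touches modes unless it happens to run as root, it needs no embedded administrator password, which is the part of the login-item AppleScript a practitioner should be least comfortable with. The admin and staff groups and the named users are assumed to exist only when the script runs as root.

```shell
#!/bin/sh
# Added example (not the hint author's code): rebuild the shared-folder layout
# from the hint with symlinks, share a preference file, apply the login-time
# permission fix, and audit for files the other admin user cannot save over.
# Assumption: $ROOT is a scratch directory standing in for /Users.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. drwxrwx--- (drops ACL/xattr marks)

# Three users, two shared trees, per-user folders replaced by symlinks.
make_layout() {
    for u in userathome useratwork guestuser; do
        mkdir -p "$ROOT/$u/Library/Preferences"
    done
    mkdir -p "$ROOT/mystuff/Desktop" "$ROOT/mystuff/Documents" "$ROOT/mystuff/Library"
    mkdir -p "$ROOT/openstuff/Library/Preferences" "$ROOT/openstuff/Music"
    for u in userathome useratwork; do
        [ -L "$ROOT/$u/Desktop" ]   || ln -s "$ROOT/mystuff/Desktop"   "$ROOT/$u/Desktop"
        [ -L "$ROOT/$u/Documents" ] || ln -s "$ROOT/mystuff/Documents" "$ROOT/$u/Documents"
    done
    for u in userathome useratwork guestuser; do
        [ -L "$ROOT/$u/Music" ] || ln -s "$ROOT/openstuff/Music" "$ROOT/$u/Music"
    done
}

# Move one preference file from a user's Library into the shared Library and
# leave a symlink behind, so every user sees the same settings (the DragThing
# example in the hint). Calling it for a second user just creates that user's link.
share_pref() {
    user="$1"; pref="$2"
    src="$ROOT/$user/Library/Preferences/$pref"
    dst="$ROOT/openstuff/Library/Preferences/$pref"
    [ -e "$dst" ] || mv "$src" "$dst"
    rm -f "$src"
    ln -s "$dst" "$src"
}

# Login-time fix, as in the AppleScript: the private tree is owner + admin group
# only, the open tree is world-writable. chown/chgrp need root and a user that
# exists on this machine, so they are skipped otherwise. chmod -R marks files
# executable too, exactly as the hint's u=rwx,g=rwx does.
fix_shared_perms() {
    owner="$1"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner" "$ROOT/mystuff" "$ROOT/openstuff"
        chgrp -R admin "$ROOT/mystuff" 2>/dev/null || echo "no admin group here" >&2
        chgrp -R staff "$ROOT/openstuff" 2>/dev/null || echo "no staff group here" >&2
    fi
    chmod -R u=rwx,g=rwx,o= "$ROOT/mystuff"
    chmod -R u=rwx,g=rwx,o=rwx "$ROOT/openstuff"
}

# Audit: anything in the tree without the group-write bit (octal 020) is a file
# the other admin user can open but not save over. Lists offenders and returns
# 0 only when the tree is clean.
find_unwritable() {
    find "$1" ! -perm -020
    [ "$(find "$1" ! -perm -020 | wc -l | tr -d ' ')" -eq 0 ]
}

# Constructed demo: a file saved by userathome under the default umask (022)
# ends up mode 644, so useratwork cannot write it until the login fix has run.
if [ "${1:-}" = "demo" ]; then
    make_layout
    umask 022
    : > "$ROOT/mystuff/Documents/mynewsletter"
    find_unwritable "$ROOT/mystuff" || echo "before fix: group cannot write the above"
    fix_shared_perms userathome
    find_unwritable "$ROOT/mystuff" && echo "after fix: every path is group-writable"
    echo "sandbox root: $ROOT"
fi
```

Run it as `sh shared-folders.sh demo`; the audit output before and after the fix is the whole story of the "can open but not save" irritation. To use it for real, point $ROOT at /Users, run it as a login item for each admin user, and note that as an unprivileged user it corrects modes but leaves owner and group alone.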
try
    -- the path contains spaces and parentheses, so let AppleScript quote it for the shell
    do shell script "chown userathome " & ¬
        quoted form of "/Applications (Mac OS 9)/QuarkXPress/XTension/PDF Filter.prf" ¬
        password "yourpasswordathome" with administrator privileges
end try
BTW: Again, back up EVERYTHING before trying this at home!
