Sharing everything with multiple users on one machine

Mar 07, '03 08:24:00AM

Contributed by: designr

For about nine months now, I have been sharing numerous portions of my "Home" directories amongst three users. These shared directories include the Desktop, Documents, Music and portions of the Library.

I have a Titanium PowerBook, and when I am in my home office, I want access to everything. But, when I set up shop in a cubicle at a client's office, I want to limit access to personal and financial (billing) information while retaining access to everything else. And, when I loan my laptop to a client (I'm very trusting), I want them to have access to a few things but not much else.

Read the rest of the article for a detailed explanation of how I created and modified users, folders and permissions to accomplish these objectives.

[robg adds: If you're interested in some unique ways of creating shared folders and users on one machine, read the rest of the article -- but please, if you're going to try any of this stuff, make sure you have a good backup first!]

The first step in my solution was to create three Users:
/Users/userathome (Admin User - access to everything)
/Users/useratwork (Admin User - access to almost everything)
/Users/guestuser (Guest User - shared preferences)


I then manually created two additional directories in the Users directory:
/Users/mystuff
/Users/openstuff


And, a variety of subdirectories:
/Users/mystuff/Desktop
/Users/mystuff/Documents
/Users/mystuff/Library
/Users/openstuff/Library
/Users/openstuff/Music


Then, logged in as root, I deleted the following directories:
/Users/userathome/Desktop
/Users/userathome/Documents
/Users/userathome/Music
/Users/useratwork/Desktop
/Users/useratwork/Documents
/Users/useratwork/Music
/Users/guestuser/Music


Still logged in as root, I created aliases:

FROM:
/Users/userathome/Desktop[ alias]
/Users/useratwork/Desktop[ alias]

TO:
/Users/mystuff/Desktop

FROM:
/Users/userathome/Documents[ alias]
/Users/useratwork/Documents[ alias]

TO:
/Users/mystuff/Documents

FROM:
/Users/userathome/Music[ alias]
/Users/useratwork/Music[ alias]
/Users/guestuser/Music[ alias]

TO:
/Users/openstuff/Music

Links are fine but aliases seem to work better with Classic apps. Be sure to remove the " alias" from the end of the alias filenames. Next, set the permissions appropriately:

Aliases (or links) are owned by the appropriate user:

/Users/userathome/Desktop[ alias]     userathome:admin   -rw-r-----
/Users/useratwork/Desktop[ alias]     useratwork:admin   -rw-r-----
/Users/userathome/Documents[ alias]   userathome:admin   -rw-r-----
/Users/useratwork/Documents[ alias]   useratwork:admin   -rw-r-----
/Users/userathome/Music[ alias]       userathome:admin   -rw-r--r--
/Users/useratwork/Music[ alias]       useratwork:admin   -rw-r--r--
/Users/guestuser/Music[ alias]         guestuser:admin   -rw-r--r--

Shared directories (and everything contained therein) are as follows:

/Users/mystuff/Desktop                userathome:admin   drwxrwx---
/Users/mystuff/Documents              userathome:admin   drwxrwx---
/Users/mystuff/Library                userathome:admin   drwxrwx---
/Users/openstuff/Library              userathome:admin   drwxrwxrwx
/Users/openstuff/Music                userathome:admin   drwxrwxrwx

At this point, when logged in as userathome OR useratwork, you will have full access to the same Desktop and Documents directories. Logged in as ANY user, you will have full access to the same Music directory. In my case, I then created two new directories in my home directory:

/Users/userathome/Finance             userathome:admin   drwx------
/Users/userathome/Personal            userathome:admin   drwx------

The next step is to selectively move preferences from the users' ~/Library to the appropriate shared/Library and replace the local preferences with aliases (or links). For example, my DragThing preferences are here:

/Users/openstuff/Library/Preferences/DragThing Preferences

These preferences are shared via aliases by all users. DragThing is now the same no matter who is logged in. Any changes made when logged in as one user are applicable to all users. I do the same thing with FruitMenu and my FruitMenu Items. A more complex example would be Entourage. My business email identity is in:

/Users/mystuff/Documents/Microsoft User Data/Office X Identities/Designr

This identity is accessible when I'm logged in as userathome or useratwork but not guestuser. And, my personal email identity is linked via an alias at:

/Users/mystuff/Documents/Microsoft User Data/Office X Identities/Brian

This alias points back to:

/Users/userathome/Personal/Microsoft User Data/Office X Identities/Brian

This is only accessible when I am logged in as userathome.

Don't laugh...it works. Sure, someone could boot OS 9 or use FireWire target disk mode, but the casual user can't just walk up to my cubicle and get into my billings or personal files. With an OS X only machine or with a firmware password, you can increase your protection a little more.

I have given you a simple example. From this starting point, you can create a variety of directories and configurations for shared and private data that quickly and easily link kids and spouses. It helps to give each user a different desktop picture so you know who you are.

BTW: Back up EVERYTHING before trying this at home!

After about six months of using the above configurations, the only irritation I ran into was in saving over previously created files. For example, say I am logged in as userathome and create a Quark document called mynewsletter that I save in ~/mystuff/Documents. If I then log in as useratwork, I can open mynewsletter but not save it over the original until I change the Owner or give the admin group write permission.

This is the same irritation many have experienced with the OS X Server. I tried a variety of the umask solutions that worked for the server but found they did not help when applied in OS X Client.

The solution I found was to create an AppleScript application, customized for each user. Each customized AppleScript was then added to the appropriate user's login items:

-- Reset owner, group and mode on the shared trees at login.
-- Each "do shell script" statement must stay on a single line.
try
  do shell script "chown -R userathome /Users/mystuff" password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chgrp -R admin /Users/mystuff" password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chmod -R u=rwx,g=rwx,o=-rwx /Users/mystuff" password "yourpasswordathome" with administrator privileges
end try
-- Top-level folder only (no -R).
try
  do shell script "chgrp staff /Users/mystuff" password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chown -R userathome /Users/openstuff" password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chgrp -R staff /Users/openstuff" password "yourpasswordathome" with administrator privileges
end try
try
  do shell script "chmod -R u=rwx,g=rwx,o=rwx /Users/openstuff" password "yourpasswordathome" with administrator privileges
end try

Replace "userathome" with "useratwork" and replace "yourpasswordathome" with "yourpasswordatwork" in the AppleScript that runs when you log in as useratwork. Wrapping each step in a "try" block prevents "file locked" errors from being returned (which would stop the script). I considered a cron job but could not figure out a way to execute it at login.

Also, because administrator privileges are required, the above AppleScript will not run when you are logged in as guestuser (i.e., as a non-admin user). The permission issues don't seem to bother iTunes though, so I haven't bothered to try to find another solution.

You will also want to consider adding additional lines to customize permissions further. I found that my Quark XTension PDFFilter kept crashing Quark. The problem was that PDFFilter stores its preference file in the Quark XTensions folder, and then assigns read-only access to the group, i.e.:

-- Backslashes are doubled so AppleScript passes a single backslash to the shell.
try
  do shell script "chown userathome /Applications\\ \\(Mac\\ OS\\ 9\\)/QuarkXPress/XTension/PDF\\ Filter.prf" password "yourpasswordathome" with administrator privileges
end try

BTW: Again, back up EVERYTHING before trying this at home!
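
The save-over problem and the login-time permission reset described above, as an added shell example that is not part of the original article: it audits a shared tree against the article's permission table and repairs only the mode bits. The function names, the policy labels "private" and "open", and the temporary demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit a shared tree against the
# article's permission table, then repair only the mode bits.
# Policies: "private" = /Users/mystuff (rwxrwx---), "open" = /Users/openstuff.

# Print one "reason<TAB>path" line per entry that deviates from the policy.
audit_shared() {
    root=$1 policy=$2
    # Entries the group cannot write: the "cannot save over mynewsletter" case.
    find "$root" ! -type l ! -perm -020 \
        -exec printf 'no-group-write\t%s\n' {} \;
    # Directories the group cannot enter.
    find "$root" -type d ! -perm -010 \
        -exec printf 'no-group-search\t%s\n' {} \;
    if [ "$policy" = private ]; then
        # Any r, w or x bit for "other" exposes the tree to guestuser.
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'world-accessible\t%s\n' {} \;
    fi
}

# Repair modes. Capital X adds execute only to directories and to files that
# are already executable, unlike the article's blanket rwx.
repair_shared() {
    root=$1 policy=$2
    case $policy in
        private) chmod -R g+rwX,o-rwx "$root" ;;
        open)    chmod -R g+rwX,o+rwX "$root" ;;
        *)       echo "unknown policy: $policy" >&2; return 2 ;;
    esac
}

# Constructed demo tree standing in for /Users/mystuff (assumption: a temp dir).
demo() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/mystuff/Documents" || return 1
    : > "$tmp/mystuff/Documents/mynewsletter"
    chmod 770 "$tmp/mystuff" "$tmp/mystuff/Documents"
    chmod 644 "$tmp/mystuff/Documents/mynewsletter"   # saved by the other user
    audit_shared "$tmp/mystuff" private               # report before repair
    repair_shared "$tmp/mystuff" private
    audit_shared "$tmp/mystuff" private               # prints nothing now
    rm -rf "$tmp"
}
demo
```

chmod succeeds without elevation only on entries the invoking user owns; for files saved by the other account, run the repair through sudo, which prompts for the password instead of storing it in a login item.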

Mac OS X Hints
http://hints.macworld.com/article.php?story=20030304214738124