Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

A simple way of locking down folders for a lab System
This hint is for smaller labs without a Mac OS X Server system (like the Xserve). It explains how to lock down the desktop (and it could be adapted for any of the user's folders).
  1. First create all needed folders for the desktop. Name them and position them where they are wanted.
  2. Logout then back in (this saves the icon positions).
  3. Go to the Users folder and do a Get Info on the Desktop folder (highlight it and hit Command-I). Change the permissions so the user only has Read Access. Potentially you could change the owner and a group the user belongs to, as this would prevent the user from easily changing the Desktop folder back to read and write.
  4. Run Terminal, then cd desktop. At this point, it's usually good to do an ls -al (or pwd) to verify you are in the right directory. If you're sure you're there, then type chmod u-w .DS_Store.
At this point, the user shouldn't be able to rename the folders on the Desktop. They will be able to move them around the Desktop, but if they drag one onto another folder, or some other place on the hard drive, it will default to copying the folder instead of moving it. Even if folders are moved around on the Desktop, once the user logs out then back in, the folders will be back in their set positions (from step 1).

A lab I've been working with has one admin account and one student account. Several different classes use the same machine, so we set up folders on the Desktop -- one for the morning and afternoon class for each day of the week, plus for the web browsers, a Downloads folder on the desktop. With the normal OS X settings, any of the students can rename and move the folders around the desktop, or even into other places on the computer.
    •    
  • Currently 2.33 / 5
  You rated: 1 / 5 (3 votes cast)
 
[8,701 views]  

A simple way of locking down folders for a lab | 6 comments | Create New Account
Click here to return to the 'A simple way of locking down folders for a lab' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
And how users can defeat this
Authored by: SOX on Oct 13, '04 11:01:49AM

Build a better mousetrap and someone builds a better mouse....

If you leave the user's Desktop folder writable they can overwrite the .ds_store even if they cannot alter it. that is they can simply delete the old one. If you leave the User's Home directory writeable they can delete the desktop folder.



[ Reply to This | # ]
And how users can defeat this
Authored by: BMarsh on Oct 15, '04 01:05:37PM

that is one of the steps, make the users Desktop Folder read only.

as for the user folder itself being writable... yes that could be an issue, changing it's permissions so it is read only shouldn't affect anything, since all of the needed folders are in place, this should protect things like Library from being moved.

While I don't think you were intending it, you just gave me more idea's to protect from a few problems I've seen on users computers.

There will always be ways around these things, but if you don't do anything, then it is far to easy to have things messed up.

Something else I failed to mention I believe, was having to change the "Downloads" folder from the Desktop, to another folder on the desktop. Safari to my surprise actually did this automatically (it changed to a folder named "Downloads" (except in french) without me changing anything)
I had to do it manually for IE



[ Reply to This | # ]
A simple way of locking down folders for a lab
Authored by: fotmasta on Oct 13, '04 11:07:34AM
One step really got my attention. It was-

"Logout then log back in to save icon positions."

I have to do the same thing when I create a .dmg or Toast image and want to preserve icon settings and window background etc.
If we could find the service that is being refreshed, we could just send a SIG HUP to it and not have to quit all apps and logout/in.
I haven't found it yet. Relauching the Finder doesn't do it either.

[ Reply to This | # ]
A simple way of locking down folders for a lab
Authored by: club60.org on Oct 13, '04 12:03:24PM

You don't need to logout when creating .dmg images.
Just apply all the view settings you want and then either unmount it or use Disk Utility to convert the image to compressed (making it compressed and read-only).



[ Reply to This | # ]
A simple way of locking down folders for a lab
Authored by: jiga on Oct 13, '04 04:37:37PM

But this won't work with the startup volume, unfortunately :-(



[ Reply to This | # ]
A simple way of locking down folders for a lab
Authored by: David on Oct 13, '04 01:09:54PM

I'm pretty sure this is because it isn't the Finder that needs to be refreshed, it is the loginwindow application. But I don't think you can just -HUP it as you will log yourself out immediately. :-)



[ Reply to This | # ]