
Allow shared write access to any directory System
A straightforward method can be used to enable shared write access on selected directories for multiple users on the same machine, without resorting to cron scripts or Access Control Lists (ACLs).

Since Tiger and Panther use, by default, a "user private group" (UPG) scheme, in which every user gets his own group, it is perfectly reasonable and secure for the default umask to be 002 (which means files are group writable by default). If you never create another group, umask values of 002 and 022 will be exactly equivalent, because there will never be a group with more than one member.

In fact, this is how many Linux distributions ship by default. Check out this nice writeup from RedHat, explaining the ins and outs of the UPG system.

To set this up for OSX 10.3 or later, all you need is to set the default umask for all users who'd like to share write access on some set of directories, create one or more custom user groups to enable such sharing, and then enable the setgid bit on one or more shared directories. Read on for a step-by-step walkthrough...

Here's how to allow sharing of any set of directories for any number of users on the same machine:
  1. Set the default umask to 2. The umask command in the Terminal cannot set this globally; instead, as mentioned in this hint, use this command:
    defaults write -g NSUmask 2
    You must do this for all users who would like to share write access to files using this scheme. You can check if it worked by logging out and back in, and typing umask in the Terminal. It should report 2 as the value.

  2. Make a new group (mine is called home), and add all users who would like shared write access. To do this, launch NetInfo Manager (in Applications/Utilities), click on groups, click the lock and authenticate to make changes, and then click on the group which is the same as your username. Use Edit: Duplicate to make a copy.

    Change the name of the duplicate to your chosen shared group name, and the GID to some free number (401 is a good choice, if you have no preference). Then use Directory: New Property to add the property users. Click on the newly created users property, and use Directory: New Value to add the first username who you'd like to be a member of the group. Repeat for all such users (no need to add all users, just ones who'd like shared write access). Save changes and quit.

    Now wipe the sweat off your brow and write Apple an email begging for an easier tool for adding user groups. You can, of course, make multiple groups with different user membership to allow shared-write for different projects, etc.

  3. Pick a directory (or more than one) for sharing. I use the pre-existing /Users/Shared, but any directory will do (including ones in your own /Users directory). In the Terminal, run these commands:
    % sudo chown -R my_username:shared_group /Users/Shared
    % sudo find /Users/Shared -type d -exec chmod  g+s \{} \;
    
    Change my_username to your username and shared_group to the name of the shared group you created.

    The chmod g+s command is setting the set-group-id bit on all directories, which makes all newly-created files inside that directory inherit the group of their parent directory, instead of the user's current group (which will very likely be their user private group -- useless for sharing). This is very important, as many OS X file types are actually directories, and will quickly become unwritable, as different users create new sub-files which don't inherit the shared group. The nice thing is, you only have to do this once. If you have an empty /Users/Shared, then you don't need the complex find command; a simple chmod g+s /Users/Shared will set you up for good.

  4. If you'd like to preserve the existing permission scheme for /Users/Shared (everybody can read everything, only you can modify your own files, and you can only delete your own stuff), you might consider a new directory, like /Users/SharedWrite, to use this method on.

What can you do with this, once set up? For one, the scheme can be used to enable shared iPhoto and iTunes databases among multiple users on a single machine. This hint suggests enabling the new ACL permissions scheme to do this, but it's not necessary for simple read/write sharing. Here's a sample of what I did to use my newly shared-write-enabled directory /Users/Shared:
% mv ~/Pictures/iPhoto\ Library ~/Pictures/iPhoto\ Library\ old
% ln -nsf /Users/Shared/Pictures/iPhoto\ Library ~/Pictures/
This shares an iPhoto library magically (you can also hold down Option when iPhoto starts and select that library directly). I did the same for ~/Music/iTunes. I also created a link...
% ln -s /Users/Shared/Movies ~/Movies/Shared\ Movies
...to have shared iMovie files in a Shared Movies folder inside of Movies. The possibilities are limitless.
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Allow shared write access to any directory
Authored by: aliensub on Jan 11, '06 09:17:06AM
Great article. Been waiting for something like this for a long time! It seems a line is wrong in the article:
sudo find /Users/Shared -type d -exec chmod  g+s {} ;
Should be:
sudo find /Users/Shared -type d -exec chmod  g+s {} ";"


[ Reply to This | # ]
Allow shared write access to any directory
Authored by: mtimmsj on Jan 11, '06 10:22:40AM
Traditionally the semicolon is escaped by a backslash. So the command as I learned it and as I would run it would be:
sudo find /Users/Shared -type d -exec chmod  g+s {} \;
Either way works though. The original command in the tip would fail with an error from find about there being no terminating semicolon. Good catch.

[ Reply to This | # ]
Allow shared write access to any directory
Authored by: jdsmith on Jan 11, '06 11:07:03AM

My submitted hint had:

% sudo find /Users/Shared -type d -exec chmod g+s \{} \;

but the backslashes were removed. Hopefully those can be repaired.



[ Reply to This | # ]
g+s is not necessary
Authored by: Ptitboul on Jan 13, '06 04:52:28AM

On MacOSX (and other BSD unix), groups are always inherited from the parent directory. g+s is a SystemV technique.



[ Reply to This | # ]
Allow shared write access to any directory
Authored by: shavenyak on Jan 11, '06 11:13:02AM

Crap. I sat down and figured out how to do all this on my own over this past weekend, while moving a bunch of family data from an old Linux server to our new Mac mini. I was gonna write it up and submit it as a hint, but hadn't gotten around to it yet. Changing the global default umask was really the only hard part, the rest is pretty straightforward Unix stuff. I also had to figure out how to get Tiger to mount the drive in my MiniStack at boot time instead of waiting until a user logs in, since I'm sharing this data out to the LAN.

On the iTunes and iPhoto libraries and Movies folder stuff, though, I wonder if it would be better to use aliases instead of symlinks?



[ Reply to This | # ]
Allow shared write access to any directory
Authored by: david-bo on Jan 13, '06 07:20:42AM

Why don't you write a hint about mounting drives at boot time? I think there would be some interest in that.

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=



[ Reply to This | # ]
Allow shared write access to any directory
Authored by: jdsmith on Jan 11, '06 12:38:19PM
I've had a few questions on this hint and thought I'd offer some further clarification:

The umask is a subtractive permission from 777, where "7" means 1(=read) + 2(=write) + 4(=execute). And the three digits are for user/group/others in that order. So, a umask of 002 means files have default permissions 775, or user rwx, group rwx, others r-x. Note that whether the execute bit actually gets set for new files is actually not entirely determined by umask. It is usually not (except for directories), which is the correct behavior.

As for the UPG scheme, umask of 002 and 022 are exactly the same, since by default you are the only member in your group, so it doesn't matter if you give group write access. In this sense, Apple implemented half of the UPG scheme (all users get their own private group), which isn't too useful by itself.

It's vital that the setgid bit be set on directories and subdirectories which you want to share. Once you do this, you don't have to worry anymore: all nested directories created there later will be fine. If you want to check, try this:

% cd /path/to/shared_dir
% find . \! -perm -g=w -exec ls -ld \{} \;

which will show any files which don't have group writeability. Do notice the backslashes!

Important: Please note that simply moving files/folders to a shared directory does not alter their permissions or group ownership, so if you have existing files you'd like to share, you must set their group ownership (and possibly permissions, if they were created elsewhere or before your umask took effect) by hand. For importing pre-existing files/directories, you must use chgrp and chown as shown above for the iPhoto Library on them.

Actually, this is probably a common case: create a file in your Documents directory, and then later decide you want to let others edit it too, so drop it into /Users/Shared. Without explicitly setting ownership, or a folder action, this won't work. A useful folder action would chgrp -R parentdirectorygroup and chmod -R g+w the incoming file/folder, where parentdirectorygroup is the shared group name of the parent directory (or you could just hardcode it).

Disk Utility "Repair Permissions" does not affect user directories, so can be used freely without worrying about breaking your sharing scheme.

[ Reply to This | # ]
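
The hint's step 3 and the import caveat in the comment above (moved-in files keep their old group and mode), combined into one check-and-repair script. This is an added example, not part of the original hint or of any poster's comment; the function names audit_shared and repair_shared, the constructed demo tree, and the choice of g+rwX and chgrp -h are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the hint: audit and repair a shared-write tree.
# On a real system run it with sudo and pass the shared group from step 2.

# Print one line per entry that breaks the scheme; status 1 if any are found.
# Symlinks are skipped: their own mode and group do not govern access.
audit_shared() {
    dir=$1 group=$2
    # wrong-group:    still in a private group, e.g. moved in from elsewhere
    # no-setgid:      directory lacking the setgid bit that step 3 sets
    # no-group-write: made under umask 022, or a mode-700 library
    findings=$(
        find "$dir" ! -type l ! -group "$group" -exec printf 'wrong-group %s\n' {} \;
        find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
        find "$dir" ! -type l ! -perm -020 -exec printf 'no-group-write %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Fix an imported tree: shared group, group rw (x only on directories and
# already-executable files), setgid on every directory.
# chgrp -h changes a symlink itself, never a target outside the tree.
repair_shared() {
    dir=$1 group=$2
    chgrp -hR "$group" "$dir" &&
        chmod -R g+rwX "$dir" &&
        find "$dir" -type d -exec chmod g+s {} +
}

# Constructed demo: a folder made elsewhere with mode 700, then moved in.
demo() {
    grp=$(id -g)                      # current gid stands in for the shared group
    top=$(mktemp -d) || return 1
    mkdir "$top/share" "$top/album"
    chgrp "$grp" "$top/share" && chmod 2775 "$top/share"
    touch "$top/album/photo.jpg" && chmod -R g-s,go-rwx "$top/album"
    mv "$top/album" "$top/share/"     # mv keeps the old mode and group
    audit_shared "$top/share" "$grp" || true   # flags album and photo.jpg
    repair_shared "$top/share" "$grp"
    audit_shared "$top/share" "$grp" && echo "clean after repair"
    rm -rf "$top"
}
demo
```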

Allow shared write access to any directory
Authored by: Han Solo on Jan 11, '06 04:56:52PM
Do notice the backslashes!

I suspect GeekLog ate your backslashes in the find command you posted. You should try again, without using the code tags this time....

[ Reply to This | # ]

Allow shared write access to any directory
Authored by: jdsmith on Jan 11, '06 10:27:56PM
I'll figure this out eventually:
% find . ! -perm -g=w -exec ls -ld \{} \;


[ Reply to This | # ]
How we do it globally
Authored by: matx on Jan 11, '06 03:49:04PM

On every machine to affect The Finder umask, type this in Terminal:

sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 2

(use ARD v.2 for lots of machines)

And if you want files created in Terminal affected, put "umask 002" in
/etc/profile (with no quotation marks).

-x

---
Mat X -- VFX Mac Tech



[ Reply to This | # ]
Easier group modification than netinfo...
Authored by: woogli on Jan 11, '06 08:39:49PM

If you want a slightly nicer (and possibly more robust than using duplicate) way of modifying group memberships etc, and you are using Tiger, you should try downloading the server admin tools from apple (http://www.apple.com/downloads/macosx/apple/serveradmintools104.html). Most of the tools don't work without 10.4 server, BUT, the one that does work as much as you need is the 'workgroup manager' tool.

In that tool you have all sorts of useful things you can do, which you can't easily in just the client version. You can do things like 'lock' accounts, and so on. For example, I have a 'guestacct' account, which I only activate when I have people visiting, but the rest of the time, it's deactivated.

Most relevant to this hint, I used the tool to set up a 'photo' group, and an 'itunes' group, into which I put the users to gain access.

Thanks for this hint though, I was missing the umask and setgid pieces of the puzzle to make things 'elegant'.

Cheers.



[ Reply to This | # ]
Oops ... one more thing
Authored by: woogli on Jan 11, '06 08:42:11PM

I forgot to mention ... when using the workgroup manager tool, you need to connect to "localhost".



[ Reply to This | # ]
Allow shared write access to any directory
Authored by: Baggins on Jan 12, '06 10:37:14AM

Starting with the disclaimer that UNIX permissions and groups are still somewhat of a mystery to me, it appears that on my machine all user accounts with Admin privileges also belong to the admin group.

I was able to make the home folders of two admin accounts completely sharable to each other simply by changing the group to admin and setting the permissions to allow read/write/execute for that group.



[ Reply to This | # ]
Allow shared write access to any directory
Authored by: david-bo on Jan 13, '06 07:16:34AM

Sharepoint makes it very easy to add groups. It is also indispensable for everything Windows/Samba file sharing related.

---
http://www.google.com/search?as_q=%22Authored+by%3A+david-bo%22&num=10&hl=en&ie=ISO-8859-1&btnG=



[ Reply to This | # ]
Allow shared write access to any directory
Authored by: syzygies on Jan 20, '06 01:23:46PM
Nice summary!

I have two accounts, an administrative account ad and a nonadministrative account me, constituting a group we. Both accounts have a umask of 0007. I have changed ownerships and permissions recursively on both users' home directories using chown -R ad:we, chown -R me:we, chmod -R g+rwX,o-rwx. All is nearly well; most applications and shell commands create files and directories obeying the umask. However, the Finder persists in creating folders with permissions drwxr-xr-x, not drwxrwx--- as I would like. It seems to ignore the umask setting.

Any ideas?

[ Reply to This | # ]
Allow shared write access to any directory
Authored by: thorsten.b on Feb 09, '06 06:27:33AM

Great Hint.
I tried this with mail, adium, ical, address book and safari bookmarks file/folders in the library to share those applications between 2 local accounts. Yet: mail works, but all the other applications not. Also I can't symlink the apple.com.mail pref file in the preference library. Has anyone tried this? Even when I symlink the pref files - new files are created when I exit the programs, overwriting the symlink. Also address book and ical won't even start up.



[ Reply to This | # ]
Tried it but it doesn't work for me
Authored by: dmcheng on May 15, '07 08:53:47AM

Hi. Well-written hint, but it's not working for me. When I'm logged in as User A and create a new folder "SubFolder" under the main shared folder (/test), then User B cannot create any new folders or files *within* SubFolder because the group permissions are still set to read only on SubFolder.

Any ideas? I'm using OS X 10.4.9 with all the latest.

Thanks
David



[ Reply to This | # ]
generateduid problem
Authored by: cupertinox on Jul 27, '07 09:17:56AM
great hint, however i had some issues to make it work on tiger 10.4.10

1
my problem was that adding a new group "shared" with id 401 (by duplicating an existing; step 2 above) via netinfo did not quite make the cut. testing whether my user was in the newly generated group (with the id command from the terminal) gave a negative result. utilizing an otherwise unheard outcry from our community (found at http://forums.macosxhints.com/archive/index.php/t%20%3C/t-46830.html) i realized that the new group needed a unique generateduid (in addition to unique id) to make it work. so i generated one from the terminal using the uuidgen command and pasted the result into the appropriate field in netinfo. after logout/login my users showed correctly all relevant groups.

2
i promoted a user's iphoto library to the shared library by copying (not moving) it there. seems so, that per default iphoto libraries are created 700 in the user's Picture directory, however it has to be at least 770 in the shared folder.

in the wake of the release of ilife07 (maybe next week) all this hopefully gets rendered irrelevant with apple introducing a proper solution for multiple users living and editing their ilife collaboratively on the same computer (wishful thinking).



[ Reply to This | # ]